Define security quality gates

Security quality gates (SQGs) set the baseline for specific quality criteria that APIs must reach. As part of performing an action like auditing the API definition or scanning the API implementation, the API must also meet the criteria of the SQG.

To view the SQGs in your organization, click Security quality gates in the main menu of 42Crunch Platform on the left. The list shows all SQGs that already exist in your organization.

The screenshot shows the default security quality gate in its default configuration.

Edit a default security quality gate

Each organization gets default SQGs for both API Security Audit and API Conformance Scan out of the box. Default SQGs are automatically applied to all APIs in your organization. Organization administrators cannot delete or remove the default SQGs, but can edit them as needed.

  1. On the default SQG you want, click > Update.
  2. Change the name of the SQG if you want, and click Configure audit criteria or Configure scan criteria, depending which default SQG you are updating.
  3. Edit the criteria as you want. Check the tooltips next to the criteria to see what their impact is.

    A screenshot showing the score and severity criteria for audit in the update dialog.

    The default SQGs are automatically applied to all APIs, so if you have integrated Security Audit with your CI/CD system, they can fail CI/CD builds, especially for APIs that are only at the beginning of their development. As a workaround, you can remove the severity restrictions from the default audit SQG and set them in a separate audit SQG that you apply with tags to APIs as they mature. Note that this does not fix the issues in your APIs, it merely hides them from the audit SQG, and you must remember to tag your APIs manually to apply the tighter quality criteria later.

  4. Click Rejected issues, and select what issues, if any, cause the SQG to fail.
  5. When you are ready, click Update security quality gate.

The status of the SQG passing or failing is updated based on your changes the next time an action is performed on any API, such as running Security Audit or viewing an audit or scan report.

If you have integrated Security Audit with your CI/CD pipeline, the integration plugin automatically checks the status of SQGs applied to the APIs it discovered. If any of the SQGs fails, the CI/CD build fails too. CI/CD integration for API Conformance Scan is coming, but currently scan SQGs can only be enforced in 42Crunch Platform, not on your CI/CD.

The fail-on criteria you set in the CI/CD plugin are independent of the acceptance criteria defined in SQGs, so the plugin can fail a build even when all SQGs pass. For example, the CI/CD plugins by default fail APIs that do not have a valid OpenAPI definition, whereas in an SQG you must explicitly switch this criterion on. A CI/CD build can therefore fail because the criteria of an SQG are not met, because the criteria of the CI/CD plugin are not met, or both, so looking only at the SQGs may not be enough to explain why a build failed.

Create additional security quality gates

You can also create additional SQGs and apply them to the APIs you want using tags.

  1. Before you start, make sure that the category and tag you want to associate with the new SQG already exists. See Create new tags and categories.

    We recommend adding a dedicated category for SQGs so that the related tags are easy to find. We also recommend not allowing users to create tags in this category, so that organization administrators stay in control of them.

  2. Go to the list of your SQGs, and do one of the following:
    • To start from the baseline defined in an existing SQG, such as your default SQG, go to the SQG you want, and click > Copy.
    • To start from scratch, click New security quality gate, and select which SQG you want to create.
  3. Enter a name for the rule, and select which category and tag it is associated with.

    The screenshot shows a new SQG that has been associated with a tag category and a tag.

  4. Configure the acceptance criteria that you want the SQG to impose. Check the tooltips next to the criteria to see what their impact is.
  5. When you are ready, click Create security quality gate.
  6. To apply your new SQG to an API, tag the API with the category:tag pair you associated with the SQG. See Apply tags to APIs. You can only apply one SQG for Security Audit and another for Conformance Scan to a single API.

Once the SQG is applied to the API, the status of it passing or failing is updated based on your changes the next time an action, such as running Security Audit or viewing the audit report, is performed on the API.

Manage handling of criteria from default and tag-based SQGs

By default, the default SQG is ignored after you tag an API for another SQG of the same type: for example, if you create a new audit SQG and apply that to an API, the criteria from the default SQG for Security Audit are no longer enforced on that API. This makes it easier to understand why an API has failed a SQG and prevents unpredictable combinations of SQG criteria for the same feature. However, if needed, organization administrators can allow combining the criteria from both the default and tag-based SQGs.

  1. Click next to your username, and click System preferences.
  2. In Handling of default customization rules and SQGs, switch the setting off or on according to the behavior you want:
    • To ignore the criteria from the default SQGs on APIs that are tagged for another SQG of the same type, switch the setting off. This is the recommended option because it makes it easier to understand why an API fails an SQG.
    • To combine the criteria from the default SQGs with those of the SQGs applied with tags, switch the setting on. This can buy time for updating existing SQGs, but it may produce unexpected results when criteria from several sources are combined.
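The following script is an added example, not 42Crunch code: the platform evaluates SQGs server-side and the exact criteria it supports are only partly described on this page. It models the two settings above (and the tag-based workaround for early-stage APIs described under "Edit a default security quality gate") with assumed criteria: a minimum audit score, a maximum tolerated issue severity, and a set of rejected issue IDs. The sample audit result (score 45/100, two constructed issue IDs) and the gate names are invented for illustration. It shows why combining is hard to read: an API tagged for a relaxed gate still fails, and the failing criterion comes from a gate the API was not tagged with.

```python
"""Model of how default and tag-based SQG criteria are applied to one API.

Added illustration, not the 42Crunch implementation. Criteria names, gate
names, issue IDs and the audit result below are all assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Severity ordering assumed for the comparison; higher means worse.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class AuditResult:
    score: int                              # audit score, 0-100
    issues: List[Tuple[str, str]]           # (issue id, severity)


@dataclass
class Gate:
    name: str
    min_score: int = 0                      # fail if score is below this
    max_severity: Optional[str] = None      # fail if any issue exceeds this
    rejected_issues: frozenset = field(default_factory=frozenset)


def check_gate(gate: Gate, result: AuditResult) -> List[str]:
    """Return the failed criteria of one gate; an empty list means it passed."""
    failures = []
    if result.score < gate.min_score:
        failures.append(f"{gate.name}: score {result.score} < {gate.min_score}")
    if gate.max_severity is not None:
        limit = SEVERITY_RANK[gate.max_severity]
        for issue_id, sev in result.issues:
            if SEVERITY_RANK[sev] > limit:
                failures.append(f"{gate.name}: {issue_id} is {sev}, max is {gate.max_severity}")
    for issue_id, _ in result.issues:
        if issue_id in gate.rejected_issues:
            failures.append(f"{gate.name}: rejected issue {issue_id}")
    return failures


def evaluate(result: AuditResult, default_gate: Gate,
             tagged_gate: Optional[Gate] = None, combine: bool = False) -> List[str]:
    """Apply the gates the way the 'handling of default SQGs' setting would.

    combine=False (setting off): a tag-based gate replaces the default gate.
    combine=True  (setting on):  both gates apply and every failure is reported.
    """
    if tagged_gate is None:
        gates = [default_gate]
    elif combine:
        gates = [default_gate, tagged_gate]
    else:
        gates = [tagged_gate]
    failures = []
    for gate in gates:
        failures.extend(check_gate(gate, result))
    return failures


# Constructed sample data (assumptions, not real 42Crunch issue IDs).
DEFAULT_AUDIT = Gate("default-audit", min_score=70, max_severity="medium")
EARLY_STAGE = Gate("sqg:early-stage", min_score=40)          # applied via a tag
PETSTORE = AuditResult(score=45, issues=[("missing-auth", "high"),
                                         ("no-numeric-maximum", "medium")])


def petstore_default_only() -> List[str]:
    return evaluate(PETSTORE, DEFAULT_AUDIT)


def petstore_tagged_setting_off() -> List[str]:
    return evaluate(PETSTORE, DEFAULT_AUDIT, EARLY_STAGE, combine=False)


def petstore_tagged_setting_on() -> List[str]:
    return evaluate(PETSTORE, DEFAULT_AUDIT, EARLY_STAGE, combine=True)


if __name__ == "__main__":
    for label, fn in [("default only", petstore_default_only),
                      ("tagged, setting off", petstore_tagged_setting_off),
                      ("tagged, setting on", petstore_tagged_setting_on)]:
        print(f"{label}: {fn() or 'PASS'}")
```

With the setting off, the API tagged for the early-stage gate passes, because only that gate's criteria count. With the setting on, the same API fails on two criteria that both carry the default gate's name, which is the "unexpected results" case the page warns about: the gate the team deliberately tagged the API with is not the one rejecting it.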

View approval reports from security quality gates

Once a SQG is applied to an API, the API must pass the quality criteria defined in the SQG. For example, when you run Security Audit on an API, the results from the audit are compared to the criteria of the audit SQG. The results from SQGs are listed in an approval report.

  1. In 42Crunch Platform, find the API you want, and click to view the API summary. The quickest way to find API definitions in 42Crunch Platform is to click Find API in the main menu. You can see if the security quality gates have passed or failed alongside the results from the latest audit or scan.

    You can also quickly check the overall status of which SQGs are passing and which failing when you view APIs in an API collection.

  2. Click Read report either on Security Audit or Conformance Scan, depending on which SQG you want (audit and scan SQGs are shown separately). You can see the latest report, with the overall status of the applied security quality gate shown above the report text.

  3. To view the approval report from the applied SQG:
    • Audit SQG: Expand the SQG banner to view the status. The criteria that failed are highlighted in red. You can also filter the audit report to show only the to-do list of issues that you must fix to pass the SQG.

      The screenshot shows an SQG approval report for the Petstore API that has failed the audit criteria set in the default SQG: the audit score of the API is only 45/100 and is highlighted in red, because the SQG requires at least 70/100.

    • Scan SQG: Click Get approval report to view the status. A failed SQG is highlighted in red.

You can also download the approval report from each SQG as JSON, for example, to share it with other teams.

Delete a security quality gate

You cannot delete the default SQGs, but you can delete the SQGs you have created yourself and that you no longer need. Just click > Delete on the SQG you want to remove.

Deleting a SQG permanently removes it from 42Crunch Platform. This action cannot be undone.

Deleting a SQG does not delete the category or tag associated with it, nor does it remove the tag from APIs where the SQG has been applied.