Integrate Security Audit with Bamboo

You can integrate API Contract Security Audit in Atlassian Bamboo through the app REST API Static Security Testing.

Note: You must have an account in 42Crunch Platform that the app in your Bamboo plan can use to access Security Audit. If you do not yet have an account, sign up for one first.

For more details on Bamboo, see Bamboo documentation.

Create an API token for the app

You must add an API token that the Bamboo plan uses to authenticate to Security Audit.

  1. Log in to 42Crunch Platform, and open the menu next to your username.
  2. Select API Tokens, and click Create New Token.
  3. Enter a unique and descriptive name for the token, such as Security Audit token.
  4. In token access rights, select API Contract Security Audit, List Resources, and Delete Resources. These are the only rights the task needs: Delete Resources is required because the task clears the target API collection before it uploads the discovered definitions (see the caution under Configure the Bamboo plan), so do not grant the token anything broader.

    A screenshot of Create API Token Wizard with the required access rights marked as selected.

  5. Click Generate Token.
  6. Copy the token value; you will need it when you configure REST API Static Security Testing.

    Create API Token Wizard showing the generated token and the buttons for showing the token value and copying it.

Add the API token in Bamboo credentials

Before you add the task to your Bamboo plan, you must add the API token you created to your Bamboo credentials.

  1. Log in to your Bamboo account, and open Bamboo administration > Shared credentials.
  2. Click Add new credentials > Username and password.
  3. Enter a name and a username for the credential, and paste the API token as the password.

    An example screenshot of adding shared credentials dialog in Bamboo. The API token is shown as dots in the password field.

  4. Click Save credentials.

You now have credentials that your Bamboo plan can use to authenticate to Security Audit.

Configure the Bamboo plan

To integrate Security Audit with Bamboo, you must add the app REST API Static Security Testing to your Bamboo server and add a task in your Bamboo plan.

  1. If your Bamboo server does not yet have the app REST API Static Security Testing installed, install it from Atlassian Marketplace. This needs to be done only once for each Bamboo server.
  2. Go to the Bamboo project and the plan that you want, and click Actions > Configure plan.
  3. Click the job you want to integrate with API Contract Security Audit, and add the task REST API Static Security Testing.

  4. Set API token to access 42Crunch Platform to the credential you added in Bamboo credentials.

    An example screenshot showing the task configuration.

  5. Choose the API collection where the discovered OpenAPI definitions are stored. By default, the task will use the plan name.

    You can leave the name as the default one, or enter a name you want.

    • If the API collection with the specified name does not exist in your organization in 42Crunch Platform, the build task creates the collection.
    • If the API collection with the specified name already exists, the build task first removes all existing API definitions (along with their API UUIDs) from that collection before storing the discovered OpenAPI definitions in it. Each discovered API definition also gets a new API UUID on the platform.

    Caution: The plugin always starts by clearing the API collection you specify for it. Removing APIs and their API UUIDs also permanently removes any information tied to those UUIDs, such as previous audit reports, scan reports, or protection configuration and logs. For more details on how to avoid this, see Mapping OpenAPI files to APIs in the platform.

  6. Enter the minimum API score that the audited OpenAPI definitions must get from the audit for the task to succeed. If any API definition scores lower than the minimum you set, the task fails. The default is 75.
  7. Click Save to finish configuring the task. To test the integration, run your Bamboo plan.

The task succeeds or fails depending on the minimum score. The build summary provides further details. In either case, the task uploads all discovered OpenAPI definitions to the specified API collection in 42Crunch Platform:

An example screenshot showing the collection the task created in 42Crunch Platform.

The logs of the run include the URL of each discovered API in the platform. You can copy the URL and paste it into your browser to view the detailed audit report of the corresponding API.

A screenshot of a job log. The log shows the URLs to the audit reports of the discovered APIs.

If the build fails because one or more APIs do not meet the criteria you set, these APIs are shown as failures in the build summary:

An example screenshot of a build result summary in Bamboo.

These failures are also automatically added to tests in your build job:

A screenshot of the tests added for two APIs that failed the build task.

As issues found in the audit are fixed in the API definitions so that they pass your criteria, they are moved from failed tests to passed tests in the job. This makes it easy to keep track of progress and spot regressions.


You can further fine-tune how the integration plugin works by adding a configuration file called 42c-conf.yaml at the root of the source code repository that the CI/CD pipeline checks out. For example, you can:

  • Map OpenAPI files to API UUIDs of APIs in the platform.
  • Specify fail_on conditions to define what the plugin reports as failures.
  • Control what happens in the discovery phase.

For more details, see the configuration examples in our Resources repository in GitHub.
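The following 42c-conf.yaml is an added example, not a file from this page or from the 42Crunch Resources repository. It addresses the caution above by mapping the discovered files to APIs that already exist in the platform so that their UUIDs and audit history survive the run, narrows the discovery phase, and sets fail_on conditions. The key names follow the published configuration examples as I recall them; the branch name, file paths, UUID placeholders and threshold values are assumptions, so verify the keys against the Resources repository before relying on this file.

```yaml
# 42c-conf.yaml, placed at the root of the repository the Bamboo plan checks out.
# Added example, not from the 42Crunch documentation or the Resources repository;
# key names follow the published examples as recalled and should be verified there.
audit:
  branches:
    # Settings are defined per branch; "main" is an assumed branch name.
    main:
      # Map OpenAPI files (paths relative to the repository root) to the UUIDs
      # of APIs that already exist in the platform. A mapped file updates that
      # API instead of creating a new one, so the UUID and the reports tied to
      # it are kept. Replace the placeholders with the real UUIDs.
      mapping:
        'api/petstore.yaml': '<uuid-of-petstore-api-in-platform>'
        'api/orders.json': '<uuid-of-orders-api-in-platform>'
      # Limit what the discovery phase picks up. Globs are relative to the
      # repository root; a leading '!' excludes matches (test fixtures and
      # vendored code should never be uploaded as your APIs).
      discovery:
        search:
          - 'api/**/*.yaml'
          - 'api/**/*.json'
          - '!**/node_modules/**'
          - '!**/test-fixtures/**'
      # What the plugin reports as a failure. The audit score is split into a
      # data component and a security component; requiring a minimum for each
      # is stricter than a single total, because a high data score cannot mask
      # a poor security score. Thresholds here are assumptions for this example.
      fail_on:
        invalid_contract: true
        score:
          data: 70
          security: 30
        severity: medium
```

Commit this file alongside the OpenAPI definitions so that the mapping is reviewed like any other change to the pipeline; a wrong or removed mapping entry means the next run falls back to the default behaviour of clearing the collection.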