Scan APIs

API Scan is a dynamic runtime analysis that runs checks against your live API implementation to discover issues and vulnerabilities in how your API, and the backend services behind it, actually behave.

We have introduced a new version of API Scan, referred to as the Scan v2 engine. For backward compatibility, and so that adopting the new version does not disrupt your day-to-day work, the previous engine version, Scan v1, has been retained. Both versions share the same core features and operation, but the Scan v2 engine offers additional features and more flexibility. Where the two versions differ, the difference is clearly indicated in this documentation.

You can run the Scan v1 engine in 42Crunch Platform or on premises as a Docker image. The Scan v2 engine is currently available as a Docker image for on-premises scans, or in v1-compatibility mode for running in 42Crunch Platform.

Types of scans

You can use API Scan to run different types of scans, each focusing on a different aspect of your API implementation. The underlying scan engine is the same for all scan types; what differs is the scan configuration the engine uses, which instructs it on what kind of requests to generate for the scan.

The choice of scan type is available only with the Scan v2 engine. The Scan v1 engine can run only conformance scans.

API Scan can run the following types of scans:

  • Conformance scan: A design-time scan that checks that your code and API implementation match the contract documented in your API definition, and that you have not inadvertently introduced vulnerabilities
  • Drift scan: A lightweight scan of deployed and operational APIs to ensure they continue to behave the expected way
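To make concrete what "matches the documented contract" means in the conformance scan description above, here is an added illustration that is not code from 42Crunch or its scan engine: a minimal checker that compares captured responses against an OpenAPI fragment and reports undocumented status codes, type mismatches and undocumented response properties. The OpenAPI fragment, the captured responses and the finding format are all constructed for this example; the real engine generates its own requests and runs far more checks than this.

```python
"""Minimal contract-conformance check (illustrative only, not 42Crunch code).

Compares captured API responses against the responses documented in an
OpenAPI definition and reports every mismatch as a finding string.
"""

# Constructed OpenAPI fragment for the example: one operation, two documented
# responses. The 200 response has a closed object schema (additionalProperties
# false), so any extra field leaking out of the backend is a finding.
OPENAPI = {
    "paths": {
        "/users/{id}": {
            "get": {
                "responses": {
                    "200": {
                        "content": {
                            "application/json": {
                                "schema": {
                                    "type": "object",
                                    "required": ["id", "name"],
                                    "additionalProperties": False,
                                    "properties": {
                                        "id": {"type": "integer"},
                                        "name": {"type": "string"},
                                    },
                                }
                            }
                        }
                    },
                    "404": {"description": "User not found"},
                }
            }
        }
    }
}

# Constructed captured responses, as a scan might have observed them.
RESPONSES = [
    # Conforms to the contract.
    {"path": "/users/{id}", "method": "get", "status": 200,
     "body": {"id": 1, "name": "alice"}},
    # Wrong type for id, plus an undocumented field leaking from the backend.
    {"path": "/users/{id}", "method": "get", "status": 200,
     "body": {"id": "2", "name": "bob", "password_hash": "$2b$..."}},
    # Status code not documented in the contract at all.
    {"path": "/users/{id}", "method": "get", "status": 500,
     "body": {"error": "database timeout"}},
]

# JSON Schema primitive types mapped to the Python types json.loads produces.
TYPE_MAP = {"integer": int, "number": (int, float), "string": str,
            "boolean": bool, "object": dict, "array": list}


def _matches(schema_type, value):
    """True if value is an instance of schema_type (bool is not a number)."""
    if schema_type in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, TYPE_MAP.get(schema_type, object))


def check_value(schema, value, path):
    """Recursively validate value against a (subset of) JSON Schema."""
    findings = []
    schema_type = schema.get("type")
    if schema_type and not _matches(schema_type, value):
        findings.append(f"{path}: expected {schema_type}, got {type(value).__name__}")
        return findings  # no point descending into a value of the wrong type
    if schema_type == "object":
        props = schema.get("properties", {})
        for required in schema.get("required", []):
            if required not in value:
                findings.append(f"{path}: missing required property '{required}'")
        for key, item in value.items():
            if key in props:
                findings.extend(check_value(props[key], item, f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                findings.append(f"{path}: undocumented property '{key}'")
    elif schema_type == "array":
        for i, item in enumerate(value):
            findings.extend(check_value(schema.get("items", {}), item, f"{path}[{i}]"))
    return findings


def check_response(spec, resp):
    """Return findings for one captured response against the spec."""
    operation = spec["paths"][resp["path"]][resp["method"]]
    documented = operation["responses"].get(str(resp["status"]))
    if documented is None:
        return [f"{resp['method'].upper()} {resp['path']}: undocumented status {resp['status']}"]
    media = documented.get("content", {}).get("application/json")
    if media is None:
        return []  # documented response without a JSON body schema
    return check_value(media["schema"], resp["body"], "body")


def scan(spec, responses):
    """Run the conformance check over all captured responses."""
    return [finding for resp in responses for finding in check_response(spec, resp)]


if __name__ == "__main__":
    for finding in scan(OPENAPI, RESPONSES):
        print(finding)
```

The second and third constructed responses are the kind of thing a conformance scan is meant to surface: a backend that returns a string where the contract promises an integer, an undocumented field (here a password hash) leaking into a response, and a 500 the contract never mentions. Running the same check periodically against a deployed API is, in miniature, what the drift scan described above does.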