Anthropic-Cybersecurity-Skills implementing-api-security-testing-with-42crunch
Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/implementing-api-security-testing-with-42crunch" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-implementing-api-security-testing-with-4 && rm -rf "$T"
manifest:
skills/implementing-api-security-testing-with-42crunch/SKILL.mdsource content
Implementing API Security Testing with 42Crunch
Overview
42Crunch is an API security platform that combines Shift-Left security testing with Shield-Right runtime protection. It provides API Audit for static security analysis of OpenAPI definitions, API Conformance Scan for dynamic vulnerability detection, and API Protect for real-time threat prevention. The platform integrates into CI/CD pipelines and IDEs to identify OWASP API Security Top 10 vulnerabilities before and after deployment.
When to Use
- When deploying or configuring implementing api security testing with 42crunch capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- 42Crunch platform account (free tier available for evaluation)
- OpenAPI Specification (OAS) v2.0, v3.0, or v3.1 definitions for target APIs
- IDE with 42Crunch extension (VS Code, IntelliJ, or Eclipse)
- CI/CD pipeline (Jenkins, GitHub Actions, Azure DevOps, or GitLab CI)
- Running API instance for dynamic scanning (conformance scan)
- Node.js or Python environment for CLI tooling
Core Concepts
API Audit (Static Analysis)
API Audit performs static security analysis of OpenAPI definitions without requiring a running API. It evaluates the specification against 300+ security checks organized into categories:
Security Score Categories:
- Data Validation: Schema definitions, parameter constraints, response validation
- Authentication: Security scheme definitions, scope requirements
- Transport Security: Server URL schemes, TLS requirements
- Error Handling: Error response definitions, information leakage prevention
Running API Audit via VS Code Extension:
- Install the 42Crunch extension from the VS Code marketplace
- Open an OpenAPI specification file (YAML or JSON)
- Click the security audit icon in the editor toolbar
- Review the security score (0-100) and individual findings
- Address issues using the inline remediation guidance
Example OpenAPI Definition with Security Controls:
openapi: 3.0.3 info: title: Secure User API version: 1.0.0 servers: - url: https://api.example.com/v1 description: Production server (HTTPS only) security: - BearerAuth: [] paths: /users/{userId}: get: operationId: getUserById summary: Retrieve user by ID parameters: - name: userId in: path required: true schema: type: string format: uuid pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' maxLength: 36 responses: '200': description: User details content: application/json: schema: $ref: '#/components/schemas/User' '400': description: Invalid request content: application/json: schema: $ref: '#/components/schemas/Error' '401': description: Unauthorized '404': description: User not found components: securitySchemes: BearerAuth: type: http scheme: bearer bearerFormat: JWT schemas: User: type: object required: - id - email properties: id: type: string format: uuid readOnly: true email: type: string format: email maxLength: 254 name: type: string maxLength: 100 pattern: '^[a-zA-Z\s\-]+$' additionalProperties: false Error: type: object required: - code - message properties: code: type: integer format: int32 message: type: string maxLength: 256 additionalProperties: false
API Conformance Scan (Dynamic Testing)
The conformance scan dynamically tests a running API against its OpenAPI contract to detect runtime vulnerabilities including OWASP API Security Top 10 issues:
Scan v2 Configuration:
# 42c-conf.yaml version: "2.0" scan: target: url: https://api.example.com/v1 authentication: - type: bearer token: "${API_TOKEN}" in: header name: Authorization settings: maxScanTime: 3600 requestsPerSecond: 10 followRedirects: false tests: owasp: - bola - bfla - injection - ssrf - massAssignment - excessiveDataExposure
Running Conformance Scan via CLI:
# Install the 42Crunch CLI npm install -g @42crunch/cicd-cli # Run conformance scan 42crunch-cli scan \ --api-definition ./openapi.yaml \ --target-url https://api.example.com/v1 \ --token $CRUNCH_TOKEN \ --min-score 70 \ --report-format sarif \ --output scan-report.sarif
CI/CD Pipeline Integration
GitHub Actions Integration:
name: API Security Testing on: push: paths: - 'api/**' - 'openapi/**' jobs: api-security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: 42Crunch API Audit uses: 42Crunch/api-security-audit-action@v3 with: api-token: ${{ secrets.CRUNCH_API_TOKEN }} collection-name: "my-api-collection" min-score: 75 upload-to-code-scanning: true - name: 42Crunch Conformance Scan if: github.ref == 'refs/heads/main' uses: 42Crunch/api-conformance-scan@v1 with: api-token: ${{ secrets.CRUNCH_API_TOKEN }} target-url: ${{ secrets.STAGING_API_URL }} scan-config: ./42c-conf.yaml
Jenkins Pipeline Integration:
pipeline { agent any stages { stage('API Security Audit') { steps { script { def auditResult = sh( script: ''' 42crunch-cli audit \ --api-definition openapi.yaml \ --token ${CRUNCH_TOKEN} \ --min-score 75 \ --report-format json \ --output audit-report.json ''', returnStatus: true ) if (auditResult != 0) { error("API Security Audit failed - score below threshold") } } } } stage('Conformance Scan') { when { branch 'main' } steps { sh ''' 42crunch-cli scan \ --api-definition openapi.yaml \ --target-url ${STAGING_URL} \ --token ${CRUNCH_TOKEN} \ --scan-config 42c-conf.yaml ''' } } } post { always { archiveArtifacts artifacts: '*-report.*' publishHTML([ reportDir: '.', reportFiles: 'audit-report.html', reportName: 'API Security Report' ]) } } }
API Protect (Runtime Protection)
API Protect deploys as a micro-gateway in front of API endpoints to enforce the OpenAPI contract at runtime:
# api-protect-config.yaml apiVersion: v1 kind: ConfigMap metadata: name: api-protect-config data: protection-config.json: | { "apiDefinition": "/config/openapi.yaml", "enforcement": { "validateRequests": true, "validateResponses": true, "blockOnFailure": true, "logLevel": "warn" }, "rateLimit": { "enabled": true, "requestsPerMinute": 100, "burstSize": 20 }, "allowlist": { "contentTypes": ["application/json"], "methods": ["GET", "POST", "PUT", "DELETE"] } }
Remediation Workflow
When 42Crunch identifies issues, follow this remediation process:
- Triage: Review findings sorted by severity (Critical, High, Medium, Low)
- Analyze: Understand the specific security control missing from the OpenAPI definition
- Fix: Apply the recommended changes to the specification
- Validate: Re-run audit to confirm the score improvement
- Deploy: Push the updated specification through the CI/CD pipeline
Common Audit Findings and Fixes:
| Finding | Severity | Fix |
|---|---|---|
| No authentication defined | Critical | Add securitySchemes and security requirements |
| Missing input validation | High | Add type, format, pattern, maxLength constraints |
| Server URL uses HTTP | High | Change server URLs to HTTPS |
| No error responses defined | Medium | Add 4xx and 5xx response definitions |
| additionalProperties not restricted | Medium | Set additionalProperties: false on object schemas |
| Missing rate limiting | Medium | Add x-rateLimit extension or use API Protect |
Key Security Checks
42Crunch evaluates APIs against these critical security areas:
- BOLA Prevention: Validates that object-level authorization patterns are defined
- BFLA Prevention: Checks for function-level access control definitions
- Injection Prevention: Ensures input parameters have proper type/format/pattern constraints
- Data Exposure: Verifies response schemas limit returned properties
- Security Misconfiguration: Checks authentication schemes, transport security, CORS settings
- Mass Assignment: Validates that request bodies use explicit property allowlists
References
- 42Crunch API Security Platform: https://42crunch.com/api-security-platform/
- 42Crunch Documentation: https://docs.42crunch.com/
- Microsoft Defender for Cloud 42Crunch Integration: https://learn.microsoft.com/en-us/azure/defender-for-cloud/onboarding-guide-42crunch
- OWASP API Security Top 10 2023: https://owasp.org/API-Security/editions/2023/en/0x00-header/
- Jenkins Plugin for 42Crunch: https://plugins.jenkins.io/42crunch-security-audit/