42Crunch/cicd-github-actions
GitHub Actions CI/CD plugin

GitHub Action: 42Crunch REST API Conformance Enforcement

This action can be used to enforce compliance with 42Crunch security quality gates, produce SARIF reports from raw 42Crunch dynamic scan reports, and upload the SARIF results to GitHub Code Scanning.

42Crunch API Conformance Scan serves two purposes:

  • Testing the resilience and behavior of APIs by automatically generating security tests from the API's OpenAPI (a.k.a. Swagger) definition. The tests inject bad payloads and tokens and use invalid HTTP verbs and paths to detect vulnerabilities, especially those associated with the OWASP API Security Top 10.
  • Validating that the implementation of the API is indeed in line with its established contract.

This action can be used to analyze scan reports. It assumes that you have already run a scan, either via Docker or through the 42Crunch scand manager.

Security Quality Gates

Security quality gates are used to enforce security compliance across the enterprise by analyzing a conformance scan report and comparing it against the rules established centrally.

Key examples include:

  • Preventing APIs with API1 through API5 vulnerabilities from being deployed
  • Preventing APIs with high risk issues from being deployed
  • Preventing APIs with low test coverage from being deployed

SARIF export

Additionally, you can export the 42Crunch native JSON report as a SARIF file. This file can then be used with third-party tools or your own dashboards for analysis.
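As an added example (not code from the 42Crunch action or platform), the script below applies the kind of gate described under Security Quality Gates to a SARIF file such as the one this action can export: it lists the findings and fails when any result reaches a chosen severity level. The SARIF document, rule ids and messages embedded in it are constructed for the example; real 42Crunch rule ids will differ.

```python
import json
import sys

# SARIF result levels, least to most severe (SARIF 2.1.0 vocabulary).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF document standing in for an exported scan report;
# rule ids and messages are made up for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "EX-AUTH-001", "level": "error",
             "message": {"text": "constructed: invalid token was accepted"}},
            {"ruleId": "EX-INPUT-002",
             "message": {"text": "constructed: no level set, SARIF defaults to warning"}},
            {"ruleId": "EX-INFO-003", "level": "note",
             "message": {"text": "constructed: informational only"}},
        ],
    }],
})

def violations(sarif_text, min_level="error"):
    """Return (ruleId, message) for every result at or above min_level."""
    doc = json.loads(sarif_text)
    threshold = LEVEL_RANK[min_level]
    found = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF 2.1.0 treats a missing level on a failed result as "warning".
            level = result.get("level", "warning")
            if LEVEL_RANK.get(level, 0) >= threshold:
                found.append((result.get("ruleId", "<no rule>"), result["message"]["text"]))
    return found

def gate_passes(sarif_text, min_level="error", allowed=0):
    """The gate passes when at most `allowed` results reach min_level."""
    return len(violations(sarif_text, min_level)) <= allowed

if __name__ == "__main__":
    # Usage: python sarif_gate.py report.sarif  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for rule, msg in violations(text, "warning"):
        print(f"{rule}: {msg}")
    sys.exit(0 if gate_passes(text) else 1)
```

A non-zero exit status is what makes a workflow step fail, so the script can sit directly after the SARIF export as a local gate.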

GitHub Code Scanning

Finally, you can publish the SARIF results to GitHub Code Scanning, assuming Code Scanning is enabled on your repository. Results will be shown on the Security tab, where you can filter results by tool and by PR/Branch.

A link is provided to directly pinpoint the location of the error in your source repository.


Getting Started

To use this action, you must have an account on the 42Crunch platform. You can request an account by contacting us from this page: https://42crunch.com/get-started/.

Then, follow the steps described in the documentation to create an API token for the action to authenticate to 42Crunch Platform, and save it as a secret in GitHub.

Action Parameters

You can customize the action execution through various parameters:

| Parameter | Required? | Description | Default |
| --- | --- | --- | --- |
| api-token | Yes | API token to connect to the 42Crunch platform | |
| platform-url | No | Full URL of the 42Crunch platform to connect to | https://platform.42crunch.com |
| audit-report-path | Yes | Report generated by the audit action execution, containing the list of APIs and their platform UUIDs | |
| convert-to-sarif | No | Convert the scan reports to SARIF format | False |
| upload-sarif | No | Upload SARIF reports to Code Scanning | False |
| check-sqg | No | Check whether reports conform to platform SQGs | True |
| github-token | No | Access to GitHub Code Scanning | ${{ github.token }} |

Examples

Individual step example

A typical new step in an existing workflow would look like this:

  • Set permissions to allow uploads to GitHub Code Scanning
  • Check scan reports for compliance: for each of the APIs which have been previously audited, check the conformance scan report results against the security gates and upload the SARIF results to GitHub Code Scanning.
```yaml
run_42c_scan:
  runs-on: ubuntu-latest
  environment: dev
  permissions:
    contents: read # for actions/checkout to fetch code
    security-events: write # to upload results to GitHub Code Scanning
  steps:
    ...
    # Analyze the scan report of each audited API against the platform SQGs
    - name: Check scan report compliance
      uses: 42crunch/cicd-github-actions@v1
      with:
        api-token: ${{ secrets.API_TOKEN }}
        platform-url: ${{ env.PLATFORM_URL }}
        audit-report-path: audit-action-report-${{ github.run_id }}.json
        convert-to-sarif: scan-report-${{ github.run_id }}.sarif
        upload-sarif: true
        check-sqg: true
```

Full workflow example

A typical workflow which executes the scan and then analyzes the results via this action would look like this:

  • Obtain an API credential. In this example, the API exposes a login endpoint which requires a user and password. The pipeline leverages secrets and environments to store this information.
  • Update the scan configuration on the platform and obtain the corresponding scan token.
  • Run the scan leveraging scand manager.
  • Check the scan report for compliance: this action leverages the audit task report execution to find the API in the 42Crunch platform. It then waits for the scan task to complete and analyzes the report against the security gates defined at the platform level.
```yaml
steps:
  - name: checkout repo
    uses: actions/checkout@v3
  # Log in to the target API and expose the returned token as a step output
  - name: get_pixi_token
    id: get_pixi_token
    run: |
      login_response=$(python .42c/scripts/pixi-login.py -u ${{ vars.PIXI_USER_NAME }} -p ${{ secrets.USER_PASS }} -t ${{ vars.PIXI_TARGET_URL }})
      echo "PIXI_TOKEN=$login_response" >> $GITHUB_OUTPUT
  # Update the scan configuration on the platform and obtain the scan token
  - name: update_scan_config
    id: update_scan_config
    run: |
      scanconfig_response=$(python .42c/scripts/scan_v1_config.py ${{github.server_url}}/${{ github.repository }} ${{ github.ref }} ${{ secrets.API_TOKEN }} '{$ACCESS_TOKEN}' ${{env.PLATFORM_URL}})
      echo "SCANV1_TOKEN=$scanconfig_response" >> $GITHUB_OUTPUT
  # Fetch the audit report produced earlier in the pipeline
  - name: download_audit_report
    uses: actions/download-artifact@v3
    with:
      name: auditaction-report-${{ github.run_id }}
  # Ask scand manager to launch the scan; the API token is passed to the scan agent as an environment variable
  - name: 42crunch-dynamic-api-testing
    uses: fjogeleit/http-request-action@v1
    with:
      url: ${{ vars.SCAND_MANAGER_URL }}
      method: POST
      contentType: "application/json"
      customHeaders: '{"Accept": "application/json"}'
      data: '{"token": "${{ steps.update_scan_config.outputs.SCANV1_TOKEN }}","name": "scand-${{ github.run_id }}-${{ github.run_attempt }}","platformService": "${{ env.PLATFORM_SERVICE_ENDPOINT }}","scandImage": "${{vars.SCAN_AGENT_V1}}","expirationTime": 600,"env": { "SECURITY_ACCESS_TOKEN": "${{ steps.get_pixi_token.outputs.PIXI_TOKEN }}"}}'
  # Wait for the scan to finish, then check the report against the platform SQGs and upload SARIF
  - name: check scan results
    uses: 42crunch/cicd-github-actions@v1
    with:
      api-token: ${{ secrets.API_TOKEN }}
      platform-url: ${{ env.PLATFORM_URL }}
      audit-report-path: audit-action-report-${{ github.run_id }}.json
      convert-to-sarif: scan-report-${{ github.run_id }}.sarif
      upload-sarif: true
      check-sqg: true
```

Support

The action is maintained by the 42Crunch ecosystems team. If you run into an issue, or have a question not answered here, you can create a support ticket at support.42crunch.com and we will be happy to help.

When reporting an issue, do include:

  • The version of the GitHub action
  • Relevant logs and error messages
  • Steps to reproduce the issue