Implements API security testing with 42Crunch platform: static audits on OpenAPI specs and dynamic conformance scans. Useful for shift-left security in CI/CD pipelines.
42Crunch is an API security platform that combines shift-left security testing with runtime protection (shield-right). It provides API Audit for static security analysis of OpenAPI definitions, API Conformance Scan for dynamic vulnerability detection, and API Protect for real-time threat protection. The platform integrates into CI/CD pipelines and IDEs to identify OWASP API Security Top 10 vulnerabilities before and after deployment.
Implements API security testing with 42Crunch for static audits and dynamic conformance scans of OpenAPI specs. Useful for CI/CD pipelines, IDE integration, and OWASP API Top 10 checks.
Implements API security testing with 42Crunch for static audits and dynamic conformance scans of OpenAPI specifications. Integrates with CI/CD pipelines and IDEs like VS Code.
Scans API code for OWASP Top 10 vulnerabilities: injection, BOLA, broken auth, mass assignment, excessive data exposure, missing rate limits, and weak validation.
API Audit performs static security analysis on an OpenAPI definition without needing a running API. It applies 300+ security checks to the specification, grouped by category:
Security score categories:
Run API Audit through the VS Code extension:
Example OpenAPI definition with security controls:
```yaml
openapi: 3.0.3
info:
  title: Secure User API
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
    description: Production server (HTTPS only)
security:
  - BearerAuth: []
paths:
  /users/{userId}:
    get:
      operationId: getUserById
      summary: Retrieve user by ID
      parameters:
        - name: userId
          in: path
          required: true
          schema:
            type: string
            format: uuid
            pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
            maxLength: 36
      responses:
        '200':
          description: User details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '401':
          description: Unauthorized
        '404':
          description: User not found
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
  schemas:
    User:
      type: object
      required:
        - id
        - email
      properties:
        id:
          type: string
          format: uuid
          readOnly: true
        email:
          type: string
          format: email
          maxLength: 254
        name:
          type: string
          maxLength: 100
          pattern: '^[a-zA-Z\s\-]+$'
      additionalProperties: false
    Error:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: integer
          format: int32
        message:
          type: string
          maxLength: 256
      additionalProperties: false
```
The Conformance Scan tests a running API dynamically, verifying that it conforms to its OpenAPI contract and detecting runtime vulnerabilities, including OWASP API Security Top 10 issues:
Scan v2 configuration:
```yaml
# 42c-conf.yaml
version: "2.0"
scan:
  target:
    url: https://api.example.com/v1
  authentication:
    - type: bearer
      token: "${API_TOKEN}"
      in: header
      name: Authorization
  settings:
    maxScanTime: 3600
    requestsPerSecond: 10
    followRedirects: false
  tests:
    owasp:
      - bola
      - bfla
      - injection
      - ssrf
      - massAssignment
      - excessiveDataExposure
```
Run a conformance scan from the CLI:
```bash
# Install the 42Crunch CLI
npm install -g @42crunch/cicd-cli

# Run the conformance scan
42crunch-cli scan \
  --api-definition ./openapi.yaml \
  --target-url https://api.example.com/v1 \
  --token $CRUNCH_TOKEN \
  --min-score 70 \
  --report-format sarif \
  --output scan-report.sarif
```
GitHub Actions integration:
```yaml
name: API Security Testing
on:
  push:
    paths:
      - 'api/**'
      - 'openapi/**'
jobs:
  api-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: 42Crunch API Audit
        uses: 42Crunch/api-security-audit-action@v3
        with:
          api-token: ${{ secrets.CRUNCH_API_TOKEN }}
          collection-name: "my-api-collection"
          min-score: 75
          upload-to-code-scanning: true
      - name: 42Crunch Conformance Scan
        if: github.ref == 'refs/heads/main'
        uses: 42Crunch/api-conformance-scan@v1
        with:
          api-token: ${{ secrets.CRUNCH_API_TOKEN }}
          target-url: ${{ secrets.STAGING_API_URL }}
          scan-config: ./42c-conf.yaml
```
Jenkins pipeline integration:
```groovy
pipeline {
    agent any
    stages {
        stage('API Security Audit') {
            steps {
                script {
                    def auditResult = sh(
                        script: '''
                            42crunch-cli audit \
                              --api-definition openapi.yaml \
                              --token ${CRUNCH_TOKEN} \
                              --min-score 75 \
                              --report-format json \
                              --output audit-report.json
                        ''',
                        returnStatus: true
                    )
                    if (auditResult != 0) {
                        error("API security audit failed - score below threshold")
                    }
                }
            }
        }
        stage('Conformance Scan') {
            when { branch 'main' }
            steps {
                sh '''
                    42crunch-cli scan \
                      --api-definition openapi.yaml \
                      --target-url ${STAGING_URL} \
                      --token ${CRUNCH_TOKEN} \
                      --scan-config 42c-conf.yaml
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: '*-report.*'
            publishHTML([
                reportDir: '.',
                reportFiles: 'audit-report.html',
                reportName: 'API Security Report'
            ])
        }
    }
}
```
API Protect is deployed as a micro-gateway in front of the API endpoint and enforces the OpenAPI contract at runtime:
```yaml
# api-protect-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-protect-config
data:
  protection-config.json: |
    {
      "apiDefinition": "/config/openapi.yaml",
      "enforcement": {
        "validateRequests": true,
        "validateResponses": true,
        "blockOnFailure": true,
        "logLevel": "warn"
      },
      "rateLimit": {
        "enabled": true,
        "requestsPerMinute": 100,
        "burstSize": 20
      },
      "allowlist": {
        "contentTypes": ["application/json"],
        "methods": ["GET", "POST", "PUT", "DELETE"]
      }
    }
```
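To make the enforcement settings above concrete, here is a small contract-enforcing gateway in Python. It is an added example, not 42Crunch's API Protect code: the config keys mirror the ConfigMap above, while the `CONTRACT` table, the request dictionary shape and the `Gateway` class are assumptions made for this illustration. It applies the method and content-type allowlists, validates a path parameter against its `pattern`/`maxLength`, rejects request bodies that carry properties the schema does not declare (the `additionalProperties: false` behaviour), and rate-limits each client with a token bucket sized by `requestsPerMinute` and `burstSize`; `blockOnFailure` switches violations between blocking and log-only forwarding.

```python
"""Contract-enforcing micro-gateway, added to show what the API Protect settings above
do per request. Not 42Crunch's code: config keys mirror the ConfigMap above; the
contract table and request dict shape are assumptions made for this example."""
import re
import time

CONFIG = {  # trimmed copy of protection-config.json above (constructed)
    "enforcement": {"blockOnFailure": True},
    "rateLimit": {"enabled": True, "requestsPerMinute": 100, "burstSize": 20},
    "allowlist": {"contentTypes": ["application/json"], "methods": ["GET", "POST", "PUT", "DELETE"]},
}
CONTRACT = {  # constructed, OpenAPI-like description of one operation (assumed shape)
    ("PUT", "/users/{userId}"): {
        "params": {"userId": {"pattern": r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
                              "maxLength": 36}},
        "body": {"required": ["email"], "properties": {
            "email": {"maxLength": 254}, "name": {"maxLength": 100, "pattern": r"^[a-zA-Z\s\-]+$"}}},
    },
}

class TokenBucket:
    """Per-client limiter: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), now
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def match_path(template, path):
    """Bind {name} segments of the template to the request path; None on mismatch."""
    tpl, got = template.strip("/").split("/"), path.strip("/").split("/")
    if len(tpl) != len(got):
        return None
    params = {}
    for t, s in zip(tpl, got):
        if t.startswith("{"):
            params[t[1:-1]] = s
        elif t != s:
            return None
    return params

def check_string(value, schema):
    """Error text for a type/maxLength/pattern violation, else None."""
    if not isinstance(value, str):
        return "is not a string"
    if len(value) > schema.get("maxLength", len(value)):
        return "exceeds maxLength"
    if "pattern" in schema and not re.search(schema["pattern"], value):
        return "does not match pattern"
    return None

def validate_body(body, schema):
    """Enforce required properties, reject unknown ones, apply string constraints."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    for key in schema.get("required", []):
        if key not in body:
            return f"missing required property {key}"
    for key, value in body.items():
        prop = schema["properties"].get(key)
        if prop is None:  # additionalProperties: false, the mass-assignment guard
            return f"unexpected property {key}"
        err = check_string(value, prop)
        if err:
            return f"{key} {err}"
    return None

class Gateway:
    def __init__(self, config=CONFIG, contract=CONTRACT):
        self.cfg, self.contract, self.buckets = config, contract, {}
    def _fail(self, status, reason):  # blockOnFailure: block, or forward and log
        if self.cfg["enforcement"]["blockOnFailure"]:
            return status, reason
        return 200, f"forwarded, logged: {reason}"

    def handle(self, req, now=None):
        """Decide one request as (status, reason); `now` lets tests control time."""
        now = time.monotonic() if now is None else now
        rl = self.cfg["rateLimit"]
        if rl["enabled"]:
            bucket = self.buckets.setdefault(req["client"], TokenBucket(
                rl["requestsPerMinute"] / 60.0, rl["burstSize"], now))
            if not bucket.allow(now):
                return 429, "rate limit exceeded"
        if req["method"] not in self.cfg["allowlist"]["methods"]:
            return self._fail(405, "method not allowed")
        for (method, template), op in self.contract.items():
            params = match_path(template, req["path"])
            if method == req["method"] and params is not None:
                break
        else:
            return self._fail(404, "no matching operation in contract")
        body = req.get("body")
        if body is not None and req.get("content_type") not in self.cfg["allowlist"]["contentTypes"]:
            return self._fail(415, "content type not allowed")
        for name, schema in op["params"].items():
            err = check_string(params.get(name, ""), schema)
            if err:
                return self._fail(400, f"path parameter {name} {err}")
        if "body" in op:
            err = validate_body(body, op["body"])
            if err:
                return self._fail(400, err)
        return 200, "forwarded"
```

Routes absent from the contract are refused rather than forwarded, which is the positive-security model a contract-driven gateway relies on; a real deployment would load the contract from the OpenAPI file named in `apiDefinition` instead of the constructed table here.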
When 42Crunch reports an issue, follow this remediation workflow:
Common audit findings and their fixes:
| Finding | Severity | Remediation |
|---|---|---|
| No authentication defined | Critical | Add securitySchemes and a security requirement |
| Missing input validation | High | Add type, format, pattern and maxLength constraints |
| Server URL uses HTTP | High | Change the server URL to HTTPS |
| Error responses not defined | Medium | Add 4xx and 5xx response definitions |
| additionalProperties unrestricted | Medium | Set additionalProperties: false on object schemas |
| Missing rate limiting | Medium | Add an x-rateLimit extension or use API Protect |
42Crunch evaluates APIs against the following key security areas:
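The following Python script is an added example that turns the audit categories and the remediation table above into runnable checks, so the findings can be reproduced on a specification before it is sent to the platform. It is not 42Crunch's audit engine or its 300+ rule set: the six checks, the `x-rateLimit` lookup (the page names the extension but not its shape, so the `requestsPerMinute` key inside it is assumed), and the severity weights behind `score()` are assumptions made for this example. The two embedded specifications are constructed: `WEAK_SPEC` exhibits every finding in the table, `HARDENED_SPEC` is a compact version of the secured definition shown earlier.

```python
"""Lightweight OpenAPI static audit, added as an illustration of the remediation
table above. Not 42Crunch's engine: the checks, the x-rateLimit lookup and the
severity weights are assumptions made for this example."""
import json

WEIGHT = {"critical": 30, "high": 15, "medium": 5}   # assumed score deductions
METHODS = {"get", "post", "put", "patch", "delete"}

def resolve(spec, schema):
    """Follow a local $ref such as '#/components/schemas/User'; else return as-is."""
    if "$ref" not in schema:
        return schema
    node = spec
    for part in schema["$ref"].lstrip("#/").split("/"):
        node = node[part]
    return node

def object_schemas(spec, schema, where, out, seen=()):
    """Collect (location, schema) for every object schema reachable from `schema`."""
    ref = schema.get("$ref")
    if ref in seen:
        return
    seen, where = seen + ((ref,) if ref else ()), ref or where
    schema = resolve(spec, schema)
    if schema.get("type") == "object":
        out.append((where, schema))
        for name, prop in schema.get("properties", {}).items():
            object_schemas(spec, prop, f"{where}.{name}", out, seen)
    elif schema.get("type") == "array" and "items" in schema:
        object_schemas(spec, schema["items"], f"{where}[]", out, seen)

def audit(spec):
    """Return de-duplicated (severity, finding, location) tuples."""
    findings = []
    has_schemes = bool(spec.get("components", {}).get("securitySchemes"))
    for server in spec.get("servers", []):
        if server.get("url", "").startswith("http://"):
            findings.append(("high", "Server URL uses HTTP", server["url"]))
    for route, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            loc = f"{method.upper()} {route}"
            # operation-level security overrides the global requirement; both need a scheme
            if not (has_schemes and op.get("security", spec.get("security"))):
                findings.append(("critical", "No authentication defined", loc))
            for p in item.get("parameters", []) + op.get("parameters", []):
                schema = resolve(spec, p.get("schema", {}))
                if schema.get("type") == "string" and not (
                        {"pattern", "maxLength", "format", "enum"} & schema.keys()):
                    findings.append(("high", "Missing input validation", f"{loc} param {p['name']}"))
            if not any(code[0] in "45" for code in op.get("responses", {})):
                findings.append(("medium", "No error responses defined", loc))
            if "x-rateLimit" not in op and "x-rateLimit" not in spec:
                findings.append(("medium", "Missing rate limit", loc))
            objs = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    object_schemas(spec, media.get("schema", {}), loc, objs)
            for media in op.get("requestBody", {}).get("content", {}).values():
                object_schemas(spec, media.get("schema", {}), loc + " body", objs)
            for where, schema in objs:
                if schema.get("additionalProperties") is not False:
                    findings.append(("medium", "additionalProperties not restricted", where))
    return list(dict.fromkeys(findings))

def score(findings):
    """Illustrative score: 100 minus the summed weights, floored at 0."""
    return max(0, 100 - sum(WEIGHT[sev] for sev, _, _ in findings))

# Constructed specifications: one with every finding in the table, one hardened.
WEAK_SPEC = json.loads("""{"openapi": "3.0.3",
 "servers": [{"url": "http://api.example.com/v1"}],
 "paths": {"/users/{userId}": {"get": {
   "parameters": [{"name": "userId", "in": "path", "required": true, "schema": {"type": "string"}}],
   "responses": {"200": {"description": "ok", "content": {"application/json": {"schema":
     {"type": "object", "properties": {"email": {"type": "string"}}}}}}}}}}}""")
HARDENED_SPEC = json.loads("""{"openapi": "3.0.3",
 "servers": [{"url": "https://api.example.com/v1"}],
 "security": [{"BearerAuth": []}],
 "paths": {"/users/{userId}": {"get": {
   "x-rateLimit": {"requestsPerMinute": 100},
   "parameters": [{"name": "userId", "in": "path", "required": true,
                   "schema": {"type": "string", "format": "uuid", "maxLength": 36}}],
   "responses": {
     "200": {"description": "ok", "content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}},
     "400": {"description": "bad request", "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Error"}}}},
     "401": {"description": "unauthorized"}}}}},
 "components": {
   "securitySchemes": {"BearerAuth": {"type": "http", "scheme": "bearer"}},
   "schemas": {
     "User": {"type": "object", "additionalProperties": false,
              "properties": {"email": {"type": "string", "format": "email", "maxLength": 254}}},
     "Error": {"type": "object", "additionalProperties": false,
               "properties": {"message": {"type": "string", "maxLength": 256}}}}}}""")

if __name__ == "__main__":
    for sev, what, where in audit(WEAK_SPEC):
        print(f"[{sev}] {what} at {where}")
    print("weak score:", score(audit(WEAK_SPEC)), "hardened score:", score(audit(HARDENED_SPEC)))
```

Run against `WEAK_SPEC` the script lists all six table rows (HTTP server, no authentication, an unconstrained string parameter, no 4xx/5xx responses, no rate-limit extension, an open object schema); `HARDENED_SPEC` yields none. The same `min-score` gating idea as the CLI examples above can be built on `score()`, but treat its number as illustrative, since the platform's own weighting is not reproduced here.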