Implements API security testing with 42Crunch platform: static audits on OpenAPI specs and dynamic conformance scans. Useful for shift-left security in CI/CD pipelines.
Slash command: /cybersecurity-skills-zh:implementing-api-security-testing-with-42crunch
42Crunch is an API security platform that combines shift-left security testing with shield-right runtime protection. It provides API Audit for static security analysis of OpenAPI definitions, API Conformance Scan for dynamic vulnerability detection, and API Protect for real-time threat protection. The platform integrates into CI/CD pipelines and IDEs to identify OWASP API Security Top 10 vulnerabilities before and after deployment.
API Audit performs static security analysis on an OpenAPI definition without needing a running API. It applies 300+ security checks to the specification, grouped by category:
Security score categories:
Run API Audit from the VS Code extension:
Example OpenAPI definition with security controls:
```yaml
openapi: 3.0.3
info:
  title: Secure User API
  version: 1.0.0
servers:
  - url: https://api.example.com/v1
    description: Production server (HTTPS only)
security:
  - BearerAuth: []
paths:
  /users/{userId}:
    get:
      operationId: getUserById
      summary: Retrieve user by ID
      parameters:
        - name: userId
          in: path
          required: true
          schema:
            type: string
            format: uuid
            pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
            maxLength: 36
      responses:
        '200':
          description: User details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '401':
          description: Unauthorized
        '404':
          description: User not found
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
  schemas:
    User:
      type: object
      required:
        - id
        - email
      properties:
        id:
          type: string
          format: uuid
          readOnly: true
        email:
          type: string
          format: email
          maxLength: 254
        name:
          type: string
          maxLength: 100
          pattern: '^[a-zA-Z\s\-]+$'
      additionalProperties: false
    Error:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: integer
          format: int32
        message:
          type: string
          maxLength: 256
      additionalProperties: false
```
The Conformance Scan tests a running API dynamically, verifying that it honours the OpenAPI contract and detecting runtime vulnerabilities (including OWASP API Security Top 10 issues):
Scan v2 configuration:
```yaml
# 42c-conf.yaml
version: "2.0"
scan:
  target:
    url: https://api.example.com/v1
  authentication:
    - type: bearer
      token: "${API_TOKEN}"
      in: header
      name: Authorization
  settings:
    maxScanTime: 3600
    requestsPerSecond: 10
    followRedirects: false
  tests:
    owasp:
      - bola
      - bfla
      - injection
      - ssrf
      - massAssignment
      - excessiveDataExposure
```
Run the conformance scan from the CLI:
```bash
# Install the 42Crunch CLI
npm install -g @42crunch/cicd-cli

# Run the conformance scan; the token is read from the environment so it
# never lands in the repository, and a SARIF report is written for code scanning
42crunch-cli scan \
  --api-definition ./openapi.yaml \
  --target-url https://api.example.com/v1 \
  --token $CRUNCH_TOKEN \
  --min-score 70 \
  --report-format sarif \
  --output scan-report.sarif
```
GitHub Actions integration:
```yaml
name: API Security Testing
on:
  push:
    paths:
      - 'api/**'
      - 'openapi/**'
jobs:
  api-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: 42Crunch API审计
        uses: 42Crunch/api-security-audit-action@v3
        with:
          api-token: ${{ secrets.CRUNCH_API_TOKEN }}
          collection-name: "my-api-collection"
          min-score: 75
          upload-to-code-scanning: true
      - name: 42Crunch合规扫描
        if: github.ref == 'refs/heads/main'
        uses: 42Crunch/api-conformance-scan@v1
        with:
          api-token: ${{ secrets.CRUNCH_API_TOKEN }}
          target-url: ${{ secrets.STAGING_API_URL }}
          scan-config: ./42c-conf.yaml
```
Jenkins pipeline integration:
```groovy
pipeline {
    agent any
    stages {
        stage('API Security Audit') {
            steps {
                script {
                    // Audit the definition; a score below --min-score makes the CLI exit non-zero
                    def auditResult = sh(
                        script: '''
                            42crunch-cli audit \
                              --api-definition openapi.yaml \
                              --token ${CRUNCH_TOKEN} \
                              --min-score 75 \
                              --report-format json \
                              --output audit-report.json
                        ''',
                        returnStatus: true
                    )
                    if (auditResult != 0) {
                        error("API安全审计失败 - 分数低于阈值")
                    }
                }
            }
        }
        stage('Conformance Scan') {
            when { branch 'main' }
            steps {
                sh '''
                    42crunch-cli scan \
                      --api-definition openapi.yaml \
                      --target-url ${STAGING_URL} \
                      --token ${CRUNCH_TOKEN} \
                      --scan-config 42c-conf.yaml
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: '*-report.*'
            publishHTML([
                reportDir: '.',
                reportFiles: 'audit-report.html',
                reportName: 'API Security Report'
            ])
        }
    }
}
```
API Protect is deployed as a micro-gateway in front of the API endpoints and enforces the OpenAPI contract at runtime:
```yaml
# api-protect-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-protect-config
data:
  protection-config.json: |
    {
      "apiDefinition": "/config/openapi.yaml",
      "enforcement": {
        "validateRequests": true,
        "validateResponses": true,
        "blockOnFailure": true,
        "logLevel": "warn"
      },
      "rateLimit": {
        "enabled": true,
        "requestsPerMinute": 100,
        "burstSize": 20
      },
      "allowlist": {
        "contentTypes": ["application/json"],
        "methods": ["GET", "POST", "PUT", "DELETE"]
      }
    }
```
When 42Crunch reports findings, follow this remediation process:
Common audit findings and their fixes:
| Finding | Severity | Fix |
|---|---|---|
| No authentication defined | Critical | Add securitySchemes and a security requirement |
| Missing input validation | High | Add type, format, pattern and maxLength constraints |
| Server URL uses HTTP | High | Change the server URL to HTTPS |
| Error responses not defined | Medium | Add 4xx and 5xx response definitions |
| additionalProperties unrestricted | Medium | Set additionalProperties: false on object schemas |
| Missing rate limiting | Medium | Add an x-rateLimit extension or use API Protect |
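As an added example (not 42Crunch's audit engine and not code from this skill), a small pre-audit a CI job can run locally before uploading a spec: it flags the common audit findings from the table above, exercised against a constructed spec shaped like the "Secure User API" definition earlier on the page. The check logic, the severities and the assumed x-rateLimit extension are illustrative approximations of the table, not 42Crunch's scoring.

```python
# Constructed spec in the shape of the page's "Secure User API" (assumption: the
# x-rateLimit extension is added so the rate-limit check passes).
SECURE_SPEC = {
    "x-rateLimit": {"requestsPerMinute": 100},
    "servers": [{"url": "https://api.example.com/v1"}],
    "security": [{"BearerAuth": []}],
    "components": {
        "securitySchemes": {"BearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {
            "type": "object", "additionalProperties": False,
            "properties": {"email": {"type": "string", "format": "email", "maxLength": 254}},
        }},
    },
    "paths": {"/users/{userId}": {"get": {
        "parameters": [{"name": "userId", "in": "path", "schema": {
            "type": "string", "format": "uuid", "maxLength": 36, "pattern": "^[0-9a-f-]{36}$"}}],
        "responses": {"200": {}, "400": {}, "401": {}, "404": {}},
    }}},
}


def audit_spec(spec):
    """Return (severity, message) tuples, one per finding, in the table's order."""
    findings = []
    comps = spec.get("components", {})
    if not (comps.get("securitySchemes") and spec.get("security")):
        findings.append(("critical", "no authentication defined (securitySchemes/security)"))
    for srv in spec.get("servers", []):
        if srv.get("url", "").lower().startswith("http://"):
            findings.append(("high", f"server URL uses HTTP: {srv['url']}"))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            for p in op.get("parameters", []):  # unbounded string inputs are the injection/DoS surface
                s = p.get("schema", {})
                if s.get("type") == "string" and ("maxLength" not in s or not {"pattern", "format", "enum"}.intersection(s)):
                    findings.append(("high", f"{method.upper()} {path}: parameter '{p['name']}' lacks maxLength/pattern"))
            if not any(code.startswith("4") for code in op.get("responses", {})):
                findings.append(("medium", f"{method.upper()} {path}: no 4xx error response defined"))
    for name, schema in comps.get("schemas", {}).items():
        if schema.get("type") == "object" and schema.get("additionalProperties", True) is not False:
            findings.append(("medium", f"schema '{name}' does not set additionalProperties: false"))
        for prop, ps in schema.get("properties", {}).items():
            if ps.get("type") == "string" and "maxLength" not in ps:
                findings.append(("high", f"schema '{name}.{prop}' lacks maxLength"))
    if "x-rateLimit" not in spec:
        findings.append(("medium", "no rate limit declared (x-rateLimit extension or API Protect)"))
    return findings
```

Running `audit_spec(SECURE_SPEC)` returns an empty list; a spec with an http:// server, no security scheme and an unbounded query parameter returns the critical, high and medium findings in table order, which is the point at which a pipeline would stop before the real audit upload.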
42Crunch evaluates APIs against the following key security areas: