42Crunch Releases OpenAPI Static Security Audit in GitHub Code Scanning

IRVINE, CA, OCTOBER 7, 2020: Today, the API security leader and creator of the industry's first API Firewall, 42Crunch, announced the availability of its REST API Static Security Testing with GitHub code scanning. By adding 42Crunch to code scanning, developers can include the OpenAPI (Swagger) definitions of their REST APIs in their static security tests.

Most of today's applications are driven by APIs. The transition to cloud-native architectures, microservices, serverless, single-page, IoT, and mobile applications has led to a proliferation of APIs. What used to be components of a monolithic application communicating within a single server are now standalone APIs talking to each other over the network.

This significantly expanded the attack surface and led to the rise of API attacks. In fact, hardly a week now goes by without new high-profile API vulnerabilities being reported by the popular API security news site

Gartner estimates that by 2022 APIs will become the most common attack vector.

Having direct access to applications’ backend services and databases with sensitive customer data, APIs are a lucrative target. API breaches can have significant business, public image, and financial impact.

At the same time, companies now have hundreds if not thousands of APIs. These APIs change constantly as teams adopt agile methodologies and continuously iterate on their functionality. The old approach of manual review and approval processes and static runtime rules can no longer serve as the foundation for securing such complex, dynamic systems.

The most cost-effective way to secure APIs is to "shift left" and establish security measures across the whole API lifecycle, from design through development and testing to run-time protection, ideally applying them automatically without human intervention.

Available as a GitHub Action, REST API Static Security Testing allows users to:

  • Discover REST APIs (OpenAPI definitions) in their GitHub repositories
  • Audit each API with 200+ security checks from 42Crunch covering industry best practices across authentication, authorization, transport, and data validation
  • Analyze the discovered vulnerabilities using the details provided for each one in GitHub code scanning alerts
  • Fix the vulnerabilities by working through the prioritized alert list, using the remediation suggestions provided with each alert
  • Enforce security by setting pass/fail criteria for CI/CD workflows and automated pull request checks
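To make the audit and enforcement steps concrete, the following is an added Python example written for this page; it is not 42Crunch's audit engine and implements none of its 200+ checks. It applies a handful of illustrative checks in three of the categories named above (transport, authentication, data validation) to a parsed OpenAPI 3 definition, scores the result, and applies a pass/fail gate of the kind a pull request check would enforce. The sample definition, the severity weights, the scoring formula, and the `min_score` threshold are all assumptions made for the example.

```python
import copy
import json

# Constructed sample OpenAPI 3 definition with deliberate weaknesses
# (assumed for this example; not taken from the page or from 42Crunch).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Pets", "version": "1.0"},
  "servers": [{"url": "http://api.example.com/v1"}],
  "components": {"securitySchemes": {
    "api_key": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
  "paths": {
    "/pets": {
      "get": {
        "security": [{"api_key": []}],
        "parameters": [{"name": "filter", "in": "query",
                        "schema": {"type": "string"}}],
        "responses": {"200": {"description": "ok", "content": {
          "application/json": {"schema": {"type": "array",
                                          "items": {"type": "object"}}}}}}
      },
      "post": {
        "requestBody": {"content": {"application/json": {"schema": {
          "type": "object",
          "properties": {"name": {"type": "string", "maxLength": 64}}}}}},
        "responses": {"201": {"description": "created"}}
      }
    }
  }
}
""")

# The same definition with the three weaknesses remediated.
FIXED_SPEC = copy.deepcopy(SAMPLE_SPEC)
FIXED_SPEC["servers"][0]["url"] = "https://api.example.com/v1"
FIXED_SPEC["paths"]["/pets"]["post"]["security"] = [{"api_key": []}]
FIXED_SPEC["paths"]["/pets"]["get"]["parameters"][0]["schema"]["maxLength"] = 64

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
STRING_CONSTRAINTS = {"maxLength", "pattern", "enum", "format"}
WEIGHTS = {"high": 25, "medium": 10, "low": 3}  # assumed severity weights


def audit(spec):
    """Return (severity, location, message) findings for a parsed OpenAPI 3 dict."""
    findings = []
    # Transport: every server URL must use HTTPS.
    for i, server in enumerate(spec.get("servers", [])):
        url = server.get("url", "")
        if not url.lower().startswith("https://"):
            findings.append(("high", f"servers[{i}]", f"server URL is not HTTPS: {url}"))
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            loc = f"{method.upper()} {path}"
            # Authentication: the operation needs a non-empty security requirement,
            # its own or inherited from the top level ("security": [] opts out).
            if not op.get("security", global_security):
                findings.append(("high", loc, "operation has no security requirement"))
            # Data validation: unconstrained string parameters invite injection and DoS.
            for param in item.get("parameters", []) + op.get("parameters", []):
                schema = param.get("schema", {})
                if schema.get("type") == "string" and not STRING_CONSTRAINTS & set(schema):
                    findings.append(("medium", f"{loc} parameter {param.get('name')}",
                                     "string parameter has no maxLength/pattern/enum/format"))
            # Data validation: request bodies must declare a schema to validate against.
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                if "schema" not in media:
                    findings.append(("medium", f"{loc} requestBody {ctype}",
                                     "request body has no schema"))
            # Data validation: response bodies should declare a schema too (data leakage).
            for code, resp in op.get("responses", {}).items():
                for ctype, media in resp.get("content", {}).items():
                    if "schema" not in media:
                        findings.append(("low", f"{loc} response {code} {ctype}",
                                         "response body has no schema"))
    return findings


def score(findings):
    """Crude 0..100 score: start at 100 and subtract a weight per finding (assumed formula)."""
    return max(0, 100 - sum(WEIGHTS[sev] for sev, _, _ in findings))


def gate(findings, min_score=70, fail_on=("high",)):
    """CI-style pass/fail: score must reach min_score and no blocked severity may remain."""
    return score(findings) >= min_score and not any(f[0] in fail_on for f in findings)


if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_SPEC), ("fixed", FIXED_SPEC)):
        found = audit(spec)
        for sev, loc, msg in found:
            print(f"[{sev}] {loc}: {msg}")
        print(f"{label}: score {score(found)}, {'pass' if gate(found) else 'FAIL'}")
```

Run as a script, the sample definition produces two high findings (plaintext HTTP server, unauthenticated `POST /pets`) and one medium finding (unconstrained `filter` string), scores 40 and fails the gate; the remediated copy produces no findings and passes. In a real pipeline the gate result would become the exit status of the workflow step, which is what turns an audit into a blocking pull request check.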

“GitHub is the world’s leading software development collaboration platform,” says Dmitry Sotnikov, Chief Product Officer at 42Crunch. “We are happy to see Static Application Security Testing (SAST) now become a standard feature of GitHub through code scanning, and happy to provide our integration to handle the API security part of it.”

“GitHub code scanning is a major step on our journey to help open source and enterprise developers build secure software,” says John Leon, VP of Business Development at GitHub. “Adding 42Crunch’s security audit for REST APIs to GitHub code scanning tests will provide additional insight and security capabilities for developers.”

You can find out more by visiting the 42Crunch REST API Static Security Testing page in the GitHub Marketplace.

About 42Crunch

42Crunch bridges the gap between API development and security teams with a simple, automated platform that provides auditing, live endpoint scanning, and micro API firewall protection. Unlike other solutions on the market, 42Crunch Platform empowers development, security, and operations teams with a set of integrated tools to easily build security into the foundation of the API and enforce those policies throughout the API lifecycle. By delivering security as code, you enable a seamless DevSecOps experience, allowing innovation at the speed of business without sacrificing integrity. Visit to learn more. 
