42Crunch Releases OpenAPI Static Security Audit in GitHub Code Scanning

IRVINE, CA, OCTOBER 7, 2020Today, the API security leader and creator of the industry’s first API Firewall, 42Crunch, announced the availability of its REST API Static Security Testing with  GitHub code scanning. By adding 42Crunch to code scanning, developers can include REST API OpenAPI / Swagger definitions within static security tests.

Most of today’s applications are driven by APIs. The transition to cloud-native architectures, microservices, serverless, single-page, IoT, and mobile applications lead to proliferation of APIs. What used to be components of monolithic applications communicating within a single server are now standalone APIs talking to each other over the network.

This significantly expanded the attack area and led to the rise of API attacks. In fact, there’s now not a single week without new high profile API vulnerabilities reported by the popular API security news site

Gartner estimates that by 2022 APIs will become the most common attack vector.

Having direct access to applications’ backend services and databases with sensitive customer data, APIs are a lucrative target. API breaches can have significant business, public image, and financial impact.

At the same time, companies now have hundreds if not thousands of APIs. These APIs are constantly changing as teams adopt agile methodologies and continuously iterate over their functionality. Old approaches of manual review and approval processes and static runtime rules can no longer serve as the foundation for securing such complex dynamic systems.

The best way to provide cost-effective security for APIs is to “shift-left” and establish security measures across the whole API lifecycle: from design, to development, testing, and run-time protection and ideally doing so automatically without human interaction

Available as a GitHub Action, REST API Static Security Testing allows users to:

  • Discover REST APIs in their GitHub repositories
  • Audit each API with 200+ security checks from 42Crunch covering industry best practices across authentication, authorization, transport, and data validation
  • Analyze the discovered vulnerabilities by looking into the details provided for each vulnerability within GitHub code scanning alerts
  • Fix the vulnerabilities by going through the prioritized alert list and fixing the issues with remediation suggestions provided for each alert
  • Enforce security by setting criteria for your CI/CD workflows and automated Pull Request checks

“GitHub is the world’s leading software development collaboration platform,” says Dmitry Sotnikov, Chief Product Officer at 42Crunch. “We are happy to see Static Application Security Testing (SAST) to now become a standard feature of GitHub through code scanning and happy to provide our integration to handle the API security part of it.”

“GitHub code scanning is a major step on our journey to help open source and enterprise developers build secure software,” says John Leon, VP of Business Development at GitHub. “Adding 42Crunch’s security audit for REST APIs to GitHub code scanning tests will provide additional insight and security capabilities for developers.”

You can find out more by visiting the 42Crunch REST API Static Security Testing page in the GitHub Marketplace.

About 42Crunch

42Crunch bridges the gap between API development and security teams with a simple, automated platform that provides auditing, live endpoint scanning, and micro API firewall protection. Unlike other solutions on the market, 42Crunch Platform empowers development, security, and operations teams with a set of integrated tools to easily build security into the foundation of the API and enforce those policies throughout the API lifecycle. By delivering security as code, you enable a seamless DevSecOps experience, allowing innovation at the speed of business without sacrificing integrity. Visit to learn more. 

Visit our online community

Latest Resources


Top Things You Need to Know About API Security

Two of the API security industry’s leading experts, Dr Philippe de Ryck and Isabelle Mauny, guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.


What’s the best way to test an API for vulnerabilities? RTFM

By Tom Chang | June 11, 2024

If you’re a child of the 80s like me, you may have had the distinction of being the only one in your house who knew how to program your VCR. My motivation was strong. Clarinet lessons were interfering with my favorite show, the A Team. I was the […]


APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.