API Security & Conformance Scan using OpenAPI Swagger Editor Extension in VS Code

A dynamic security scan of your API to check for conformance against the API design (OpenAPI contract) and security vulnerabilities such as BOLA and BFLA. The tutorial videos below are relevant for all the available IDEs. API Scan is also available on the 42Crunch Platform and CI/CD platforms such as GitHub Actions and Azure DevOps.

Activate API Scan

You can run the dynamic API Scan security test locally on your machine without having to share the API. Activation differs slightly between free and paying customers. Please refer to the relevant video below.

Paying Customers

Free Customers

Overview of the Scan Configuration Viewer

Explanation of the scan configuration viewer where you configure and run your scan tests

Running your first API Scan

Learn how to configure and run your first API Scan and read the results

Use Variable Substitution

Variable substitution is a powerful feature that enables dynamic changes to your requests and responses

Setup Dynamic API Authentication

Authentication tokens such as OAuth or an API key may be required In order to test your API. Find out how to configure the scan for dynamic authentication.

API Happy Path Scanarios

You can add additional operations and requests to your scan configuration scenario to create more complex test scenarios. Take a look at the video explainer.

Setup and Teardown using Global Blocks

Set up and tear down test resources or create test states to test the API using before and after blocks e.g. Create a new test user account, run tests and then delete the new user

Test for Broken Authorization

Find out how to test your APIs for Authorization vulnerabilities such as OWASP API 01:2023 - Broken Object Level Authorization (BOLA) or OWASP API 05:2023 - Broken Functional Level Authorization (BFLA) using the 42Crunch API Scan tool.

Latest Resources


Top Things You Need to Know About API Security

Two of the API security industry’s leading experts, Dr Philippe de Ryck and Isabelle Mauny, guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.


What’s the best way to test an API for vulnerabilities? RTFM

By Tom Chang | June 11, 2024

If you’re a child of the 80s like me, you may have had the distinction of being the only one in your house who knew how to program your VCR. My motivation was strong. Clarinet lessons were interfering with my favorite show, the A Team. I was the […]


APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.