42Crunch

42Crunch is an API security platform that provides automated security audit, protection, and testing capabilities specifically designed for REST and GraphQL APIs throughout the development lifecycle. The tool performs comprehensive OpenAPI specification analysis, API security testing, and runtime protection to identify vulnerabilities such as authentication flaws, injection attacks, and configuration issues before APIs reach production.

42Crunch Integration with DefectDojo

If your team runs 42Crunch Audit or Conformance Scan as part of your CI/CD pipeline, you're already generating structured, API-specific security findings. The question is what happens to them after the build completes. Piping those results into DefectDojo gives you something the raw 42Crunch report doesn't: a persistent, deduplicated record of API vulnerabilities across every service, every sprint, and every team — with the ability to track remediation status, assign findings to engineers, enforce SLAs, and report on API security posture over time.


42Crunch is purpose-built for API security. It covers both static analysis of OpenAPI/Swagger contract definitions (Audit) and dynamic conformance testing against live API endpoints (Conformance Scan). Neither tool has a general-purpose vuln management layer built in. DefectDojo provides exactly that layer.

Why 42Crunch Matters

API security is not a subset of general application security. Misconfigurations in an OpenAPI contract — weak authentication schemes, missing input validation, permissive response schemas — don't show up in SAST or SCA tools. They require a tool that reads the API contract itself and understands how the implementation is supposed to behave.


  • Audit performs static analysis of OpenAPI Specification (OAS v2, v3.0, v3.1) files across more than 300 checks covering authentication, authorization, transport security, and data validation. Each API contract receives a composite security score from 0 to 100.
  • Conformance Scan dynamically tests live API endpoints by deriving test cases from the OpenAPI definition — injecting bad payloads, invalid tokens, and malformed requests — and validating responses for OWASP API Security Top 10 issues, schema violations, and data leakage.
  • Both tools output findings in structured JSON and SARIF formats, making them practical to import programmatically.
  • The findings map directly to the OWASP API Security Top 10 (2019 and 2023), giving security teams a recognized risk framework to communicate findings across engineering and leadership.


Without a vulnerability management platform, 42Crunch results stay siloed inside CI pipeline logs or the 42Crunch Platform UI. You lose trend visibility, remediation tracking, and any audit trail the moment a pipeline reruns.

Advantages of This Integration

  • Persistent finding history across scans. Every time 42Crunch runs in CI, findings can be imported into DefectDojo. This gives you a longitudinal view of which API vulnerabilities have been open for how long, which were remediated, and which keep reappearing — something you can't get from reading isolated pipeline reports.
  • Deduplication across services and branches. If the same authentication weakness appears in three microservices that sit under one DefectDojo product, deduplication surfaces it as a cross-cutting issue rather than three independent tickets. DefectDojo deduplicates within a product by default, so model services that should dedupe against each other as engagements of the same product. This reduces noise significantly when you're running API audits across a large microservice estate.
  • SLA tracking on API-specific findings. API security findings often fall through the cracks because they don't map neatly into the same triage process as CVEs or SAST findings. DefectDojo lets you define separate SLA configurations for API audit findings so that critical authentication issues have an enforced remediation deadline, not just an open finding in someone's queue.
  • Centralized assignment and ownership. DefectDojo lets you route findings to specific teams or engineers. When 42Crunch flags a missing OAuth 2.0 scope on a payment API, that finding can be assigned directly to the team responsible for that service — not just logged somewhere.
  • Risk acceptance workflows. Some 42Crunch Audit findings are known, accepted risks for a given API (e.g., a deliberately permissive schema on an internal service). DefectDojo's risk acceptance workflows let you formally document those decisions with an expiry date, keeping your active finding count accurate without suppressing data.
  • Unified API security posture reporting. Combining 42Crunch Audit scores, Conformance Scan findings, and DefectDojo's reporting gives leadership a single view of API security health — by team, by service, or across the whole organization.

How This Integration Works

42Crunch outputs findings in JSON and SARIF formats. DefectDojo supports import of 42Crunch Audit results natively via its 42Crunch Audit parser (scan type: 42Crunch Audit); confirm that the scan type appears in the import form of your instance, since the available parsers depend on the DefectDojo version you run. Conformance Scan results can be imported using the generic SARIF parser or as JSON reports via the API.


Step 1 — Export findings from 42Crunch. In CI/CD, configure your 42Crunch GitHub Action, GitLab CI step, or Jenkins plugin to export results as JSON or SARIF. For Audit, a GitHub Actions step looks like this (api-token is a required input of the action; the secret name is your choice):

    - name: Run 42Crunch Audit
      uses: 42Crunch/api-security-audit-action@v4
      with:
        api-token: ${{ secrets.API_TOKEN }}
        upload-to-code-scanning: false
        sarif-report: 42crunch-audit.sarif
        export-as-pdf: false
        log-level: info

For a JSON export of the audit report, use the --json-report flag via the 42Crunch CLI or configure the action to produce the JSON artifact.

Step 2 — Import into DefectDojo. Use the DefectDojo import API or the web UI to create a new Test under the relevant Engagement for your API product:


    curl -X POST https://<your-defectdojo>/api/v2/import-scan/ \
      -H "Authorization: Token <your-token>" \
      -F "scan_type=42Crunch Audit" \
      -F "file=@42crunch-audit.json" \
      -F "engagement=<engagement-id>" \
      -F "product_name=<your-api-product>"

If you pass the numeric engagement id it takes precedence; product_name together with engagement_name (and auto_create_context=true) is the alternative when you want DefectDojo to look up, or create, the product and engagement by name.


For Conformance Scan results, use scan_type=SARIF if importing SARIF output, or pipe the JSON report through a pre-processing script that maps findings to DefectDojo's generic JSON format and import the result with scan_type=Generic Findings Import.

Step 3 — Automate as part of CI/CD. Add the DefectDojo import step as a post-step in your pipeline, after 42Crunch completes. This ensures every scan run produces a corresponding test record in DefectDojo with full finding detail and timestamps. Pass close_old_findings=true so that findings which no longer appear in subsequent scans are automatically marked as mitigated.
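The pre-processing step for Conformance Scan JSON, written out as an added example in Python (this is not code from 42Crunch or from DefectDojo). The shape of the Conformance Scan report used here, an issues list with id, severity, method, path, testType, expectedStatus, actualStatus, owaspApi, description and remediation keys, is an assumption constructed for illustration; the output document follows DefectDojo's Generic Findings Import format, and the form fields are those of the import-scan endpoint. The script normalizes severity strictly, builds a per-endpoint unique_id_from_tool so the same rule on two endpoints stays two findings, and assembles the multipart fields including close_old_findings:

```python
"""Pre-processing for 42Crunch Conformance Scan JSON: emit DefectDojo's
Generic Findings Import document and the import-scan form fields."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample report. The issue field names (id, severity, method,
# path, testType, expectedStatus, actualStatus, owaspApi, description,
# remediation) are an ASSUMED shape; point the extractors at the keys your
# real Conformance Scan report uses.
SAMPLE_SCAN_REPORT: dict[str, Any] = {
    "apiName": "orders-api",
    "host": "https://staging.orders.example.internal",
    "scanDate": "2024-05-02",
    "issues": [
        {"id": "response-undocumented-property", "severity": "medium",
         "method": "GET", "path": "/api/v1/orders/{id}", "testType": "happy-path",
         "expectedStatus": 200, "actualStatus": 200,
         "owaspApi": "API3:2023 Broken Object Property Level Authorization",
         "description": "Response contains properties not declared in the schema.",
         "remediation": "Declare every returned property or stop returning it."},
        {"id": "auth-unauthenticated-request-accepted", "severity": "critical",
         "method": "DELETE", "path": "/api/v1/orders/{id}", "testType": "negative",
         "expectedStatus": 401, "actualStatus": 204,
         "owaspApi": "API2:2023 Broken Authentication",
         "description": "A request carrying no bearer token was accepted.",
         "remediation": "Enforce the operation's declared security requirement."},
        {"id": "response-undocumented-property", "severity": "Medium",
         "method": "GET", "path": "/api/v1/users", "testType": "happy-path",
         "expectedStatus": 200, "actualStatus": 200,
         "owaspApi": "API3:2023 Broken Object Property Level Authorization",
         "description": "Response contains properties not declared in the schema.",
         "remediation": "Declare every returned property or stop returning it."},
    ],
}

# 42Crunch severity labels (any case) to DefectDojo's five levels. Unknown
# labels raise instead of silently becoming Info.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium",
                "low": "Low", "info": "Info", "informational": "Info"}


def normalize_severity(raw: str) -> str:
    key = raw.strip().lower()
    if key not in SEVERITY_MAP:
        raise ValueError(f"unmapped 42Crunch severity: {raw!r}")
    return SEVERITY_MAP[key]


def unique_id(issue: dict[str, Any]) -> str:
    # The rule id repeats across endpoints; method + path make the id unique
    # per finding and stable across runs, which is what deduplication needs.
    return f"{issue['id']}|{issue['method']}|{issue['path']}"


def to_finding(report: dict[str, Any], issue: dict[str, Any]) -> dict[str, Any]:
    return {
        "title": f"{issue['id']}: {issue['method']} {issue['path']}",
        "description": (f"{issue['description']}\n\nTest type: {issue['testType']}\n"
                        f"Expected HTTP status {issue['expectedStatus']}, "
                        f"actual {issue['actualStatus']}\n"
                        f"OWASP API Security Top 10: {issue['owaspApi']}"),
        "severity": normalize_severity(issue["severity"]),
        "mitigation": issue["remediation"],
        "date": report["scanDate"],
        "endpoints": [report["host"] + issue["path"]],
        "vuln_id_from_tool": issue["id"],
        "unique_id_from_tool": unique_id(issue),
        "static_finding": False,
        "dynamic_finding": True,
        "tags": ["42crunch", "api-security", "conformance-scan"],
    }


def to_generic_import(report: dict[str, Any]) -> dict[str, Any]:
    """Top-level document accepted by the Generic Findings Import parser."""
    return {"name": f"42Crunch Conformance Scan: {report['apiName']}",
            "type": "42Crunch Conformance Scan",
            "findings": [to_finding(report, i) for i in report["issues"]]}


def import_scan_form(product: str, engagement: str,
                     environment: str = "Staging") -> dict[str, str]:
    """Form fields for POST /api/v2/import-scan/; attach the JSON document as
    the 'file' part. close_old_findings mitigates findings absent from this
    upload; auto_create_context creates product/engagement if missing."""
    return {"scan_type": "Generic Findings Import",
            "product_name": product,
            "engagement_name": engagement,
            "auto_create_context": "true",
            "environment": environment,
            "close_old_findings": "true"}


if __name__ == "__main__":
    with open("42crunch-conformance-generic.json", "w", encoding="utf-8") as fh:
        json.dump(to_generic_import(SAMPLE_SCAN_REPORT), fh, indent=2)
    print(json.dumps(import_scan_form("orders-api", "ci-conformance-scans"), indent=2))
```

The severity map fails closed on purpose: a label the script has never seen (a renamed level in a future report version, say) should break the pipeline step rather than land in DefectDojo as Info and drop out of every SLA query. Keep the environment set to Staging for these scans so dynamic findings are not mixed with static audit findings against the production contract.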

Data Granularity: What Gets Imported

The following fields are captured from 42Crunch Audit JSON reports and surfaced in DefectDojo findings:

| Field | Source | Notes |
|---|---|---|
| Title | Issue name from 42Crunch check | Includes the specific rule identifier (e.g., authentication-scheme-missing) |
| Severity | Critical / High / Medium / Low / Info | Mapped from 42Crunch's severity scale |
| Description | Issue explanation from audit report | Includes what the issue is and why it matters |
| Mitigation | Remediation guidance | 42Crunch provides per-issue fix guidance |
| OWASP Category | OWASP API Security Top 10 mapping | Both 2019 and 2023 categories available |
| File Path | Location in the OpenAPI definition file | JSON Pointer within the spec (e.g., /paths/~1users/get/security, where ~1 encodes a literal slash) |
| API Audit Score | Composite 0–100 score per API | Importable as a test metadata field |
| Issue ID | 42Crunch rule ID | Usable as unique_id_from_tool for deduplication; the same rule can fire at several paths, so pair it with File Path to keep the identifier unique per finding |
| Check Category | Security / Data Validation / OpenAPI Format | Maps to audit sub-score category |
| Exploit Scenario | Contextual exploitation description | Included in issue details for higher-severity findings |
| References | Links to 42Crunch API Security Encyclopedia | Per-finding documentation links |
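The two identifier columns above, File Path as a JSON Pointer and Issue ID as the deduplication key, are worth seeing in code. As an added example (not DefectDojo's parser and not 42Crunch code), the Python below resolves an issue's pointer inside the OpenAPI document per RFC 6901 to show the offending node, and derives a unique_id_from_tool from API name, rule id and pointer so that the same rule at two paths stays two findings while a repeat of the same finding across runs deduplicates. The OpenAPI fragment and the audit issue list are constructed, and the issue field names (rule, severity, pointer, description) are an assumed report shape:

```python
"""Locate a 42Crunch Audit issue inside its OpenAPI document and derive a
per-finding identifier suitable for DefectDojo deduplication."""
from __future__ import annotations

import hashlib
import json
from typing import Any

# Constructed OpenAPI 3.0 fragment. Both GET operations declare an empty
# security requirement, i.e. no authentication, which is the condition the
# authentication-scheme-missing rule reports on.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        "/orders/{id}": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

# Constructed audit issues. Field names are an ASSUMED report shape.
SAMPLE_AUDIT_ISSUES: list[dict[str, str]] = [
    {"rule": "authentication-scheme-missing", "severity": "High",
     "pointer": "/paths/~1users/get/security",
     "description": "Operation declares no authentication scheme."},
    {"rule": "authentication-scheme-missing", "severity": "High",
     "pointer": "/paths/~1orders~1{id}/get/security",
     "description": "Operation declares no authentication scheme."},
    {"rule": "response-schema-undefined", "severity": "Medium",
     "pointer": "/paths/~1users/get/responses/200",
     "description": "Response body has no schema, so its contents are unconstrained."},
]


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """RFC 6901 JSON Pointer lookup. '~1' decodes to '/' and '~0' to '~';
    ~1 is decoded first so that '~01' yields '~1' rather than '/'."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError(f"pointer must start with '/': {pointer!r}")
    node = doc
    for raw in pointer.split("/")[1:]:
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, list):
            node = node[int(token)]
        elif isinstance(node, dict) and token in node:
            node = node[token]
        else:
            raise KeyError(f"{pointer!r}: no member {token!r}")
    return node


def unique_id(api_name: str, issue: dict[str, str]) -> str:
    """API name + rule + pointer: the same rule at two paths stays two
    findings; the same rule at the same path across runs collapses to one."""
    raw = f"{api_name}|{issue['rule']}|{issue['pointer']}"
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def to_finding(api_name: str, spec: dict[str, Any], issue: dict[str, str]) -> dict[str, Any]:
    # A pointer that no longer resolves (spec refactored since the audit) is
    # recorded in the description instead of aborting the whole import.
    try:
        node = json.dumps(resolve_pointer(spec, issue["pointer"]))
    except (KeyError, ValueError, IndexError) as exc:
        node = f"<pointer did not resolve: {exc}>"
    return {
        "title": f"{issue['rule']} at {issue['pointer']}",
        "severity": issue["severity"],
        "description": f"{issue['description']}\n\nOffending node: {node}",
        "file_path": issue["pointer"],
        "vuln_id_from_tool": issue["rule"],
        "unique_id_from_tool": unique_id(api_name, issue),
        "static_finding": True,
        "dynamic_finding": False,
    }


def audit_findings(api_name: str, spec: dict[str, Any],
                   issues: list[dict[str, str]]) -> list[dict[str, Any]]:
    return [to_finding(api_name, spec, i) for i in issues]


if __name__ == "__main__":
    for f in audit_findings("orders-api", SAMPLE_SPEC, SAMPLE_AUDIT_ISSUES):
        print(f["unique_id_from_tool"][:12], f["title"])
```

Running it, the two authentication-scheme-missing findings share a vuln_id_from_tool (useful for grouping by rule) but get distinct unique ids, which is the behaviour you want when the same weakness sits on several operations of one API.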


For Conformance Scan results, additional fields are available:

| Field | Source | Notes |
|---|---|---|
| HTTP Method | The API operation tested | GET, POST, PUT, DELETE, etc. |
| API Path | Endpoint path from OpenAPI definition | e.g., /api/v1/orders/{id} |
| Test Type | Happy path / negative test / fuzzing | Indicates how the finding was triggered |
| Response Code | Actual vs. expected HTTP status code | Useful for schema conformance findings |
| OWASP API Top 10 | Mapped vulnerability category | e.g., API3:2023 Broken Object Property Level Authorization |

Use Cases

  • In a CI/CD pipeline for a microservice API platform. Your platform has 30+ APIs, each with its own OpenAPI definition. 42Crunch Audit runs on every PR and main branch merge. Results are imported into DefectDojo per-API, grouped by product. The security team monitors a DefectDojo dashboard showing which APIs are below the acceptable audit score threshold and which have unresolved Critical or High findings. SLA breaches trigger Jira tickets automatically via DefectDojo's integration.
  • During a security review of a new API before production launch. A new API goes through a pre-launch gate requiring an audit score of at least 75. The 42Crunch CI step fails the build if the threshold isn't met. When findings are imported into DefectDojo, the security engineer reviewing the API can annotate specific findings, accept documented risks, and formally close the engagement when the gate is met. This creates a permanent audit trail for compliance purposes.
  • When tracking remediation velocity across teams. Engineering leadership wants to know whether API security debt is increasing or decreasing across the platform quarter-over-quarter. Because every 42Crunch scan run imports findings into DefectDojo, the trend data is already there — opened vs. closed findings over time, mean time to remediate by severity, and which teams are consistently shipping APIs with authentication weaknesses.
  • After a 42Crunch Conformance Scan identifies runtime behavior mismatches. The scan finds that your API is returning undocumented fields in responses for several endpoints — a data leakage risk. Those findings land in DefectDojo, get assigned to the owning team, and are tracked through to closure with a documented fix. The next scan run marks them resolved automatically if they no longer appear.

Operational Tips

  • Tag findings by API product or domain. Use DefectDojo's tagging to separate API audit findings from other vulnerability types (SAST, SCA, container scanning). Tags like api-security, 42crunch, and openapi make filtering and reporting more precise when you're running multiple scanner types in the same DefectDojo instance.
  • Set separate SLA configurations for API findings. Authentication and authorization findings from an API audit represent a different risk profile than a dependency CVE. Configure a tighter SLA for Critical API security findings — they often reflect architectural issues that are harder to fix quickly, but more important to prioritize.
  • Use close_old_findings=true on import. This is critical for keeping your active finding count accurate. Without it, each CI run creates new findings without closing the ones that were fixed. With it, DefectDojo marks findings of the same scan type in the engagement as mitigated when they no longer appear in the latest upload. The alternative is /api/v2/reimport-scan/ against the id of an existing test, which updates that test in place instead of creating a new one on every run and takes the same parameter.
  • Map 42Crunch API audit scores to product risk ratings. The audit score (0–100) can be stored as a custom field or noted in the test description. Over time, tracking score progression per API in DefectDojo gives you a proxy metric for API security maturity — useful for both engineering retrospectives and executive reporting.
  • Run Conformance Scan in staging, not production. 42Crunch Conformance Scan sends active test traffic to live API endpoints. Configure your DefectDojo environments accordingly so findings from staging scans don't get conflated with findings from static audit runs against production contracts.
  • Normalize severity before import if needed. 42Crunch's severity scale (Critical, High, Medium, Low, Info) maps cleanly to DefectDojo's model. No pre-processing is required for Audit results using the native parser. For Conformance Scan JSON imports, verify that your import script maps severity strings consistently before pushing to DefectDojo.
