Add 42Crunch API security testing plugin #1658
Open
heshaam-42c wants to merge 1 commit into github:staged from
Conversation
Contributor
🔍 Skill Validator Results
Summary
Full validator output

```text
Found 5 skill(s)
[42crunch-api-security-testing] 📊 42crunch-api-security-testing: 2,558 BPE tokens [chars/4: 2,525] (standard ~), 4 sections, 4 code blocks
[42crunch-api-security-testing] ⚠ Skill is 2,558 BPE tokens (chars/4 estimate: 2,525) — approaching "comprehensive" range where gains diminish.
[42crunch-audit] 📊 42crunch-audit: 1,036 BPE tokens [chars/4: 1,025] (detailed ✓), 3 sections, 1 code blocks
[42crunch-code-to-oas] 📊 42crunch-code-to-oas: 4,508 BPE tokens [chars/4: 4,284] (standard ~), 31 sections, 5 code blocks
[42crunch-code-to-oas] ⚠ Skill is 4,508 BPE tokens (chars/4 estimate: 4,284) — approaching "comprehensive" range where gains diminish.
[42crunch-scan] 📊 42crunch-scan: 1,964 BPE tokens [chars/4: 1,947] (detailed ✓), 4 sections, 4 code blocks
[42crunch-setup] 📊 42crunch-setup: 1,633 BPE tokens [chars/4: 1,591] (detailed ✓), 15 sections, 4 code blocks
✅ All checks passed (5 skill(s))
```
Contributor
Pull request overview
This PR adds a new 42Crunch API security testing plugin to the Awesome Copilot marketplace, along with a set of 42Crunch-focused skills (setup, audit, scan, full pipeline, and code→OAS generation) and supporting reference docs.
Changes:
- Introduces five new 42Crunch skills covering environment setup, static audit, live scan, end-to-end pipeline orchestration, and OpenAPI generation from source.
- Adds a new 42crunch-api-security-testing plugin that bundles the skills and documents usage.
- Updates plugin/skill indexes and the marketplace registry to surface the new plugin and skills.
Reviewed changes
Copilot reviewed 33 out of 33 changed files in this pull request and generated 31 comments.
| File | Description |
|---|---|
| skills/42crunch-setup/SKILL.md | New setup skill for installing 42c-ast and configuring credentials. |
| skills/42crunch-setup/references/binary-setup.md | Reference procedure for installing/updating the 42c-ast binary. |
| skills/42crunch-setup/references/credential-setup.md | Reference procedure for storing platform/freemium credentials. |
| skills/42crunch-setup/references/pre-flight.md | Shared pre-flight checks (binary, credentials, OAS resolution, tags). |
| skills/42crunch-setup/references/tag-detection.md | Reference flow for resolving/assigning platform tags for an OAS. |
| skills/42crunch-audit/SKILL.md | New audit skill to run 42Crunch audit + SQG-driven fix loop. |
| skills/42crunch-audit/references/audit-rule-translations.md | Rule-id → plain English translation table for audit findings. |
| skills/42crunch-audit/references/audit-workflow.md | Detailed audit execution, parsing, consent, and fix workflow. |
| skills/42crunch-audit/references/binary-setup.md | Audit-local copy of the binary install/update reference. |
| skills/42crunch-audit/references/credential-setup.md | Audit-local copy of the credentials setup reference. |
| skills/42crunch-audit/references/pre-flight.md | Audit-local copy of the shared pre-flight checks. |
| skills/42crunch-audit/references/tag-detection.md | Audit-local copy of the platform tag resolution flow. |
| skills/42crunch-scan/SKILL.md | New scan skill to configure and run live conformance/authz testing. |
| skills/42crunch-scan/references/binary-setup.md | Scan-local copy of the binary install/update reference. |
| skills/42crunch-scan/references/credential-setup.md | Scan-local copy of the credentials setup reference. |
| skills/42crunch-scan/references/pre-flight.md | Scan-local copy of the shared pre-flight checks. |
| skills/42crunch-scan/references/scan-workflow.md | Detailed scan config generation, auth setup, scenarios, and runs. |
| skills/42crunch-scan/references/tag-detection.md | Scan-local copy of the platform tag resolution flow. |
| skills/42crunch-code-to-oas/SKILL.md | New skill to generate an OpenAPI 3.0 spec from an API codebase. |
| skills/42crunch-api-security-testing/SKILL.md | New orchestration skill for audit → scan pipeline with separate consent gates. |
| skills/42crunch-api-security-testing/references/audit-rule-translations.md | Pipeline-local copy of audit rule translation table. |
| skills/42crunch-api-security-testing/references/audit-workflow.md | Pipeline-local copy of the audit workflow reference. |
| skills/42crunch-api-security-testing/references/binary-setup.md | Pipeline-local copy of the binary install/update reference. |
| skills/42crunch-api-security-testing/references/credential-setup.md | Pipeline-local copy of the credentials setup reference. |
| skills/42crunch-api-security-testing/references/pre-flight.md | Pipeline-local copy of the shared pre-flight checks. |
| skills/42crunch-api-security-testing/references/tag-detection.md | Pipeline-local copy of the platform tag resolution flow. |
| plugins/42crunch-api-security-testing/.github/plugin/plugin.json | Plugin manifest declaring the included skills and metadata. |
| plugins/42crunch-api-security-testing/README.md | Plugin documentation (commands, setup, usage, configuration). |
| plugins/42crunch-api-security-testing/LICENSE | MIT license for the plugin content. |
| docs/README.skills.md | Adds the new 42Crunch skills to the skills index table. |
| docs/README.plugins.md | Adds the new 42Crunch plugin to the plugins index table. |
| .github/plugin/marketplace.json | Registers the new plugin in the marketplace listing. |
Comment on lines +3 to +10
| description: > | ||
| Set up the 42Crunch environment so that audit and scan skills can run | ||
| without friction. Use this skill whenever the user wants to configure | ||
| 42Crunch for the first time, install or update the 42c-ast binary, configure | ||
| an API key, or troubleshoot missing credentials or binary errors. Triggers | ||
| on phrases like "setup 42crunch", "configure 42crunch", "install 42c-ast", | ||
| "update 42c-ast", "set api key", "42crunch not working", "binary not found", | ||
| or any request to prepare the environment before running an audit or scan. |
Comment on lines +3 to +10
| description: > | ||
| Run a 42Crunch API Security Audit and fix SQG-blocking issues in an OpenAPI | ||
| Specification file. Use this skill whenever the user wants to audit an OAS | ||
| file for security issues, fix SQG-blocking issues, score an API, apply data | ||
| dictionary enrichment, or remediate audit findings. Triggers on phrases like | ||
| "run audit", "audit only", "fix audit issues", "SQG audit", "42crunch audit", | ||
| "audit score", or any request focused on static OAS analysis and remediation | ||
| without running a live scan. |
Comment on lines +3 to +11
| description: > | ||
| Run a 42Crunch live conformance and authorization scan against an API and fix | ||
| SQG-blocking scan findings. Use this skill whenever the user wants to run a | ||
| conformance test, authorization scan, BOLA test, BFLA test, generate or | ||
| configure a scan config, or fix scan-reported issues. Triggers on phrases | ||
| like "run scan", "scan only", "conformance test", "BOLA test", "BFLA test", | ||
| "42crunch scan", "scan config", or any request focused on live API testing | ||
| without running a static audit. Use 42crunch-api-security-testing when the user wants both | ||
| audit and scan together. |
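Review bot: the description says the scan runs "live" against an API and covers BOLA/BFLA tests, but nothing in the trigger text tells the agent that this sends real requests to the target, so a user saying "scan my API" could have the skill pointed at a production host. Add one sentence stating that the scan exercises a live endpoint and that the target URL and credentials should belong to a test or staging deployment, and have the skill confirm the target before running.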
Comment on lines +3 to +10
| description: > | ||
| Analyze an entire API codebase and generate an accurate OpenAPI Specification | ||
| (OAS 3.0) file from the source code. Use this skill whenever the user wants | ||
| to generate, create, or derive an OpenAPI spec from code, reverse-engineer an | ||
| API definition, or document an existing API. Triggers on phrases like "generate | ||
| OAS from code", "create OpenAPI spec", "document my API", "reverse-engineer | ||
| spec", "write openapi.json from my codebase", or any request to produce an | ||
| OAS file by reading source files rather than an existing spec. |
Comment on lines +3 to +10
| description: > | ||
| Run both a 42Crunch Audit and a live Scan together in a single pipeline. | ||
| Use this skill when the user wants to run audit and scan together, complete | ||
| the full security pipeline, or when the request is ambiguous about which | ||
| phase to run. Triggers on phrases like "run audit and scan", "full 42crunch | ||
| pipeline", "full security check", "audit then scan", "42crunch", or "SQG". | ||
| Do NOT use this skill if the user explicitly requests only an audit (use | ||
| 42crunch-audit) or only a scan (use 42crunch-scan). |
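Review bot: the bare triggers "42crunch" and "SQG" at the end of the trigger list overlap with the audit skill's "42crunch audit" / "SQG audit" and the scan skill's "42crunch scan" triggers, so a request such as "run a 42crunch audit" matches both this skill and 42crunch-audit. The closing "Do NOT use this skill if ..." sentence only helps if the model honours it; narrow the two generic triggers to the ambiguous case (for example, "42crunch" or "SQG" with no phase named) so the routing is stated in the description rather than left to precedence.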
Comment on lines +112 to +116
| Write the file. Do not quote values. Do not add spaces around `=`. | ||
|
|
||
| **Platform mode** — write to `~/.42crunch/conf/env`: | ||
|
|
||
| ``` |
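Review bot: the write step puts an API key into `~/.42crunch/conf/env` but says nothing about creating the directory or restricting the file's permissions, so an agent following it literally will usually produce a file readable by every local user under a default umask. Add a permissions step around the write, for example `mkdir -p ~/.42crunch/conf && umask 077` before it or `chmod 600 ~/.42crunch/conf/env` after it, and give the Windows location as well (`%APPDATA%\42Crunch\conf\env`, the path the pre-flight reference reads from), since this section only names the POSIX path.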
Comment on lines +23 to +27
| Read `~/.42crunch/conf/env` (macOS/Linux) or `%APPDATA%\42Crunch\conf\env` (Windows): | ||
|
|
||
| ```bash | ||
| grep -E "^(FREEMIUM_TOKEN|API_KEY)=" "$HOME/.42crunch/conf/env" 2>/dev/null | ||
| ``` |
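Review bot: `grep -E "^(FREEMIUM_TOKEN|API_KEY)=" "$HOME/.42crunch/conf/env"` prints the matching line in full, so the secret value is copied into the agent's context and the chat transcript when the check only needs to know the key is present. Use a quiet match, e.g. `grep -qE "^(FREEMIUM_TOKEN|API_KEY)=" "$HOME/.42crunch/conf/env" && echo "credentials found"`, or keep only the variable name with `cut -d= -f1`. The prose also names `%APPDATA%\42Crunch\conf\env` for Windows while the command hardcodes `$HOME/.42crunch/conf/env`, so the check fails on Windows unless that path is handled. This snippet is duplicated in the pre-flight reference of the setup, audit, scan and pipeline skills, so the fix has to land in each copy (or the copies should be collapsed into one shared reference).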
Pull Request Checklist
- Ran `npm start` and verified that `README.md` is up to date.
- Targets the `staged` branch for this pull request.
Description
Adds the 42Crunch API Security Testing plugin for GitHub Copilot.
Includes plugin metadata, README, and skills for API security testing workflows.
Validation/build run locally:
Type of Contribution
Additional Notes
By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.