6 changes: 6 additions & 0 deletions .github/plugin/marketplace.json
@@ -10,6 +10,12 @@
"email": "copilot@github.com"
},
"plugins": [
{
"name": "42crunch-api-security-testing",
"source": "42crunch-api-security-testing",
"description": "Automate API security directly in GitHub Copilot with 42Crunch - automatically audit OpenAPI specs, detect vulnerabilities aligned with OWASP API Security risks (including BOLA/BFLA), and apply AI-powered fixes. Designed for AI-assisted development workflows, it provides continuous guardrails through an audit->scan->remediate->validate loop, ensuring APIs meet enterprise security standards before deployment.",
"version": "1.0.0"
},
{
"name": "acreadiness-cockpit",
"source": "acreadiness-cockpit",
1 change: 1 addition & 0 deletions docs/README.plugins.md
@@ -25,6 +25,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-plugins) for guidelines on how t

| Name | Description | Items | Tags |
| ---- | ----------- | ----- | ---- |
| [42crunch-api-security-testing](../plugins/42crunch-api-security-testing/README.md) | Automate API security directly in GitHub Copilot with 42Crunch - automatically audit OpenAPI specs, detect vulnerabilities aligned with OWASP API Security risks (including BOLA/BFLA), and apply AI-powered fixes. Designed for AI-assisted development workflows, it provides continuous guardrails through an audit->scan->remediate->validate loop, ensuring APIs meet enterprise security standards before deployment. | 5 items | openapi, api-security, audit, scan, remediation, vulnerability, compliance, owasp, ai, devsecops |
| [acreadiness-cockpit](../plugins/acreadiness-cockpit/README.md) | Drive Microsoft AgentRC from Copilot chat: assess AI readiness, generate Copilot instructions (flat or nested with applyTo globs for monorepos), and manage policies. Produces a self-contained static HTML dashboard at reports/index.html. | 4 items | agentrc, ai-readiness, copilot-instructions, readiness-report, monorepo, policy, dashboard |
| [ai-team-orchestration](../plugins/ai-team-orchestration/README.md) | Bootstrap and run a multi-agent AI development team with named roles (Producer, Dev Team, QA). Sprint planning, brainstorm prompts with distinct agent voices, cross-chat context survival, and parallel team workflows. Based on a proven template that shipped a 30-game app in 5 days with zero human-written code. | 4 items | ai-team, multi-agent, sprint-planning, brainstorm, project-management, orchestration, developer-workflow |
| [arize-ax](../plugins/arize-ax/README.md) | Arize AX platform skills for LLM observability, evaluation, and optimization. Includes trace export, instrumentation, datasets, experiments, evaluators, AI provider integrations, annotations, prompt optimization, and deep linking to the Arize UI. | 9 items | arize, llm, observability, tracing, evaluation, instrumentation, datasets, experiments, prompt-optimization |
5 changes: 5 additions & 0 deletions docs/README.skills.md
@@ -27,6 +27,11 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to

| Name | Description | Bundled Assets |
| ---- | ----------- | -------------- |
| [42crunch-api-security-testing](../skills/42crunch-api-security-testing/SKILL.md)<br />`gh skills install github/awesome-copilot 42crunch-api-security-testing` | Run both a 42Crunch Audit and a live Scan together in a single pipeline. Use this skill when the user wants to run audit and scan together, complete the full security pipeline, or when the request is ambiguous about which phase to run. Triggers on phrases like "run audit and scan", "full 42crunch pipeline", "full security check", "audit then scan", "42crunch", or "SQG". Do NOT use this skill if the user explicitly requests only an audit (use 42crunch-audit) or only a scan (use 42crunch-scan). | `references/audit-rule-translations.md`<br />`references/audit-workflow.md`<br />`references/binary-setup.md`<br />`references/credential-setup.md`<br />`references/pre-flight.md`<br />`references/scan-workflow.md`<br />`references/tag-detection.md` |
| [42crunch-audit](../skills/42crunch-audit/SKILL.md)<br />`gh skills install github/awesome-copilot 42crunch-audit` | Run a 42Crunch API Security Audit and fix SQG-blocking issues in an OpenAPI Specification file. Use this skill whenever the user wants to audit an OAS file for security issues, fix SQG-blocking issues, score an API, apply data dictionary enrichment, or remediate audit findings. Triggers on phrases like "run audit", "audit only", "fix audit issues", "SQG audit", "42crunch audit", "audit score", or any request focused on static OAS analysis and remediation without running a live scan. | `references/audit-rule-translations.md`<br />`references/audit-workflow.md`<br />`references/binary-setup.md`<br />`references/credential-setup.md`<br />`references/pre-flight.md`<br />`references/tag-detection.md` |
| [42crunch-code-to-oas](../skills/42crunch-code-to-oas/SKILL.md)<br />`gh skills install github/awesome-copilot 42crunch-code-to-oas` | Analyze an entire API codebase and generate an accurate OpenAPI Specification (OAS 3.0) file from the source code. Use this skill whenever the user wants to generate, create, or derive an OpenAPI spec from code, reverse-engineer an API definition, or document an existing API. Triggers on phrases like "generate OAS from code", "create OpenAPI spec", "document my API", "reverse-engineer spec", "write openapi.json from my codebase", or any request to produce an OAS file by reading source files rather than an existing spec. | None |
| [42crunch-scan](../skills/42crunch-scan/SKILL.md)<br />`gh skills install github/awesome-copilot 42crunch-scan` | Run a 42Crunch live conformance and authorization scan against an API and fix SQG-blocking scan findings. Use this skill whenever the user wants to run a conformance test, authorization scan, BOLA test, BFLA test, generate or configure a scan config, or fix scan-reported issues. Triggers on phrases like "run scan", "scan only", "conformance test", "BOLA test", "BFLA test", "42crunch scan", "scan config", or any request focused on live API testing without running a static audit. Use 42crunch-api-security-testing when the user wants both audit and scan together. | `references/binary-setup.md`<br />`references/credential-setup.md`<br />`references/pre-flight.md`<br />`references/scan-workflow.md`<br />`references/tag-detection.md` |
| [42crunch-setup](../skills/42crunch-setup/SKILL.md)<br />`gh skills install github/awesome-copilot 42crunch-setup` | Set up the 42Crunch environment so that audit and scan skills can run without friction. Use this skill whenever the user wants to configure 42Crunch for the first time, install or update the 42c-ast binary, configure an API key, or troubleshoot missing credentials or binary errors. Triggers on phrases like "setup 42crunch", "configure 42crunch", "install 42c-ast", "update 42c-ast", "set api key", "42crunch not working", "binary not found", or any request to prepare the environment before running an audit or scan. | `references/binary-setup.md`<br />`references/credential-setup.md`<br />`references/pre-flight.md`<br />`references/tag-detection.md` |
| [acquire-codebase-knowledge](../skills/acquire-codebase-knowledge/SKILL.md)<br />`gh skills install github/awesome-copilot acquire-codebase-knowledge` | Use this skill when the user explicitly asks to map, document, or onboard into an existing codebase. Trigger for prompts like "map this codebase", "document this architecture", "onboard me to this repo", or "create codebase docs". Do not trigger for routine feature implementation, bug fixes, or narrow code edits unless the user asks for repository-level discovery. | `assets/templates`<br />`references/inquiry-checkpoints.md`<br />`references/stack-detection.md`<br />`scripts/scan.py` |
| [acreadiness-assess](../skills/acreadiness-assess/SKILL.md)<br />`gh skills install github/awesome-copilot acreadiness-assess` | Run the AgentRC readiness assessment on the current repository and produce a static HTML dashboard at reports/index.html. Wraps `npx github:microsoft/agentrc readiness` and hands off rendering to the @ai-readiness-reporter custom agent. Supports policies (--policy) for org-specific scoring. Use when asked to assess, audit, or score the AI readiness of a repo. | `report-template.html` |
| [acreadiness-generate-instructions](../skills/acreadiness-generate-instructions/SKILL.md)<br />`gh skills install github/awesome-copilot acreadiness-generate-instructions` | Generate tailored AI agent instruction files via AgentRC instructions command. Produces .github/copilot-instructions.md (default, recommended for Copilot in VS Code) plus optional per-area .instructions.md files with applyTo globs for monorepos. Use after running /acreadiness-assess to close gaps in the AI Tooling pillar. | None |
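Review bot: the trigger list in the `42crunch-api-security-testing` row includes the bare phrases "42crunch" and "SQG", and every other 42Crunch row in this hunk also lists a trigger containing "42crunch" ("42crunch audit", "42crunch scan", "setup 42crunch", "configure 42crunch", "42crunch not working"), so a request such as "set up 42crunch" matches both the setup skill and the full audit-plus-scan pipeline. The combined skill's "Do NOT use this skill if..." clause only excludes audit-only and scan-only requests; either drop the bare "42crunch" trigger or extend that clause so setup, credential and binary requests route to `42crunch-setup` and spec-generation requests route to `42crunch-code-to-oas`. Falling through to the pipeline by default is the more expensive failure, since it ends in a live scan rather than a one-time configuration step.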
@@ -0,0 +1,29 @@
{
"name": "42crunch-api-security-testing",
"description": "Automate API security directly in GitHub Copilot with 42Crunch - automatically audit OpenAPI specs, detect vulnerabilities aligned with OWASP API Security risks (including BOLA/BFLA), and apply AI-powered fixes. Designed for AI-assisted development workflows, it provides continuous guardrails through an audit->scan->remediate->validate loop, ensuring APIs meet enterprise security standards before deployment.",
"version": "1.0.0",
"author": {
"name": "42Crunch",
"email": "support@42crunch.com"
},
"skills": [
"./skills/42crunch-api-security-testing/",
"./skills/42crunch-audit/",
"./skills/42crunch-code-to-oas/",
"./skills/42crunch-scan/",
"./skills/42crunch-setup/"
],
"license": "MIT",
"keywords": [
"openapi",
"api-security",
"audit",
"scan",
"remediation",
"vulnerability",
"compliance",
"owasp",
"ai",
"devsecops"
]
}
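Review bot: the `skills` array lists `./skills/42crunch-audit/` and the other four paths relative to plugins/42crunch-api-security-testing/, while docs/README.skills.md in this same PR links the SKILL.md files at `../skills/42crunch-audit/SKILL.md`, i.e. the repo-root skills/ directory. The diff shown here covers marketplace.json, the two docs tables, plugin.json, LICENSE and README.md and no file under a skills/ directory for this plugin, so confirm those five relative paths resolve (copies or symlinks under the plugin directory) before merging; a path that does not resolve would make the plugin install with no skills attached.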
21 changes: 21 additions & 0 deletions plugins/42crunch-api-security-testing/LICENSE
@@ -0,0 +1,21 @@
MIT License

Copyright 2026 42Crunch

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
162 changes: 162 additions & 0 deletions plugins/42crunch-api-security-testing/README.md
@@ -0,0 +1,162 @@
# 42Crunch API Security Plugin

Automate API security directly in GitHub Copilot with 42Crunch - audit OpenAPI specs, detect vulnerabilities aligned with OWASP API Security risks (including BOLA/BFLA), and apply AI-powered fixes.

## Overview

The `api-security-testing` plugin is designed for AI-assisted development workflows, it provides continuous guardrails through an **audit->scan->remediate->validate** loop, ensuring APIs meet enterprise security standards before deployment.

## Commands

| Skill | Description |
|---|---|
| [`/42crunch-setup`](./README.md#42crunch-setup) | Install the `42c-ast` binary and configure credentials (one-time) |
| [`/42crunch-audit`](./README.md#42crunch-audit) | Static security audit of an OpenAPI Specification file with scored findings and AI-assisted fixes |
| [`/42crunch-scan`](./README.md#42crunch-scan) | Live conformance and authorization scan (BOLA/BFLA) against a running API |
| [`/42crunch-api-security-testing`](./README.md#42crunch-api-security-testing) | Full audit + scan pipeline in a single session |
| [`/code-to-oas`](./README.md#code-to-oas) | Generate a complete `openapi.json` from your API source code|

## Prerequisites

- [GitHub Copilot](https://github.com/features/copilot) (CLI or IDE extension)
- A 42Crunch account — [freemium](https://42crunch.com/freemium/) or paid (Platform API key)
- For `42crunch-scan`: a running API server reachable at the URL in `servers[0]` of your OAS (or via `SCAN42C_HOST`)

The `42c-ast` binary is downloaded and kept up to date automatically on first use.

## Installation

Add the 42Crunch marketplace:

```
copilot plugin marketplace add 42Crunch-AI/copilot-plugins
```

Install the `api-security-testing` plugin:

```
copilot plugin install api-security-testing@42crunch-marketplace
```

## Quick Start

1. **Install the plugin** — add this marketplace to GitHub Copilot.
2. **Set up the environment** — say: *"set up 42crunch"*
3. **Audit your API** — say: *"run a 42Crunch audit"* (Copilot will offer to generate an OAS from source code if you don't have one)
4. **Fix issues** — Copilot presents findings by severity and asks your consent before changing anything
5. **Scan your API** — say: *"run a conformance scan"* against your running server

## Skills

### `42crunch-setup`

Installs the `42c-ast` binary for your OS/architecture, verifies its checksum, and walks you through credential configuration. Supports Platform (API key) and Freemium (token) modes. Credentials are stored in `~/.42crunch/conf/env` with `600` permissions.

> **Trigger:** "set up 42crunch", "configure 42crunch", "install 42c-ast", "update 42c-ast", "set api key", "42crunch not working", "binary not found"

**Usage:**
```
/42crunch-setup
```

---

### `42crunch-audit`

Runs a static analysis of an OpenAPI Specification and produces a 0–100 security score. Findings are classified into three tiers:

- **SQG-Blocking** — must fix to pass the Security Quality Gate
- **Security** — recommended fixes
- **Data Validation** — informational

Copilot asks your explicit consent before applying any changes, then re-runs the audit to confirm passage.

**Platform mode:** SQG threshold enforced from your platform policy.
**Freemium mode:** No automated SQG gate; you set the target score and blocking severity for the session.

> **Trigger:** "run audit", "42crunch audit", "fix audit issues", "SQG audit", "audit score"

**Usage:**
```
/42crunch-audit
```

---

### `42crunch-scan`

Runs a live conformance and authorization test against a running API server. Copilot confirms the target URL, checks reachability, analyses the OAS (operations, auth schemes, BOLA candidates), and presents a scan preview before any configuration begins. After a happy-path validation run, Copilot asks your consent before starting the full fuzzing scan.

Findings are classified into three tiers:

- **Authorization failures** — BOLA/BFLA confirmed
- **SQG-Blocking conformance** — must fix to pass the Security Quality Gate
- **Informational conformance** — surfaced for review

Copilot asks your consent before applying any fixes — both OAS contract updates and server-side code changes.

**Platform mode:** SQG enforced from platform policy.
**Freemium mode:** All findings presented informally; you decide what to fix.

> **Trigger:** "run scan", "scan only", "conformance test", "BOLA test", "BFLA test", "42crunch scan", "scan config"

**Usage:**
```
/42crunch-scan
```

---

### `42crunch-api-security-testing`

Orchestrates Audit (Phase 1) and Scan (Phase 2) in sequence. Resolves the OAS file and confirms the scan target URL up front. Each phase requires separate user consent. Produces a combined summary covering both phases.

> **Trigger:** "run audit and scan", "full 42crunch pipeline", "full security check", "audit then scan", "SQG"

**Usage:**
```
/42crunch-api-security-testing
```

---

### `code-to-oas`

Analyses your API codebase and generates a complete `openapi.json`. Detects routes, parameters, request/response schemas, auth middleware, data models, and server config. Performs a self-review pass before writing the file.

Supported frameworks: Express, Fastify, Koa, Hapi, NestJS, FastAPI, Flask, Django, Starlette, Spring Boot, Quarkus, Micronaut, Gin, Echo, Chi, Gorilla/mux, Rails, Sinatra, Grape, ASP.NET Core, and more.

> **Trigger:** "generate OAS from code", "create OpenAPI spec", "document my API", "reverse-engineer spec", "write openapi.json from my codebase"

**Usage:**
```
/code-to-oas
```

---

## Configuration

Credentials are read from `~/.42crunch/conf/env` (macOS/Linux) or `%APPDATA%\42Crunch\conf\env` (Windows), written by `42crunch-setup`. Never edit this file manually while a skill is running.

| Variable | Description | Mode |
|---|---|---|
| `API_KEY` | Platform token (`api_*` or `ide_*`) | Platform |
| `PLATFORM_HOST` | 42Crunch platform base URL (e.g. `https://us.42crunch.cloud`) | Platform |
| `FREEMIUM_TOKEN` | Freemium token (Base64) | Freemium |
| `SCAN42C_HOST` | Override scan target URL (overrides `servers[0]` in OAS) | Both |

Credentials are never printed in plaintext after entry.

---

## Links

- [42Crunch](https://42crunch.com/)
- [42Crunch Documentation](https://docs.42crunch.com)
- [42Crunch on GitHub](https://github.com/42Crunch)
- Support: support@42crunch.com

## License

MIT — see [LICENSE](./LICENSE) for details.
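Review bot: the Commands table entry `/code-to-oas`, the `### code-to-oas` section and its `/code-to-oas` usage line do not match the skill this plugin ships, which plugin.json registers as `./skills/42crunch-code-to-oas/` and docs/README.skills.md installs as `42crunch-code-to-oas`; rename the command, the heading and the `#code-to-oas` anchor to `42crunch-code-to-oas` so the documented slash command resolves. Two more naming mismatches in the same file: the Overview calls this "the `api-security-testing` plugin" and Installation runs `copilot plugin install api-security-testing@42crunch-marketplace` after `copilot plugin marketplace add 42Crunch-AI/copilot-plugins`, whereas this PR registers the plugin in this repository's marketplace as `42crunch-api-security-testing` and the skills table uses `gh skills install github/awesome-copilot 42crunch-...`; document the install path for this marketplace, or state plainly that the 42Crunch-AI marketplace is a separate channel that uses the shorter name. On the security side, Prerequisites says the `42c-ast` binary "is downloaded and kept up to date automatically on first use" and the setup section says it "verifies its checksum", but neither says where the binary is fetched from, where the expected checksum is published, or whether the auto-update can be pinned or disabled for CI; a reader granting a tool network access and execution rights on first use needs that, and a checksum served from the same location as the binary only catches corruption, not substitution. Finally, the scan section describes a "full fuzzing scan" against "a running API server" addressed via `servers[0]` or `SCAN42C_HOST`; add a one-line caution to point this at a test or staging instance, since conformance fuzzing sends malformed requests and BOLA/BFLA testing deliberately tries to reach other users' objects and privileged operations. Minor: the `600` permissions statement for `~/.42crunch/conf/env` in the setup section has no counterpart for the `%APPDATA%\42Crunch\conf\env` path listed under Configuration.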