42Crunch as a GitHub Action for API security
What middleBrick covers
- Black-box API scanning without agents or SDKs
- Risk score A to F with prioritized findings
- Maps findings to OWASP API Top 10 (2023)
- Supports audit evidence for SOC 2 and PCI-DSS
- CI/CD gating via GitHub Action integration
- Configurable scan depth and alert thresholds
GitHub Action integration overview
The GitHub Action provides a CI/CD gate that runs a black-box scan against an API endpoint during workflow execution. It submits a URL to the scanner, receives a risk score from A to F, and reports prioritized findings directly in the workflow run.
How it maps to security frameworks
Findings from the scan map directly to OWASP API Top 10 (2023), and they support audit evidence for SOC 2 Type II and PCI-DSS 4.0. This alignment helps you prepare for compliance reviews by surfacing findings relevant to those frameworks without claiming certification.
Authenticated scanning requirements
Authenticated scans require a verified domain and one of the supported credential types, such as Bearer tokens, API keys, Basic auth, or Cookies. Before credentials are accepted, the product performs a domain verification gate using DNS TXT records or an HTTP well-known file to confirm domain ownership. Only selected headers, including Authorization, X-API-Key, Cookie, and X-Custom-*, are forwarded to the API under scan.
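The two controls described above, a domain-ownership gate that must pass before credentials are used and an allowlist that limits which headers reach the API under scan, as an added example in Python. This is not middleBrick's code; the TXT record prefix, the well-known path, the token format and the sample records are assumptions, while the forwarded header names come from the text.

```python
"""Added example (not middleBrick's code): a domain-ownership gate and a
credential-header allowlist of the kind the text describes for
authenticated scans. The record prefix, the well-known path, the token
format and the sample inputs are assumptions."""
import fnmatch
import hmac
from typing import Iterable, Mapping, Optional, Tuple

# Hypothetical formats; the vendor's real record layout is not on the page.
TXT_PREFIX = "api-scan-verify="
WELL_KNOWN_PATH = "/.well-known/api-scan-verification.txt"

# Header names the scanner may forward (from the page); everything else is dropped.
FORWARDED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")


def _same_token(candidate: str, expected: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))


def is_forwardable(name: str) -> bool:
    # HTTP header names are case-insensitive, so match in lower case.
    # The X-Custom-* pattern needs the trailing hyphen: X-Customer does not qualify.
    lname = name.lower()
    return any(fnmatch.fnmatchcase(lname, pat.lower()) for pat in FORWARDED_HEADERS)


def filter_forwarded_headers(headers: Mapping[str, str]) -> dict:
    """Return only the allowlisted headers, so a stray Proxy-Authorization or
    tracing header supplied with the credentials never reaches the target."""
    return {k: v for k, v in headers.items() if is_forwardable(k)}


def verified_by_txt(expected_token: str, txt_records: Iterable[str]) -> bool:
    """DNS TXT check: some record for the domain carries the expected token."""
    for record in txt_records:
        if record.startswith(TXT_PREFIX):
            if _same_token(record[len(TXT_PREFIX):].strip(), expected_token):
                return True
    return False


def verified_by_well_known(expected_token: str, body: Optional[str]) -> bool:
    """HTTP check: the body fetched from WELL_KNOWN_PATH equals the token."""
    if body is None:
        return False
    return _same_token(body.strip(), expected_token)


def accept_credentials(expected_token: str, txt_records: Iterable[str],
                       well_known_body: Optional[str],
                       headers: Mapping[str, str]) -> Tuple[bool, dict]:
    """The gate: credentials are retained only once ownership is proven by
    either method; an unverified domain yields no forwarded headers at all."""
    owned = (verified_by_txt(expected_token, txt_records)
             or verified_by_well_known(expected_token, well_known_body))
    if not owned:
        return False, {}
    return True, filter_forwarded_headers(headers)


# Constructed sample inputs (not real records or credentials).
SAMPLE_TOKEN = "c0nstructed-verification-token"
SAMPLE_TXT = ["v=spf1 -all", "api-scan-verify=c0nstructed-verification-token"]
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-token",
    "X-Custom-Tenant": "acme",
    "Proxy-Authorization": "Basic should-not-leak",
    "X-Trace-Id": "1234",
}

if __name__ == "__main__":
    ok, forwarded = accept_credentials(SAMPLE_TOKEN, SAMPLE_TXT, None, SAMPLE_HEADERS)
    print(ok, sorted(forwarded))
```

Both verification paths compare the token in constant time and the allowlist is applied only after ownership is established, so a caller who has not proven control of the domain gets nothing forwarded, not even the allowlisted headers.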
Scan coverage and limitations
The scanner performs read-only checks using GET and HEAD methods, with limited text-only POST for LLM probes. It detects issues such as authentication misconfigurations, IDOR, privilege escalation, input validation problems, rate limiting, data exposure indicators, encryption settings, SSRF indicators, inventory issues, unsafe consumption patterns, and LLM/AI security probes. It does not perform active SQL injection or command injection testing, does not fix or remediate findings, and cannot detect business logic vulnerabilities or blind SSRF, which require human expertise and out-of-band infrastructure.
Integration into development workflows
In a GitHub workflow, the Action can fail the build when the score drops below a configured threshold, blocking deployment of vulnerable APIs. Results are shown in the GitHub Checks interface, and the Action supports configurable scan depth, such as Quick or Standard tiers, to balance thoroughness with execution time. Note that the Action is a scanner and does not replace a full human pentest for high-stakes audits.
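The gate decision described above, as an added Python example of the logic a workflow step could apply to a scan result before deciding whether to fail the job. This is not the middleBrick Action's code: the report layout, the severity names and the grade ordering are assumptions; only the A to F scale, the threshold idea and the OWASP API Top 10 (2023) mapping come from the page.

```python
"""Added example (not the middleBrick Action's code): CI gate logic over a
constructed scan result. The report layout, the severity names and
GRADE_ORDER are assumptions; the A to F scale, the threshold idea and the
OWASP API Top 10 (2023) category labels come from the page."""
import sys
from typing import Dict, List, Tuple

GRADE_ORDER = "ABCDEF"  # A is best; a higher index means more risk
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def grade_rank(grade: str) -> int:
    g = grade.strip().upper()
    if g not in GRADE_ORDER:
        raise ValueError(f"unknown grade {grade!r}")
    return GRADE_ORDER.index(g)


def evaluate_gate(report: Dict, min_grade: str = "C",
                  alert_severity: str = "high") -> Tuple[bool, List[str]]:
    """Return (passed, reasons). The gate fails when the score is worse than
    min_grade or when any finding reaches alert_severity; every reason is
    collected so the check output explains the whole decision, not just the
    first trigger."""
    reasons: List[str] = []
    if grade_rank(report["score"]) > grade_rank(min_grade):
        reasons.append(f"score {report['score']} is below the {min_grade} threshold")
    limit = SEVERITY_RANK[alert_severity.lower()]
    for f in report.get("findings", []):
        if SEVERITY_RANK.get(f["severity"].lower(), -1) >= limit:
            reasons.append(f"{f['severity']} finding {f['id']} [{f['owasp']}]: {f['title']}")
    return (not reasons), reasons


def summarize(report: Dict, passed: bool, reasons: List[str]) -> str:
    """Plain-text summary suitable for the check output or the job summary."""
    status = "PASS" if passed else "FAIL"
    lines = [f"API scan score: {report['score']} ({status})"]
    lines += [f"  - {r}" for r in reasons]
    return "\n".join(lines)


# Constructed sample result; ids, titles and the score are made up for the example.
SAMPLE_REPORT = {
    "score": "C",
    "findings": [
        {"id": "F-001", "severity": "high", "owasp": "API1:2023",
         "title": "Object reference accepted without ownership check (IDOR indicator)"},
        {"id": "F-002", "severity": "medium", "owasp": "API4:2023",
         "title": "No rate limiting observed on /login"},
        {"id": "F-003", "severity": "low", "owasp": "API8:2023",
         "title": "HSTS header missing"},
    ],
}

if __name__ == "__main__":
    # Thresholds would normally come from the workflow's inputs; hard-coded here.
    passed, reasons = evaluate_gate(SAMPLE_REPORT, min_grade="B", alert_severity="high")
    print(summarize(SAMPLE_REPORT, passed, reasons))
    sys.exit(0 if passed else 1)  # a non-zero exit is what fails the job
```

Two thresholds are kept separate on purpose: a team may tolerate a C overall while still refusing to ship with any single high-severity finding, and the summary lists every reason so the person reading the failed check does not have to rerun the scan to learn what else tripped it.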