42Crunch for API version deprecation audit
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Detects missing versioning and legacy path patterns
- Supports authenticated scans with token and header validation
- Analyzes OpenAPI specs with recursive reference resolution
- Continuous monitoring with diff detection across scans
- CLI and GitHub Action integration for CI/CD gating
Version Deprecation Audit Scope and Limitations
An API version deprecation audit requires mapping which endpoints remain active, which are deprecated, and which should be retired. middleBrick is a scanner focused on runtime behavior, not contract governance. It does not parse source control history or governance policies, so it cannot directly identify deprecated versions declared only in documentation or tickets. The scanner does detect inventory signals such as missing versioning in paths and server fingerprinting that can indicate legacy routes.
Detecting Legacy Paths and Missing Versioning
During a scan, middleBrick checks for version-agnostic paths and common legacy patterns such as /api/users versus /v1/api/users. The OpenAPI analysis parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime behavior. Findings include undefined security schemes, sensitive fields exposed in schemas, and deprecated operations still responding to requests. These signals help you verify that newer versioned routes are in use and that legacy paths are intentionally maintained or retired.
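The spec-side half of that analysis, as an added example that is not middleBrick's own code: a small OpenAPI walker that resolves local $ref chains recursively (with cycle protection), flags paths without a version segment, deprecated operations, operations that opt out of authentication, security schemes that are referenced but never defined, and sensitive-looking field names in response schemas. The sample spec, the finding names, and the version-segment regex are constructed for illustration; the runtime cross-check against live responses is not part of this block.

```python
import re
from typing import Any, Optional

# Constructed sample spec for illustration only (not a real service). It mixes
# a legacy unversioned path, its versioned successor, a deprecated operation,
# an operation that opts out of auth, and a nested $ref chain.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # referenced globally but never defined below
    "paths": {
        "/api/users": {
            "get": {"deprecated": True, "responses": {"200": {"description": "ok"}}},
        },
        "/v1/api/users": {
            "get": {"responses": {"200": {
                "description": "ok",
                "content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/UserList"}}},
            }}},
        },
        "/health": {
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},
        },
    },
    "components": {
        "securitySchemes": {"apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "email": {"type": "string"},
                "password_hash": {"type": "string"},
            }},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
VERSION_RE = re.compile(r"^/(api/)?v\d+(/|$)")  # assumed convention: /v1/..., /api/v2/...
SENSITIVE_FIELD_RE = re.compile(r"password|secret|token|ssn|api_?key", re.I)


def resolve_ref(spec: dict, ref: str) -> Any:
    """Follow a local JSON Pointer such as #/components/schemas/User."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]  # RFC 6901 unescape
    return node


def deref(spec: dict, node: Any, seen: frozenset = frozenset()) -> Any:
    """Recursively inline $ref targets; a ref already on the current chain is
    marked circular instead of recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(spec, resolve_ref(spec, ref), seen | {ref})
        return {k: deref(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(spec, v, seen) for v in node]
    return node


def schema_field_names(schema: Any, acc: Optional[set] = None) -> set:
    """Collect property names from an already-dereferenced schema tree."""
    acc = set() if acc is None else acc
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            acc.add(name)
            schema_field_names(sub, acc)
        if "items" in schema:
            schema_field_names(schema["items"], acc)
    return acc


def audit_spec(spec: dict) -> list[tuple]:
    """Return (finding, subject, detail) tuples for the inventory and
    security signals a version deprecation audit cares about."""
    findings = []
    global_sec = spec.get("security", [])
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    used = {name for req in global_sec for name in req}
    for path, item in spec.get("paths", {}).items():
        if not VERSION_RE.match(path):
            findings.append(("MISSING_VERSION", path, None))
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            if op.get("deprecated"):
                findings.append(("DEPRECATED_OPERATION", path, method.upper()))
            sec = op.get("security", global_sec)  # "security: []" explicitly opts out
            used |= {name for req in sec for name in req}
            if not sec:
                findings.append(("NO_AUTH", path, method.upper()))
            for resp in deref(spec, op).get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    for field in sorted(schema_field_names(media.get("schema", {}))):
                        if SENSITIVE_FIELD_RE.search(field):
                            findings.append(("SENSITIVE_FIELD", path, field))
    for name in sorted(used - defined):
        findings.append(("UNDEFINED_SECURITY_SCHEME", name, None))
    return findings


if __name__ == "__main__":
    for f in audit_spec(SAMPLE_SPEC):
        print(*f)
```

Two details matter for a deprecation audit: an operation-level `security: []` is a deliberate opt-out and must not fall back to the global requirement, and `$ref` resolution has to terminate on self-referencing schemas, otherwise a single recursive model (a tree node, a nested comment) hangs the analysis.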
Security Posture Around Versioned APIs
Security misconfigurations tend to multiply when several API versions coexist, because older versions rarely receive the same hardening as the current one. The scanner checks which authentication scheme each version enforces (Bearer, API key, Basic auth, and Cookie flows), so a legacy path that answers without credentials stands out next to its versioned successor; credentials for authenticated scans are only accepted for a target whose domain ownership has been verified. It also flags dangerous HTTP methods, CORS wildcard origins, missing pagination on collection endpoints, and excessive data exposure such as internal field leakage or PII patterns like email addresses and credit card numbers. The checks map to OWASP API Security Top 10 (2023) categories and can be cross-referenced to SOC 2 Type II and PCI-DSS 4.0 controls when assembling audit evidence.
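The runtime side of those checks, as an added example written for this page rather than taken from middleBrick: it runs over a constructed set of unauthenticated probe responses against two coexisting versions of the same resource and flags a dangerous method that is accepted, a wildcard CORS origin (rated higher when credentials are also allowed), email and card-number patterns in response bodies, internal field names, and the cross-version inconsistency where the legacy path serves data that the versioned path protects. The probe records, finding names, and internal-field heuristic are assumptions; the Luhn check is there so that any 16-digit order reference does not register as a card number.

```python
import re

# Constructed responses from an unauthenticated probe of two coexisting
# versions of the same resource (illustrative, not captured traffic).
PROBES = [
    {"method": "GET", "path": "/v1/users", "status": 401,
     "headers": {"WWW-Authenticate": "Bearer"}, "body": '{"error":"unauthorized"}'},
    {"method": "GET", "path": "/users", "status": 200,
     "headers": {"Access-Control-Allow-Origin": "*",
                 "Access-Control-Allow-Credentials": "true"},
     "body": '[{"id":1,"email":"alice@example.com","card":"4111 1111 1111 1111",'
             '"order_ref":"1234567890123456","internal_id":"db-7"}]'},
    {"method": "TRACE", "path": "/users", "status": 200, "headers": {},
     "body": "TRACE /users HTTP/1.1"},
    {"method": "TRACE", "path": "/v1/users", "status": 405, "headers": {}, "body": ""},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # candidate PANs, Luhn-filtered below
INTERNAL_FIELD_RE = re.compile(r'"(internal_\w+|_id|debug\w*)"\s*:')  # assumed naming heuristic
DANGEROUS_METHODS = {"TRACE", "TRACK"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out numeric ids that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def strip_version(path: str) -> str:
    """Map /v1/users and /api/v2/users onto the same logical resource."""
    return re.sub(r"^/(api/)?v\d+", "", path) or "/"


def audit_responses(probes: list) -> list:
    findings = []
    by_resource: dict = {}
    for p in probes:
        hdrs = {k.lower(): v for k, v in p["headers"].items()}
        ok = 200 <= p["status"] < 300
        if p["method"] in DANGEROUS_METHODS and ok:
            findings.append(("DANGEROUS_METHOD", p["path"], p["method"]))
        if hdrs.get("access-control-allow-origin") == "*":
            with_creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
            findings.append(("CORS_WILDCARD", p["path"], "high" if with_creds else "medium"))
        if ok:
            if EMAIL_RE.search(p["body"]):
                findings.append(("PII_EMAIL", p["path"], None))
            for m in CARD_RE.finditer(p["body"]):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    findings.append(("PII_CARD", p["path"], digits[-4:]))
            if INTERNAL_FIELD_RE.search(p["body"]):
                findings.append(("INTERNAL_FIELD_LEAK", p["path"], None))
        if p["method"] == "GET":
            by_resource.setdefault(strip_version(p["path"]), []).append(p)
    # Cross-version check: the same resource must not require auth on one
    # version while another version hands the data out unauthenticated.
    for versions in by_resource.values():
        guarded = sorted(v["path"] for v in versions if v["status"] in (401, 403))
        open_paths = sorted(v["path"] for v in versions if 200 <= v["status"] < 300)
        if guarded and open_paths:
            for path in open_paths:
                findings.append(("AUTH_INCONSISTENT", path, "auth required on " + ", ".join(guarded)))
    return findings


if __name__ == "__main__":
    for f in audit_responses(PROBES):
        print(*f)
```

The cross-version comparison is the part worth keeping when you retire a version: a 401 on /v1/users tells you nothing about /users until both are probed with the same (absent) credentials and grouped by logical resource.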
Integration Friction and Workflow Considerations
Integrating middleBrick into a deprecation workflow requires coordination between scanning and change management. Authenticated scans need domain verification via DNS TXT record or HTTP well-known file so that only the domain owner can submit credentials. The CLI allows scripted runs, for example middlebrick scan https://api.example.com, producing JSON or text output that can be incorporated into CI checks. The GitHub Action can gate merges when the score drops below a chosen threshold, but the tool does not auto-remediate or enforce deprecation policies; human review remains necessary to interpret findings in the context of version lifecycle decisions.
Continuous Monitoring for Ongoing Deprecation Tracking
For teams maintaining long-lived version migration plans, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection across scans highlights new findings, resolved findings, and score drift, including changes in inventory signals or security headers. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks notify external systems, with auto-disable after five consecutive failures. This monitoring helps ensure that deprecated endpoints do not reappear and that newly introduced routes comply with your security expectations.
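The receiving end of that monitoring, as an added example that is not middleBrick's own code: a webhook handler that verifies an HMAC-SHA256 signature over the raw request body with a constant-time comparison, and only then computes new findings, resolved findings, and score drift against the previous snapshot. The header name, the hex-digest format, the payload shape, and the finding ids are assumptions for illustration; take the real ones from the vendor's webhook documentation. The point the test makes is that verification must run over the exact bytes received, because re-serializing the JSON (even a trailing newline) changes the digest.

```python
import hashlib
import hmac
import json

# Constructed scan snapshots; finding ids and payload shape are illustrative.
PREVIOUS = {"score": 82, "findings": [
    {"id": "MISSING_VERSION:/api/users"},
    {"id": "CORS_WILDCARD:/api/users"},
]}
CURRENT = {"score": 74, "findings": [
    {"id": "CORS_WILDCARD:/api/users"},
    {"id": "NO_AUTH:/api/internal/export"},
]}
SECRET = b"whsec_example_only"  # assumed shared webhook secret, not a real value


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed signature format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header: str) -> bool:
    """Constant-time check; a missing or malformed header is a rejection, not an error."""
    if not signature_header:
        return False
    expected = sign(secret, raw_body).encode()
    presented = signature_header.strip().lower().encode()
    return hmac.compare_digest(expected, presented)


def diff_scans(prev: dict, cur: dict) -> dict:
    """New and resolved findings plus score drift between two snapshots."""
    prev_ids = {f["id"] for f in prev["findings"]}
    cur_ids = {f["id"] for f in cur["findings"]}
    return {
        "new": sorted(cur_ids - prev_ids),
        "resolved": sorted(prev_ids - cur_ids),
        "score_delta": cur["score"] - prev["score"],
    }


def make_delivery(secret: bytes, payload: dict) -> tuple:
    """Simulate the sender: serialize once, sign those exact bytes."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return raw, sign(secret, raw)


def handle_delivery(secret: bytes, raw_body: bytes, signature_header: str, previous: dict):
    """Receiver: reject unverified deliveries before parsing; otherwise return the diff."""
    if not verify_webhook(secret, raw_body, signature_header):
        return None
    return diff_scans(previous, json.loads(raw_body))


if __name__ == "__main__":
    raw, sig = make_delivery(SECRET, CURRENT)
    print(handle_delivery(SECRET, raw, sig, PREVIOUS))
```

Read the body as bytes before any JSON middleware touches it, and treat a failed verification as a silent 4xx rather than a logged exception: an attacker who can reach the endpoint should learn nothing about which half of the check failed.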