42Crunch for CI/CD security gate

What middleBrick covers

  • Black-box API security scanning under one minute per target
  • Read-only methods only, no destructive payloads in CI/CD
  • Detection of OWASP API Top 10 (2023) issues and LLM probes
  • OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with domain verification for credentials
  • GitHub Action integration with build-fail thresholds

CI/CD security gate overview

A CI/CD security gate runs checks before code merges or deploys. To be usable as a gate, a check must produce a deterministic pass/fail outcome, integrate with the pipeline's existing tooling, and return quickly enough not to lengthen the feedback loop. middleBrick operates as a gate by scanning the API surface black-box, which requires only a URL reachable from the runner. The gate fails the build when the scan score drops below a threshold set in the GitHub Action configuration.

Scan approach and coverage for CI/CD

middleBrick performs a read-only black-box scan that completes in under a minute. Requests are limited to GET and HEAD, plus text-only POST bodies for the LLM probes, so no destructive payloads are sent to the target. Note that a text-only POST is still a write from the target's point of view if the endpoint logs or bills prompts, so point the scan at a staging deployment where that matters. The scanner checks 12 categories aligned with the OWASP API Top 10 (2023), including authentication bypass, IDOR, privilege escalation, input validation, rate limiting, data exposure, SSRF, and LLM-specific probes. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to flag operations that reference undefined security schemes or are marked deprecated.
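The spec-side cross-reference described above, as an added example that is not middleBrick's parser: it resolves local $ref pointers recursively (leaving a self-referencing schema as a $ref instead of looping), then lists operations that reference a security scheme the document never defines, that declare no security requirement at all, or that are marked deprecated. The spec below is constructed for the example; it assumes JSON-form OpenAPI with local (`#/...`) references only, and reads both OpenAPI 3 `components.securitySchemes` and Swagger 2.0 `securityDefinitions`.

```python
"""Resolve local $refs in an OpenAPI/Swagger document and audit its operations.

Added example, not middleBrick's own code. SAMPLE_SPEC is constructed.
"""

# Constructed OpenAPI 3 document: one valid operation, one referencing an
# undefined scheme, one explicitly unauthenticated, one deprecated, plus a
# self-referencing schema to exercise the cycle guard.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "constructed demo API", "version": "1"},
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {"id": {"type": "integer"}}},
            "Node": {"type": "object",
                     "properties": {"children": {"type": "array",
                                                  "items": {"$ref": "#/components/schemas/Node"}}}},
        },
    },
    "paths": {
        "/users/{id}": {"get": {"security": [{"bearerAuth": []}],
                                "responses": {"200": {"description": "ok", "content": {
                                    "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/admin/export": {"get": {"security": [{"adminKey": []}], "responses": {}}},
        "/health": {"get": {"security": [], "responses": {}}},
        "/v1/legacy": {"get": {"deprecated": True, "security": [{"bearerAuth": []}], "responses": {}}},
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def resolve_pointer(doc, ref):
    """Walk a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")   # RFC 6901 unescaping
        node = node[part]
    return node


def resolve_refs(doc, node=None, seen=()):
    """Return a copy of `node` with local $refs inlined recursively.

    `seen` holds the refs on the current path; a ref already on the path is a
    cycle and is left as-is so recursive schemas do not expand forever.
    """
    if node is None:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen or not ref.startswith("#/"):
                return node
            return resolve_refs(doc, resolve_pointer(doc, ref), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def audit_operations(spec):
    """List (operation, issue) pairs: undefined schemes, no auth, deprecated."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    defined |= set(spec.get("securityDefinitions", {}))      # Swagger 2.0 name
    global_security = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            label = f"{method.upper()} {path}"
            # Operation-level security overrides the document default; an
            # explicit [] means the operation is reachable without credentials.
            security = op.get("security", global_security)
            if not security:
                findings.append((label, "no security requirement"))
            else:
                for requirement in security:
                    for scheme in requirement:
                        if scheme not in defined:
                            findings.append((label, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((label, "deprecated operation"))
    return sorted(findings)


if __name__ == "__main__":
    for op, issue in audit_operations(resolve_refs(SAMPLE_SPEC)):
        print(f"{op}: {issue}")
```

Running the audit on the resolved document rather than the raw one matters when path items themselves are `$ref`s to shared definitions; the cycle guard is what keeps a recursive schema from turning that resolution into infinite recursion.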

Authenticated scanning and domain verification

For endpoints that require authentication, middleBrick supports Bearer tokens, API keys, Basic auth, and cookies at the Starter tier and above. Before credentials are accepted for a domain, ownership must be proven with a DNS TXT record or an HTTP well-known file, so only the domain owner can submit credentials for scanning; this stops a pipeline secret being replayed against a host the submitter does not control. Only headers on a restricted allowlist are forwarded to the target (Authorization, X-API-Key, Cookie, and X-Custom-* headers), which reduces noise and limits what the scanner can leak.
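The two checks described above, as an added example that is not middleBrick's own code: credentials are only forwarded once the domain has proven ownership through either a DNS TXT record or a well-known file, and then only the allowlisted headers go through, with `X-Custom-*` treated as a prefix wildcard. The TXT record format, the well-known path and the fixture lookups are assumptions for the example; real DNS and HTTP lookups are replaced by constructed tables so it runs offline.

```python
"""Credential-forwarding gate: domain verification plus header allowlist.

Added example, not middleBrick's own code. Record format, well-known path and
the fixture data are assumptions.
"""
import fnmatch
import secrets

# Headers that may reach the target; matched case-insensitively.
HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Assumed proof formats for the example.
TXT_PREFIX = "middlebrick-verify="
WELL_KNOWN_PATH = "/.well-known/middlebrick-verify.txt"

# Constructed fixtures standing in for DNS TXT lookups and HTTP fetches.
FAKE_TXT = {"api.example.com": ["v=spf1 -all", "middlebrick-verify=abc123"]}
FAKE_HTTP = {"https://shop.example.net/.well-known/middlebrick-verify.txt": "tok456\n"}


def fake_txt_lookup(name):
    return FAKE_TXT.get(name, [])


def fake_http_get(url):
    return FAKE_HTTP.get(url)


def filter_headers(headers):
    """Keep only headers whose name matches an allowlist entry."""
    kept = {}
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in HEADER_ALLOWLIST):
            kept[name] = value
    return kept


def domain_verified(domain, token, txt_lookup, http_get):
    """True if the DNS TXT record or the well-known file carries the token.

    txt_lookup(name) -> list of TXT strings; http_get(url) -> body or None.
    Constant-time comparison so a failed probe reveals nothing about the token.
    """
    expected = TXT_PREFIX + token
    for record in txt_lookup(domain):
        if secrets.compare_digest(record.strip(), expected):
            return True
    body = http_get(f"https://{domain}{WELL_KNOWN_PATH}")
    if body is not None and secrets.compare_digest(body.strip(), token):
        return True
    return False


def prepare_scan_headers(domain, token, headers, txt_lookup, http_get):
    """Headers to send with the scan; refuses outright if the domain is unverified.

    Failing closed here is the point: a CI job must not be able to aim a stored
    secret at a host the submitter does not own.
    """
    if not domain_verified(domain, token, txt_lookup, http_get):
        raise PermissionError(f"{domain} has not completed domain verification")
    return filter_headers(headers)


if __name__ == "__main__":
    sent = prepare_scan_headers("api.example.com", "abc123",
                                {"Authorization": "Bearer x", "X-Custom-Tenant": "t1",
                                 "X-Forwarded-For": "10.0.0.1"},
                                fake_txt_lookup, fake_http_get)
    print(sent)
```

In a real implementation the two lookup callables would wrap a DNS resolver and an HTTP client; keeping them injectable is also what makes the gate unit-testable without network access.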

Integration with GitHub Actions and pipeline workflows

The GitHub Action installs the middleBrick CLI and scans the API endpoints named in the workflow file. Configure it to fail the build when the score drops below a chosen grade and it becomes a CI/CD security gate that blocks merges or deployments. Any credentials it needs belong in repository or environment secrets, not in the workflow file itself. The action emits JSON or text results that downstream tooling can consume for reporting or ticket creation, and scan data can be retained in the middleBrick dashboard for trend analysis across branches and releases.

Limitations and complementary testing practices

middleBrick does not perform active SQL injection or command injection testing, nor does it detect business logic vulnerabilities that require domain understanding. Blind SSRF and certain client-side issues are also out of scope, since confirming them depends on out-of-band infrastructure the scanner does not provide. It does not replace a human pentester for high-stakes audits; what it provides is repeatable, fast feedback that complements broader test suites and manual review, so keep those in the pipeline alongside it.

Frequently Asked Questions

How does the GitHub Action fail the build?
The action compares the scan score against a configurable threshold. If the score is below the threshold, the action exits with a non-zero status, so the step fails and, unless the step is marked continue-on-error, the job and any jobs that depend on it fail with it.
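The gate behaviour described in the integration section and in this answer, as an added example that is not the middleBrick Action or CLI: it reads the scanner's JSON output, compares the grade to a threshold, optionally blocks on findings of a given severity, and turns the verdict into an exit status the pipeline honours. The field names (`grade`, `score`, `findings`, `severity`), the A-F grade ladder and the sample result are assumptions constructed for the example; the `::error::` and `::notice::` lines are GitHub Actions workflow commands so the reason surfaces in the job log.

```python
"""Build gate over scan output: turn a grade threshold into an exit status.

Added example, not the middleBrick GitHub Action or CLI. Field names, the
grade ladder and SAMPLE_RESULT are assumptions for the example.
"""
import json
import sys

GRADES = ("A", "B", "C", "D", "F")          # best to worst; assumed ladder

# Constructed scan result.
SAMPLE_RESULT = {
    "target": "https://api.example.com",
    "score": 72,
    "grade": "C",
    "findings": [
        {"severity": "medium", "title": "rate limiting not observed"},
        {"severity": "high", "title": "endpoint reachable without credentials"},
    ],
}
SAMPLE_JSON = json.dumps(SAMPLE_RESULT)


def grade_rank(grade):
    """0 for the best grade; ValueError for anything off the ladder."""
    return GRADES.index(str(grade).upper())


def evaluate(result, min_grade, fail_on_severity=("critical", "high")):
    """Return (exit_code, reason): 0 pass, 1 policy failure, 2 unusable input.

    Anything that cannot be evaluated fails closed with 2 rather than passing,
    so a broken scan or a misconfigured threshold never lets a merge through.
    """
    try:
        actual = grade_rank(result["grade"])
        required = grade_rank(min_grade)
    except (KeyError, ValueError, TypeError, AttributeError):
        return 2, "grade missing or unrecognised; failing closed"
    if actual > required:
        return 1, f"grade {result['grade']} is below threshold {min_grade}"
    blocking = [f for f in result.get("findings", [])
                if str(f.get("severity", "")).lower() in fail_on_severity]
    if blocking:
        return 1, f"{len(blocking)} finding(s) at blocking severity {list(fail_on_severity)}"
    return 0, f"grade {result['grade']} meets threshold {min_grade}"


def gate(raw_json, min_grade, fail_on_severity=("critical", "high")):
    """Parse scanner JSON, print a workflow command with the reason, return the exit code."""
    try:
        result = json.loads(raw_json)
    except json.JSONDecodeError:
        print("::error::scan output is not valid JSON", file=sys.stderr)
        return 2
    if not isinstance(result, dict):
        print("::error::scan output is not a JSON object", file=sys.stderr)
        return 2
    code, reason = evaluate(result, min_grade, fail_on_severity)
    print(("::error::" if code else "::notice::") + reason)
    return code


if __name__ == "__main__":
    # Usage: python gate.py <min_grade> [scan.json]; defaults to the constructed sample.
    threshold = sys.argv[1] if len(sys.argv) > 1 else "B"
    raw = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_JSON
    sys.exit(gate(raw, threshold))
```

Separating exit code 2 (the gate could not evaluate) from 1 (the gate evaluated and refused) lets a workflow distinguish a scanner outage from a genuine regression while still failing the job in both cases.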
Can authenticated scans be run in CI/CD pipelines?
Yes, authenticated scanning is supported from Starter tier onward. Credentials must be provided as secrets, and domain verification must be completed before scans with credentials are accepted.
What happens to scan data after a pipeline run?
Results are available in the dashboard and can be exported. Customer data is deletable on demand and purged within 30 days of cancellation. Scan data is never sold and is not used for model training.
Does the scanner validate compliance with frameworks such as PCI-DSS?
The scanner maps findings to PCI DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) controls. For other frameworks it helps you prepare for audits by surfacing findings relevant to those controls. A control mapping is evidence you can hand to an assessor, not a certification; the compliance determination itself remains the assessor's.