Migrating from 42Crunch to Salt Security
What middleBrick covers
- Black-box API scanning without agents or SDKs
- Risk scoring aligned to OWASP API Top 10
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- CI/CD integration via CLI and webhooks
- Continuous monitoring with scheduled rescans
- Authenticated scanning for Bearer, API key, Basic, and Cookie
Purpose and scope of migration
This guide outlines how to move from a self-hosted or managed scanner to a self-service API security scanner while preserving scan intent and CI/CD integration. The focus is on mapping existing checks, exporting data, and rebuilding workflows; middleBrick is treated as the destination platform rather than as the subject of a feature-by-feature comparison.
Data export and evidence preservation
Before migrating, export scan artifacts from your current platform in a structured format. Preferred artifacts include JSON reports, issue lists with severity, and environment inventories. If your source provides a dashboard API, use it to pull findings and metadata; otherwise export CSV or HTML reports and retain the raw requests and responses used to trigger each finding.
For each exported finding, keep the following fields to support rebuild and audit trails:
- Unique finding identifier
- Title and description
- Severity or risk rating
- Affected endpoint, method, and parameter
- Evidence such as response snippets or error messages
- Timestamp of scan execution
- Remediation guidance attached to the finding
Retain these exports outside the source platform so you can correlate them later when rebuilding test coverage in the new environment.
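The following script is an added example (not code from this page or from middleBrick) of the two steps above: checking that every exported finding still carries the retained fields, and correlating the old export with the first report from the new scanner so that coverage gaps stand out. The record layout (field names such as "endpoint", "method", "title") and the sample data are constructed assumptions; map your real export columns onto them.

```python
"""Validate an exported finding set and correlate it with a new scanner report.

Added example, not the page's or middleBrick's own code. Field names and the
sample findings below are assumptions standing in for a real export.
"""
from dataclasses import dataclass

# The fields the guide says to keep for every exported finding.
REQUIRED_FIELDS = ("id", "title", "description", "severity", "endpoint",
                   "method", "parameter", "evidence", "timestamp", "remediation")

# Constructed sample export from the old platform (one record is incomplete).
OLD_EXPORT = [
    {"id": "SRC-101", "title": "Missing rate limiting", "description": "No 429 after burst",
     "severity": "medium", "endpoint": "/v1/login/", "method": "post", "parameter": "-",
     "evidence": "200 OK x 200 in 5s", "timestamp": "2024-01-10T09:00:00Z",
     "remediation": "Apply per-client rate limits"},
    {"id": "SRC-102", "title": "Verbose error message", "description": "Stack trace in body",
     "severity": "low", "endpoint": "/v1/users/{id}", "method": "GET", "parameter": "id",
     "evidence": "Traceback (most recent call last)", "timestamp": "2024-01-10T09:00:00Z",
     "remediation": "Return generic errors"},
    {"id": "SRC-103", "title": "Incomplete record", "description": "",
     "severity": "low", "endpoint": "/v1/health", "method": "GET", "parameter": "-",
     "evidence": "", "timestamp": "2024-01-10T09:00:00Z", "remediation": ""},
]
# Constructed first report from the new scanner.
NEW_REPORT = [
    {"id": "NEW-1", "title": "Missing Rate Limiting", "severity": "medium",
     "endpoint": "/v1/login", "method": "POST"},
    {"id": "NEW-2", "title": "CORS wildcard origin", "severity": "medium",
     "endpoint": "/v1/users/{id}", "method": "GET"},
]


@dataclass(frozen=True, order=True)
class FindingKey:
    """Platform-independent identity: the same check on the same route."""
    method: str
    endpoint: str
    title: str


def normalize_key(finding: dict) -> FindingKey:
    # Case, surrounding whitespace and trailing slashes differ between tools;
    # strip them so the same finding correlates across platforms.
    return FindingKey(
        method=finding["method"].strip().upper(),
        endpoint=finding["endpoint"].strip().rstrip("/").lower() or "/",
        title=" ".join(finding["title"].split()).lower(),
    )


def validate_export(findings: list[dict]) -> list[str]:
    """One message per finding that lacks a retained field; empty means complete."""
    problems = []
    for f in findings:
        missing = [k for k in REQUIRED_FIELDS if not f.get(k)]
        if missing:
            problems.append(f"{f.get('id', '?')}: missing {', '.join(missing)}")
    return problems


def correlate(old: list[dict], new: list[dict]) -> dict[str, list[FindingKey]]:
    """Split findings into matched, missing-in-new (a coverage gap) and new-only."""
    old_keys = {normalize_key(f) for f in old}
    new_keys = {normalize_key(f) for f in new}
    return {
        "matched": sorted(old_keys & new_keys),
        "missing_in_new": sorted(old_keys - new_keys),
        "new_only": sorted(new_keys - old_keys),
    }


if __name__ == "__main__":
    for problem in validate_export(OLD_EXPORT):
        print("export problem:", problem)
    for bucket, keys in correlate(OLD_EXPORT, NEW_REPORT).items():
        print(bucket, [f"{k.method} {k.endpoint}: {k.title}" for k in keys])
```

Findings that land in `missing_in_new` are the ones to re-check by hand: either the new scanner does not run an equivalent check, or the endpoint was not imported.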
Rebuilding test coverage and CI wiring
Recreate coverage by importing endpoints into the new scanner via its dashboard or API. Group endpoints by service or component and assign tags that mirror your previous classifications (public, internal, authenticated). For authenticated contexts, provide tokens or credentials that are valid in a non-production environment and confirm domain ownership as required by the platform.
In CI/CD, use the scanner’s CLI or API to enforce quality gates. Example shell integration:
middlebrick scan https://api.example.com/openapi.json --auth-type bearer --auth-token $TOKEN --format json --output /tmp/report.json
Parse the JSON output to extract the highest risk score or specific findings that should fail the build. Configure the pipeline to halt when a predefined threshold is crossed, and route notifications through existing channels such as email or chat.
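As an added example of the gate described above (not middleBrick's CLI or its report schema), the script below reads a JSON report, extracts the highest risk score, and exits non-zero when a threshold is crossed or a high-severity finding is present. The report layout it reads (a "findings" list whose entries carry "risk_score", "severity" and "title") and the assumption that a higher score means more risk are both assumptions; confirm them against a real report before wiring this into a pipeline.

```python
"""Turn a JSON scan report into a CI pass/fail decision.

Added example, not middleBrick's own code. The report layout and the
constructed sample are assumptions.
Usage: python gate.py /tmp/report.json  (without an argument it runs on the sample)
"""
import json
import sys

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample standing in for /tmp/report.json.
SAMPLE_REPORT = {
    "target": "https://api.example.com/openapi.json",
    "findings": [
        {"title": "Broken object level authorization", "severity": "high",
         "risk_score": 82, "endpoint": "/v1/orders/{id}", "method": "GET"},
        {"title": "Missing rate limiting", "severity": "medium",
         "risk_score": 55, "endpoint": "/v1/login", "method": "POST"},
        {"title": "Server header disclosure", "severity": "info",
         "risk_score": 10, "endpoint": "/v1/health", "method": "GET"},
    ],
}


def highest_risk_score(report: dict) -> int:
    """Highest per-finding risk score; 0 for a clean or empty report."""
    return max((int(f.get("risk_score", 0)) for f in report.get("findings", [])), default=0)


def evaluate_gate(report: dict, *, max_risk_score: int = 70,
                  fail_on_severity: str = "high",
                  always_fail_titles: tuple = ()) -> list[str]:
    """Return the reasons the build should fail; an empty list means pass."""
    reasons = []
    top = highest_risk_score(report)
    if top > max_risk_score:
        reasons.append(f"highest risk score {top} exceeds threshold {max_risk_score}")
    threshold = SEVERITY_ORDER[fail_on_severity.lower()]
    blocked = {t.lower() for t in always_fail_titles}
    for f in report.get("findings", []):
        sev = str(f.get("severity", "info")).lower()
        where = f"{f.get('method', '?')} {f.get('endpoint', '?')}"
        if SEVERITY_ORDER.get(sev, 0) >= threshold:
            reasons.append(f"{sev} finding on {where}: {f.get('title')}")
        elif str(f.get("title", "")).lower() in blocked:
            # Specific checks the team has decided must never ship, regardless of severity.
            reasons.append(f"blocked finding on {where}: {f.get('title')}")
    return reasons


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    reasons = evaluate_gate(report, always_fail_titles=("Missing rate limiting",))
    for reason in reasons:
        print("GATE FAIL:", reason, file=sys.stderr)
    print("gate:", "FAIL" if reasons else "PASS")
    return 1 if reasons else 0  # a non-zero exit status halts the pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the step after the scan command, and let the pipeline's existing notification hooks pick up the failed job; the printed reasons give the team the endpoint and check that tripped the gate.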
Mapping to compliance frameworks and limitations
The scanner maps findings to common security frameworks to support audit evidence and governance reviews. It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare by aligning findings with the security controls those regulations describe; however, it does not certify or guarantee compliance with any specific standard.
Note that the tool does not perform intrusive exploit validation, so findings such as blind SSRF or business logic vulnerabilities should be supplemented with manual review or specialized tools. Treat the output as one layer of assurance within a broader program rather than a standalone audit.
Operational differences and known gaps
Unlike platform-specific scanners, this tool performs black-box scanning without agents or SDKs. It supports read-only methods and text-only POST probes, which means it cannot test mutation-based or state-changing operations that your application may require. It also does not detect blind SSRF via out-of-band channels or validate business logic in depth.
Continuous monitoring features such as scheduled rescans, diff detection, and score drift reporting allow you to track changes over time. Configure email alerts at your desired cadence and use signed webhooks to integrate findings into external dashboards or ticketing systems. Remember that the tool does not fix or patch issues; it surfaces findings with remediation guidance for your team to act upon.