42Crunch
Category: API Security
License: Commercial (with Free tier)
Suphi Cankurt
AppSec Enthusiast
Updated February 9, 2026
6 min read
Key Takeaways
  • 42Crunch audits OpenAPI specs with 300+ security checks and scores each API from 0 to 100, covering security definitions (30 pts) and data validation (70 pts).
  • The micro API firewall enforces OpenAPI contracts at runtime using a positive security model, adding sub-millisecond latency when deployed as a Kubernetes sidecar.
  • IDE extensions for VS Code, 19+ JetBrains IDEs, and Eclipse have been used by over 1.6 million developers, with a freemium tier that works without an account.
  • CI/CD integration supports GitHub Actions, GitLab, Azure Pipelines, Jenkins, Bitbucket, Bamboo, and Tekton with SARIF output for code scanning alerts.

42Crunch is an API security tools platform that audits OpenAPI specifications, tests live APIs for conformance, and deploys micro firewalls for runtime protection. Its IDE extensions have been used by over 1.6 million developers across VS Code, JetBrains, and Eclipse.

42Crunch OpenAPI Explorer in VS Code showing API structure navigation

The company was founded in 2016 by Jacques Declas and Isabelle Mauny. It is headquartered in London and backed by a $17M Series A round led by Energy Impact Partners, with Adara Ventures participating.

What is 42Crunch?

42Crunch covers the API security lifecycle from design through runtime. The platform works in three stages: audit your OpenAPI spec before deployment, scan the running API for conformance issues, and then protect it with a micro firewall that enforces the contract in production.

Unlike traffic-based API security tools that analyze behavior after deployment, 42Crunch starts with the OpenAPI definition itself. The spec becomes the single source of truth for what the API should accept, return, and block.

API Security Audit
Static analysis of OpenAPI definitions with 300+ checks across security, data validation, and spec compliance. Each API gets a score from 0 to 100.
API Conformance Scan
Dynamic testing that sends real traffic to live API endpoints. Validates that the implementation matches the documented contract and flags deviations.
Micro API Firewall
Runtime protection deployed as a sidecar or gateway. Blocks any transaction that does not conform to the OpenAPI definition. Sub-millisecond latency overhead.

Key Features

Feature                 | Details
------------------------|---------------------------------------------------------------------------
Security Audit          | 300+ checks on OpenAPI v2, v3.0, v3.1 definitions
Audit Scoring           | 0-100 score (30 pts security, 70 pts data validation)
Conformance Scan        | Dynamic testing with happy path, unhappy path, and custom tests
Micro API Firewall      | Positive security model based on OpenAPI contract enforcement
IDE Support             | VS Code, 19+ JetBrains IDEs, Eclipse
CI/CD Integration       | GitHub Actions, GitLab, Azure Pipelines, Jenkins, Bitbucket, Bamboo, Tekton
API Contract Generator  | Converts Postman Collections and HAR files to OpenAPI specs
File Support            | JSON and YAML, up to 10 MB per file

API Security Audit

Security Audit performs static analysis on OpenAPI definitions. It runs over 300 checks across three categories:

  • Security definitions — evaluates authentication methods, authorization schemes, and transport security (up to 30 points)
  • Data validation — assesses input/output schemas, data constraints, and format enforcement (up to 70 points)
  • OpenAPI format — checks structural validity and adherence to OpenAPI specification rules

The audit follows up to six consecutive JSON schema references when calculating scores. Each issue found deducts points based on severity, and sensitivity multipliers adjust deductions based on operation risk levels.

42Crunch recommends a minimum audit score of 70 before running conformance scans. APIs scoring below that threshold lack sufficient security definitions for reliable firewall protection.

42Crunch API Security Audit issues list in VS Code showing severity levels

Key Differentiator
42Crunch treats the OpenAPI definition as the single source of truth. The same spec drives the audit score, conformance tests, and runtime firewall rules — no separate configuration required.

API Conformance Scan

Conformance Scan generates real traffic against live API endpoints. It follows a four-stage process:

  1. Preparation — parses the OpenAPI definition, generates parameter values, verifies authentication, and checks endpoint availability
  2. Happy path tests — sends valid requests to confirm baseline behavior (expects HTTP 200-399 or 404)
  3. Test generation — creates test payloads based on happy path responses
  4. Scan execution — sends test requests at a constant rate and analyzes responses

The scan engine supports multiple test types:

  • Happy path tests — baseline validation with valid inputs
  • Conformance tests — schema injection, parameter injection, header injection, and HTTP method tests
  • Unhappy path tests (v2 engine) — error scenario testing with expected 4XX responses
  • Custom tests (v2 engine) — user-defined tests for specific implementation scenarios
  • Drift scan (v2 engine) — lightweight monitoring to verify deployed APIs maintain expected behavior

Parameter values are generated automatically from OpenAPI constraints. Standard formats like dates, emails, IPs, and UUIDs follow RFC specifications. Developers can override defaults using x-42c-sample, default, enum, or example properties.

42Crunch states that invasive scans should only run against APIs you own, and only against non-production systems. Drift scans are the exception — those are approved for production.
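As an added illustration of how the scan stages above fit together (example code, not 42Crunch's engine): the generator below picks a happy-path value from a parameter schema, derives one out-of-contract variant per constraint for unhappy-path tests, and encodes the status expectations the text describes. The precedence among x-42c-sample, example, default and enum, and the fixed sample strings for email and IPv4, are assumptions.

```python
import uuid
from datetime import date

# Illustration of schema-driven value generation; the override precedence and
# the fixed sample strings below are assumptions, not 42Crunch's documented rules.

def happy_value(schema):
    """Pick a value that satisfies the schema, honouring developer overrides first."""
    for key in ("x-42c-sample", "example", "default"):  # assumed precedence
        if key in schema:
            return schema[key]
    if "enum" in schema:
        return schema["enum"][0]
    fmt = schema.get("format")
    if fmt == "uuid":
        return str(uuid.uuid4())                # RFC 4122
    if fmt == "date":
        return date.today().isoformat()         # RFC 3339 full-date
    if fmt == "email":
        return "user@example.com"               # reserved example domain
    if fmt == "ipv4":
        return "192.0.2.1"                      # RFC 5737 documentation range
    if schema.get("type") == "integer":
        return schema.get("minimum", 0)
    return "a" * schema.get("minLength", 1)

def unhappy_values(schema):
    """Values that each violate exactly one constraint; a conformant API must answer 4xx."""
    out = []
    if "enum" in schema:
        out.append("not-in-enum")
    if "maxLength" in schema:
        out.append("a" * (schema["maxLength"] + 1))
    if "maximum" in schema:
        out.append(schema["maximum"] + 1)
    if "minimum" in schema:
        out.append(schema["minimum"] - 1)
    if schema.get("type") == "integer":
        out.append("not-an-integer")
    return out

def conforms(kind, status):
    """Happy path expects HTTP 200-399 or 404; unhappy path expects a 4xx response."""
    if kind == "happy":
        return 200 <= status < 400 or status == 404
    return 400 <= status < 500
```

A 5xx on an unhappy-path request is the finding to chase: it means a malformed input reached the implementation instead of being rejected at the contract boundary.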

Micro API Firewall

API Protection deploys a micro firewall in front of each API. It enforces the OpenAPI contract on every incoming and outgoing transaction using a positive security model.

The firewall creates an allowlist from the API definition. Any request or response that falls outside the contract gets blocked. This differs from traditional WAFs that rely on signature-based detection of known attack patterns.

When deployed as a sidecar proxy in Kubernetes pods, 42Crunch reports sub-millisecond latency overhead. The firewall also runs on standalone deployments outside container orchestrators.
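To show what a positive security model means in practice, here is an added example (not 42Crunch's firewall code) that treats a constructed OpenAPI fragment as an allowlist: a request is admitted only if its path, method and every parameter are declared in the contract and satisfy their schemas; anything else is denied with a reason.

```python
import re

# Constructed OpenAPI 3.0 fragment (not a real 42Crunch artifact): one GET operation
# with one path parameter and one optional query parameter. Nothing else is allowed.
CONTRACT = {"paths": {"/users/{id}": {"get": {"parameters": [
    {"name": "id", "in": "path", "required": True,
     "schema": {"type": "string", "pattern": r"^[0-9a-f]{8}$"}},
    {"name": "fields", "in": "query",
     "schema": {"type": "string", "enum": ["basic", "full"]}},
]}}}}

def _match_path(template, path):
    """Return the path parameters if `path` fits `template`, else None."""
    regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    m = re.match(regex, path)
    return m.groupdict() if m else None

def _fits(schema, value):
    """Check one string value against the JSON Schema keywords used above."""
    if "enum" in schema and value not in schema["enum"]:
        return False
    if "pattern" in schema and not re.search(schema["pattern"], value):
        return False
    return "maxLength" not in schema or len(value) <= schema["maxLength"]

def check_request(contract, method, path, query):
    """Return (allowed, reason). Deny unless every part is declared and valid."""
    for template, ops in contract["paths"].items():
        path_params = _match_path(template, path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not in contract"
        declared = {p["name"]: p for p in op.get("parameters", [])}
        for name, value in path_params.items():
            if name not in declared or not _fits(declared[name]["schema"], value):
                return False, f"path parameter {name} undeclared or violates schema"
        for name, value in query.items():  # undeclared parameters are denied
            p = declared.get(name)
            if p is None or p["in"] != "query":
                return False, f"undeclared query parameter {name}"
            if not _fits(p["schema"], value):
                return False, f"query parameter {name} violates schema"
        for name, p in declared.items():  # required query parameters must be present
            if p["in"] == "query" and p.get("required") and name not in query:
                return False, f"missing required parameter {name}"
        return True, "ok"
    return False, "path not in contract"
```

Response enforcement follows the same pattern, checking the status code and body fields against the operation's declared responses before anything leaves the service.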

API Contract Generator

A newer addition to the platform, the API Contract Generator converts existing Postman Collections and HAR (HTTP Archive) files into OpenAPI definitions. It processes up to 10 input files (250 MB combined) and runs directly in VS Code and JetBrains IDEs.

This is useful for teams that have APIs running without formal OpenAPI documentation — generating the spec is the first step toward auditing and protecting them.

Integrations

IDE Extensions

42Crunch’s IDE extensions have been used by over 1.6 million developers worldwide as of November 2025. They support Security Audit, Conformance Scan, and the API Contract Generator.

IDEs:

  • VS Code
  • JetBrains (19+ IDEs)
  • Eclipse

Three execution modes are available in the IDE:

  • Freemium — stateless centralized service with usage limits, no account needed
  • Local CLI — runs the 42Crunch AST binary locally
  • Platform — connects to the full 42Crunch SaaS platform via IDE tokens

The VS Code extension includes an OpenAPI editor with IntelliSense, code navigation, SwaggerUI/ReDoc preview, and a “Try It” feature for testing API operations directly from the editor.

CI/CD Pipelines

CI/CD platforms:

  • GitHub Actions
  • GitLab Pipelines
  • Azure Pipelines
  • Jenkins
  • Bitbucket Pipelines
  • Bamboo
  • Tekton

A generic Docker image is also available for CI/CD platforms not on this list.

The GitHub Actions integration (42Crunch/api-security-audit-action) runs static security testing on OpenAPI files, sets minimum score thresholds, and uploads findings to GitHub Code Scanning alerts as SARIF reports.

42Crunch platform integration architecture showing IDE, CI/CD, and platform connections

Cloud Marketplaces

42Crunch is available on the Microsoft Azure Marketplace and integrates with Microsoft Defender for Cloud.

Getting started

  1. Install the IDE extension — Search for “42Crunch” in the VS Code, JetBrains, or Eclipse marketplace. The freemium tier works without an account.
  2. Open an OpenAPI file — The extension activates on .json and .yaml files that contain OpenAPI definitions. Use the OpenAPI Explorer panel to navigate the structure.
  3. Run Security Audit — Click the audit button in the editor. The tool runs 300+ checks and returns a score with categorized issues. Use quick-fix suggestions to resolve findings.
  4. Run Conformance Scan — Point the scan at a running API endpoint. The engine generates test traffic based on the OpenAPI definition and reports conformance violations.

For the full platform (CI/CD gates, runtime protection, team dashboards), create an account at 42crunch.com and generate an API token for your integrations.

When to use 42Crunch

42Crunch fits teams that already use OpenAPI specifications or are willing to adopt them. The entire platform revolves around the OpenAPI contract, so teams without formal API documentation need to create specs first (the Contract Generator helps with that).

It works well when:

  • Your APIs have OpenAPI definitions and you want automated security scoring in the IDE and CI/CD pipeline
  • You need a runtime firewall that enforces the API contract, not just signature-based blocking
  • You want to shift API security left into the development workflow rather than testing only after deployment
  • Compliance requirements demand documented, tested, and enforced API security policies

Best For
API-first teams that maintain OpenAPI specifications and want security checks embedded in their IDE, CI/CD pipeline, and production runtime — all driven from the same contract.

It is probably not the right fit when:

  • Your APIs lack formal OpenAPI definitions and you do not plan to create them
  • You need traffic-based API discovery as the primary feature — 42Crunch focuses on spec-driven security, not network traffic analysis
  • You want a standalone DAST scanner — consider tools like Invicti or APIsec instead

Frequently Asked Questions

What is 42Crunch?
42Crunch is an API security platform that audits OpenAPI specifications with over 300 security checks, performs dynamic conformance scanning against live APIs, and deploys micro API firewalls for runtime protection. Its IDE extensions have been used by over 1.6 million developers across VS Code, JetBrains, and Eclipse.
Is 42Crunch free or commercial?
42Crunch offers a freemium model. The free tier includes API Security Audit and Conformance Scan in VS Code, JetBrains, and Eclipse IDEs through a stateless service. The full platform with runtime protection, CI/CD integration, and enterprise features requires a paid subscription.
How does the 42Crunch API Security Audit score work?
42Crunch assigns each API a score from 0 to 100. The score starts at 100 and deducts points for each issue found. Security analysis accounts for up to 30 points and data validation up to 70 points. 42Crunch recommends a minimum score of 70 before running conformance scans or enabling API firewall protection.
What CI/CD platforms does 42Crunch support?
42Crunch integrates with GitHub Actions, GitLab Pipelines, Azure Pipelines, Jenkins, Bitbucket Pipelines, Bamboo, and Tekton. A generic Docker image is also available for other CI/CD systems.
What is the 42Crunch micro API firewall?
The micro API firewall enforces the OpenAPI contract on all incoming and outgoing API transactions. It uses a positive security model, blocking any request that does not conform to the API definition. When deployed as a sidecar proxy in Kubernetes, it adds sub-millisecond latency.