Add 42Crunch API security testing plugin#1658
Open
heshaam-42c wants to merge 27 commits into
Open
Conversation
github-actions
Bot
added
new-submission
Contributor
🔍 Skill Validator Results
Summary
Full validator output```text Found 5 skill(s) [42crunch-api-security-testing] 📊 42crunch-api-security-testing: 2,558 BPE tokens [chars/4: 2,524] (standard ~), 4 sections, 4 code blocks [42crunch-api-security-testing] ⚠ Skill is 2,558 BPE tokens (chars/4 estimate: 2,524) — approaching "comprehensive" range where gains diminish. [42crunch-audit] 📊 42crunch-audit: 1,035 BPE tokens [chars/4: 1,025] (detailed ✓), 3 sections, 1 code blocks [42crunch-code-to-oas] 📊 42crunch-code-to-oas: 4,507 BPE tokens [chars/4: 4,283] (standard ~), 31 sections, 5 code blocks [42crunch-code-to-oas] ⚠ Skill is 4,507 BPE tokens (chars/4 estimate: 4,283) — approaching "comprehensive" range where gains diminish. [42crunch-scan] 📊 42crunch-scan: 1,963 BPE tokens [chars/4: 1,946] (detailed ✓), 4 sections, 4 code blocks [42crunch-setup] 📊 42crunch-setup: 1,622 BPE tokens [chars/4: 1,587] (detailed ✓), 15 sections, 4 code blocks ✅ All checks passed (5 skill(s)) ``` |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a new 42Crunch API security testing plugin to the Awesome Copilot marketplace, along with a set of 42Crunch-focused skills (setup, audit, scan, full pipeline, and code→OAS generation) and supporting reference docs.
Changes:
- Introduces five new 42Crunch skills covering environment setup, static audit, live scan, end-to-end pipeline orchestration, and OpenAPI generation from source.
- Adds a new
42crunch-api-security-testingplugin that bundles the skills and documents usage. - Updates plugin/skill indexes and the marketplace registry to surface the new plugin and skills.
Reviewed changes
Copilot reviewed 33 out of 33 changed files in this pull request and generated 31 comments.
Show a summary per file
| File | Description |
|---|---|
| skills/42crunch-setup/SKILL.md | New setup skill for installing 42c-ast and configuring credentials. |
| skills/42crunch-setup/references/binary-setup.md | Reference procedure for installing/updating the 42c-ast binary. |
| skills/42crunch-setup/references/credential-setup.md | Reference procedure for storing platform/freemium credentials. |
| skills/42crunch-setup/references/pre-flight.md | Shared pre-flight checks (binary, credentials, OAS resolution, tags). |
| skills/42crunch-setup/references/tag-detection.md | Reference flow for resolving/assigning platform tags for an OAS. |
| skills/42crunch-audit/SKILL.md | New audit skill to run 42Crunch audit + SQG-driven fix loop. |
| skills/42crunch-audit/references/audit-rule-translations.md | Rule-id → plain English translation table for audit findings. |
| skills/42crunch-audit/references/audit-workflow.md | Detailed audit execution, parsing, consent, and fix workflow. |
| skills/42crunch-audit/references/binary-setup.md | Audit-local copy of the binary install/update reference. |
| skills/42crunch-audit/references/credential-setup.md | Audit-local copy of the credentials setup reference. |
| skills/42crunch-audit/references/pre-flight.md | Audit-local copy of the shared pre-flight checks. |
| skills/42crunch-audit/references/tag-detection.md | Audit-local copy of the platform tag resolution flow. |
| skills/42crunch-scan/SKILL.md | New scan skill to configure and run live conformance/authz testing. |
| skills/42crunch-scan/references/binary-setup.md | Scan-local copy of the binary install/update reference. |
| skills/42crunch-scan/references/credential-setup.md | Scan-local copy of the credentials setup reference. |
| skills/42crunch-scan/references/pre-flight.md | Scan-local copy of the shared pre-flight checks. |
| skills/42crunch-scan/references/scan-workflow.md | Detailed scan config generation, auth setup, scenarios, and runs. |
| skills/42crunch-scan/references/tag-detection.md | Scan-local copy of the platform tag resolution flow. |
| skills/42crunch-code-to-oas/SKILL.md | New skill to generate an OpenAPI 3.0 spec from an API codebase. |
| skills/42crunch-api-security-testing/SKILL.md | New orchestration skill for audit → scan pipeline with separate consent gates. |
| skills/42crunch-api-security-testing/references/audit-rule-translations.md | Pipeline-local copy of audit rule translation table. |
| skills/42crunch-api-security-testing/references/audit-workflow.md | Pipeline-local copy of the audit workflow reference. |
| skills/42crunch-api-security-testing/references/binary-setup.md | Pipeline-local copy of the binary install/update reference. |
| skills/42crunch-api-security-testing/references/credential-setup.md | Pipeline-local copy of the credentials setup reference. |
| skills/42crunch-api-security-testing/references/pre-flight.md | Pipeline-local copy of the shared pre-flight checks. |
| skills/42crunch-api-security-testing/references/tag-detection.md | Pipeline-local copy of the platform tag resolution flow. |
| plugins/42crunch-api-security-testing/.github/plugin/plugin.json | Plugin manifest declaring the included skills and metadata. |
| plugins/42crunch-api-security-testing/README.md | Plugin documentation (commands, setup, usage, configuration). |
| plugins/42crunch-api-security-testing/LICENSE | MIT license for the plugin content. |
| docs/README.skills.md | Adds the new 42Crunch skills to the skills index table. |
| docs/README.plugins.md | Adds the new 42Crunch plugin to the plugins index table. |
| .github/plugin/marketplace.json | Registers the new plugin in the marketplace listing. |
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
heshaam-42c
force-pushed
the
add-42crunch-api-security-testing
branch
from
7b85da2 to
97ef008
Compare
Updated binary setup instructions for macOS/Linux and Windows to initialize BIN_DIR and BINARY_PATH before version checks.
Added initialization steps for BIN_DIR and BINARY_PATH in both macOS/Linux and Windows sections. Updated the platform detection logic to use PLATFORM_KEY instead of BIN_DIR and BINARY_PATH.
Updated the setup instructions for binary installation on macOS/Linux and Windows, including initialization of BIN_DIR and BINARY_PATH variables.
aaronpowell
reviewed
May 11, 2026
Contributor
aaronpowell
left a comment
aaronpowell
left a comment
There was a problem hiding this comment.
I notice that you also have the repo https://github.com/42Crunch-AI/copilot-plugins in which from my initial review the plugin is a mirror of.
This then begs the question of whether it's a good idea to have it in Awesome Copilot, as it could create a maintenance burden on yourselves to keep them in sync. Is it a fair assessment that the desire is discoverability through the Awesome Copilot marketplace?
Updated instructions for resolving binary paths and fetching the manifest for both macOS/Linux and Windows.
Updated the binary setup instructions to initialize BIN_DIR and BINARY_PATH before version checks and simplified SHA-256 verification.
Author
|
Hi Aaron, yes you're correct. That is a marketplace repo we created to house the plugin. The intent for this PR was for discoverability in the Awesome Copilot marketplace, so that users have the option to add the plugin without necessarily needing to add the 42Crunch marketplace. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Checklist
npm startand verified thatREADME.mdis up to date.stagedbranch for this pull request.Description
Adds the 42Crunch API Security Testing plugin for GitHub Copilot.
Includes plugin metadata, README, and skills for API security testing workflows.
Validation/build run locally:
Type of Contribution
Additional Notes
By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.