# 42Crunch MCP for AI Agents

> 42Crunch automates API security testing directly from your AI agent. Connect this MCP to audit and govern your APIs without leaving your conversation window. You can manage entire collections of API specifications, run static security audits of OpenAPI definitions, and retrieve the resulting audit and conformance-scan reports on demand.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** api-security, vulnerability-scanning, openapi, swagger, security-audit, shift-left

## Description

Building robust APIs means keeping up with changing security standards. This connector lets you drive API security governance from your normal conversation with the agent. Instead of manually uploading specs to a web dashboard or jumping between tools, you tell your agent what needs auditing. The agent handles the rest: it can retrieve metadata for specific API collections, import new OpenAPI definitions into those collections, and trigger static security audits on the specifications.

If you need evidence of how an implementation actually behaves, the connector also exposes the platform's dynamic conformance scans: it lists past scans run against a live endpoint and retrieves their reports, which record where the implementation deviated from the specification. Together, the static audit and the conformance scan cover the full audit lifecycle, letting developers stay focused on code while keeping security compliance visible. When you connect this MCP via Vinkius, your agent gets access to all of these functions, making API security governance conversational.

## Tools

### get_audit_report
Downloads a detailed static security audit report for any specified API definition.

### delete_api
Removes an existing API definition from the platform's managed collection.

### get_api
Retrieves specific metadata and the current security score for a single, named API.

### get_collection
Gets metadata and the overall aggregated security score for an entire group of APIs (a collection).

### import_api
Adds a new OpenAPI definition file into an existing API collection.

### list_apis
Lists all API definitions within a collection, showing each one's ID and current security score.

### list_collections
Retrieves a list of all managed API collections available on the platform.

### list_scans
Shows a record of historical dynamic conformance scans run against a live API endpoint.

### get_scan_report
Retrieves detailed results from the most recent dynamic conformance scan report for an API.

### trigger_audit
Runs a fresh static security audit on any specified API definition, typically after its source specification has been updated, so the score and findings reflect the current spec.

## Prompt Examples

**Prompt:** 
```
What is the overall security score for all my internal microservices?
```

**Response:** 
```
**Internal Microservices Collection**

*   **Score:** 62/100 (Needs attention)
*   **API Count:** 12
*   **Primary Risk:** Authentication flow weaknesses.

Two APIs in that collection expose endpoints, `/user/profile` and `/data/export`, whose operations declare no security requirement in the spec, so no authentication scheme is enforced there. Would you like me to get the full metadata for those two APIs?
```

**Prompt:** 
```
Can I check if the 'User Management' API has been updated since its last audit?
```

**Response:** 
```
The platform does not record spec changes directly, so the reliable check is to re-audit the current definition and compare scores. Triggering a fresh static security audit now.

*Running audit on User Management...*

✅ Audit complete. Score: 89/100 (up from 71 at the last audit)

**Findings:** The OAuth2 scope issue reported last week no longer appears, so the updated spec resolved it. The only remaining minor finding is that the `user` schema has unconstrained properties (no type, format, or length limits), which lets arbitrary data through. I recommend adding those constraints to the schema in your YAML.
```

**Prompt:** 
```
Show me all my API collections and their current status.
```

**Response:** 
```
You currently manage 3 collections:

1.  **Mobile Services:** Score: **85/100**. (4 APIs)
2.  **Internal Microservices:** Score: **62/100**. (12 APIs)
3.  **Legacy Billing:** Score: **30/100**. (2 APIs) 🔥

The Legacy Billing collection scores well below any reasonable compliance threshold. Should I pull the details for that one and suggest immediate remediation steps?
```

## Capabilities

### View Collection Overview
List all managed API collections, viewing the aggregated security score for each one.

### Control Definitions
Import new OpenAPI specs into a collection or delete definitions that are no longer needed in production.

### Perform Static Audits
Initiate comprehensive security scans on an API's definition to score design risks and find flaws like missing authentication details.

### Inspect Live Behavior Scans
List past dynamic conformance scans and retrieve detailed execution reports highlighting undocumented endpoints or implementation issues.

## Use Cases

### Security review for a new microservice
A platform architect has just finished defining a service's OpenAPI spec. They ask the agent to run `trigger_audit` on that definition, instantly getting an audit report that scores critical risks like insufficient scope restriction before writing any code.

### Auditing retirement of old APIs
A developer needs to decommission a legacy API. They first use `get_api` to record its final score and audit status, then run `delete_api` to remove the definition from the platform so the inventory stays clean. Because `delete_api` is irreversible, the agent should be configured to ask for explicit confirmation before calling it.

### Checking overall compliance for an application
A DevSecOps Engineer wants a full security picture of their payment services. They ask the agent to run `list_collections` and then request details on any collections scoring below 70/100.

### Investigating suspicious runtime behavior
A QA engineer notices an endpoint behaving unexpectedly. They use the agent to list historical conformance scans (`list_scans`) and retrieve the detailed `get_scan_report` to confirm whether the behaviour comes from an undocumented endpoint or from an implementation that deviates from the spec.

## Benefits

- Instead of manual uploads, you can use `import_api` to add new OpenAPI specs directly from the conversation. This keeps your workflow moving.
- You don't have to guess whether an API definition is secure; just ask for a report. The agent uses `get_audit_report` and delivers clear, actionable findings such as operations without a security scheme or request schemas without constraints.
- Need to track security debt? Use `list_collections` to see the overall risk profile of your entire microservice portfolio at a glance.
- Comparing versions is easy. You can use `trigger_audit` whenever an API spec changes and immediately compare the new score against the old one, all in text chat.
- Don't forget live testing. If you suspect a behaviour issue, `list_scans` and `get_scan_report` retrieve the results of the platform's dynamic conformance scans, which show undocumented endpoints or implementation deviations observed against the running API.

## How It Works

This MCP brings API security management directly into your chat window, so you don't have to switch context between the agent and the 42Crunch dashboard.

1. Subscribe to this MCP in Vinkius and provide your 42Crunch API Token. Treat the token as a secret: issue a dedicated token with the least access the platform allows, and remember that the agent will be able to call `delete_api` and `import_api` with it, so require confirmation before those tools run.
2. Tell your agent which collection needs attention, or if you need to import a new OpenAPI file.
3. Ask the agent to trigger an audit or retrieve a report. It runs the scan against the platform and presents the findings back to you immediately.
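The three steps above, and the use cases earlier on the page (triaging collections below a threshold, re-auditing after a spec change and comparing scores, retiring an API), can be expressed as a small agent-side workflow over the listed tools. The following is an added example, not code from 42Crunch or Vinkius: the tool names are the ones on this page, but the argument names (`api_id`), the result shapes (`score`, `issues`, `collections`), and `FakeMcp`, an in-memory stand-in for the real MCP server, are assumptions so the workflow runs offline. It also shows the confirmation gate a practitioner would want in front of `delete_api`.

```python
"""Agent-side orchestration over the 42Crunch MCP tools (added example).

Assumptions (not from the page): tool argument names, result fields, and
FakeMcp, a constructed in-memory stand-in for the MCP server.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

ToolCall = Callable[[str, dict[str, Any]], dict[str, Any]]

# Tools that remove state; never call them without a per-call human confirmation.
CONFIRM_REQUIRED = {"delete_api"}


class GuardedTools:
    """Wrap a raw tool-call function and refuse destructive tools unless confirmed."""

    def __init__(self, call_tool: ToolCall) -> None:
        self._call = call_tool
        self.log: list[str] = []  # audit trail of tool names actually invoked

    def call(self, name: str, args: dict[str, Any], *, confirmed: bool = False) -> dict[str, Any]:
        if name in CONFIRM_REQUIRED and not confirmed:
            raise PermissionError(f"{name} requires explicit confirmation")
        self.log.append(name)
        return self._call(name, args)


def collections_below(tools: GuardedTools, threshold: int) -> list[dict[str, Any]]:
    """Triage: every collection whose aggregated score is below threshold, worst first."""
    cols = tools.call("list_collections", {})["collections"]
    return sorted((c for c in cols if c["score"] < threshold), key=lambda c: c["score"])


def reaudit(tools: GuardedTools, api_id: str) -> dict[str, Any]:
    """Re-audit after a spec change and report the score delta and remaining issues."""
    before = tools.call("get_api", {"api_id": api_id})["score"]
    tools.call("trigger_audit", {"api_id": api_id})
    report = tools.call("get_audit_report", {"api_id": api_id})
    return {"api_id": api_id, "before": before, "after": report["score"],
            "delta": report["score"] - before, "issues": report["issues"]}


def retire(tools: GuardedTools, api_id: str, *, confirmed: bool) -> dict[str, Any]:
    """Record the final score, then delete the definition only if confirmed."""
    final = tools.call("get_api", {"api_id": api_id})
    tools.call("delete_api", {"api_id": api_id}, confirmed=confirmed)
    return {"api_id": api_id, "final_score": final["score"]}


@dataclass
class FakeMcp:
    """Constructed stand-in for the MCP server; the real service is not called."""
    collections: dict[str, dict[str, Any]]
    apis: dict[str, dict[str, Any]]
    pending_score: dict[str, int] = field(default_factory=dict)  # score a fresh audit yields

    def __call__(self, name: str, args: dict[str, Any]) -> dict[str, Any]:
        if name == "list_collections":
            return {"collections": [{"id": k, **v} for k, v in self.collections.items()]}
        if name == "get_api":
            return dict(self.apis[args["api_id"]])
        if name == "trigger_audit":
            api = self.apis[args["api_id"]]
            api["score"] = self.pending_score.get(args["api_id"], api["score"])
            return {"status": "done"}
        if name == "get_audit_report":
            return dict(self.apis[args["api_id"]])
        if name == "delete_api":
            del self.apis[args["api_id"]]
            return {"deleted": args["api_id"]}
        raise KeyError(f"unknown tool {name}")


def sample_server() -> FakeMcp:
    """Constructed sample data mirroring the collections in the prompt examples."""
    return FakeMcp(
        collections={
            "mobile": {"name": "Mobile Services", "score": 85, "api_count": 4},
            "internal": {"name": "Internal Microservices", "score": 62, "api_count": 12},
            "billing": {"name": "Legacy Billing", "score": 30, "api_count": 2},
        },
        apis={"user-mgmt": {"name": "User Management", "score": 71,
                            "issues": ["unconstrained 'user' schema"]}},
        pending_score={"user-mgmt": 89},
    )


if __name__ == "__main__":
    tools = GuardedTools(sample_server())
    print([c["name"] for c in collections_below(tools, 70)])
    print(reaudit(tools, "user-mgmt"))
```

The `GuardedTools` wrapper is the design choice worth copying: the agent sees one `call` entry point, read-only tools flow through freely, and `delete_api` raises unless the caller passes `confirmed=True` for that specific call, so a hallucinated or prompt-injected "clean up the old APIs" cannot delete anything on its own. Every invocation is also appended to `log`, which gives you a record to reconcile against the platform's own history.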

## Frequently Asked Questions

**How can 42Crunch MCP help me audit my OpenAPI specs?**
The MCP lets you talk through the entire auditing process. You can tell it to trigger a static security audit on any API spec, and it will return a detailed report right in your conversation showing exactly what's wrong with the design.

**Is 42Crunch MCP only for checking vulnerabilities?**
No. Beyond audits, it manages your API inventory. You can use it to import new API definitions into collections, list all existing APIs, and track the overall security score of your entire service portfolio.

**What if I want to see how an API performs live?**
You can run dynamic conformance scans. The MCP will list historical scan results and give you detailed reports that show what was actually observed when the API ran, not just what the spec says it should do.

**Do I need to manage my APIs in multiple places?**
No. This MCP centralizes your governance. You can list all your collections and view their combined security score from one place, eliminating dashboard hopping.

**Can 42Crunch MCP help me with old or decommissioned APIs?**
Yes. If an API is retired, you can use the tools to delete it from the platform and keep your records clean, while also allowing you to audit its final status before removal.

**How do I start using 42Crunch MCP with my AI agent?**
First, subscribe to this MCP in Vinkius and provide the required API token. After that, just ask your agent conversational questions about security audits or collection scores.