owasp-protection-global-safe
Check if the operation is protected at operation level. Otherwise, check the global #/security property.
Rule was extracted from https://github.com/italia/api-oas-checker/blob/master/security/security.yml
Bad example
openapi: 3.0.1
info:
  version: "1.2.3"
  title: "securitySchemes"
paths:
  /security-ko-get:
    get:
      responses: {}
    head:
      security: []
components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
Good Example
openapi: 3.0.1
info:
  version: "1.2.3"
  title: "securitySchemes"
paths:
  /security-ko-missing:
    put:
      responses: {}
    post:
      security: []
  /security-ok-put:
    put:
      security:
        - BasicAuth: []
      responses: {}
  /security-ok-get:
    get:
      security:
        - {}
      responses: {}
    head:
      security:
        - {}
        - BasicAuth: []
  /security-ko-info:
    post:
      security:
        - {}
        - BasicAuth: []
components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
How do I fix this violation?
Make sure that all operations are protected, especially when they are not safe (safe methods are those that do not alter the state of the server), such as the HTTP methods POST, PUT, PATCH, and DELETE.
This is done with one or more non-empty security rules.
The security schemes those rules refer to are defined in the securitySchemes section under components.
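The following is an added example, not code from the api-oas-checker project or from the Spectral rule itself: a small Python checker that applies the logic described above to a parsed OpenAPI document. For each operation it looks at the operation-level security list; if the operation has no security key at all, it falls back to the global #/security list. It also checks that every scheme name used is actually defined under components.securitySchemes. Two things are assumptions, because the page does not state them: the set of HTTP methods the rule covers, and whether an empty requirement object ({} , meaning anonymous access is one acceptable option) counts as protected. Both are parameters here, defaulting to the safe methods GET and HEAD with {} allowed, which is how the page's good example reads. The sample documents are constructed from the page's two examples plus one with a global security list.

```python
from typing import Any

# (path, method, message) for each operation that is not protected
Finding = tuple[str, str, str]


def check_protection(spec: dict[str, Any],
                     methods: tuple[str, ...] = ("get", "head"),
                     allow_optional: bool = True) -> list[Finding]:
    """Report operations of the given methods that are not protected.

    Assumed rule semantics (see lead-in): an operation is protected when its
    effective security list is non-empty and every requirement object names
    schemes defined under #/components/securitySchemes. The effective list is
    the operation's own `security` when present, else the global #/security.
    An empty requirement object `{}` is accepted only when allow_optional.
    """
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings: list[Finding] = []
    for path, item in spec.get("paths", {}).items():
        for method in methods:
            op = item.get(method)
            if op is None:
                continue
            if "security" in op:
                reqs, where = op["security"], "operation-level"
            else:
                reqs, where = spec.get("security"), "global"
            if reqs is None:
                findings.append((path, method,
                                 "no security at operation level and no global #/security"))
            elif not isinstance(reqs, list) or not reqs:
                findings.append((path, method, f"{where} security is an empty list"))
            else:
                for req in reqs:
                    if req == {}:
                        if not allow_optional:
                            findings.append((path, method,
                                             f"{where} security allows anonymous access ({{}})"))
                        continue
                    for name in req:
                        if name not in schemes:
                            findings.append((path, method,
                                             f"{where} security references undefined scheme {name!r}"))
    return findings


# Constructed sample documents, mirroring the page's bad and good examples.
BASIC = {"securitySchemes": {"BasicAuth": {"type": "http", "scheme": "basic"}}}

BAD_SPEC = {
    "openapi": "3.0.1",
    "paths": {"/security-ko-get": {"get": {"responses": {}},
                                   "head": {"security": []}}},
    "components": BASIC,
}

GOOD_SPEC = {
    "openapi": "3.0.1",
    "paths": {
        "/security-ko-missing": {"put": {"responses": {}}, "post": {"security": []}},
        "/security-ok-put": {"put": {"security": [{"BasicAuth": []}], "responses": {}}},
        "/security-ok-get": {"get": {"security": [{}], "responses": {}},
                             "head": {"security": [{}, {"BasicAuth": []}]}},
        "/security-ko-info": {"post": {"security": [{}, {"BasicAuth": []}]}},
    },
    "components": BASIC,
}

# Constructed: global #/security protects GET, but DELETE names a scheme
# ("ApiKey") that is never defined, which the checker flags.
GLOBAL_SPEC = {
    "openapi": "3.0.1",
    "security": [{"BasicAuth": []}],
    "paths": {"/items": {"get": {"responses": {}},
                         "delete": {"security": [{"ApiKey": []}]}}},
    "components": BASIC,
}


if __name__ == "__main__":
    for label, spec, kwargs in [
        ("bad example, safe methods", BAD_SPEC, {}),
        ("good example, safe methods", GOOD_SPEC, {}),
        ("good example, unsafe methods, {} rejected", GOOD_SPEC,
         {"methods": ("post", "put", "patch", "delete"), "allow_optional": False}),
        ("global security, get+delete", GLOBAL_SPEC, {"methods": ("get", "delete")}),
    ]:
        print(f"== {label}")
        for path, method, msg in check_protection(spec, **kwargs) or []:
            print(f"  {method.upper()} {path}: {msg}")
```

Running the script shows the page's bad example failing on both GET and HEAD, the good example passing for the safe methods, and the same good document failing three times once the unsafe methods are checked with {} rejected, which is why the ko-* paths can sit in a "good" example for this particular rule.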