FAQ

  • GitHub GitHub Repo stars
  • Discord Discord Server
  • ✨ New! Try the OpenAPI Doctor ✨ The OpenAPI Doctor
    Recommended

    oas2-operation-security-defined


    Formats: Severity:

    It’s important to add the correct [Authentication and Authorization] information in a specification. It’s easy to forget to add security to an operation, or use a scheme that isn’t globally defined.

    This rule will check the security values of an operation, checking they reference a valid scheme.

    Why did this violation appear?

    A security definition has been used that is not defined as a part of securityDefinitions

    Bad example

    securityDefinitions:
      BasicAuth:
        type: basic
      ApiKeyAuth:
        type: apiKey
        in: header
    paths:
      /yummy-cakes:
        get:
          summary: "Get all the cakes for you and me"
          security:
            - IDoNotExist
    

    Good Example

    securityDefinitions:
      BasicAuth:
        type: basic
      ApiKeyAuth:
        type: apiKey
        in: header
    paths:
      /yummy-cakes:
        get:
          summary: "Get all the cakes for you and me"
          security:
            - BasicAuth
            - APIKeyAuth
    

    How do I fix this violation?

    Make sure all operation security definitions reference securityDefinitions that actually exist in the spec.

    Spectral Equivalent

    The rule is equivalent to oas2-operation-security-defined