Articles
Author
vacuum
Installing
Quick Start
About vacuum
Why?
Concepts
💥 Online Demo
FAQ
Changelog
Configuring
VSCode Plugin
CLI Commands
Lint
vacuum Report
Dashboard
HTML Report
Spectral Report
References
Version
Bundle Spec
Generate RuleSet
Language Server
Developer API
API Quick Start
Spec Index
RuleResultSet
Loading RuleSet
Custom Go Functions
Custom JS Functions
Non-OpenAPI Files
Functions
Core Functions
OpenAPI Functions
OWASP Functions
Rules
Examples
OWASP
Operations/Paths
Schemas
Spec Information
Validation
Descriptions
Tags
Security
RuleSets
What are they?
Sharing RuleSets
All Rules
No Rules/Off
Recommended Rules
Custom RuleSets
OWASP Rules
  • GitHub GitHub Repo stars
  • Discord Discord Server
    • Recommended

    oas2-operation-security-defined

    Formats: Severity:

    It’s important to add the correct [Authentication and Authorization] information in a specification. It’s easy to forget to add security to an operation, or use a scheme that isn’t globally defined.

    This rule will check the security values of an operation, checking they reference a valid scheme.

    Why did this violation appear?

    A security definition has been used that is not defined as a part of securityDefinitions

    Bad example

    securityDefinitions:
  BasicAuth:
    type: basic
  ApiKeyAuth:
    type: apiKey
    in: header
paths:
  /yummy-cakes:
    get:
      summary: "Get all the cakes for you and me"
      security:
        - IDoNotExist

    Good Example

    securityDefinitions:
  BasicAuth:
    type: basic
  ApiKeyAuth:
    type: apiKey
    in: header
paths:
  /yummy-cakes:
    get:
      summary: "Get all the cakes for you and me"
      security:
        - BasicAuth
        - APIKeyAuth

    How do I fix this violation?

    Make sure all operation security definitions reference securityDefinitions that actually exist in the spec.

    Spectral Equivalent

    The rule is equivalent to oas2-operation-security-defined