oas3-operation-security-defined
It’s important to add the correct Authentication and Authorization information in a specification. It’s easy to forget to add security to an operation, or use a scheme that isn’t globally defined.
This rule will check the security values of an operation, checking they reference a valid scheme.
Why did this violation appear?
A security definition has been used that is not defined as a part of $components.securitySchemes
Bad example
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
    BasicAuth:
      type: http
      scheme: basic
paths:
  /yummy-cakes:
    get:
      summary: "Get all the cakes for you and me"
      security:
        # IDoNotExist is not declared under components.securitySchemes
        - IDoNotExist: []
Good Example
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
    BasicAuth:
      type: http
      scheme: basic
paths:
  /yummy-cakes:
    get:
      summary: "Get all the cakes for you and me"
      security:
        # Each requirement maps a declared scheme name to its list of scopes
        - BasicAuth: []
        - BearerAuth: []
How do I fix this violation?
Make sure all operation security definitions reference securitySchemes that actually exist in the spec.
Spectral Equivalent
The rule is equivalent to oas3-operation-security-defined
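The check this rule describes can be reproduced in a few lines when auditing a specification outside the linter. The following is an added example, not the linter's own code: the function name findUndefinedOperationSecurity, the sampleSpec object and its post operation are assumptions constructed for illustration, and the spec is assumed to be already parsed into a plain object.

```javascript
// Added example: a stand-alone version of the check, not the linter's implementation.
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

// Returns one finding per operation-level security requirement whose scheme
// name is missing from components.securitySchemes.
function findUndefinedOperationSecurity(spec) {
  const defined = new Set(Object.keys(spec?.components?.securitySchemes ?? {}));
  const findings = [];
  for (const [route, item] of Object.entries(spec?.paths ?? {})) {
    for (const method of HTTP_METHODS) {
      const requirements = item?.[method]?.security;
      if (!Array.isArray(requirements)) continue; // no operation-level security to check
      requirements.forEach((req, index) => {
        // A requirement maps scheme name -> scopes; {} means anonymous access.
        // A bare string is not a valid requirement, but its name is still checked.
        const names = typeof req === "string" ? [req] : Object.keys(req ?? {});
        for (const name of names) {
          if (!defined.has(name)) {
            findings.push({ path: `paths.${route}.${method}.security[${index}]`, scheme: name });
          }
        }
      });
    }
  }
  return findings;
}

// Constructed sample input mirroring the bad and good examples on this page.
const sampleSpec = {
  components: {
    securitySchemes: {
      BearerAuth: { type: "http", scheme: "bearer" },
      BasicAuth: { type: "http", scheme: "basic" },
    },
  },
  paths: {
    "/yummy-cakes": {
      get: { summary: "Get all the cakes for you and me", security: [{ IDoNotExist: [] }] },
      post: { summary: "Constructed operation", security: [{ BasicAuth: [] }, { BearerAuth: [] }, {}] },
    },
  },
};

for (const f of findUndefinedOperationSecurity(sampleSpec)) {
  console.log(`${f.path}: scheme "${f.scheme}" is not defined in components.securitySchemes`);
}
```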