Risk Level: high
Spectral Rule ID: OPENAPI017
Add the security object at the root level of the OpenAPI document and define one or more security requirement objects in its array. Each security requirement object contains one or more key-value pairs, where the key is the name of a security scheme defined in the components/securitySchemes section, and the value is an array of scope names required for the execution (for OAuth 2 and OpenID Connect only). For example:
security: - app_id: 
Add the components/securitySchemes object at the root level of the OpenAPI document and define one or more security scheme objects under it. Each security scheme object has a type property that specifies the type of authentication, such as apiKey, http, oauth2, or openIdConnect. Depending on the type, other properties may be required or optional, such as name, in, scheme, flows, openIdConnectUrl, etc. For example:
components: securitySchemes: app_id: type: apiKey name: app_id in: query
# This is a sample OpenAPI document with a security object and a components/securitySchemes object openapi: 3.0.0 info: title: Sample API version: 1.0.0 servers: - url: https://api.example.com/v1 paths: /pets: get: summary: List all pets + # Add this section to define the global security method for the API + security: + - app_id:  # This is an arbitrary name for this security scheme responses: '200': description: A list of pets content: application/json: schema: type: array items: $ref: '#/components/schemas/Pet' default: description: Unexpected error content: application/json: schema: $ref: '#/components/schemas/Error' components: schemas: Pet: type: object required: - id - name properties: id: type: integer format: int64 name: type: string tag: type: string Error: type: object required: - code - message properties: code: type: integer format: int32 message: type: string + securitySchemes: + app_id: + type: apiKey # This is an API key based authentication + name: app_id # This is the name of the query parameter that contains the API key + in: query # This means that the API key should be passed in the query string # for OpenAPI 2.0 swagger: '2.0' info: version: 1.0.0 title: Sample API + # Add this section to define all security schemes used by the API + securityDefinitions: + app_id: + type: apiKey + name: app_id + in: query paths: /users: get: summary: List all users + # Apply a specific security scheme to this operation + security: + - app_id:  responses: '200': description: A list of users. schema: type: array items: $ref: '#/definitions/User'
Updated 3 months ago