Skip to content

Spectral OWASP linting rules#95

Open
rartych wants to merge 20 commits intocamaraproject:mainfrom
rartych:extend_spectral_owasp
Open

Spectral OWASP linting rules#95
rartych wants to merge 20 commits intocamaraproject:mainfrom
rartych:extend_spectral_owasp

Conversation

@rartych
Copy link
Contributor

@rartych rartych commented Feb 27, 2026

What type of PR is this?

  • enhancement/feature

What this PR does / why we need it:

This PR adds Spectral OWASP linting rules to be used in reusable linting workflows.

  • .spectral-owasp.yaml includes OWASP rules selected in https://github.com/camaraproject/Commonalities/blob/main/documentation/Linting-rules.md
  • .spectral-owasp-target.yaml modifies severity of api4 rules to target values
  • .spectral-camara.yaml aggregates rulesests (already defined and OWASP) as Megalinter requires only one input parameter for ruleset file
  • spectral-oas.yml - refactored workflow for manually launched Spectral linting (including OWASP target ruleset)
  • pr_validation.yml - changed ruleset file to .spectral-camara.yaml

Which issue(s) this PR fixes:

Fixes #

Special notes for reviewers:

Changelog input

Spectral OWASP linting rules added to reusable linting workflows

Additional documentation

rartych added 20 commits February 4, 2026 19:40
@rartych
Refactor Spectral workflow to add OWASP linting
b508483 
Refactored workflow to include OWASP linting and Node.js setup.
@rartych
Add OWASP API Security Top 10 2023 linting ruleset
0edea98 
This file contains linting rules for the OWASP API Security Top 10 2023, including excluded rules and modified severity levels.
@rartych
Update repository reference in workflow config
2163299
@rartych
Enhance Spectral linting with logging and artifact upload
e4ee76c 
Redirect spectral linting output to log files and upload them as artifacts.
@rartych
Fix path syntax for log file upload
96a626f
@rartych
Add spectral-camara.yaml configuration file
3080859
@rartych
Add OWASP API Security Top 10 2023 linting ruleset
6a4e760 
Initial version of the OWASP API Security Top 10 2023 linting ruleset.
@rartych
Update spectral OWASP ruleset source URL
dfe31e7
@rartych
Update OWASP ruleset URL in spectral config
a0683d2
@rartych
Update pr_validation.yml
82583ab
@rartych
Update .spectral-camara.yaml
2af801f
@rartych
Update API Spectral config file reference
336b1b3
@rartych
Update API Spectral config file reference
d37060e
@rartych
Update repository in PR validation workflow
06e91b1
@rartych
Update pr_validation.yml
4251b99
@rartych
Update OWASP spectral configuration file
91599fb
@rartych
Update repository and ref in PR validation workflow
5d588ef
@rartych
Update .spectral-owasp.yaml
1e97676
@rartych
Update .spectral-camara.yaml
0e10023
@rartych
Update .spectral-owasp-target.yaml
bce9c4b
@rartych rartych requested a review from Kevsy as a code owner February 27, 2026 12:55
@Kevsy
Copy link
Contributor

Kevsy commented Mar 2, 2026

@rartych looks good, but why are so many rules excluded (off) by default - was that the outcome of earlier discussions?

@rartych
Copy link
Contributor Author

rartych commented Mar 2, 2026

why are so many rules excluded (off) by default - was that the outcome of earlier discussions?

Yes I tried to review all the rules in camaraproject/Commonalities#539 and its sub-issues.
The reasons to exclude some rules are:

  • CAMARA APIs use advanced Auth schemes (defined by ICM) - not covered in the rules
  • some security features are not specified in CAMARA and left to implementation/API Gateway configuration (rate limiting, intended environment in server descriptions using terms like local, staging, production)
  • some rules are for OAS 3.1 (they OAS 3.0 counterparts named as -legacy are active)

Of course the selection can be modified if needed.
Other question is: If CAMARA specific rules for OWASP recommendations can be added beyond the official Spectral ruleset?

@Kevsy
Copy link
Contributor

Kevsy commented Mar 2, 2026

Yes I tried to review all the rules in camaraproject/Commonalities#539 and its sub-issues.

Thanks, I suspected that was the case - but good to confirm.

Other question is: If CAMARA specific rules for OWASP recommendations can be added beyond the official Spectral ruleset?

I believe that should be allowed. If they are rules for existing OWASP recommendations, they could be including in the *owasp*yaml files, if they are complementary security rules they could be included in spectral-camara.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kevsy Kevsy Awaiting requested review from Kevsy Kevsy is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rartych @Kevsy