diff --git a/.github/workflows/pr_validation.yml b/.github/workflows/pr_validation.yml
index 456bf1f..ceb6ea7 100644
--- a/.github/workflows/pr_validation.yml
+++ b/.github/workflows/pr_validation.yml
@@ -201,7 +201,7 @@ jobs:
 DISABLE: COPYPASTE,SPELL,JAVASCRIPT,MARKDOWN
 # OPENAPI_SPECTRAL is deprecated but still present in Megalinter v7
 DISABLE_LINTERS: OPENAPI_SPECTRAL,YAML_PRETTIER,REPOSITORY_GRYPE,REPOSITORY_SEMGREP,REPOSITORY_DEVSKIM,REPOSITORY_KICS,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_CHECKOV,REPOSITORY_GITLEAKS,YAML_V8R,JAVA_PMD
- API_SPECTRAL_CONFIG_FILE: .spectral.yaml
+ API_SPECTRAL_CONFIG_FILE: .spectral-camara.yaml
 YAML_YAMLLINT_CONFIG_FILE: .yamllint.yaml
 GHERKIN_GHERKIN_LINT_CONFIG_FILE: .gherkin-lintrc
 API_SPECTRAL_FILTER_REGEX_INCLUDE: (code/API_definitions/)
diff --git a/.github/workflows/spectral-oas.yml b/.github/workflows/spectral-oas.yml
index 6ae424a..22ac9db 100644
--- a/.github/workflows/spectral-oas.yml
+++ b/.github/workflows/spectral-oas.yml
@@ -2,6 +2,7 @@ name: Execute Spectral with CAMARA ruleset
 # A reusable action for validating PRs using tools configuration from branch indicated by input `configurations` variable
 # CAMARA Project - Github Action
 # initial version
+# 04.02.2026 refactored steps and added OWASP linting
 
 on:
 workflow_call:
@@ -24,7 +25,7 @@ jobs:
 - name: Checkout linting config
 uses: actions/checkout@v6
 with:
- repository: camaraproject/tooling
+ repository: ${{ github.repository_owner }}/tooling
 path: lint-config
 ref: ${{ inputs.configurations }}
 sparse-checkout: |
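Review bot: Pointing `API_SPECTRAL_CONFIG_FILE` at `.spectral-camara.yaml` makes the OWASP ruleset part of the blocking Megalinter check, because that file extends `./.spectral-owasp.yaml`, which keeps `owasp:api8:2023-define-error-responses-401` at `error` (and presumably leaves the upstream rules it does not override at their default severity), while the same ruleset runs under `continue-on-error: true` in spectral-oas.yml. If the two paths are meant to gate differently, a comment on this line should say so, e.g. `# .spectral-camara.yaml = CAMARA ruleset + OWASP API Top 10 ruleset; OWASP 'error' findings block this check, unlike the advisory run in spectral-oas.yml`; if not, one of them needs to change. That chain also ends in an unversioned unpkg `extends` URL, so the Megalinter container now needs outbound network access and lints against whatever ruleset version unpkg serves at run time; pinning the version in that URL would remove the drift.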
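Review bot: `repository: ${{ github.repository_owner }}/tooling` resolves against the owner of the repository that calls this reusable workflow, not the owner of the workflow itself, so a caller under another user or organisation now needs its own `<owner>/tooling` repository containing the `inputs.configurations` ref, or this checkout fails where the hard-coded `camaraproject/tooling` used to work. If that is intended (forks exercising their own tooling), a comment on the line would spare the next reader the surprise, e.g. `# resolved from the calling repository's owner; forks need their own <owner>/tooling at ref inputs.configurations`. The step's `with:` block continues past the end of the hunk.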
@@ -32,10 +33,28 @@ jobs:
 sparse-checkout-cone-mode: false
 - name: Copy specified folder to workspace root
 run: cp -RT ${{ github.workspace }}/lint-config/linting/config ${{ github.workspace }}
- - name: Install Spectral
- run: npm install -g @stoplight/spectral
+ - name: Set up Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version: '24'
+ - name: Install Spectral CLI
+ run: npm install -g @stoplight/spectral-cli
 - name: Install Spectral functions
 run: npm install -g @stoplight/spectral-functions
+ - name: Install Spectral OWASP
+ run: npm install --save-dev @stoplight/spectral-owasp-ruleset@^2.0
 - name: Run Spectral linting
- run: spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral.yaml
-
+ run: |
+ spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral.yaml > spectral_oas.log 2>&1
+ cat spectral_oas.log
+ - name: Run Spectral linting for OWASP
+ run: |
+ spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral-owasp.yaml> spectral_owasp.log 2>&1
+ cat spectral_owasp.log
+ continue-on-error: true
+ - name: Upload logs
+ if: always()
+ uses: actions/upload-artifact@v6
+ with:
+ name: spectral-logs
+ path: '*.log'
diff --git a/linting/config/.spectral-camara.yaml b/linting/config/.spectral-camara.yaml
new file mode 100644
index 0000000..b9df7b2
--- /dev/null
+++ b/linting/config/.spectral-camara.yaml
@@ -0,0 +1,8 @@
+# CAMARA Project - main Spectral linting rulesetfile for use with Megalinter
+# https://docs.stoplight.io/docs/spectral/83527ef2dd8c0-extending-rulesets
+# Changelog:
+# - 27.02.2026: Initial version
+
+extends:
+ - ./.spectral.yaml
+ - ./.spectral-owasp.yaml
diff --git a/linting/config/.spectral-owasp-target.yaml b/linting/config/.spectral-owasp-target.yaml
new file mode 100644
index 0000000..973c807
--- /dev/null
+++ b/linting/config/.spectral-owasp-target.yaml
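Review bot: In the `Run Spectral linting` step the log is printed only when spectral succeeds: a `run:` script with no `shell:` key executes under `bash -e`, so a non-zero exit from `spectral lint ... > spectral_oas.log 2>&1` aborts the script before `cat spectral_oas.log`, and the findings that failed the job are visible only in the uploaded artifact. Replace the redirect with a tee that keeps the exit status, `set -o pipefail` followed by `spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral.yaml 2>&1 | tee spectral_oas.log`; the OWASP step has the same shape (plus a missing space before its `>`), although `continue-on-error: true` masks it there. Separately, `npm install --save-dev @stoplight/spectral-owasp-ruleset@^2.0` installs into the API repository's checkout, creating or editing its package.json, yet as far as I can tell nothing reads that install: `.spectral-owasp.yaml` extends the unpkg URL, not the package. Either switch that ruleset's `extends` to `@stoplight/spectral-owasp-ruleset` so the locally installed, semver-pinned package is what the lint runs against, or drop the step.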
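Review bot: The header of `.spectral-camara.yaml` misspells `rulesetfile` (should be `ruleset file`) and says nothing about how the file is consumed beyond "use with Megalinter", although it is now the target of `API_SPECTRAL_CONFIG_FILE` and both of its `extends` entries are relative paths, which Spectral resolves against the location of this file. A line such as `# Entry point for Megalinter's API_SPECTRAL linter: CAMARA ruleset plus OWASP API Top 10 ruleset; paths are relative to this file, so all three files must be copied into the same directory` would record that coupling for whoever next moves or renames a config file. Which step copies these files for the Megalinter run is not visible in this diff, so I cannot confirm the copy already keeps them together.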
@@ -0,0 +1,29 @@
+# CAMARA Project - linting ruleset for OWASP API Security Top 10 2023 - documentation avaialable here:
+# https://github.com/camaraproject/Commonalities/blob/main/documentation/Linting-rules.md
+# https://apistylebook.stoplight.io/docs/owasp-top-10-2023
+# Changelog:
+# - 05.02.2026: Initial version
+# - 27.02.2026: Target version (owasp:api4 original severity restored)
+
+# extends: ["@stoplight/spectral-owasp-ruleset"]
+extends: ["https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs"]
+rules:
+# excluded rules:
+ owasp:api2:2023-auth-insecure-schemes : off
+ owasp:api2:2023-jwt-best-practices : off
+ owasp:api2:2023-no-http-basic : off
+ owasp:api4:2023-integer-limit : off
+ owasp:api4:2023-rate-limit : off
+ owasp:api4:2023-rate-limit-retry-after : off
+ owasp:api4:2023-rate-limit-responses-429 : off
+ owasp:api8:2023-define-cors-origin : off
+ owasp:api8:2023-define-error-responses-500 : off
+ owasp:api9:2023-inventory-access : off
+ owasp:api9:2023-inventory-environment : off
+
+# modified severity level:
+ owasp:api8:2023-define-error-responses-401 : error
+# owasp:api4:2023-string-limit : warn
+# owasp:api4:2023-integer-format: warn
+# owasp:api4:2023-integer-limit-legacy: warn
+# owasp:api4:2023-array-limit : warn
diff --git a/linting/config/.spectral-owasp.yaml b/linting/config/.spectral-owasp.yaml
new file mode 100644
index 0000000..44f086d
--- /dev/null
+++ b/linting/config/.spectral-owasp.yaml
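Review bot: `extends: ["https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs"]` carries no version, so every lint run downloads whatever unpkg currently resolves for the package and loads that JavaScript module as the ruleset; a new major release or a bad publish changes or breaks the checks with no commit in this repository, and the run fails outright on a runner without outbound network. Pin it, `extends: ["https://unpkg.com/@stoplight/spectral-owasp-ruleset@<pinned-version>/dist/ruleset.mjs"]`, or use the commented-out package form together with a pinned npm install so the version lives in one place; the identical unpinned URL is in `.spectral-owasp.yaml`. The rule keys also put a space before the colon (`owasp:api2:2023-auth-insecure-schemes : off`) while `owasp:api4:2023-integer-format: warn` does not, which yamllint's `colons` rule flags with its default of no spaces before `:`; worth normalising to `key: value` before this file is itself linted. The header misspells "avaialable" in this file and in `.spectral-owasp.yaml`.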
@@ -0,0 +1,28 @@
+# CAMARA Project - linting ruleset for OWASP API Security Top 10 2023 - documentation avaialable here:
+# https://github.com/camaraproject/Commonalities/blob/main/documentation/Linting-rules.md
+# https://apistylebook.stoplight.io/docs/owasp-top-10-2023
+# Changelog:
+# - 27.02.2026: Initial version
+
+# extends: ["@stoplight/spectral-owasp-ruleset"]
+extends: ["https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs"]
+rules:
+# excluded rules:
+ owasp:api2:2023-auth-insecure-schemes : off
+ owasp:api2:2023-jwt-best-practices : off
+ owasp:api2:2023-no-http-basic : off
+ owasp:api4:2023-integer-limit : off
+ owasp:api4:2023-rate-limit : off
+ owasp:api4:2023-rate-limit-retry-after : off
+ owasp:api4:2023-rate-limit-responses-429 : off
+ owasp:api8:2023-define-cors-origin : off
+ owasp:api8:2023-define-error-responses-500 : off
+ owasp:api9:2023-inventory-access : off
+ owasp:api9:2023-inventory-environment : off
+
+# modified severity level:
+ owasp:api8:2023-define-error-responses-401 : error
+ owasp:api4:2023-string-limit : warn
+ owasp:api4:2023-integer-format: warn
+ owasp:api4:2023-integer-limit-legacy: warn
+ owasp:api4:2023-array-limit : warn
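Review bot: `.spectral-owasp.yaml` repeats all of `.spectral-owasp-target.yaml` (same `extends` URL, same eleven `off` rules, same `owasp:api8:2023-define-error-responses-401 : error`) and differs only in the four `owasp:api4` rules lowered to `warn`, so the two files will diverge the first time one of them is edited. Let it extend the target file and carry only the overrides; that also makes the "current vs target" relationship visible in the configuration instead of only in the changelog comments. The header and changelog comments stay as they are; the rewritten part is below.
```yaml
# … unchanged: header comments and changelog …
extends:
  - ./.spectral-owasp-target.yaml
rules:
  # Lowered relative to .spectral-owasp-target.yaml, which holds the intended final severities.
  owasp:api4:2023-string-limit: warn
  owasp:api4:2023-integer-format: warn
  owasp:api4:2023-integer-limit-legacy: warn
  owasp:api4:2023-array-limit: warn
```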