Spectral OWASP linting rules

.github/workflows/pr_validation.yml

@@ -201,7 +201,7 @@ jobs:
           DISABLE: COPYPASTE,SPELL,JAVASCRIPT,MARKDOWN
           # OPENAPI_SPECTRAL is deprecated but still present in Megalinter v7
           DISABLE_LINTERS: OPENAPI_SPECTRAL,YAML_PRETTIER,REPOSITORY_GRYPE,REPOSITORY_SEMGREP,REPOSITORY_DEVSKIM,REPOSITORY_KICS,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_CHECKOV,REPOSITORY_GITLEAKS,YAML_V8R,JAVA_PMD
-          API_SPECTRAL_CONFIG_FILE: .spectral.yaml
+          API_SPECTRAL_CONFIG_FILE: .spectral-camara.yaml
           YAML_YAMLLINT_CONFIG_FILE: .yamllint.yaml
           GHERKIN_GHERKIN_LINT_CONFIG_FILE: .gherkin-lintrc
           API_SPECTRAL_FILTER_REGEX_INCLUDE: (code/API_definitions/)

.github/workflows/spectral-oas.yml

@@ -2,6 +2,7 @@ name: Execute Spectral with CAMARA ruleset
 # A reusable action for validating PRs using tools configuration from branch indicated by input `configurations` variable
 # CAMARA Project - Github Action 
 # initial version
+# 04.02.2026 refactored steps and added OWASP linting
 
 on:
   workflow_call:
@@ -24,18 +25,36 @@ jobs:
       - name: Checkout linting config
         uses: actions/checkout@v6
         with:
-          repository: camaraproject/tooling
+          repository: ${{ github.repository_owner }}/tooling
           path: lint-config
           ref: ${{ inputs.configurations }}
           sparse-checkout: |
             linting/config/
           sparse-checkout-cone-mode: false
       - name: Copy specified folder to workspace root
         run: cp -RT ${{ github.workspace }}/lint-config/linting/config ${{ github.workspace }}
-      - name: Install Spectral
-        run: npm install -g @stoplight/spectral
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+      - name: Install Spectral CLI
+        run: npm install -g @stoplight/spectral-cli
       - name: Install Spectral functions
         run: npm install -g @stoplight/spectral-functions
+      - name: Install Spectral OWASP
+        run: npm install --save-dev @stoplight/spectral-owasp-ruleset@^2.0
       - name: Run Spectral linting
-        run: spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral.yaml
-
+        run: |
+          spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral.yaml > spectral_oas.log 2>&1
+          cat spectral_oas.log
+      - name: Run Spectral linting for OWASP
+        run: |
+          spectral lint code/API_definitions/*.yaml --verbose --ruleset ${{ github.workspace }}/.spectral-owasp.yaml> spectral_owasp.log 2>&1
+          cat spectral_owasp.log
+        continue-on-error: true   
+      - name: Upload logs
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: spectral-logs
+          path: '*.log'

linting/config/.spectral-camara.yaml

@@ -0,0 +1,8 @@
+# CAMARA Project - main Spectral linting rulesetfile for use with Megalinter
+# https://docs.stoplight.io/docs/spectral/83527ef2dd8c0-extending-rulesets
+# Changelog:
+# - 27.02.2026: Initial version
+
+extends:
+  - ./.spectral.yaml
+  - ./.spectral-owasp.yaml

linting/config/.spectral-owasp-target.yaml

@@ -0,0 +1,29 @@
+# CAMARA Project - linting ruleset for OWASP API Security Top 10 2023 - documentation avaialable here:
+# https://github.com/camaraproject/Commonalities/blob/main/documentation/Linting-rules.md
+# https://apistylebook.stoplight.io/docs/owasp-top-10-2023
+# Changelog:
+# - 05.02.2026: Initial version
+# - 27.02.2026: Target version (owasp:api4 original severity restored)
+
+# extends: ["@stoplight/spectral-owasp-ruleset"]
+extends: ["https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs"]
+rules:
+# excluded rules:
+  owasp:api2:2023-auth-insecure-schemes : off
+  owasp:api2:2023-jwt-best-practices : off
+  owasp:api2:2023-no-http-basic : off
+  owasp:api4:2023-integer-limit : off
+  owasp:api4:2023-rate-limit : off
+  owasp:api4:2023-rate-limit-retry-after : off
+  owasp:api4:2023-rate-limit-responses-429 : off
+  owasp:api8:2023-define-cors-origin : off
+  owasp:api8:2023-define-error-responses-500 : off
+  owasp:api9:2023-inventory-access : off
+  owasp:api9:2023-inventory-environment : off
+
+# modified severity level:
+  owasp:api8:2023-define-error-responses-401 : error
+#  owasp:api4:2023-string-limit : warn
+#  owasp:api4:2023-integer-format: warn
+#  owasp:api4:2023-integer-limit-legacy: warn
+#  owasp:api4:2023-array-limit : warn

linting/config/.spectral-owasp.yaml

@@ -0,0 +1,28 @@
+# CAMARA Project - linting ruleset for OWASP API Security Top 10 2023 - documentation avaialable here:
+# https://github.com/camaraproject/Commonalities/blob/main/documentation/Linting-rules.md
+# https://apistylebook.stoplight.io/docs/owasp-top-10-2023
+# Changelog:
+# - 27.02.2026: Initial version
+
+# extends: ["@stoplight/spectral-owasp-ruleset"]
+extends: ["https://unpkg.com/@stoplight/spectral-owasp-ruleset/dist/ruleset.mjs"]
+rules:
+# excluded rules:
+  owasp:api2:2023-auth-insecure-schemes : off
+  owasp:api2:2023-jwt-best-practices : off
+  owasp:api2:2023-no-http-basic : off
+  owasp:api4:2023-integer-limit : off
+  owasp:api4:2023-rate-limit : off
+  owasp:api4:2023-rate-limit-retry-after : off
+  owasp:api4:2023-rate-limit-responses-429 : off
+  owasp:api8:2023-define-cors-origin : off
+  owasp:api8:2023-define-error-responses-500 : off
+  owasp:api9:2023-inventory-access : off
+  owasp:api9:2023-inventory-environment : off
+
+# modified severity level:
+  owasp:api8:2023-define-error-responses-401 : error
+  owasp:api4:2023-string-limit : warn
+  owasp:api4:2023-integer-format: warn
+  owasp:api4:2023-integer-limit-legacy: warn
+  owasp:api4:2023-array-limit : warn