zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff1f4bd119e294e82b366862d68e24bd48aac597
gh-agentsecops-secopsagentkit/skills/appsec/api-spectral/SKILL.md
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

709 lines
22 KiB
Markdown
Raw Blame History

---
name: api-spectral
description: >
API specification linting and security validation using Stoplight's Spectral with support for
OpenAPI, AsyncAPI, and Arazzo specifications. Validates API definitions against security best
practices, OWASP API Security Top 10, and custom organizational standards. Use when: (1) Validating
OpenAPI/AsyncAPI specifications for security issues and design flaws, (2) Enforcing API design
standards and governance policies across API portfolios, (3) Creating custom security rules for
API specifications in CI/CD pipelines, (4) Detecting authentication, authorization, and data
exposure issues in API definitions, (5) Ensuring API specifications comply with organizational
security standards and regulatory requirements.
version: 0.1.0
maintainer: SirAppSec
category: appsec
tags: [api-security, openapi, asyncapi, linting, spectral, api-governance, owasp-api, specification-validation]
frameworks: [OWASP]
dependencies:
tools: [node, npm]
optional: [docker, git]
references:
- https://docs.stoplight.io/docs/spectral/674b27b261c3c-overview
- https://github.com/stoplightio/spectral
- https://owasp.org/API-Security/editions/2023/en/0x11-t10/
---
# API Security with Spectral
## Overview
Spectral is a flexible JSON/YAML linter from Stoplight that validates API specifications against
security best practices and organizational standards. With built-in rulesets for OpenAPI v2/v3.x,
AsyncAPI v2.x, and Arazzo v1.0, Spectral helps identify security vulnerabilities, design flaws,
and compliance issues during the API design phase—before code is written. Custom rulesets enable
enforcement of OWASP API Security Top 10 patterns, authentication standards, and data protection
requirements across your entire API portfolio.
## Quick Start
### Installation
```bash
# Install via npm
npm install -g @stoplight/spectral-cli
# Or using Yarn
yarn global add @stoplight/spectral-cli
# Or using Docker
docker pull stoplight/spectral
# Verify installation
spectral --version
```
### Basic API Specification Linting
```bash
# Lint OpenAPI specification with built-in rules
spectral lint openapi.yaml
# Lint with specific ruleset
spectral lint openapi.yaml --ruleset .spectral.yaml
# Output as JSON for CI/CD integration
spectral lint openapi.yaml --format json --output results.json
```
### Quick Security Scan
```bash
# Create security-focused ruleset
echo 'extends: ["spectral:oas"]' > .spectral.yaml
# Lint API specification
spectral lint api-spec.yaml --ruleset .spectral.yaml
```
## Core Workflow
### Workflow Checklist
Progress:
[ ] 1. Install Spectral and select appropriate base rulesets
[ ] 2. Create or configure ruleset with security rules
[ ] 3. Identify API specifications to validate (OpenAPI, AsyncAPI, Arazzo)
[ ] 4. Run linting with appropriate severity thresholds
[ ] 5. Review findings and categorize by security impact
[ ] 6. Map findings to OWASP API Security Top 10
[ ] 7. Create custom rules for organization-specific security patterns
[ ] 8. Integrate into CI/CD pipeline with failure thresholds
[ ] 9. Generate reports with remediation guidance
[ ] 10. Establish continuous validation process
Work through each step systematically. Check off completed items.
### Step 1: Ruleset Configuration
Create a `.spectral.yaml` ruleset extending built-in security rules:
```yaml
# .spectral.yaml - Basic security-focused ruleset
extends: ["spectral:oas", "spectral:asyncapi"]
rules:
# Enforce HTTPS for all API endpoints
oas3-valid-schema-example: true
oas3-server-not-example.com: true
# Authentication security
operation-security-defined: error
# Information disclosure prevention
info-contact: warn
info-description: warn
```
**Built-in Rulesets:**
- `spectral:oas` - OpenAPI v2/v3.x security and best practices
- `spectral:asyncapi` - AsyncAPI v2.x validation rules
- `spectral:arazzo` - Arazzo v1.0 workflow specifications
**Ruleset Selection Best Practices:**
- Start with built-in rulesets and progressively add custom rules
- Use `error` severity for critical security issues (authentication, HTTPS)
- Use `warn` for recommended practices and information disclosure risks
- Use `info` for style guide compliance and documentation completeness
For advanced ruleset patterns, see `references/ruleset_patterns.md`.
### Step 2: Security-Focused API Linting
Run Spectral with security-specific validation:
```bash
# Comprehensive security scan
spectral lint openapi.yaml \
--ruleset .spectral.yaml \
--format stylish \
--verbose
# Focus on error-level findings only (critical security issues)
spectral lint openapi.yaml \
--ruleset .spectral.yaml \
--fail-severity error
# Scan multiple specifications
spectral lint api-specs/*.yaml --ruleset .spectral.yaml
# Generate JSON report for further analysis
spectral lint openapi.yaml \
--ruleset .spectral.yaml \
--format json \
--output security-findings.json
```
**Output Formats:**
- `stylish` - Human-readable terminal output (default)
- `json` - Machine-readable JSON for CI/CD integration
- `junit` - JUnit XML for test reporting platforms
- `html` - HTML report (requires additional plugins)
- `github-actions` - GitHub Actions annotations format
### Step 3: OWASP API Security Validation
Validate API specifications against OWASP API Security Top 10:
```yaml
# .spectral-owasp.yaml - OWASP API Security focused rules
extends: ["spectral:oas"]
rules:
# API1:2023 - Broken Object Level Authorization
operation-security-defined:
severity: error
message: "All operations must have security defined (OWASP API1)"
# API2:2023 - Broken Authentication
security-schemes-defined:
severity: error
message: "API must define security schemes (OWASP API2)"
# API3:2023 - Broken Object Property Level Authorization
no-additional-properties:
severity: warn
message: "Consider disabling additionalProperties to prevent data leakage (OWASP API3)"
# API5:2023 - Broken Function Level Authorization
operation-tag-defined:
severity: warn
message: "Operations should be tagged for authorization policy mapping (OWASP API5)"
# API7:2023 - Server Side Request Forgery
no-http-basic:
severity: error
message: "HTTP Basic auth transmits credentials in plain text (OWASP API7)"
# API8:2023 - Security Misconfiguration
servers-use-https:
description: All server URLs must use HTTPS
severity: error
given: $.servers[*].url
then:
function: pattern
functionOptions:
match: "^https://"
message: "Server URL must use HTTPS (OWASP API8)"
# API9:2023 - Improper Inventory Management
api-version-required:
severity: error
given: $.info
then:
field: version
function: truthy
message: "API version must be specified (OWASP API9)"
```
**Run OWASP-focused validation:**
```bash
spectral lint openapi.yaml --ruleset .spectral-owasp.yaml
```
For complete OWASP API Security Top 10 rule mappings, see `references/owasp_api_mappings.md`.
### Step 4: Custom Security Rule Development
Create organization-specific security rules using Spectral's rule engine:
```yaml
# .spectral-custom.yaml
extends: ["spectral:oas"]
rules:
# Require API key authentication
require-api-key-auth:
description: All APIs must support API key authentication
severity: error
given: $.components.securitySchemes[*]
then:
field: type
function: enumeration
functionOptions:
values: [apiKey, oauth2, openIdConnect]
message: "API must define apiKey, OAuth2, or OpenID Connect security"
# Prevent PII in query parameters
no-pii-in-query:
description: Prevent PII exposure in URL query parameters
severity: error
given: $.paths[*][*].parameters[?(@.in == 'query')].name
then:
function: pattern
functionOptions:
notMatch: "(ssn|social.?security|credit.?card|password|secret|token)"
message: "Query parameters must not contain PII identifiers"
# Require rate limiting headers
require-rate-limit-headers:
description: API responses should include rate limit headers
severity: warn
given: $.paths[*][*].responses[*].headers
then:
function: schema
functionOptions:
schema:
type: object
properties:
X-RateLimit-Limit: true
X-RateLimit-Remaining: true
message: "Consider adding rate limit headers for security"
# Enforce consistent error responses
error-response-format:
description: Error responses must follow standard format
severity: error
given: $.paths[*][*].responses[?(@property >= 400)].content.application/json.schema
then:
function: schema
functionOptions:
schema:
type: object
required: [error, message]
properties:
error:
type: string
message:
type: string
message: "Error responses must include 'error' and 'message' fields"
```
**Custom Rule Development Resources:**
- `references/custom_rules_guide.md` - Complete rule authoring guide with functions
- `references/custom_functions.md` - Creating custom JavaScript/TypeScript functions
- `assets/rule-templates/` - Reusable rule templates for common security patterns
### Step 5: CI/CD Pipeline Integration
Integrate Spectral into continuous integration workflows:
**GitHub Actions:**
```yaml
# .github/workflows/api-security-lint.yml
name: API Security Linting
on: [push, pull_request]
jobs:
spectral:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install Spectral
run: npm install -g @stoplight/spectral-cli
- name: Lint API Specifications
run: |
spectral lint api-specs/*.yaml \
--ruleset .spectral.yaml \
--format github-actions \
--fail-severity error
- name: Generate Report
if: always()
run: |
spectral lint api-specs/*.yaml \
--ruleset .spectral.yaml \
--format json \
--output spectral-report.json
- name: Upload Report
if: always()
uses: actions/upload-artifact@v3
with:
name: spectral-security-report
path: spectral-report.json
```
**GitLab CI:**
```yaml
# .gitlab-ci.yml
api-security-lint:
stage: test
image: node:18
script:
- npm install -g @stoplight/spectral-cli
- spectral lint api-specs/*.yaml --ruleset .spectral.yaml --fail-severity error
artifacts:
when: always
reports:
junit: spectral-report.xml
```
**Docker-Based Pipeline:**
```bash
# Run in CI/CD with Docker
docker run --rm \
-v $(pwd):/work \
stoplight/spectral lint /work/openapi.yaml \
--ruleset /work/.spectral.yaml \
--format json \
--output /work/results.json
# Fail build on critical security issues
if jq -e '.[] | select(.severity == 0)' results.json > /dev/null; then
echo "Critical security issues detected!"
exit 1
fi
```
For complete CI/CD integration examples, see `scripts/ci_integration_examples/`.
### Step 6: Results Analysis and Remediation
Analyze findings and provide security remediation:
```bash
# Parse Spectral JSON output for security report
python3 scripts/parse_spectral_results.py \
--input spectral-report.json \
--output security-report.html \
--map-owasp \
--severity-threshold error
# Generate remediation guidance
python3 scripts/generate_remediation.py \
--input spectral-report.json \
--output remediation-guide.md
```
**Validation Workflow:**
1. Review all error-level findings (critical security issues)
2. Verify each finding in API specification context
3. Map findings to OWASP API Security Top 10 categories
4. Prioritize by severity and exploitability
5. Apply fixes to API specifications
6. Re-lint to verify remediation
7. Document security decisions and exceptions
**Feedback Loop Pattern:**
```bash
# 1. Initial lint
spectral lint openapi.yaml --ruleset .spectral.yaml -o scan1.json
# 2. Apply security fixes to API specification
# 3. Re-lint to verify fixes
spectral lint openapi.yaml --ruleset .spectral.yaml -o scan2.json
# 4. Compare results
python3 scripts/compare_spectral_results.py scan1.json scan2.json
```
## Advanced Patterns
### Pattern 1: Multi-Specification Governance
Enforce consistent security standards across API portfolio:
```bash
# Scan all API specifications with organization ruleset
find api-specs/ -name "*.yaml" -o -name "*.json" | while read spec; do
echo "Linting: $spec"
spectral lint "$spec" \
--ruleset .spectral-org-standards.yaml \
--format json \
--output "reports/$(basename $spec .yaml)-report.json"
done
# Aggregate findings across portfolio
python3 scripts/aggregate_api_findings.py \
--input-dir reports/ \
--output portfolio-security-report.html
```
### Pattern 2: Progressive Severity Enforcement
Start with warnings and progressively enforce stricter rules:
```yaml
# .spectral-phase1.yaml - Initial rollout (warnings only)
extends: ["spectral:oas"]
rules:
servers-use-https: warn
operation-security-defined: warn
# .spectral-phase2.yaml - Enforcement phase (errors)
extends: ["spectral:oas"]
rules:
servers-use-https: error
operation-security-defined: error
```
```bash
# Phase 1: Awareness (don't fail builds)
spectral lint openapi.yaml --ruleset .spectral-phase1.yaml
# Phase 2: Enforcement (fail on violations)
spectral lint openapi.yaml --ruleset .spectral-phase2.yaml --fail-severity error
```
### Pattern 3: API Security Pre-Commit Validation
Prevent insecure API specifications from being committed:
```bash
# .git/hooks/pre-commit
#!/bin/bash
# Find staged API specification files
SPECS=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(yaml|yml|json)$' | grep -E '(openapi|swagger|api)')
if [ -n "$SPECS" ]; then
echo "Validating API specifications..."
for spec in $SPECS; do
spectral lint "$spec" --ruleset .spectral.yaml --fail-severity error
if [ $? -ne 0 ]; then
echo "Security validation failed for $spec"
exit 1
fi
done
fi
```
### Pattern 4: Automated Security Review Comments
Generate security review comments for pull requests:
```bash
# Generate PR review comments from Spectral findings
spectral lint openapi.yaml \
--ruleset .spectral.yaml \
--format json | \
python3 scripts/generate_pr_comments.py \
--file openapi.yaml \
--severity error,warn \
--output pr-comments.json
# Post to GitHub PR via gh CLI
gh pr comment $PR_NUMBER --body-file pr-comments.json
```
## Custom Functions for Advanced Security Rules
Create custom JavaScript functions for complex security validation:
```javascript
// spectral-functions/check-jwt-expiry.js
export default (targetVal, opts) => {
// Validate JWT security scheme includes expiration
if (targetVal.type === 'http' && targetVal.scheme === 'bearer') {
if (!targetVal.bearerFormat || targetVal.bearerFormat !== 'JWT') {
return [{
message: 'Bearer authentication should specify JWT format'
}];
}
}
return [];
};
```
```yaml
# .spectral.yaml with custom function
functions:
- check-jwt-expiry
functionsDir: ./spectral-functions
rules:
jwt-security-check:
description: Validate JWT security configuration
severity: error
given: $.components.securitySchemes[*]
then:
function: check-jwt-expiry
```
For complete custom function development guide, see `references/custom_functions.md`.
## Automation & Continuous Validation
### Scheduled API Security Scanning
```bash
# Automated daily API specification scanning
./scripts/spectral_scheduler.sh \
--schedule daily \
--specs-dir api-specs/ \
--ruleset .spectral-owasp.yaml \
--output-dir scan-results/ \
--alert-on error \
--slack-webhook $SLACK_WEBHOOK
```
### API Specification Monitoring
```bash
# Monitor API specifications for security regressions
./scripts/spectral_monitor.sh \
--baseline baseline-scan.json \
--current-scan latest-scan.json \
--alert-on-new-findings \
--email security-team@example.com
```
## Security Considerations
- **Specification Security**: API specifications may contain sensitive information (internal URLs, authentication schemes) - control access and sanitize before sharing
- **Rule Integrity**: Protect ruleset files from unauthorized modification - store in version control with code review requirements
- **False Positives**: Manually review findings before making security claims - context matters for API design decisions
- **Specification Versioning**: Maintain version history of API specifications to track security improvements over time
- **Secrets in Specs**: Never include actual credentials, API keys, or secrets in example values - use placeholder values only
- **Compliance Mapping**: Document how Spectral rules map to compliance requirements (PCI-DSS, GDPR, HIPAA)
- **Governance Enforcement**: Define exception process for legitimate rule violations with security team approval
- **Audit Logging**: Log all Spectral scans, findings, and remediation actions for security auditing
- **Access Control**: Restrict modification of security rulesets to designated API security team members
- **Continuous Validation**: Re-validate API specifications whenever they change or when new security rules are added
## Bundled Resources
### Scripts (`scripts/`)
- `parse_spectral_results.py` - Parse Spectral JSON output and generate security reports with OWASP mapping
- `generate_remediation.py` - Generate remediation guidance based on Spectral findings
- `compare_spectral_results.py` - Compare two Spectral scans to track remediation progress
- `aggregate_api_findings.py` - Aggregate findings across multiple API specifications
- `spectral_ci.sh` - CI/CD integration wrapper with exit code handling
- `spectral_scheduler.sh` - Scheduled scanning with alerting
- `spectral_monitor.sh` - Continuous monitoring with baseline comparison
- `generate_pr_comments.py` - Convert Spectral findings to PR review comments
### References (`references/`)
- `owasp_api_mappings.md` - Complete OWASP API Security Top 10 rule mappings
- `custom_rules_guide.md` - Custom rule authoring with examples
- `custom_functions.md` - Creating custom JavaScript/TypeScript validation functions
- `ruleset_patterns.md` - Reusable ruleset patterns for common security scenarios
- `api_security_checklist.md` - API security validation checklist
### Assets (`assets/`)
- `spectral-owasp.yaml` - Comprehensive OWASP API Security Top 10 ruleset
- `spectral-org-template.yaml` - Organization-wide API security standards template
- `github-actions-template.yml` - Complete GitHub Actions workflow
- `gitlab-ci-template.yml` - GitLab CI integration template
- `rule-templates/` - Reusable security rule templates
## Common Patterns
### Pattern 1: Security-First API Design Validation
Validate API specifications during design phase:
```bash
# Design phase validation (strict security rules)
spectral lint api-design.yaml \
--ruleset .spectral-owasp.yaml \
--fail-severity warn \
--verbose
```
### Pattern 2: API Specification Diff Analysis
Detect security regressions between API versions:
```bash
# Compare two API specification versions
spectral lint api-v2.yaml --ruleset .spectral.yaml -o v2-findings.json
spectral lint api-v1.yaml --ruleset .spectral.yaml -o v1-findings.json
python3 scripts/compare_spectral_results.py \
--baseline v1-findings.json \
--current v2-findings.json \
--show-regressions
```
### Pattern 3: Multi-Environment API Security
Different rulesets for development, staging, production:
```yaml
# .spectral-dev.yaml (permissive)
extends: ["spectral:oas"]
rules:
servers-use-https: warn
# .spectral-prod.yaml (strict)
extends: ["spectral:oas"]
rules:
servers-use-https: error
operation-security-defined: error
```
## Integration Points
- **CI/CD**: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps
- **API Gateways**: Kong, Apigee, AWS API Gateway (validate specs before deployment)
- **IDE Integration**: VS Code extension, JetBrains plugins for real-time validation
- **API Documentation**: Stoplight Studio, Swagger UI, Redoc
- **Issue Tracking**: Jira, GitHub Issues, Linear (automated ticket creation for findings)
- **API Governance**: Backstage, API catalogs (enforce standards across portfolios)
- **Security Platforms**: Defect Dojo, SIEM platforms (via JSON export)
## Troubleshooting
### Issue: Too Many False Positives
**Solution**:
- Start with `error` severity only: `spectral lint --fail-severity error`
- Progressively add rules and adjust severity levels
- Use `overrides` section in ruleset to exclude specific paths
- See `references/ruleset_patterns.md` for filtering strategies
### Issue: Custom Rules Not Working
**Solution**:
- Verify JSONPath expressions using online JSONPath testers
- Check rule syntax with `spectral lint --ruleset .spectral.yaml --verbose`
- Use `--verbose` flag to see which rules are being applied
- Test rules in isolation before combining them
### Issue: Performance Issues with Large Specifications
**Solution**:
- Lint specific paths only: `spectral lint api-spec.yaml --ignore-paths "components/examples"`
- Use `--skip-rules` to disable expensive rules temporarily
- Split large specifications into smaller modules
- Run Spectral in parallel for multiple specifications
### Issue: CI/CD Integration Failing
**Solution**:
- Check Node.js version compatibility (requires Node 14+)
- Verify ruleset path is correct relative to specification file
- Use `--fail-severity` to control when builds should fail
- Review exit codes in `scripts/spectral_ci.sh`
## References
- [Spectral Documentation](https://docs.stoplight.io/docs/spectral/674b27b261c3c-overview)
- [Spectral GitHub Repository](https://github.com/stoplightio/spectral)
- [OWASP API Security Top 10](https://owasp.org/API-Security/editions/2023/en/0x11-t10/)
- [OpenAPI Specification](https://spec.openapis.org/oas/latest.html)
- [AsyncAPI Specification](https://www.asyncapi.com/docs/reference/specification/latest)
Reference in New Issue View Git Blame Copy Permalink