A set of policies for Open Policy Agent to validate OpenAPI definitions.

• Use opa eval to execute policies against OpenAPI documents
• Built-in support for Conftest
• Based on the rules used by Spectral.

Spego may be used as an Open Policy Agent (OPA) bundle. First, be sure to follow the instructions to install OPA.

git clone [email protected]:kevinswiber/spego.git
opa eval \
  --bundle ./spego/src \
  --format pretty \
  --input ./spego/example/inputs/openapi.json \
  "data.openapi.main.results"

Spego can also be used with Conftest. First, be sure to follow the instructions to download Conftest.

conftest pull git::https://github.com/kevinswiber/spego//src
conftest test -n "openapi.main" ./openapi.json

Note: Policy execution can be configured by adding a data file named data.openapi.ruleset as defined in the Configuration section.

• Supports a subset of Spectral custom rulesets, including Changing Rule Severity, Recommended or All, Disabling Rules, and Enabling Rules.
• Included as data in Open Policy Agent, under data.openapi.ruleset.
• Configuration is optional. The recommended policies are executed by default.

openapi:
  ruleset:
    extends: [['spego:oas', 'recommended']]
    rules:
      operation-success-response: error
      openapi-tags: true

Contact object must have "name", "url" and "email".

Recommended: true

Enum values must not have duplicate entry.

Recommended: true

Info object must have "contact" object.

Recommended: true

Info "description" must be present and non-empty string.

Info object must have "license" object.

License object must include "url".

Recommended: true

Markdown descriptions must not have "eval(".

Recommended: true

Markdown descriptions must not have "<script>" tags.

Recommended: true

Each tag must have a unique name.

OpenAPI object must have non-empty "tags" array.

Recommended: true

Operation "description" must be present and non-empty string.

Recommended: true

Every operation must have unique "operationId".

Recommended: true

operationId must not have characters that are invalid when used in URL.

Recommended: true

Operation must have "operationId".

Recommended: true

Operation parameters are unique and non-repeating.

Operation must not have more than a singular tag.

Recommended: true

Operation must have at least one "2xx" or "3xx" response.

Recommended: true

Operation tags must be defined in global tags.

Recommended: true

Operation must have non-empty "tags" array.

Recommended: true

Path parameter declarations must not be empty, ex."/given/{}" is invalid.

Recommended: true

Path must not end with slash.

Recommended: true

Path must not include query string.

Recommended: true

Path parameters must be defined and valid.

Tag object must have "description".