.spectral.yaml

.spectral.yaml

extends:
  - "spectral:oas"
rules:
  operation-tag-defined: true
  operation-success-response: true
  oas3-server-trailing-slash: true

  #Path must not end with Slash.
  path-keys-no-trailing-slash:
    message: "Path must not end with slash."
    severity: error
    given: "$.paths[*]~"
    then:
      function: pattern
      functionOptions:
        notMatch: ".+\\/$"
  # Require 3-part Semantic Versions as the spec versions.
  semver:
    severity: error
    recommended: true
    message: Specs should follow semantic versioning. {{value}} is not a valid version.
    given: $.info.version
    then:
      function: pattern
      functionOptions:
        match: "^([0-9]+.[0-9]+.[0-9]+)$"
  # Input Request should only be of Type - application/json
  content-type-application-json-specific:
    description: Every request SHOULD support `application/json` media type
    severity: error
    message: "{{description}}"
    given:
      - $.paths[*][*][requestBody].content
    then:
      field: "application/json"
      function: truthy
  # Path Parameters should always be lowercase and should be in kebab-case
  paths-kebab-case:
    description: "Path Should paths be kebab-case."
    message: "{{property}} should be kebab-case (lower case and separated with hyphens)"
    severity: error
    given: $.paths[*]~
    then:
      function: pattern
      functionOptions:
        match: "^(\/|[a-z-.]+|{[a-z-]+})+$"  
  # Security must be applied to "write" endpoints
  security-must-be-enforced-for-unsafe-endpoints:
    message: Security must be applied to "write" endpoints
    severity: error
    given: "$.paths.*[?(@property == 'post' || @property == 'put' || @property == 'patch' || @property == 'delete')]"
    then:
      - field: security
        function: truthy
  
  
  # Get Method should not have Body Parameters
  request-GET-no-body:
    message: GET operations cannot have a requestBody.
    description: A `GET` request MUST NOT accept a `body` parameter
    severity: error
    given: $.paths..get.requestBody
    then:
      - field: requestBody
        function: truthy
  # Defined Query parameter should be Snake_Case
  query-parameter-snake-case:
    description: "Query parameters should be snake case"
    severity: error
    given: "$..parameters.[?(@.in === 'query')].name"
    then:
      function: casing
      functionOptions:
        type: snake
  # Only Https Protocol is Allowed
  oas3-protocol-https-only:
    description: "ALL requests MUST go through `https` protocol only"
    severity: error
    message: "Servers MUST be https and no other protocol is allowed."
    given: $.servers..url
    then:
      function: pattern
      functionOptions:
        match: "/^https:/"
  # Defined Field Name should be snake_case
  field-name-snake-case:
    description: "Field name should be snake case"
    severity: warn
    message: '"{{property}}" is not snake_case: {{error}}'
    given: $.components..properties[*]~
    then:
      function: casing
      functionOptions:
        type: snake
  # custom Spectral rule to ensure request bodies and non-204 responses provide content object
  content-entry-provided:
    description: Request bodies and non-204 responses should define a content object
    given:
      - $.paths[*][*].responses[?(@property != '204')]
      - $.paths[*][*].requestBody
    severity: warn
    formats: ["oas3"]
    resolved: true
    then:
      field: content
      function: truthy
  
  # Operation Id must be kebab-case
  operationid-must-be-kebab-cased:
    description: "operationIds must be kebab cased and lowercase (e.g. kebab-case)"
    type: style
    given: "$..operationId"
    severity: error
    message: "{{description}}; {{value}} incorrect"
    then:
      function: casing
      functionOptions:
        type: kebab