pet3r · January 14, 2021 11:25
diff --git a/merged.yaml b/merged.yaml
 # Make sure every post/put/delete/patch endpoint has some sort of security
 rules:
  api-home:
    description: APIs MUST have a root path defined (`/`), to stop forcing all API consumers to visit documentation for basic interactions.
    severity: error
    given: $.paths
    then:
      field: /
      function: truthy

  paths-kebab-case:
    description: Should paths be kebab-case.
    message: '{{property}} should be kebab-case (lower case and separated with hyphens)'
    severity: warn
    given: $.paths[*]~
    then:
      function: pattern
      functionOptions:
        match: "^(\/|[a-z0-9-.]+|{[a-zA-Z0-9_]+})+$"

  paths-kebab-case2:
    description: Should paths be kebab-case.
    message: '{{property}} is not kebab-case: {{error}}'
    severity: warn
    recommended: true
    given: $.paths[*]~
    then:
      function: casing
      functionOptions:
        type: kebab
        separator:
          char: "/"

  no-http-basic:
    description: "Consider a more secure alternative to HTTP Basic."
    message: "HTTP Basic is a pretty insecure way to pass credentials around, please consider an alternative."
    severity: warn
    given: $.components.securitySchemes[*]
    then:
      field: scheme
      function: pattern
      functionOptions:
        notMatch: basic

  no-x-headers:
    description: "Please do not use headers with X-"
    message: "Headers cannot start with X-, so please find a new name for {{property}}. More: https://tools.ietf.org/html/rfc6648"
    given: "$..parameters.[?(@.in === 'header')].name"
    then:
      function: pattern
      functionOptions:
        notMatch: '^(x|X)-'

  request-GET-no-body:
    description: A `GET` request MUST NOT accept a `body` parameter
    severity: error
    given: $.paths..get.parameters..in
    then:
      function: pattern
      functionOptions:
        notMatch: "/^body$/"

  headers-hyphenated-pascal-case:
    description: All `HTTP` headers MUST use `Hyphenated-Pascal-Case` notation
    severity: error
    given: "$..parameters[?(@.in == 'header')].name"
    message: "'HTTP' headers MUST follow 'Hyphenated-Pascal-Case' notation"
    type: style
    then:
      function: pattern
      functionOptions:
        match: "/^([A-Z][a-z0-9]-)*([A-Z][a-z0-9])+/"

  oas3-hosts-https-only:
    description: "ALL requests MUST go through `https` protocol only"
    formats:
      - oas3
    severity: error
    message: "Servers MUST be https and no other protocol is allowed."
    given: $.servers..url
    then:
      function: pattern
      functionOptions:
        match: "/^https:/"

  oas3-request-support-json:
    description: Every request SHOULD support `application/json` media type
    formats:
      - oas3
    severity: warn
    message: "{{description}}: {{error}}"
    given: $.paths.[*].requestBody.content[?(@property.indexOf('json') === -1)]^
    then:
      function: falsy

  operation-short-summary:
    description: "Operation summary should be short and sweet, no full stops, and less than 20 characters"
    recommended: true
    type: "style"
    given: "$.paths.*[?( @property === 'get' || @property === 'put' || @property === 'post' || @property === 'delete' || @property === 'options' || @property === 'head' || @property === 'patch' || @property === 'trace' )]"
    then:
      - field: summary
        function: pattern
        functionOptions:
          notMatch: "\\."
      - field: summary
        function: length
        functionOptions:
          max: 20

  schema-names-pascal-case:
    description: Schema names MUST be written in PascalCase
    message: '{{property}} is not PascalCase: {{error}}'
    recommended: true
    type: style
    given: '$.components.schemas.*~'
    then:
      function: pattern
      functionOptions:
        match: '^[A-Z][a-zA-Z0-9]*$'

  schema-names-pascal-case2:
    description: Schema names MUST be written in PascalCase
    message: '{{property}} is not PascalCase: {{error}}'
    recommended: true
    type: style
    given: '$.components.schemas.*~'
    then:
      function: casing
      functionOptions:
        type: pascal

  operationIds-kebab-case:
    description: Operation IDs MUST be written in kebab-case
    message: '{{property}} is not kebab-case: {{error}}'
    recommended: true
    type: style
    given: "$.paths.*[?( @property === 'get' || @property === 'put' || @property === 'post' || @property === 'delete' || @property === 'options' || @property === 'head' || @property === 'patch' || @property === 'trace' )]"
    then:
      field: operationId
      function: pattern
      functionOptions:
        match: "^([a-z0-9-]+)$"

  semver:
    severity: error
    recommended: true
    message: Please follow semantic versioning. {{value}} is not a valid version.
    given: $.info.version
    then:
      function: pattern
      functionOptions:
        match: "^([0-9]+.[0-9]+.[0-9]+)$"

  fhir-type-pascal-case:
    description: 'FHIR "types" must be PascalCase'
    message: '{{property}} is not PascalCase: {{error}}'
    severity: error
    recommended: true
    given: '$.paths[*]~'
    then:
      function: pattern
      functionOptions:
        match: "^(\\/)?[A-Z][a-zA-Z0-9]*(\\/)?"
	# Make sure every post/put/delete/patch endpoint has some sort of security
	rules:
	api-home:
	description: APIs MUST have a root path defined (`/`), to stop forcing all API consumers to visit documentation for basic interactions.
	severity: error
	given: $.paths
	then:
	field: /
	function: truthy

	paths-kebab-case:
	description: Should paths be kebab-case.
	message: '{{property}} should be kebab-case (lower case and separated with hyphens)'
	severity: warn
	given: $.paths[*]~
	then:
	function: pattern
	functionOptions:
	match: "^(\/\|[a-z0-9-.]+\|{[a-zA-Z0-9_]+})+$"

	paths-kebab-case2:
	description: Should paths be kebab-case.
	message: '{{property}} is not kebab-case: {{error}}'
	severity: warn
	recommended: true
	given: $.paths[*]~
	then:
	function: casing
	functionOptions:
	type: kebab
	separator:
	char: "/"

	no-http-basic:
	description: "Consider a more secure alternative to HTTP Basic."
	message: "HTTP Basic is a pretty insecure way to pass credentials around, please consider an alternative."
	severity: warn
	given: $.components.securitySchemes[*]
	then:
	field: scheme
	function: pattern
	functionOptions:
	notMatch: basic

	no-x-headers:
	description: "Please do not use headers with X-"
	message: "Headers cannot start with X-, so please find a new name for {{property}}. More: https://tools.ietf.org/html/rfc6648"
	given: "$..parameters.[?(@.in === 'header')].name"
	then:
	function: pattern
	functionOptions:
	notMatch: '^(x\|X)-'

	request-GET-no-body:
	description: A `GET` request MUST NOT accept a `body` parameter
	severity: error
	given: $.paths..get.parameters..in
	then:
	function: pattern
	functionOptions:
	notMatch: "/^body$/"

	headers-hyphenated-pascal-case:
	description: All `HTTP` headers MUST use `Hyphenated-Pascal-Case` notation
	severity: error
	given: "$..parameters[?(@.in == 'header')].name"
	message: "'HTTP' headers MUST follow 'Hyphenated-Pascal-Case' notation"
	type: style
	then:
	function: pattern
	functionOptions:
	match: "/^([A-Z][a-z0-9]-)*([A-Z][a-z0-9])+/"

	oas3-hosts-https-only:
	description: "ALL requests MUST go through `https` protocol only"
	formats:
	- oas3
	severity: error
	message: "Servers MUST be https and no other protocol is allowed."
	given: $.servers..url
	then:
	function: pattern
	functionOptions:
	match: "/^https:/"

	oas3-request-support-json:
	description: Every request SHOULD support `application/json` media type
	formats:
	- oas3
	severity: warn
	message: "{{description}}: {{error}}"
	given: $.paths.[*].requestBody.content[?(@property.indexOf('json') === -1)]^
	then:
	function: falsy

	operation-short-summary:
	description: "Operation summary should be short and sweet, no full stops, and less than 20 characters"
	recommended: true
	type: "style"
	given: "$.paths.*[?( @property === 'get' \|\| @property === 'put' \|\| @property === 'post' \|\| @property === 'delete' \|\| @property === 'options' \|\| @property === 'head' \|\| @property === 'patch' \|\| @property === 'trace' )]"
	then:
	- field: summary
	function: pattern
	functionOptions:
	notMatch: "\\."
	- field: summary
	function: length
	functionOptions:
	max: 20

	schema-names-pascal-case:
	description: Schema names MUST be written in PascalCase
	message: '{{property}} is not PascalCase: {{error}}'
	recommended: true
	type: style
	given: '$.components.schemas.*~'
	then:
	function: pattern
	functionOptions:
	match: '^[A-Z][a-zA-Z0-9]*$'

	schema-names-pascal-case2:
	description: Schema names MUST be written in PascalCase
	message: '{{property}} is not PascalCase: {{error}}'
	recommended: true
	type: style
	given: '$.components.schemas.*~'
	then:
	function: casing
	functionOptions:
	type: pascal

	operationIds-kebab-case:
	description: Operation IDs MUST be written in kebab-case
	message: '{{property}} is not kebab-case: {{error}}'
	recommended: true
	type: style
	given: "$.paths.*[?( @property === 'get' \|\| @property === 'put' \|\| @property === 'post' \|\| @property === 'delete' \|\| @property === 'options' \|\| @property === 'head' \|\| @property === 'patch' \|\| @property === 'trace' )]"
	then:
	field: operationId
	function: pattern
	functionOptions:
	match: "^([a-z0-9-]+)$"

	semver:
	severity: error
	recommended: true
	message: Please follow semantic versioning. {{value}} is not a valid version.
	given: $.info.version
	then:
	function: pattern
	functionOptions:
	match: "^([0-9]+.[0-9]+.[0-9]+)$"

	fhir-type-pascal-case:
	description: 'FHIR "types" must be PascalCase'
	message: '{{property}} is not PascalCase: {{error}}'
	severity: error
	recommended: true
	given: '$.paths[*]~'
	then:
	function: pattern
	functionOptions:
	match: "^(\\/)?[A-Z][a-zA-Z0-9]*(\\/)?"