Skip to content

feat: add security-scopes-defined rule#2951

Open
DmitryAnansky wants to merge 2 commits into
mainfrom
feat/security-scopes-defined-rule
Open

feat: add security-scopes-defined rule#2951
DmitryAnansky wants to merge 2 commits into
mainfrom
feat/security-scopes-defined-rule

Conversation

@DmitryAnansky

@DmitryAnansky DmitryAnansky commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

What/Why/How?

Added security-scopes-defined rule.
It supports OpenAPI 2.0/3.x and AsyncAPI 2.6/3.0, suggests the closest defined scope for typos, and has an opt-in requireScopes option that requires OAuth2 security requirements to list at least one scope.

Reference

Testing

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

Low Risk
Additive lint rule and preset defaults only; no runtime auth or API behavior changes, though recommended rulesets may surface new warnings on existing specs.

Overview
Adds a new built-in lint rule security-scopes-defined that validates OAuth2 scope names against what is declared in security schemes.

For OpenAPI 2.x/3.x and AsyncAPI 2.6, scopes referenced in security requirements must exist in the scheme’s declared scopes (across flows where applicable). AsyncAPI 3.0 uses a dedicated implementation that checks scheme scopes against flow availableScopes. Non-oauth2 schemes and missing scheme references are skipped (delegated to security-defined). Undefined scopes get typo suggestions via getSuggest; optional requireScopes can require at least one scope on OAuth2 requirements (or on AsyncAPI 3 schemes).

The rule is wired into OAS2/OAS3/Async2 rule sets (shared common rule) and Async3 (separate visitor), registered in built-in rule ID types, and enabled as warn in recommended / error in recommended-strict and all, off in minimal and spec. Docs, sidebar, ruleset templates, changeset, and snapshot tests are updated accordingly.

Reviewed by Cursor Bugbot for commit ed1ed08. Bugbot is set up for automated code reviews on this repo. Configure here.

@DmitryAnansky DmitryAnansky self-assigned this Jul 16, 2026
@changeset-bot

changeset-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: ed1ed08

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@redocly/openapi-core Minor
@redocly/cli Minor
@redocly/respect-core Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 70.52% (🎯 69%) 7818 / 11086
🔵 Statements 70.21% (🎯 69%) 8138 / 11590
🔵 Functions 74.96% (🎯 73%) 1572 / 2097
🔵 Branches 62.07% (🎯 61%) 5275 / 8498
File Coverage
File Stmts Branches Functions Lines Uncovered Lines
Changed Files
packages/core/src/config/all.ts 100% 100% 100% 100%
packages/core/src/config/minimal.ts 100% 100% 100% 100%
packages/core/src/config/recommended-strict.ts 100% 100% 100% 100%
packages/core/src/config/recommended.ts 100% 100% 100% 100%
packages/core/src/config/spec.ts 100% 100% 100% 100%
packages/core/src/rules/async2/index.ts 100% 100% 100% 100%
packages/core/src/rules/async3/index.ts 100% 100% 100% 100%
packages/core/src/rules/async3/security-scopes-defined.ts 93.33% 71.42% 100% 100% 9
packages/core/src/rules/common/security-scopes-defined.ts 100% 83.33% 100% 100%
packages/core/src/rules/oas2/index.ts 100% 100% 100% 100%
packages/core/src/rules/oas3/index.ts 100% 100% 100% 100%
packages/core/src/types/redocly-yaml.ts 92.92% 84.9% 100% 92.7% 419, 451, 457, 501-508, 510, 669-674, 677-682
Generated in workflow #10739 for commit ed1ed08 by the Vitest Coverage Report Action

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Performance Benchmark (Lower is Faster)

CLI Version Bundle Lint Check Config
cli-latest ▓ 1.01x ± 0.01 ▓ 1.00x ± 0.01 ▓ 1.00x ± 0.01
cli-next ▓ 1.00x (Fastest) ▓ 1.00x (Fastest) ▓ 1.00x (Fastest)

@DmitryAnansky
DmitryAnansky requested a review from tatomyr July 17, 2026 12:16
@DmitryAnansky
DmitryAnansky marked this pull request as ready for review July 17, 2026 12:52
@DmitryAnansky
DmitryAnansky requested review from a team as code owners July 17, 2026 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant