Is your feature request related to a problem? Please describe.
Very often APIs define a health endpoint that is not protected by any kind of auth.
Our security-defined rule always reports this as a problem.
Surely, it can be ignored with an ignore file, but this is a problem for users who constantly onboard new APIs.
A configurable rule can't be used here as it doesn't cover security defined on different levels (operation vs root).
Describe the solution you'd like
Add support for an exceptions config option to the rule:

```yaml
rules:
  security-defined:
    severity: error
    exceptions:
      - path: '/health'
        method: GET
```
Describe alternatives you've considered
I used exceptions as we use this term in the path-segment-plural rule. Let me know if you have better suggestions.
Another alternative is to have a simpler list of exceptions (only path).
What do you think?
I like the first approach better as it allows fine-grained exceptions. However, I'd make the method property plural to be able to specify several methods. Also, we can make it optional and ignore an entire path if there are no methods specified.
If you define security on the operation or path item as `security: []`, it means security is explicitly defined as no security, and it won't trigger the rule.
@RomanHotsiy do you think we still need this adjustment? Is there a case that couldn't be easily covered by the empty security as @adamaltman suggests?
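To make the two options discussed here concrete, below is an added illustration (not Redocly's own rule implementation) of a minimal security-defined style check over an OpenAPI 3 document object. It assumes the resolution order operation-level `security`, then root-level `security`, treats an explicit `security: []` as "no auth declared on purpose" (the behaviour described in the comment above), and also implements the proposed `exceptions` option with `path` and an optional plural `methods` list, where a missing `methods` list excepts the whole path. The sample document is constructed for the example.

```javascript
// Added example: a simplified "security-defined"-style check.
// Not Redocly's code; the config shape { exceptions: [{ path, methods? }] }
// is the proposal from this thread, not a released option.

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Constructed sample OpenAPI document (not taken from the issue).
const sampleSpec = {
  openapi: '3.0.3',
  info: { title: 'Constructed sample', version: '1.0.0' },
  components: { securitySchemes: { bearer: { type: 'http', scheme: 'bearer' } } },
  paths: {
    '/health': {
      // Explicitly declared as "no security": must not be reported.
      get: { security: [], responses: { 200: { description: 'ok' } } },
    },
    '/metrics': {
      // No security at any level: reported unless excepted by config.
      get: { responses: { 200: { description: 'ok' } } },
    },
    '/users': {
      // Operation-level requirement present: fine.
      get: { security: [{ bearer: [] }], responses: { 200: { description: 'ok' } } },
      // Nothing at operation or root level: reported.
      post: { responses: { 201: { description: 'created' } } },
    },
  },
};

// True when an exceptions entry covers this path/method pair.
function isExcepted(path, method, exceptions = []) {
  return exceptions.some((e) => {
    if (e.path !== path) return false;
    // No methods listed means the entire path is excepted.
    if (!e.methods || e.methods.length === 0) return true;
    return e.methods.map((m) => m.toLowerCase()).includes(method);
  });
}

// Returns the "METHOD /path" strings the check would report for `spec`.
function securityDefined(spec, options = {}) {
  const rootSecurity = spec.security;
  const problems = [];
  for (const [path, pathItem] of Object.entries(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = pathItem[method];
      if (!op) continue;
      // Operation-level `security` (even an empty list) overrides the root value.
      const effective = op.security !== undefined ? op.security : rootSecurity;
      // Any defined value, including `[]`, counts as "security was decided".
      if (effective !== undefined) continue;
      if (isExcepted(path, method, options.exceptions)) continue;
      problems.push(`${method.toUpperCase()} ${path}`);
    }
  }
  return problems;
}

// Three runs: no config, a path+method exception, and a whole-path exception.
console.log(securityDefined(sampleSpec));
console.log(securityDefined(sampleSpec, { exceptions: [{ path: '/metrics', methods: ['GET'] }] }));
console.log(securityDefined(sampleSpec, { exceptions: [{ path: '/users' }] }));
```

With the sample above, the first run reports `GET /metrics` and `POST /users`, and `/health` is never reported because its `security: []` already satisfies the check; the exceptions only matter for operations that declare nothing at all, which is the onboarding case the issue describes. Adding a root-level `security` requirement to the document makes every operation pass without any exceptions.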