OpenAPI document linting
Tip
The 
Speakeasy VS Code extension provides syntax highlighting and autocompletion for editing the lint.yaml file, as well as linting for OpenAPI documents and other supported file types.
In addition to running validation, Speakeasy lints OpenAPI documents to ensure stylistic validity. By default, the linter runs using a recommended set of rules, which can be extended with the available ruleset. Custom rules can also be written using the Spectral format.
The Speakeasy Linter offers:
- Linting and validation of OpenAPI 3.x documents
- Access to 70+ rules
- Quick start with five out-the-box rulesets:
speakeasy-recommended,speakeasy-generation,speakeasy-openapi,vacuum, andowasp - Reconfiguration of Speakeasy default rules and rulesets
- Configuration of custom rulesets
- Definition of new rules using the Spectral rule format
- Support for custom functions written in Go and JavaScript
Usage
Three options are available for running linting:
- Run manually via the Speakeasy CLI:
- Integrate into a Speakeasy workflow:
Running speakeasy run lints the document as part of the workflow and generates an HTML report accessible from a link in the command output.
- Use the Speakeasy VS Code extension in the IDE.
By default, these options use the speakeasy-recommended ruleset to ensure OpenAPI documents meet the Speakeasy quality bar.
Configuration
OpenAPI spec linting is fully configurable. Create custom rulesets by selecting from predefined sets or writing new rules. These custom linting rules work throughout the workflow.
Immediately before SDK generation, the speakeasy-generation ruleset is always applied to ensure compatibility with the code generator.
Configure linting in a lint.yaml document in the .speakeasy folder. The .speakeasy folder can be located in the same directory as the OpenAPI document, the working directory for running the speakeasy lint or speakeasy run commands, or the home directory.
Example linting configuration in a lint.yaml file:
A lint.yaml document defines a collection of rulesets that can be chained together or used independently. Define any built-in Speakeasy rulesets, create new rules, modify existing rules, or remix available rules to suit specific needs.
Use rulesets in these ways:
- Set the
defaultRulesetin thelint.yamlto use by default. This ruleset applies when no ruleset is specified using thelintcommand orworkflow.yamlfile. - Pass a ruleset name to the
lintcommand with the-rargument, for example,speakeasy lint openapi -r barRuleset -s openapi.yaml. - Define the ruleset for a particular source in the
workflow.yamlfile.
Custom rules
Create custom rules most easily using the Spectral rule format , which defines the rule and its properties as an object.
This format works for overriding built-in rules or defining new rules.
For more complex rules beyond pattern matching or field existence checking, define custom Go or JavaScript functions.
Custom Go/JavaScript functions
Speakeasy linting builds on vacuum and supports custom Go or JavaScript functions in rules. The vacuum documentation explains writing custom functions in JavaScript and Go .
After creating custom functions, place them in a directory named functions in the .speakeasy folder (e.g. .speakeasy/functions/foo.js).
Available rules
The rules available to the Speakeasy Linter are listed below and can be used in custom rulesets or to match and modify default rules in the lint.yaml file.
Rule ID
openapi-tags-alphabetical
Default Severity
info
Description
Tags must be in alphabetical order.
tag-description
Default Severity
warn
Description
Tag must have a description defined.
no-$ref-siblings
Default Severity
error
Description
$ref values cannot be placed next to other properties (like a description).
oas3-unused-component
Default Severity
warn
Description
Check for unused components and bad references.
owasp-auth-insecure-schemes
Default Severity
error
Description
Authentication scheme is considered outdated or insecure.
no-http-verbs-in-path
Default Severity
warn
Description
Path segments must not contain an HTTP verb.
operation-4xx-response
Default Severity
warn
Description
Make sure operations return at least one
error response to help with bad requests.
duplicated-entry-in-enum
Default Severity
error
Description
Enum values must not have duplicate entries.
operation-tags
Default Severity
warn
Description
Operation
are missing or empty.
owasp-define-error-responses-401
Default Severity
warn
Description
OWASP API Security recommends defining schemas for all responses, even
oas2-anyOf
Default Severity
error
Description
was introduced in OpenAPI 3.0, cannot be used in OpenAPI 2.0 specs
owasp-define-error-responses-429
Default Severity
warn
Description
OWASP API Security recommends defining schemas for all responses, even
.
owasp-no-credentials-in-url
Default Severity
error
Description
URL parameters must not contain credentials such as API key, password, or secret.
duplicate-tag
Default Severity
error
Description
Tag names must be unique when converted to class, field, or file names.
validate-parameters
Default Severity
error
Description
Validate parameters are unique and have a non-empty
property when converted to field names.
oas2-operation-formData-consume-check
Default Severity
warn
Description
Operations with
parameter must include
or
in their
property.
oas2-discriminator
Default Severity
error
Description
Discriminators are used correctly in schemas.
oas2-operation-security-defined
Default Severity
error
Description
values must match a scheme defined in
.
oas2-oneOf
Default Severity
error
Description
was introduced in OpenAPI 3.0, cannot be used in OpenAPI 2.0 specs.
operation-tag-defined
Default Severity
warn
Description
Operation tags must be defined in global tags.
oas3-example-external-check
Default Severity
warn
Description
Examples cannot use
and
together.
oas2-api-host
Default Severity
info
Description
OpenAPI
must be present and a non-empty string.
owasp-protection-global-unsafe
Default Severity
error
Description
API should be protected by a
rule at either global or operation level.
oas3-schema
Default Severity
error
Description
OpenAPI 3.0 specification is invalid.
path-params
Default Severity
error
Description
Path parameters must be defined and valid.
owasp-string-limit
Default Severity
error
Description
String size should be limited to mitigate resource exhaustion attacks.
owasp-no-http-basic
Default Severity
error
Description
Security scheme uses HTTP Basic. Use a more secure authentication method like OAuth 2.0.
oas2-host-not-example
Default Severity
warn
Description
Host URL should not point at example.com.
validate-enums
Default Severity
warn
Description
Validate enums are valid for type generation.
validate-paths
Default Severity
error
Description
Validate paths conform to RFC 3986.
duplicate-properties
Default Severity
error
Description
Property names must be unique and not empty within an operation when converted to field names.
validate-composite-schemas
Default Severity
error
Description
Ensure
,
, and
don't contain duplicate references.
owasp-protection-global-unsafe-strict
Default Severity
info
Description
Check if the operation is protected at operation level. Otherwise, check the global
property.
owasp-security-hosts-https-oas3
Default Severity
error
Description
All server interactions MUST use HTTPS, meaning server URLs should begin
.
owasp-jwt-best-practices
Default Severity
error
Description
JWTs must explicitly declare support for RFC 8725 in the description.
owasp-define-error-responses-500
Default Severity
warn
Description
OWASP API Security recommends defining schemas for all responses, even
.
description-duplication
Default Severity
info
Description
Description duplication check.
no-script-tags-in-markdown
Default Severity
error
Description
Markdown descriptions must not have
tags.
owasp-rate-limit-retry-after
Default Severity
error
Description
Ensure that any
response contains a
header.
oas3-valid-schema-example
Default Severity
warn
Description
If an example has been used, check the schema is valid.
typed-enum
Default Severity
warn
Description
Enum values must respect the specified type.
operation-operationId
Default Severity
error
Description
Every operation must contain an
.
operation-parameters
Default Severity
error
Description
Operation parameters are unique and non-repeating.
validate-requests
Default Severity
error
Description
Validate request content types are valid MIME types.
validate-document
Default Severity
error
Description
Document must have a
or
object.
no-ambiguous-paths
Default Severity
error
Description
Paths need to resolve unambiguously from one another.
oas3-api-servers
Default Severity
warn
Description
Check for valid API servers definition.
info-contact
Default Severity
warn
Description
Info section is missing contact details.
paths-kebab-case
Default Severity
warn
Description
Path segments must only use kebab case (no underscores or uppercase).
openapi-tags
Default Severity
warn
Description
Top-level spec
must not be empty and must be an array.
owasp-array-limit
Default Severity
error
Description
Array size should be limited to mitigate resource exhaustion attacks.
oas-schema-check
Default Severity
error
Description
All document schemas must have a valid type defined.
license-url
Default Severity
info
Description
License should contain a URL.
oas2-schema
Default Severity
error
Description
OpenAPI 2.0 specification is invalid.
operation-success-response
Default Severity
warn
Description
Operation must have at least one
or
response.
owasp-no-api-keys-in-url
Default Severity
error
Description
API key has been detected in a URL.
info-description
Default Severity
error
Description
Info section is missing a description.
oas3-missing-example
Default Severity
warn
Description
Ensure everything that can have an example contains one.
oas3-host-trailing-slash
Default Severity
warn
Description
Server URL should not contain a trailing slash.
owasp-string-restricted
Default Severity
error
Description
String must specify a
, RegEx
,
, or
.
owasp-no-additionalProperties
Default Severity
warn
Description
By default, JSON Schema allows additional properties, which can potentially lead to mass assignment issues.
contact-properties
Default Severity
info
Description
Contact details are incomplete.
validate-security
Default Severity
error
Description
Validate security schemes are correct.
operation-operationId-unique
Default Severity
error
Description
Every operation must have a unique
.
validate-types
Default Severity
error
Description
Ensure data types are valid for generation.
validate-consts-defaults
Default Severity
warn
Description
Ensure
and
values match their type.
operation-singular-tag
Default Severity
warn
Description
Operation cannot have more than a single tag defined.
oas2-api-schemes
Default Severity
warn
Description
OpenAPI host
must be present and a non-empty array.
validate-anyof
Default Severity
warn
Description
should only contain types that are compatible with each other.
duplicate-schemas
Default Severity
hint
Description
Inline object schemas must be unique.
missing-examples
Default Severity
hint
Description
Examples should be provided where possible.
no-eval-in-markdown
Default Severity
error
Description
Markdown descriptions must not have
statements.
oas2-host-trailing-slash
Default Severity
warn
Description
Host URL should not contain a trailing slash.
owasp-no-numeric-ids
Default Severity
error
Description
Use random IDs that cannot be guessed. UUIDs are preferred.
duplicate-schema-name
Default Severity
error
Description
Schema names must be unique when converted to class names.
validate-responses
Default Severity
error
Description
Validate response content types are valid MIME types.
path-not-include-query
Default Severity
error
Description
Path must not include query string.
path-declarations-must-exist
Default Severity
error
Description
Path parameter declarations must not be empty, for example,
is invalid.
owasp-constrained-additionalProperties
Default Severity
warn
Description
By default, JSON Schema allows additional properties, which can potentially lead to mass assignment issues.
operation-description
Default Severity
warn
Description
Operation description checks.
owasp-integer-format
Default Severity
error
Description
Integers should be limited to mitigate resource exhaustion attacks.
owasp-integer-limit
Default Severity
error
Description
Integers should be limited with
or
values to mitigate resource exhaustion attacks.
validate-deprecation
Default Severity
error
Description
Ensure correct usage of
and
extensions.
validate-json-schema
Default Severity
error
Description
Validate OpenAPI document against JSON Schema.
validate-content-type
Default Severity
error
Description
Validate content type schemas.
owasp-define-error-validation
Default Severity
warn
Description
Missing error response for
,
, or
. Ensure all errors are documented.
owasp-rate-limit
Default Severity
error
Description
Define proper rate limiting to avoid attackers overloading the API.
oas3-parameter-description
Default Severity
warn
Description
Parameter description checks.
oas3-host-not-example.com
Default Severity
warn
Description
Server URL should not point at example.com.
component-description
Default Severity
warn
Description
Component description check.
oas3-operation-security-defined
Default Severity
error
Description
values must match a scheme defined in
.
path-keys-no-trailing-slash
Default Severity
warn
Description
Path must not end with a slash.
duplicate-operation-name
Default Severity
error
Description
Duplicate operation names can cause SDK method name collisions. An SDK method name combines two parts:
and
, forming
. The
is derived from
but can be overridden with
; if neither is provided, it falls back to a name generated from the HTTP path and HTTP method. The optional
comes from
; if absent,
may be used.
info-license
Default Severity
info
Description
Info section should contain a license.
owasp-protection-global-safe
Default Severity
info
Description
Check if the operation is protected at operation level. Otherwise, check the global
property.
operation-operationId-valid-in-url
Default Severity
error
Description
must use URL-friendly characters.
validate-servers
Default Severity
error
Description
Validate servers, variables, and
extension.
validate-extensions
Default Severity
error
Description
Validate
extension usage.
oas2-unused-definition
Default Severity
warn
Description
Check for unused definitions and bad references.
oas2-parameter-description
Default Severity
warn
Description
Parameter description checks.
Available rulesets
The rulesets available to the Speakeasy Linter are listed below and can be chained in custom rules. These rulesets will be used by default when custom linting configuration is not provided.
speakeasy-recommended
The Speakeasy Linter uses the speakeasy-recommended ruleset by default when no custom ruleset is provided. This ruleset is recommended to ensure OpenAPI documents meet the Speakeasy quality bar.
Rule ID
duplicate-schema-name
duplicate-operation-name
duplicate-properties
validate-anyof
validate-document
validate-enums
validate-extensions
validate-json-schema
validate-parameters
validate-requests
validate-responses
validate-composite-schemas
validate-security
validate-servers
validate-types
validate-paths
validate-deprecation
duplicate-tag
validate-consts-defaults
validate-content-type
duplicate-schemas
missing-examples
path-params
path-declarations-must-exist
path-not-include-query
oas3-operation-security-defined
typed-enum
no-eval-in-markdown
no-script-tags-in-markdown
operation-operationId-unique
operation-success-response
oas3-unused-component
oas3-host-not-example.com
operation-operationId
duplicated-entry-in-enum
operation-tag-defined
speakeasy-generation
The speakeasy-generation ruleset is used when generating an SDK from an OpenAPI document. This set of rules must pass to successfully generate an SDK from an OpenAPI document. This ruleset can’t be overridden or reconfigured when using the generator.
Use the speakeasy-generation ruleset as appropriate to configure the linter to ensure an OpenAPI document is ready for generation.
Rule ID
duplicate-schema-name
duplicate-operation-name
duplicate-properties
validate-anyof
validate-document
validate-enums
validate-extensions
validate-json-schema
validate-parameters
validate-requests
validate-responses
validate-composite-schemas
validate-security
validate-servers
validate-types
validate-paths
validate-deprecation
duplicate-tag
validate-consts-defaults
validate-content-type
path-params
path-declarations-must-exist
path-not-include-query
oas3-operation-security-defined
typed-enum
no-eval-in-markdown
no-script-tags-in-markdown
operation-operationId-unique
speakeasy-openapi
The speakeasy-openapi ruleset is a minimal set of rules recommended to ensure OpenAPI documents are generally valid and ready to be used by most of the OpenAPI ecosystem.
Rule ID
validate-anyof
validate-document
validate-json-schema
validate-parameters
validate-requests
validate-responses
validate-composite-schemas
validate-security
validate-servers
validate-types
validate-paths
validate-deprecation
validate-consts-defaults
validate-content-type
duplicate-schemas
missing-examples
path-params
path-declarations-must-exist
path-not-include-query
oas3-operation-security-defined
typed-enum
no-eval-in-markdown
no-script-tags-in-markdown
operation-operationId-unique
operation-success-response
oas3-unused-component
oas3-host-not-example.com
operation-operationId
duplicated-entry-in-enum
operation-tag-defined
vacuum
The vacuum ruleset is provided by the vacuum project , which the Speakeasy Linter is built on top of. This set of rules is recommended to ensure OpenAPI documents meet the vacuum quality bar.
Rule ID
operation-success-response
operation-operationId-unique
operation-operationId
operation-parameters
operation-singular-tag
operation-tag-defined
path-params
contact-properties
info-contact
info-description
info-license
license-url
openapi-tags-alphabetical
openapi-tags
operation-tags
operation-description
component-description
operation-operationId-valid-in-url
path-declarations-must-exist
path-keys-no-trailing-slash
path-not-include-query
tag-description
no-$ref-siblings
oas3-unused-component
oas2-unused-definition
oas2-api-host
oas2-api-schemes
oas2-discriminator
oas2-host-not-example
oas3-host-not-example.com
oas2-host-trailing-slash
oas3-host-trailing-slash
oas2-parameter-description
oas3-parameter-description
oas3-operation-security-defined
oas2-operation-security-defined
typed-enum
duplicated-entry-in-enum
no-eval-in-markdown
no-script-tags-in-markdown
description-duplication
oas3-api-servers
oas2-operation-formData-consume-check
oas2-anyOf
oas2-oneOf
no-ambiguous-paths
no-http-verbs-in-path
paths-kebab-case
operation-4xx-response
oas2-schema
oas3-schema
oas3-valid-schema-example
oas3-missing-example
oas3-example-external-check
oas-schema-check
owasp
The owasp ruleset is recommended to ensure OpenAPI documents meet the Open Worldwide Application Security Project (OWASP) quality bar.
Rule ID
owasp-protection-global-unsafe
owasp-protection-global-unsafe-strict
owasp-protection-global-safe
owasp-define-error-responses-401
owasp-define-error-responses-500
owasp-rate-limit
owasp-rate-limit-retry-after
owasp-define-error-responses-429
owasp-array-limit
owasp-jwt-best-practices
owasp-auth-insecure-schemes
owasp-no-numeric-ids
owasp-no-http-basic
owasp-define-error-validation
owasp-no-api-keys-in-url
owasp-no-credentials-in-url
owasp-string-limit
owasp-string-restricted
owasp-integer-format
owasp-integer-limit
owasp-no-additionalProperties
owasp-constrained-additionalProperties
owasp-security-hosts-https-oas3
Last updated on