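# Spectral ruleset for the SEPM OpenAPI description.
# Builds on the complete built-in OpenAPI ruleset and adds SEPM-specific
# naming, documentation and authentication checks.
extends: [["spectral:oas", all]]

rules:
  # SEPM uses Bearer token authentication.
  # NOTE(review): this only checks that a scheme *named* BearerAuth exists
  # under components.securitySchemes. It does not verify that the scheme is
  # actually declared as HTTP bearer (type/scheme) - confirm against the spec
  # and tighten with a schema check if that guarantee is wanted.
  symantec-bearer-auth:
    description: SEPM API must define Bearer authentication scheme
    severity: warn
    given: "$.components.securitySchemes"
    then:
      field: BearerAuth
      function: truthy

  # Operation IDs must use camelCase.
  # The pattern requires a lowercase first character followed by at least one
  # alphanumeric character, so single-character IDs are rejected as well.
  symantec-operation-id-camel-case:
    description: Operation IDs must use camelCase naming convention
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: operationId
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]+$"

  # Summaries must use Title Case.
  # The pattern enforces an uppercase first character and restricts the rest
  # to letters, digits and spaces; it does not check the case of later words.
  symantec-summary-title-case:
    description: Operation summaries must use Title Case
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete].summary"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][A-Za-z0-9 ]+$"

  # All operations (except auth) must have security defined.
  # Two checks are needed: `truthy` catches a missing `security` key, but an
  # empty array is truthy, and `security: []` is exactly how OpenAPI switches
  # authentication OFF for a single operation. The `length` check rejects it.
  # Limitations: a root-level `security` block is not taken into account
  # (every operation must declare its own), and the rule does not verify that
  # the listed requirement actually references BearerAuth (an empty
  # requirement object `{}` would still pass).
  symantec-security-required:
    description: Non-authentication endpoints must require Bearer token
    severity: warn
    given: "$.paths[?(@property != '/identity/authenticate')][get,post,put,patch,delete]"
    then:
      - field: security
        function: truthy
      - field: security
        function: length
        functionOptions:
          min: 1

  # 401 response must be defined.
  # The key is quoted so it stays a string rather than being read as an
  # integer.
  symantec-auth-response:
    description: All operations must document 401 Unauthorized response
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete].responses"
    then:
      field: '401'
      function: truthy

  # GET list endpoints should support pagination.
  # A path counts as a "list endpoint" when it ends in "s"; the former extra
  # test for a "computers" suffix was redundant because such paths already end
  # in "s". The rule only checks that a `parameters` key is present - it does
  # not look for pageSize/pageIndex by name.
  symantec-pagination-parameters:
    description: List endpoints should support pageSize and pageIndex query parameters
    severity: hint
    given: "$.paths[?(@property.endsWith('s'))].get"
    then:
      field: parameters
      function: truthy

  # Operations must have tags.
  # `truthy` alone would accept `tags: []`; the `length` check enforces the
  # "at least one" part of the description.
  symantec-operation-tags:
    description: All operations must have at least one tag
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      - field: tags
        function: truthy
      - field: tags
        function: length
        functionOptions:
          min: 1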