Is your feature request related to a problem? Please describe.
When I run a full CATS scan vs. my application, I get many false positive results. For example:
Scenario: Send a happy flow bypassing authentication. Removed headers [Authorization]
Expected Result: Should return 401, 403
Result: error
Result Details: Response does NOT match expected result. Response code is NOT from a list of expected codes for this FUZZER: expected [401, 403], actual [200]
Contract Path: /.well-known/openid-configuration
Fuzzer: BypassAuthentication
Describe the solution you'd like
I'd like to specify, either in configuration and/or as a command line option, the ability to supply a tag and either include or exclude tests/fuzzers on endpoints matching the tag.
For example, I'd like to specify that I want to skip BypassAuthentication tests for endpoints with a tag like "x-public-endpoint: true" or "x-authentication-required: false".
Describe alternatives you've considered
Add a lengthy --skippaths list to the command line with a list of all my public endpoints
I rejected this because of unwieldiness and because it's too difficult to maintain and keep up-to-date, when the openapi specification is supposed to be the source of truth.
Additional context
I'm not initially suggesting a specific implementation; you have better context on your desired user experience.
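As an added example (not part of the issue or of the CATS project), the script below derives a path skip list from the markers proposed above, so the OpenAPI specification stays the source of truth. The spec embedded in it is constructed, the `is_public` rule is hypothetical, and beyond the two proposed markers it also honours OpenAPI's standard `security: []` operation-level opt-out and reports paths where only some methods are public, since a path-level skip would hide the authenticated methods from the fuzzer.

```python
import json

# Constructed sample spec, trimmed to the fields the script inspects.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/.well-known/openid-configuration": {"get": {"x-public-endpoint": true}},
    "/health": {"x-authentication-required": false, "get": {}},
    "/login": {"post": {"security": []}},
    "/users/{id}": {"get": {"x-public-endpoint": true}, "delete": {}}
  }
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def is_public(path_item, operation):
    """Hypothetical rule: an operation is public if the path item or the operation
    carries x-public-endpoint: true or x-authentication-required: false (the
    markers proposed in the issue), or if the operation opts out of the global
    security requirements with the standard OpenAPI 'security: []'."""
    for obj in (path_item, operation):
        if obj.get("x-public-endpoint") is True:
            return True
        if obj.get("x-authentication-required") is False:
            return True
    return operation.get("security") == []

def public_paths(spec):
    """Return (fully_public, mixed). Only paths whose operations are all public
    belong in a path-level skip list; mixed paths are reported separately so a
    public GET does not hide an authenticated DELETE on the same path."""
    fully_public, mixed = [], []
    for path, item in spec.get("paths", {}).items():
        ops = [item[m] for m in item if m in HTTP_METHODS]
        flags = [is_public(item, op) for op in ops]
        if ops and all(flags):
            fully_public.append(path)
        elif any(flags):
            mixed.append(path)
    return sorted(fully_public), sorted(mixed)

def skip_paths_argument(spec):
    """Comma-separated value for a path-skip command line option."""
    return ",".join(public_paths(spec)[0])

if __name__ == "__main__":
    print("skip:", skip_paths_argument(SAMPLE_SPEC))
    print("mixed auth on one path, review by hand:", public_paths(SAMPLE_SPEC)[1])
```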