Guidelines and linting rules for OWASP API Security Top 10#582
Merged: rartych merged 5 commits into camaraproject:main on Feb 6, 2026
Conversation
Updated the API linting implementation guideline to indicate that the document is deprecated and to refer to the new Reusable Workflows Implementation Guide.
…tricted Resource Consumption OWASP API4
Kevsy reviewed (Feb 3, 2026)
Kevsy previously approved these changes (Feb 3, 2026)
Kevsy (Collaborator) left a comment:
Tiny typo (see above) otherwise LGTM
Co-authored-by: Kevin Smith <Kevsy@users.noreply.github.com>
What type of PR is this?
What this PR does / why we need it:
Spectral ruleset rules from the Stoplight API Stylebook implement checks for the OWASP API Security Top 10 2023.
This PR adds selected rules relevant to CAMARA APIs to CAMARA API Linting Rules Documentation in chapter 5.
It proposes modification of severity for specific rules.
For the rules:

- owasp:api4:2023-array-limit - Schema of type array must specify maxItems.
- owasp:api4:2023-integer-limit-legacy - Schema of type integer must specify minimum and maximum.
- owasp:api4:2023-integer-format - Schema of type integer must specify format (int32 or int64).
- owasp:api4:2023-string-limit - Schema of type string must specify maxLength or enum.

it is proposed to temporarily set the severity to warning, with the target value error (in a future CAMARA meta-release after 2026).
The clarifications related to prevention of unrestricted resource consumption in property definitions (which are checked by the 4 rules above) are added to the CAMARA API Design Guide. Up to now, the unclear requirements related only to object definitions and were not validated in CAMARA API specifications.
Therefore it is proposed to validate these requirements in a future CAMARA meta-release (not 2026), but to make API teams aware of them now through warning-severity linting.
CAMARA OpenAPI Linting Rules Implementation Guideline document is deprecated since centralized linting workflows are already implemented.
Which issue(s) this PR fixes:
Fixes #539
Does this PR introduce a breaking change?
Special notes for reviewers:
Feedback from teams working on (especially) stable APIs is expected.
Changelog input
Additional documentation
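As an added illustration, not part of this PR, the Stoplight ruleset or any CAMARA code, the following Python re-implements what the four API4:2023 checks listed in the description look for and runs them over a constructed OpenAPI fragment in an unbounded and a bounded form. The rule ids and messages are the ones quoted in the PR; the `SEVERITY` value, the schema-walking logic and the `DeviceList` sample schemas are assumptions made for this example and do not reproduce how Spectral itself evaluates the rules.

```python
"""Added example: minimal re-implementation of the four OWASP API4:2023
schema checks named in the PR, run over constructed OpenAPI fragments.
Not CAMARA's or Stoplight's code; it mirrors what the rules check."""
from typing import Any, Iterator

# Severity proposed in the PR for the 2026 meta-release (target value: "error").
SEVERITY = "warning"


def _walk_schemas(node: Any, path: str) -> Iterator[tuple[str, dict]]:
    """Yield every (json_path, schema) pair under `node`, descending into
    properties, items, allOf/oneOf/anyOf and additionalProperties."""
    if not isinstance(node, dict):
        return
    if "type" in node:
        yield path, node
    for key in ("properties", "patternProperties"):
        for name, sub in (node.get(key) or {}).items():
            yield from _walk_schemas(sub, f"{path}.{key}.{name}")
    if isinstance(node.get("items"), dict):
        yield from _walk_schemas(node["items"], f"{path}.items")
    for combo in ("allOf", "oneOf", "anyOf"):
        for i, sub in enumerate(node.get(combo) or []):
            yield from _walk_schemas(sub, f"{path}.{combo}[{i}]")
    if isinstance(node.get("additionalProperties"), dict):
        yield from _walk_schemas(node["additionalProperties"], f"{path}.additionalProperties")


def check_schema(path: str, schema: dict) -> list[dict]:
    """Apply the four API4 rules (as worded in the PR) to one schema object."""
    findings: list[dict] = []

    def add(rule: str, message: str) -> None:
        findings.append({"rule": rule, "severity": SEVERITY, "path": path, "message": message})

    t = schema.get("type")
    if t == "array" and "maxItems" not in schema:
        add("owasp:api4:2023-array-limit", "Schema of type array must specify maxItems.")
    if t == "integer":
        if "minimum" not in schema or "maximum" not in schema:
            add("owasp:api4:2023-integer-limit-legacy",
                "Schema of type integer must specify minimum and maximum.")
        if schema.get("format") not in ("int32", "int64"):
            add("owasp:api4:2023-integer-format",
                "Schema of type integer must specify format (int32 or int64).")
    if t == "string" and "maxLength" not in schema and "enum" not in schema:
        add("owasp:api4:2023-string-limit", "Schema of type string must specify maxLength or enum.")
    return findings


def lint_components(spec: dict) -> list[dict]:
    """Run the checks over every schema reachable from components.schemas."""
    findings: list[dict] = []
    for name, schema in spec.get("components", {}).get("schemas", {}).items():
        for path, node in _walk_schemas(schema, f"#/components/schemas/{name}"):
            findings.extend(check_schema(path, node))
    return findings


# Constructed sample (assumption): a property set without resource limits ...
UNBOUNDED_SPEC = {
    "openapi": "3.0.3",
    "components": {"schemas": {"DeviceList": {
        "type": "object",
        "properties": {
            "devices": {"type": "array", "items": {"type": "string"}},
            "pageSize": {"type": "integer"},
            "status": {"type": "string", "enum": ["ACTIVE", "INACTIVE"]},
        },
    }}},
}

# ... and the same schema with the limits the four rules ask for.
BOUNDED_SPEC = {
    "openapi": "3.0.3",
    "components": {"schemas": {"DeviceList": {
        "type": "object",
        "properties": {
            "devices": {"type": "array", "maxItems": 100,
                        "items": {"type": "string", "maxLength": 64}},
            "pageSize": {"type": "integer", "format": "int32", "minimum": 1, "maximum": 100},
            "status": {"type": "string", "enum": ["ACTIVE", "INACTIVE"]},
        },
    }}},
}


if __name__ == "__main__":
    for f in lint_components(UNBOUNDED_SPEC):
        print(f"{f['severity']:8} {f['rule']:42} {f['path']}: {f['message']}")
    print("bounded spec findings:", lint_components(BOUNDED_SPEC))
```

The unbounded fragment produces four warnings (the array, its string items, and two for the integer); the `status` property passes because an `enum` bounds the string. Because the PR proposes `warning` rather than `error`, the same run in a CI gate would report but not fail, which is what gives stable-API teams time to add limits before the target severity is raised.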