SPIFFE · API Governance Rules

SPIFFE API Rules

Spectral linting rules defining API design standards and conventions for SPIFFE.

7 rules: 4 error, 3 warn

Rule Categories

spiffe

Rules

warn
spiffe-operation-summary-title-case
All operation summaries must use Title Case
$.paths[*][*].summary
warn
spiffe-tags-title-case
All tags must use Title Case
$.tags[*].name
error
spiffe-operation-id
All operations must have an operationId
$.paths[*][get,post,put,patch,delete]
error
spiffe-spiffe-path-versioned
SPIFFE endpoints must use the /spiffe/v1/ prefix
$.paths[*]~
error
spiffe-response-content-type
SPIFFE endpoints must return application/json
$.paths[*].get.responses.200.content
error
spiffe-trust-bundle-schema
Trust bundle response must include required SPIFFE fields
$.components.schemas.TrustBundle.required
warn
spiffe-no-auth-on-bundle-endpoint
SPIFFE bundle endpoint must be publicly accessible (no auth)
$.paths./spiffe/v1/bundle.get

Spectral Ruleset

# Spectral ruleset for SPIFFE API descriptions. It builds on Spectral's
# built-in OpenAPI ruleset and adds the SPIFFE-specific rules listed under
# `rules`.
extends: 'spectral:oas'
rules:
  # Title Case check for operation summaries.
  # The pattern accepts only space-separated words made of ASCII letters and
  # digits, each starting with an uppercase letter. A summary that contains
  # punctuation (for example "Get X.509 Bundle") is therefore reported too.
  spiffe-operation-summary-title-case:
    severity: warn
    given: '$.paths[*][*].summary'
    description: 'All operation summaries must use Title Case'
    message: 'Operation summary "{{value}}" should be in Title Case'
    then:
      function: pattern
      functionOptions:
        match: '^[A-Z][a-zA-Z0-9]*([ ][A-Z][a-zA-Z0-9]*)*$'

  # Title Case check for the names in the document-level `tags` list.
  # Uses the same pattern as the operation-summary rule: words of ASCII
  # letters and digits, each capitalised, separated by exactly one space.
  spiffe-tags-title-case:
    severity: warn
    given: '$.tags[*].name'
    description: 'All tags must use Title Case'
    message: 'Tag "{{value}}" should be in Title Case'
    then:
      function: pattern
      functionOptions:
        match: '^[A-Z][a-zA-Z0-9]*([ ][A-Z][a-zA-Z0-9]*)*$'

  # Requires a non-empty operationId on each selected operation object.
  # The selector covers get, post, put, patch and delete; operations declared
  # under head, options or trace are not visited by this rule.
  spiffe-operation-id:
    severity: error
    given: '$.paths[*][get,post,put,patch,delete]'
    description: 'All operations must have an operationId'
    message: 'Operation must have an operationId'
    then:
      function: truthy
      field: operationId

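  # Checks every path key in the document (`~` selects the key, not the value)
  # against the versioned SPIFFE prefix.
  # The trailing slash in the pattern makes the version a complete path
  # segment, so a look-alike such as /spiffe/v1evil/bundle is rejected.
  # Any numeric version is accepted, not only v1.
  # Because the selector matches all paths, any non-SPIFFE path in the same
  # document is reported as an error too.
  # NOTE(review): the message cites "the specification" for this prefix;
  # confirm which section it refers to.
  spiffe-spiffe-path-versioned:
    description: SPIFFE endpoints must use the /spiffe/v1/ prefix
    message: SPIFFE bundle endpoint paths should use /spiffe/v1/ prefix per the specification
    severity: error
    given: "$.paths[*]~"
    then:
      function: pattern
      functionOptions:
        match: "^/spiffe/v[0-9]+/"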

  # Requires an application/json entry in the `content` map of every GET
  # operation's 200 response.
  # A 200 response with no `content` map is not selected by `given`, so it is
  # not checked by this rule.
  spiffe-response-content-type:
    severity: error
    given: '$.paths[*].get.responses.200.content'
    description: 'SPIFFE endpoints must return application/json'
    message: 'SPIFFE bundle endpoint must return application/json content type'
    then:
      function: truthy
      field: 'application/json'

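  # Validates the `required` list of the TrustBundle schema.
  # Each field name gets its own `contains` clause: a single `contains` with an
  # enum of the three names is satisfied by any one of them, which would let a
  # schema that requires only `keys` pass despite the message below.
  # If TrustBundle has no `required` list, `given` selects nothing and the rule
  # reports nothing, so a missing list is not caught here.
  # NOTE(review): confirm against the SPIFFE bundle format whether the two
  # spiffe_* parameters are mandatory or only recommended; this rule treats all
  # three names as mandatory, as its message states.
  spiffe-trust-bundle-schema:
    description: Trust bundle response must include required SPIFFE fields
    message: Trust bundle response must include keys, spiffe_refresh_hint, and spiffe_sequence
    severity: error
    given: "$.components.schemas.TrustBundle.required"
    then:
      function: schema
      functionOptions:
        schema:
          type: array
          allOf:
            - contains:
                const: keys
            - contains:
                const: spiffe_refresh_hint
            - contains:
                const: spiffe_sequence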

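  # Checks that the bundle GET operation declares no security requirement.
  # The operation passes when `security` is absent or is an empty list.
  # `security: []` is how OpenAPI switches off a document-level `security`
  # block for one operation, so it must pass. The `falsy` function would
  # report it, because an empty array is truthy in JavaScript.
  # An absent `security` key still inherits any document-level requirement.
  # This rule cannot see that, so review the top-level `security` block
  # separately.
  # "No auth" concerns client authentication only. The bundle is trust-anchor
  # material, so consumers still need to authenticate the server that serves
  # it (SPIFFE Federation describes the https_web and https_spiffe endpoint
  # profiles for this).
  # NOTE(review): the path key in `given` contains slashes; confirm the dotted
  # selector resolves in your Spectral version. The bracket form
  # $.paths['/spiffe/v1/bundle'].get is unambiguous.
  spiffe-no-auth-on-bundle-endpoint:
    description: SPIFFE bundle endpoint must be publicly accessible (no auth)
    message: The SPIFFE trust bundle endpoint should not require authentication per the specification
    severity: warn
    given: "$.paths./spiffe/v1/bundle.get"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          properties:
            security:
              type: array
              maxItems: 0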