Ensure that securityDefinitions is defined and not empty

Error: OpenAPI securityDefinitions is not defined or is empty
Bridgecrew Policy ID: BC_OPENAPI_1
Checkov Check ID: CKV_OPENAPI_1
Severity: HIGH

Suggest Edits

OpenAPI securityDefinitions is not defined or is empty

Description

securityDefinitions in OpenAPI/Swagger 2.0 files allow you to define the authentication types that your API supports. Having no authentication exposes your APIs to attacks and having no documented authentication type makes it more difficult to understand accessing your API.

Fix - Buildtime

OpenAPI

Ensure that your OpenAPI 2.0 spec includes a securityDefinitions section. For example:

securityDefinitions:
  BasicAuth:
    type: basic
  ApiKeyAuth:
    type: apiKey
    in: header
    name: apiKey
  OAuth2:
    type: oauth2
    flow: implicit
    authorizationUrl: https://swagger.io/api/oauth/dialog
    tokenUrl: https://swagger.io/api/oauth/token
    scopes:
      read: read
      write: write

Updated 5 months ago