
feat(core): add asyncapi security-defined lint rule #2759

Open
harshit078 wants to merge 91 commits into Redocly:main from harshit078:add-asyncapi-rule

Conversation

@harshit078

@harshit078 harshit078 commented Apr 21, 2026

Contributor

What/Why/How?

  • Added asyncapi-operation-security-defined rule for AsyncAPI 2.x which reports when a security scheme referenced from an operation or server security array is not defined in `components.securitySchemes`.

Reference

#2667

Testing

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

Medium Risk
New error-level rule in recommended rulesets can break existing AsyncAPI CI; logic touches security semantics and server/channel applicability.

Overview
Adds a security-defined built-in rule for AsyncAPI 2.x and 3.x, aligned with the existing OpenAPI rule: it validates security scheme references and whether operations are covered by security.

For 2.x, operation/server security entries must name schemes under components.securitySchemes. Operations without their own security must be satisfied by all applicable servers (channel server bindings, traits included via new isAsyncOperationSecured).

For 3.x, security $refs must target #/components/securitySchemes/{name} and resolve; root operations get the same “operation or applicable servers” checks.

The rule is registered in minimal (warn), recommended / recommended-strict / all (error), with docs, sidebar, and a minor changeset noting that recommended AsyncAPI lint may newly fail. Typings and AsyncAPI visitors are extended to support the rule; AsyncAPI split CLI code gets a small AnyAsyncApiComponents typing tweak.

Reviewed by Cursor Bugbot for commit fb2fcb2.
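The AsyncAPI 2.x checks summarized in the overview above (scheme references must exist under components.securitySchemes; an operation without its own security must be covered by all of its applicable servers), written out as a stand-alone added example. This is not Redocly's code: the type names, the `securityDefined` function, the `isAsyncOperationSecured` helper as written here and the sample document are all assumptions.

```typescript
// Added example, not Redocly's code: a stand-alone sketch of the AsyncAPI 2.x
// "security-defined" checks from the PR overview. All names are assumptions.
type SecurityReq = Record<string, string[]>;
interface Server { security?: SecurityReq[] }
interface Operation { security?: SecurityReq[]; traits?: { security?: SecurityReq[] }[] }
interface Channel { servers?: string[]; publish?: Operation; subscribe?: Operation }
interface Async2Doc { servers?: Record<string, Server>; channels: Record<string, Channel>; components?: { securitySchemes?: Record<string, unknown> } }
export interface Problem { location: string; message: string }

// Secured if the operation or one of its traits lists a non-empty security
// requirement, or if every server the operation is reachable through does.
export function isAsyncOperationSecured(op: Operation, applicableServers: Server[]): boolean {
  const own = [op.security, ...(op.traits ?? []).map((t) => t.security)];
  if (own.some((s) => (s?.length ?? 0) > 0)) return true;
  return applicableServers.length > 0 && applicableServers.every((s) => (s.security?.length ?? 0) > 0);
}

export function securityDefined(doc: Async2Doc): Problem[] {
  const problems: Problem[] = [];
  const defined = new Set(Object.keys(doc.components?.securitySchemes ?? {}));
  const servers: Record<string, Server> = doc.servers ?? {};
  // Every scheme named in a security requirement must exist in components.securitySchemes.
  const checkRefs = (reqs: SecurityReq[] | undefined, where: string): void =>
    (reqs ?? []).forEach((req, i) => Object.keys(req).forEach((name) => {
      if (!defined.has(name)) problems.push({ location: `${where}/security/${i}/${name}`, message: `Security scheme "${name}" is not defined in components.securitySchemes.` });
    }));
  for (const [name, server] of Object.entries(servers)) checkRefs(server.security, `#/servers/${name}`);
  for (const [name, channel] of Object.entries(doc.channels)) {
    // A channel's servers list narrows the applicable servers; absent means all servers.
    const applicable = (channel.servers ?? Object.keys(servers)).map((s) => servers[s]).filter((s): s is Server => s !== undefined);
    for (const kind of ['publish', 'subscribe'] as const) {
      const op = channel[kind];
      if (!op) continue;
      const where = `#/channels/${name}/${kind}`;
      checkRefs(op.security, where);
      (op.traits ?? []).forEach((t, i) => checkRefs(t.security, `${where}/traits/${i}`));
      if (!isAsyncOperationSecured(op, applicable)) problems.push({ location: where, message: 'Operation is not secured by itself or by all of its applicable servers.' });
    }
  }
  return problems;
}

// Constructed sample: one undefined scheme reference and one unsecured operation.
export const sampleDoc: Async2Doc = {
  servers: { prod: { security: [{ apiKey: [] }] }, dev: {} },
  channels: { 'user/signedup': { servers: ['prod'], publish: { security: [{ ghost: [] }] } }, 'user/deleted': { subscribe: {} } },
  components: { securitySchemes: { apiKey: { type: 'httpApiKey' } } },
};
```

Running `securityDefined(sampleDoc)` reports the undefined `ghost` scheme on the publish operation and flags the subscribe operation, which falls back to all servers and is left uncovered by the unsecured `dev` server.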

@changeset-bot

changeset-bot Bot commented Apr 21, 2026


🦋 Changeset detected

Latest commit: fb2fcb2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages:

Name                      Type
@redocly/openapi-core     Minor
@redocly/cli              Minor
@redocly/respect-core     Minor


@harshit078 harshit078 changed the title feat: Add asyncapi-operation-security-defined lint rule feat(core): Add asyncapi-operation-security-defined lint rule Apr 24, 2026
@harshit078 harshit078 marked this pull request as ready for review April 24, 2026 07:51
@harshit078 harshit078 requested review from a team as code owners April 24, 2026 07:51
@harshit078 harshit078 changed the title feat(core): Add asyncapi-operation-security-defined lint rule feat(core): add asyncapi-operation-security-defined lint rule Apr 24, 2026

@vadyvas vadyvas left a comment

Contributor


I would suggest a slightly different approach:

  1. keep the AsyncAPI logic separate and do not reuse shared logic from the OAS rule
  2. use the same rule name, security-defined, for AsyncAPI as well, and register the AsyncAPI implementation in the AsyncAPI ruleset
  3. do not update the v1 docs in this PR

I think this would make the change smaller, clearer, and safer.

Thank you for the contribution; overall the PR looks good.

Comment thread packages/core/src/rules/async2/asyncapi-operation-security-defined.ts Outdated
Comment thread packages/core/src/rules/common/security-scheme-references.ts Outdated
Comment thread packages/core/src/rules/async2/index.ts Outdated
Comment thread docs/@v1/guides/lint-asyncapi.md Outdated
Comment thread packages/core/src/config/__tests__/__snapshots__/config-resolvers.test.ts.snap Outdated
@harshit078 harshit078 requested a review from vadyvas April 30, 2026 12:45

@vadyvas vadyvas left a comment

Contributor


Left a few comments, could you take a look?

'info-contact': InfoContact as Async2Rule,
'info-license-strict': InfoLicenseStrict as Async2Rule,
'operation-operationId': OperationOperationId as Async2Rule,
'security-defined': SecurityDefined,

Contributor


Please add support for AsyncAPI 3 as well. Right now the rule only applies to AsyncAPI 2.

Contributor Author


Okay, sure!

Contributor


The code uses the rule name security-defined, but the docs still say asyncapi-operation-security-defined.
Can you update the related changes?

@@ -0,0 +1,83 @@
# asyncapi-operation-security-defined
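Review bot: the heading `# asyncapi-operation-security-defined` documents the rule under a name the ruleset does not register; the AsyncAPI index registers it as `'security-defined': SecurityDefined`, so a user following this page would enable a rule id that does not exist. Rename the heading (and any rule id quoted in the body of this new file) to `security-defined`, or the docs and the implementation will disagree on the only identifier users type into their config.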

Contributor


Please don't add this rule to the v1 docs.

Comment thread docs/@v1/v1.sidebars.yaml Outdated
Comment thread packages/core/src/rules/async2/index.ts
@tatomyr tatomyr changed the title feat(core): add asyncapi-operation-security-defined lint rule feat(core): add asyncapi security-defined lint rule Jun 12, 2026
Comment thread packages/core/src/typings/asyncapi3.ts Outdated
Comment thread packages/core/src/typings/asyncapi3.ts Outdated
Comment thread packages/core/src/typings/asyncapi3.ts Outdated
@harshit078 harshit078 requested a review from DmitryAnansky June 15, 2026 08:49
@github-actions

github-actions Bot commented Jun 22, 2026

Contributor

Performance Benchmark (Lower is Faster)

CLI Version   Bundle            Lint              Check Config
cli-latest    1.00x (Fastest)   1.00x (Fastest)   1.00x ± 0.01
cli-next      1.00x ± 0.01      1.01x ± 0.01      1.00x (Fastest)

Comment thread packages/core/src/rules/async2/security-defined.ts Outdated
@harshit078

Contributor Author

Hey @DmitryAnansky, I have fixed all comments and failing e2e tests, and the PR is good to review again. Thanks!

);
});

it('should call createTestContext for arazzo type using the spec form without `workflows` segment', async () => {

Contributor


Why do we need those changes?

Contributor Author


I missed the existing check, which was already present; hence I agree with you and I should remove this.

Comment thread packages/core/src/rules/async2/security-defined.ts
Comment thread packages/core/src/rules/async2/security-defined.ts
type SecuredOperation = Async2Operation | Async3Operation;
type SecuredTrait = Async2OperationTrait | Async3OperationTrait;

export function isOperationSecured(

Contributor


Could you move this function under the file packages/core/src/rules/utils.ts? Also, please take a look at @DmitryAnansky's comment regarding the name of the function.

@cursor cursor Bot left a comment



Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 99f2ba7.

Comment thread packages/core/src/rules/async3/security-defined.ts
@harshit078

Contributor Author

Hey @Daryna-del, I have addressed all the comments left by you and Cursor and also resolved the failing e2e tests. Can you review the recent changes again? Thanks!

@harshit078 harshit078 requested a review from Daryna-del July 3, 2026 12:30