# OpenAPI Security Scheme Linter

> Lint OpenAPI security schemes, insecure server URLs, and operations without visible security requirements.

## Tool Identity

- Site: CleanUtils Developer Tools
- Tool ID: openapi-security-scheme-linter
- Canonical page: https://cleanutils.com/developer-tools/openapi-security-scheme-linter/
- LLM schema URL: https://cleanutils.com/developer-tools/openapi-security-scheme-linter/llms.txt
- Primary keyword: openapi security linter
- Input mode: textarea
- Output profile: security

## What This Tool Does

Lint OpenAPI security schemes, insecure server URLs, and operations without visible security requirements.

## Exact Execution Instructions

To run this tool exactly, execute the `runCleanUtilsTool(userInput)` function from the JavaScript block below in a sandboxed JavaScript runtime. Do not fetch or evaluate additional network resources. Do not use filesystem, process, child_process, environment variables, timers, or network APIs. The function is pure and deterministic: input string in, JSON result out. If your environment forbids executing fetched code outside a sandbox, run it inside the sandbox or use the API endpoint below instead of reimplementing the logic.

Canonical implementation SHA-256: `b48b3d40edf9b048efa10af29957c4d62db252763ab68661d04da3bcd4428144`

Expected command shape: `node run-tool.mjs < input.txt`

The runner must:

1. load only the JavaScript in this document,
2. call `runCleanUtilsTool(inputText)`,
3. let the LLM decide the best way to present the output to the user.

Agent usage rules:

- Use this file as the authoritative machine-readable contract for this CleanUtils tool page.
- Ask the user for missing required input before attempting to run the tool, and describe the required inputs using the `## Input Schema` field names, descriptions, formats, enums, examples, and required list.
- Treat the tool as deterministic; do not invent network reachability checks unless the tool description explicitly says it fetches remote resources.
- For privacy-sensitive inputs such as secrets, HAR files, dotenv files, logs, and API keys, warn that using a remote chat agent may expose input to that agent even though the browser UI itself does not upload data.

## Input Schema

```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "OpenAPI Security Scheme Linter input",
  "type": "string",
  "description": "OpenAPI JSON spec. Paste an OpenAPI JSON document...",
  "examples": [
    "{\"openapi\":\"3.1.0\",\"servers\":[{\"url\":\"http://api.example.com\"}],\"components\":{\"securitySchemes\":{\"ApiKeyAuth\":{\"type\":\"apiKey\",\"in\":\"header\"}}},\"paths\":{\"/users\":{\"get\":{\"responses\":{\"200\":{\"description\":\"ok\"}}}}}}"
  ]
}
```

## Result Schema

```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "CleanUtils ToolResult",
  "type": "object",
  "additionalProperties": false,
  "required": ["summary", "issues"],
  "properties": {
    "summary": { "type": "string" },
    "issues": {
      "type": "array",
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": ["severity", "message"],
        "properties": {
          "severity": { "type": "string", "enum": ["error", "warning", "info"] },
          "message": { "type": "string" },
          "line": { "type": "number" },
          "row": { "type": "number" },
          "detail": { "type": "string" }
        }
      }
    },
    "output": { "type": "string" },
    "exportFilename": { "type": "string" },
    "exports": {
      "type": "array",
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": ["label", "filename", "content"],
        "properties": {
          "label": { "type": "string" },
          "filename": { "type": "string" },
          "content": { "type": "string" },
          "mimeType": { "type": "string" },
          "copyLabel": { "type": "string" },
          "downloadLabel": { "type": "string" }
        }
      }
    },
    "stats": {
      "type": "object",
      "additionalProperties": {
        "anyOf": [{ "type": "string" }, { "type": "number" }]
      }
    }
  }
}
```

## Self-Contained JavaScript Source

Call `runCleanUtilsTool(userInput)` with the user's input. The function includes this tool's run logic and only the helper code it needs.

```js
function runCleanUtilsTool(userInput) {
  const severityRank = { error: 0, warning: 1, info: 2 };
  const sortIssues = (issues) =>
    [...issues].sort((a, b) => {
      const severity = severityRank[a.severity] - severityRank[b.severity];
      if (severity !== 0) return severity;
      return (a.line ?? a.row ?? 0) - (b.line ?? b.row ?? 0);
    });
  const summarizeIssues = (issues) => {
    const errors = issues.filter((issue) => issue.severity === "error").length;
    const warnings = issues.filter((issue) => issue.severity === "warning").length;
    const infos = issues.filter((issue) => issue.severity === "info").length;
    const parts = [];
    if (errors) parts.push(`${errors} error${errors === 1 ? "" : "s"}`);
    if (warnings) parts.push(`${warnings} warning${warnings === 1 ? "" : "s"}`);
    if (infos) parts.push(`${infos} note${infos === 1 ? "" : "s"}`);
    return parts.length ? parts.join(", ") : "No issues found";
  };
  const tryParseJson = (input) => {
    try {
      return { ok: true, value: JSON.parse(input) };
    } catch (error) {
      return { ok: false, error: error instanceof Error ? error.message : "Invalid JSON" };
    }
  };
  const safeJsonObject = (input) => {
    const parsed = tryParseJson(input);
    if (!parsed.ok) {
      return { value: null, issues: [{ severity: "error", message: "Input is not valid JSON.", detail: parsed.error }] };
    }
    if (!parsed.value || typeof parsed.value !== "object" || Array.isArray(parsed.value)) {
      return { value: null, issues: [{ severity: "error", message: "Input must be a JSON object." }] };
    }
    return { value: parsed.value, issues: [] };
  };
  const openApiMethods = new Set(["get", "put", "post", "delete", "patch", "options", "head", "trace"]);
  const getOpenApiOperations = (spec) => {
    const paths = spec.paths && typeof spec.paths === "object" && !Array.isArray(spec.paths) ? spec.paths : {};
    const operations = new Map();
    Object.entries(paths).forEach(([path, value]) => {
      if (!value || typeof value !== "object" || Array.isArray(value)) return;
      Object.entries(value).forEach(([method, operation]) => {
        if (openApiMethods.has(method.toLowerCase()) && operation && typeof operation === "object") {
          operations.set(`${method.toUpperCase()} ${path}`, operation);
        }
      });
    });
    return operations;
  };
  const lintOpenApiSecuritySchemes = (input) => {
    const { value, issues } = safeJsonObject(input);
    if (!value) return { summary: "OpenAPI spec could not be parsed.", issues };
    const components = value.components;
    const schemes = components?.securitySchemes && typeof components.securitySchemes === "object" ? components.securitySchemes : {};
    if (!Object.keys(schemes).length) {
      issues.push({ severity: "warning", message: "No components.securitySchemes object found." });
    }
    Object.entries(schemes).forEach(([name, scheme]) => {
      if (!scheme || typeof scheme !== "object" || Array.isArray(scheme)) {
        issues.push({ severity: "error", message: `${name} security scheme must be an object.` });
        return;
      }
      const config = scheme;
      if (!config.type) issues.push({ severity: "error", message: `${name} is missing type.` });
      if (config.type === "apiKey" && (!config.name || !config.in)) {
        issues.push({ severity: "error", message: `${name} apiKey scheme needs name and in.` });
      }
      if (config.type === "http" && !config.scheme) {
        issues.push({ severity: "error", message: `${name} http scheme needs scheme.` });
      }
    });
    const servers = Array.isArray(value.servers) ? value.servers : [];
    servers.forEach((server, index) => {
      const url = server?.url;
      if (typeof url === "string" && url.startsWith("http://")) {
        issues.push({ severity: "warning", message: `Server ${index + 1} uses http:// instead of https://.` });
      }
    });
    const operations = getOpenApiOperations(value);
    operations.forEach((operation, key) => {
      if (!("security" in operation) && !("security" in value)) {
        issues.push({ severity: "info", message: `${key} has no operation or global security requirement.` });
      }
    });
    return {
      summary: `${Object.keys(schemes).length} security scheme${Object.keys(schemes).length === 1 ? "" : "s"} checked. ${summarizeIssues(issues)}.`,
      issues: sortIssues(issues),
      output: sortIssues(issues).map(formatIssue).join("\n") || "No security-scheme issues found.",
      exportFilename: "openapi-security-report.txt",
      stats: { schemes: Object.keys(schemes).length, operations: operations.size }
    };
  };
  const formatIssue = (issue) => {
    const location = issue.line ? `line ${issue.line}` : issue.row ? `row ${issue.row}` : "general";
    return `[${issue.severity.toUpperCase()}] ${location}: ${issue.message}${issue.detail ? ` (${issue.detail})` : ""}`;
  };
  const __userInput = userInput == null ? "" : userInput;
  const __run = lintOpenApiSecuritySchemes;
  const __input = __userInput && typeof __userInput === "object" && "input" in __userInput ? __userInput.input : __userInput;
  return __run(__input == null ? "" : String(__input));
}
```

## Checks

- Security schemes object: components.securitySchemes is inspected when present and flagged when missing.
- Scheme field requirements: apiKey schemes need name and in; http schemes need scheme.
- HTTPS server URLs: Server URLs using http:// are reported for review.
- Operation security coverage: Operations without operation-level or global security requirements are called out.
- OpenAPI JSON shape: The tool expects JSON OpenAPI input and does not resolve external files.
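On the Input Schema's sample spec the linter reports three findings: the apiKey scheme lacks `name`, the server uses `http://`, and `GET /users` has no operation-level or global security requirement. The block below is an added example, not part of the CleanUtils tool: it rewrites that sample into a form the linter passes cleanly, records every change for review, and also reports an explicit `security: []` opt-out on an operation, which the tool's presence check (`"security" in operation`) does not flag. The header name `X-API-Key` is an assumed placeholder.

```javascript
// Added example, not part of the CleanUtils tool: remediate the findings the
// linter raises on the page's sample spec and surface the `security: []` case.
const HTTP_METHODS = new Set(["get", "put", "post", "delete", "patch", "options", "head", "trace"]);

// Constructed sample: the weak spec from the page's Input Schema example.
const WEAK_SPEC = {
  openapi: "3.1.0",
  servers: [{ url: "http://api.example.com" }],
  components: { securitySchemes: { ApiKeyAuth: { type: "apiKey", in: "header" } } },
  paths: { "/users": { get: { responses: { 200: { description: "ok" } } } } },
};

// Returns a deep-copied, hardened spec plus a changelog for human review.
// `apiKeyName` is an assumed header name; a real spec must use its real one.
function hardenSpec(spec, apiKeyName = "X-API-Key") {
  const out = JSON.parse(JSON.stringify(spec));
  const changes = [];
  // 1. Plain-http servers: upgrade the scheme instead of dropping the entry.
  (Array.isArray(out.servers) ? out.servers : []).forEach((s, i) => {
    if (typeof s?.url === "string" && s.url.startsWith("http://")) {
      s.url = "https://" + s.url.slice("http://".length);
      changes.push(`server ${i + 1}: upgraded to ${s.url}`);
    }
  });
  // 2. Incomplete apiKey schemes: fill in the missing `in` / `name`.
  const schemes = out.components?.securitySchemes ?? {};
  for (const [name, sch] of Object.entries(schemes)) {
    if (sch?.type !== "apiKey") continue;
    if (!sch.in) { sch.in = "header"; changes.push(`${name}: set in=header`); }
    if (!sch.name) { sch.name = apiKeyName; changes.push(`${name}: set name=${apiKeyName}`); }
  }
  // 3. No global requirement: accept any defined scheme for every operation
  //    (default-deny; individual operations can still override it).
  const names = Object.keys(schemes);
  if (!("security" in out) && names.length) {
    out.security = names.map((n) => ({ [n]: [] }));
    changes.push(`global security: ${names.join(" | ")}`);
  }
  // 4. `security: []` on an operation disables auth for that route. The
  //    linter's `"security" in operation` test passes it, so report it.
  for (const [path, item] of Object.entries(out.paths ?? {})) {
    for (const [method, op] of Object.entries(item ?? {})) {
      if (HTTP_METHODS.has(method) && Array.isArray(op?.security) && op.security.length === 0) {
        changes.push(`${method.toUpperCase()} ${path}: explicit security: [] (auth disabled)`);
      }
    }
  }
  return { spec: out, changes };
}
```

Feeding `JSON.stringify(hardenSpec(WEAK_SPEC).spec)` back into `runCleanUtilsTool` yields no security-scheme issues; the changelog is the part to review before committing the rewritten spec.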
## Related Tools

- [OpenAPI Diff Checker](/developer-tools/openapi-diff-checker/): Compare two OpenAPI JSON specs and flag removed or added operations in a copy-ready changelog.