
Security scopes of operations are not defined in securityDefinition

Description

This policy inspects the `securityDefinitions` block of OpenAPI 2.0 files to ensure that every security scope an operation requires is declared there. If the scopes are not properly defined, the affected API endpoints are insecure, potentially leaving the application open to unauthorized access or breaches. This could result in unauthorized data access, data manipulation, or even system takeover, so it is crucial that each operation is mapped to a correctly defined security scope.

Code Example

```yaml
securityDefinitions:
  my_oauth:
    type: oauth2
    scopes:
      'read:stuff': Read access to the stuff
      'write:stuff': Write access to the stuff
    flow: implicit
    authorizationUrl: https://oauth.example.com/authorize
```

Remediation

OpenAPI

To fix this issue in your OpenAPI (Swagger) file, define security scopes that let you set the level of access for each API operation. Specifically, declare every scope that an operation's `security` requirement references under the matching scheme in the `securityDefinitions` block.
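The check this policy performs, as an added example that is not Checkov's own implementation: the script walks every operation's `security` requirements in a constructed OpenAPI 2.0 document (embedded inline as JSON, which is equivalent to the YAML form) and reports each scope that is missing from `securityDefinitions`.

```python
"""Added example, not Checkov's own code: list every security scope an
operation requires that securityDefinitions does not declare (OpenAPI 2.0)."""
import json

# Constructed OpenAPI 2.0 document: GET /stuff is compliant, POST /stuff asks
# for 'admin:stuff', which my_oauth never declares.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {
    "my_oauth": {
      "type": "oauth2", "flow": "implicit",
      "authorizationUrl": "https://oauth.example.com/authorize",
      "scopes": {"read:stuff": "Read access to the stuff",
                 "write:stuff": "Write access to the stuff"}
    }
  },
  "paths": {
    "/stuff": {
      "get":  {"security": [{"my_oauth": ["read:stuff"]}]},
      "post": {"security": [{"my_oauth": ["write:stuff", "admin:stuff"]}]}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def find_undefined_scopes(spec):
    """Return (path, method, scheme, scope) for each scope an operation requests
    that is not declared under securityDefinitions.<scheme>.scopes; a scheme that
    is absent from securityDefinitions is reported once with scope None."""
    definitions = spec.get("securityDefinitions") or {}
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip $ref, parameters and vendor extensions
            for requirement in op.get("security") or []:
                for scheme, scopes in requirement.items():
                    if scheme not in definitions:
                        findings.append((path, method, scheme, None))
                        continue
                    declared = definitions[scheme].get("scopes") or {}
                    for scope in scopes:
                        if scope not in declared:
                            findings.append((path, method, scheme, scope))
    return findings
```

An empty result means every operation's scopes are declared and the policy would pass.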

Rule Details

| Field | Value |
|---|---|
| ID | IAC-1265 |
| Severity | MEDIUM |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_9 |
