Operation objects do not have the 'produces' field defined for GET operations
Description
This policy checks that every GET operation in an OpenAPI 2.0 (Swagger) file declares a 'produces' field. The 'produces' field lists the MIME types the operation can return (for example application/json). When it is absent, the API contract leaves the response media type unspecified, so clients, SDK generators and gateways have to guess or sniff the content type. That guesswork can cause responses to be parsed incorrectly and opens the door to content-type confusion, which affects both the security and the functionality of the API.
Code Example
```yaml
paths:
  '/pet/{petId}':        # the path template must declare the {petId} path parameter used below
    get:
      summary: Info for a specific pet
      operationId: showPetById
      tags:
        - pets
      parameters:
        - name: petId
          in: path
          required: true
          description: The id of the pet to retrieve
          type: string
      produces:            # the field this rule requires on every GET operation
        - application/json
      responses:
        '200':
          description: Expected response to a valid request
          schema:
            $ref: '#/definitions/pets'
```
Remediation
OpenAPI
To fix this issue, define a 'produces' field on every GET operation in your OpenAPI 2.0 files, listing the media types the operation actually returns (for example application/json). OpenAPI 2.0 also allows a root-level 'produces' that every operation inherits; an operation-level 'produces' takes precedence, and an empty list at the operation level clears the inherited value, leaving that operation without any declared media type. OpenAPI 3.x has no 'produces' field (media types are declared under each response's 'content'), so this rule applies only to version 2.0 documents.
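The following is an added example, not Checkov's or this page's own code: a minimal Python re-implementation of the rule's logic, run over two constructed OpenAPI 2.0 documents (a JSON encoding is used so the example needs only the standard library). It assumes, as the OpenAPI 2.0 specification states, that a root-level 'produces' is inherited by every operation and that an operation-level 'produces', even an empty list, overrides it. Whether the scanner behind CKV_OPENAPI_16 honours a root-level 'produces' is not stated on this page, so confirm that against your scanner before relying on root-level declarations alone.

```python
# Added example, not Checkov's or this page's own code: a minimal re-implementation of
# the rule's logic over an OpenAPI 2.0 document that has already been parsed into a dict.
# Assumption: a root-level `produces` is inherited by every operation and an
# operation-level `produces` (even an empty list) overrides it, per the OpenAPI 2.0 spec.
import json
from typing import List


def get_operations_without_produces(spec: dict) -> List[str]:
    """Return 'GET <path>' for each GET operation with no effective `produces`.

    Returns an empty list for non-2.0 documents: OpenAPI 3.x has no `produces`
    field (media types live under each response's `content`), so the rule does
    not apply there.
    """
    if spec.get("swagger") != "2.0":
        return []
    root_produces = spec.get("produces") or []
    findings = []
    for path, path_item in (spec.get("paths") or {}).items():
        if not isinstance(path_item, dict):
            continue
        get_op = path_item.get("get")
        if not isinstance(get_op, dict):
            continue  # only GET is in scope; other methods are ignored
        # An operation-level key wins when present; `produces: []` clears the
        # inherited value, which leaves the operation with no media type at all.
        effective = get_op["produces"] if "produces" in get_op else root_produces
        if not effective:
            findings.append(f"GET {path}")
    return findings


def check_openapi_json(document: str) -> List[str]:
    """Parse a JSON-encoded OpenAPI document and run the check on it."""
    return get_operations_without_produces(json.loads(document))


# Constructed sample 1: `produces` declared per operation; the `/pets` GET omits it.
SPEC_OPERATION_LEVEL = """
{
  "swagger": "2.0",
  "info": {"title": "Constructed petstore sample", "version": "1.0.0"},
  "paths": {
    "/pets/{petId}": {
      "get": {
        "operationId": "showPetById",
        "produces": ["application/json"],
        "parameters": [{"name": "petId", "in": "path", "required": true, "type": "string"}],
        "responses": {"200": {"description": "Expected response to a valid request"}}
      }
    },
    "/pets": {
      "get": {"operationId": "listPets", "responses": {"200": {"description": "A list of pets"}}},
      "post": {"operationId": "createPet", "responses": {"201": {"description": "Created"}}}
    }
  }
}
"""

# Constructed sample 2: a root-level `produces` covers `/pets`, but the photo
# operation clears it with an empty list and so ends up without a media type.
SPEC_ROOT_LEVEL = """
{
  "swagger": "2.0",
  "info": {"title": "Constructed petstore sample", "version": "1.0.0"},
  "produces": ["application/json"],
  "paths": {
    "/pets": {
      "get": {"operationId": "listPets", "responses": {"200": {"description": "A list of pets"}}}
    },
    "/pets/{petId}/photo": {
      "get": {"operationId": "getPetPhoto", "produces": [], "responses": {"200": {"description": "Photo"}}}
    }
  }
}
"""

if __name__ == "__main__":
    for name, doc in (("operation-level", SPEC_OPERATION_LEVEL), ("root-level", SPEC_ROOT_LEVEL)):
        print(name, check_openapi_json(doc) or "no findings")
```

Running the script reports `GET /pets` for the first document and `GET /pets/{petId}/photo` for the second: the POST on `/pets` is out of scope, the GET on `/pets` in the second document inherits the root-level media type, and the empty operation-level list is treated as clearing it.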
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1272 |
| Severity | LOW |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_16 |