Some APIs will be open by their very nature (register, for example). There is a convention in OAS to use security to denote that having no security is intentional. Is there any plan to support this, or to suggest an alternative?
Great question.
Yes, this is known and supported.
“security:” is flagged by API Audit because while it is used to denote no security scheme, it is also sometimes a mistake where someone forgot to include the security scheme.
So as a precaution, API Audit draws attention to it, to flag it for review.
Solution
You can overwrite this default behavior using the API Audit extension x-42c-accept-empty-security.
Just keep in mind you’ll then need to manually track, review and check that any empty security requirements are indeed intentional!
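The thread describes a rule (an empty security requirement is flagged for review unless the author has explicitly accepted it) without showing how such a check works. The following is an added example, not 42Crunch's own code or API Audit's implementation: a small linter that walks an OpenAPI 3 document held as a plain dict, resolves each operation's effective security requirement (operation-level `security` overrides the document-level list), reports operations that are open because of an explicit `security: []` or because nothing declares a requirement at all, and suppresses the explicit case when the operation carries `x-42c-accept-empty-security: true`. The extension name comes from the answer above; that it is a boolean placed on the operation object is an assumption of this example, as are the sample documents, which are constructed.

```python
"""Lint an OpenAPI 3 document for operations with no security requirement.

Added example. Rule modelled on the behaviour described in the thread:
  * explicit ``security: []`` on an operation is reported as "empty-security"
    (it may be a deliberate public endpoint or a forgotten scheme);
  * an operation with no ``security`` key in a document that also declares
    no top-level ``security`` is reported as "no-security";
  * "empty-security" is suppressed when the operation carries
    ``x-42c-accept-empty-security: true`` (ASSUMPTION: boolean on the
    operation object; not verified against 42Crunch's documentation).
    The "no-security" case is never suppressed, because an absent key is
    still ambiguous even if the extension is present.
"""
from typing import Any, Dict, List, Optional, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
ACCEPT_EXT = "x-42c-accept-empty-security"  # name from the thread


def effective_security(doc: Dict[str, Any], op: Dict[str, Any]) -> Optional[List[Any]]:
    """OAS 3 semantics: an operation-level `security` list replaces the
    document-level one; otherwise the document-level list applies.
    Returns None when neither level declares anything."""
    if "security" in op:
        return op["security"]
    return doc.get("security")


def lint_empty_security(doc: Dict[str, Any]) -> Dict[str, List[Tuple[str, ...]]]:
    """Return {"findings": [(path, method, reason)], "accepted": [(path, method)]}."""
    findings: List[Tuple[str, ...]] = []
    accepted: List[Tuple[str, ...]] = []
    for path, item in doc.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = effective_security(doc, op)
            if sec is None:
                reason = "no-security"
            elif sec == []:
                reason = "empty-security"
            else:
                continue  # at least one security requirement applies
            if reason == "empty-security" and op.get(ACCEPT_EXT) is True:
                accepted.append((path, method))  # explicitly acknowledged as public
            else:
                findings.append((path, method, reason))
    return {"findings": findings, "accepted": accepted}


# Constructed sample: global API-key requirement, one acknowledged public
# endpoint, one unacknowledged empty requirement, one inheriting the global.
SAMPLE_DOC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "constructed sample", "version": "1"},
    "components": {"securitySchemes": {
        "ApiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"ApiKey": []}],
    "paths": {
        "/register": {"post": {"security": [], ACCEPT_EXT: True,
                               "responses": {"201": {"description": "created"}}}},
        "/health": {"get": {"security": [],
                            "responses": {"200": {"description": "ok"}}}},
        "/users": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}

# Constructed sample with no document-level security at all.
NO_GLOBAL_DOC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "constructed sample, no global security", "version": "1"},
    "paths": {
        "/metrics": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/login": {"post": {"security": [], ACCEPT_EXT: True,
                            "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for name, doc in (("SAMPLE_DOC", SAMPLE_DOC), ("NO_GLOBAL_DOC", NO_GLOBAL_DOC)):
        result = lint_empty_security(doc)
        print(name)
        for path, method, reason in result["findings"]:
            print(f"  REVIEW  {method.upper()} {path}: {reason}")
        for path, method in result["accepted"]:
            print(f"  ACCEPT  {method.upper()} {path}: {ACCEPT_EXT} set")
```

Running it lists `/health` as needing review and `/register` as accepted in the first document, and `/metrics` as needing review in the second. The distinction between the two reasons is the point of the thread's caution: the extension makes an explicit `security: []` auditable, but the resulting list of accepted operations still has to be reviewed by a person, which is why the linter returns it rather than discarding it.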