What is OpenAPI/Swagger?
OpenAPI (formerly Swagger) is the contract that describes your REST endpoints, parameters, schemas, and responses. Because it is the source of truth for many teams, scanning it uncovers security and quality issues before code is deployed. Learn more on the official OpenAPI documentation.
Common issues in OpenAPI definitions
- Missing authentication: operations with no security requirement (or an explicit empty one) that fall through as public, and OAuth2 requirements that name a scheme but no scopes.
- Unclear error responses: 4xx/5xx bodies without the RFC 7807 problem-details structure (now RFC 9457, which keeps the same members) or inconsistent status codes across operations.
- Incomplete pagination: list endpoints with no limit, page, or cursor parameter, so a single request can pull the whole collection and scraping is trivial.
- Sparse documentation: empty descriptions, no examples, and missing contact info.
How APISAST scans OpenAPI files
APISAST parses JSON or YAML specs and applies 29+ static checks across security, documentation, and performance. It validates authentication requirements and scopes, rate-limiting headers, pagination, and RFC 7807 error responses, then produces remediation tips keyed to the line number in the spec.
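As an added illustration of the checks described above (example code written for this page, not APISAST's own scanner), here is a small stdlib-only Python checker that reads an OpenAPI 3.x document and flags the issue classes from the list above: servers without HTTPS, operations with no effective security requirement, OAuth2 requirements with empty scopes, list endpoints with no pagination parameter, and error responses that are not application/problem+json. The sample spec embedded at the bottom is constructed for the example, and the set of parameter names treated as pagination is an assumption you would tune to your own conventions.

```python
"""Minimal OpenAPI static checker (added example, not APISAST's code).

Reads an OpenAPI 3.x document as JSON (YAML would need the third-party
PyYAML package, so JSON keeps this stdlib-only). Findings are keyed to an
RFC 6901 JSON Pointer into the document because json.loads does not keep
line numbers; a line-aware parser would be needed for line-keyed output.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed parameter names that count as pagination; adjust to your conventions.
PAGINATION_PARAMS = {"limit", "page", "page_size", "pageSize", "cursor", "offset"}


def _ptr(*segments):
    """Build an RFC 6901 JSON Pointer, escaping '~' and '/' in each segment."""
    return "".join("/" + str(s).replace("~", "~0").replace("/", "~1") for s in segments)


def _effective_security(spec, op):
    """Operation-level `security` overrides the document-level list.

    An explicit empty list on an operation means "no auth required", which is
    exactly the case a scanner must surface rather than skip.
    """
    return op.get("security", spec.get("security"))


def _returns_array(op):
    """True if the 200 response's schema is an array, i.e. a list endpoint."""
    for media in op.get("responses", {}).get("200", {}).get("content", {}).values():
        if media.get("schema", {}).get("type") == "array":
            return True
    return False


def check_spec(spec):
    """Return a list of (rule, json_pointer, detail) findings for `spec`."""
    findings = []
    for i, server in enumerate(spec.get("servers", [])):
        if server.get("url", "").startswith("http://"):
            findings.append(("insecure-server", _ptr("servers", i), server["url"]))

    schemes = spec.get("components", {}).get("securitySchemes", {})
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level "parameters", "summary", extensions
            where = _ptr("paths", path, method)

            sec = _effective_security(spec, op)
            if not sec:
                findings.append(("missing-auth", where, "no security requirement"))
            else:
                for requirement in sec:
                    for name, scopes in requirement.items():
                        if schemes.get(name, {}).get("type") == "oauth2" and not scopes:
                            findings.append(("missing-scopes", where, name))

            if method == "get" and _returns_array(op):
                params = item.get("parameters", []) + op.get("parameters", [])
                if not {p.get("name") for p in params} & PAGINATION_PARAMS:
                    findings.append(("unbounded-list", where, "no limit/page/cursor parameter"))

            for code, resp in op.get("responses", {}).items():
                if code[:1] in ("4", "5") and "application/problem+json" not in resp.get("content", {}):
                    findings.append(("non-rfc7807-error", where + _ptr("responses", code),
                                     "expected application/problem+json"))
    return findings


# Constructed sample spec: one clean operation, one with empty scopes and a
# plain-JSON 404, one public list endpoint, and an http:// server entry.
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.3", "info": {"title": "Constructed sample", "version": "1.0.0"},
 "servers": [{"url": "http://api.example.test/v1"}],
 "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {"clientCredentials":
   {"tokenUrl": "https://auth.example.test/token", "scopes": {"users:read": "Read users"}}}}}},
 "security": [{"oauth": ["users:read"]}],
 "paths": {
  "/users": {"get": {"responses": {"200": {"description": "ok", "content":
    {"application/json": {"schema": {"type": "array", "items": {"type": "object"}}}}}}}},
  "/users/{id}": {"get": {
    "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "string"}}],
    "security": [{"oauth": []}],
    "responses": {"200": {"description": "ok", "content": {"application/json": {"schema": {"type": "object"}}}},
                  "404": {"description": "not found", "content": {"application/json": {"schema": {"type": "object"}}}}}}},
  "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}}
 }}
""")

if __name__ == "__main__":
    for rule, pointer, detail in check_spec(SAMPLE_SPEC):
        print(f"{rule:20} {pointer:40} {detail}")
```

Run as a script it prints five findings for the constructed spec: the http:// server, the unbounded /users list, the empty scope list and plain-JSON 404 on /users/{id}, and the explicitly public /health operation. Two caveats a practitioner would want: the list-endpoint rule is a heuristic (a bounded array such as a fixed enum list will trip it), and `$ref`-based responses are not resolved here, so a production checker should dereference components before applying the response rules.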
For a broader product view, see the API security scanner page.
Compliance and standards
- RFC 7807 error bodies with type, title, status, detail, and instance.
- Semantic versioning and deprecation flags for change control.
- HTTPS enforcement and secure server definitions.
- Consistent response schemas and examples for every status code.
Comparing open source and commercial scanners
Open-source linters are great for syntax and schema checks but often lack security depth. Commercial scanners add rule packs, governance, and support. APISAST blends the speed of static linting with security coverage mapped to the OWASP API Security Top 10, plus exportable reports for stakeholders.
If you need an overview of static vs dynamic coverage, read the API security scanner comparison or explore API security SAST tools for process details.