Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@stoplight/spectral
Advanced tools
A flexible object linter with out of the box support for OpenAPI v2 and v3.
A flexible JSON object linter with out of the box support for OpenAPI Specification 2 and 3
npm install @stoplight/spectral
Supports Node v8.3+ and modern browsers.
There are two key concepts in Spectral: Rules and Functions.
Think of a set of rules and functions as a flexible and customizable style guide for your JSON objects.
Spectral has a built-in set of functions which you can reference in your rules. This example uses the RuleFunction.PATTERN
to create a rule that checks that all property values are in snake case.
const { RuleFunction, Spectral } = require('@stoplight/spectral');
const spectral = new Spectral();
spectral.addRules({
snake_case: {
summary: 'Checks for snake case pattern',
// evaluate every property
given: '$..*',
then: {
function: RuleFunction.PATTERN,
functionOptions: {
match: '^[a-z]+[a-z0-9_]*[a-z0-9]+$',
},
},
},
});
const results = spectral.run({
name: 'helloWorld',
});
console.log(JSON.stringify(results, null, 4));
// => outputs a single result since `helloWorld` is not snake_case
// {
// "results": [
// {
// "name": "snake_case",
// "message": "must match the pattern '^[a-z]+[a-z0-9_]*[a-z0-9]+$'",
// "severity": 40,
// "severityLabel": "warn",
// "path": [
// "name"
// ]
// }
// ]
// }
Sometimes the built-in functions don't cover your use case. This example creates a custom function, customNotThatFunction
, and then uses it within a rule, openapi_not_swagger
. The custom function checks that you are not using a specific string (e.g., "Swagger") and suggests what to use instead (e.g., "OpenAPI").
const { Spectral } = require('@stoplight/spectral');
// custom function
const customNotThatFunction = (targetValue, options) => {
const { match, suggestion } = options;
if (targetValue && targetValue.match(new RegExp(match))) {
// return the single error
return [
{
message: `Use ${suggestion} instead of ${match}!`,
},
];
}
};
const spectral = new Spectral();
spectral.addFunctions({
notThat: customNotThatFunction,
});
spectral.addRules({
openapi_not_swagger: {
summary: 'Checks for use of Swagger, and suggests OpenAPI.',
// check every property
given: '$..*',
then: {
// reference the function we added!
function: 'notThat',
// pass it the options it needs
functionOptions: {
match: 'Swagger',
suggestion: 'OpenAPI',
},
},
},
});
const results = spectral.run({
description: 'Swagger is pretty cool!',
});
console.log(JSON.stringify(results, null, 4));
// => outputs a single result since we are using the term `Swagger` in our object
// {
// "results": [
// {
// "name": "openapi_not_swagger",
// "message": "Use OpenAPI instead of Swagger!",
// "severity": 40,
// "severityLabel": "warn",
// "path": [
// "description"
// ]
// }
// ]
// }
Spectral also includes a number of ready made rules and functions for OpenAPI Specification (OAS) 2 and 3 documents. This example uses the OAS 2 rules to lint a document.
You can also add to these rules to create a customized linting style guide for your OAS documents.
const { Spectral } = require('@stoplight/spectral');
const { oas2Functions, oas2Rules } = require('@stoplight/spectral/rulesets/oas2');
// an OASv2 document
var myOAS = {
// ... properties in your document
responses: {
'200': {
description: '',
schema: {
$ref: '#/definitions/error-response',
},
},
},
// ... properties in your document
};
// create a new instance of spectral with all of the baked in rulesets
const spectral = new Spectral();
spectral.addFunctions(oas2Functions());
spectral.addRules(oas2Rules());
spectral.addRules({
// .. extend with your own custom rules
});
// run!
const results = spectral.run(myOAS);
console.log(JSON.stringify(results, null, 4));
Note: The existing OAS rules are opinionated. There might be some rules that you prefer to change. We encourage you to create your rules to fit your use case. We welcome additions to the existing rulesets as well!
How is this different than Ajv?
Ajv is a JSON Schema validator, not a linter. Spectral does expose a schema
function that you can use in your rules to validate all or part of the target object with JSON Schema (Ajv is used under the hood). However, Spectral also provides a number of other functions and utilities that you can use to build up a linting ruleset to validates things that JSON Schema is not well suited for.
I want to lint my OpenAPI Specification documents but don't want to implement Spectral right now.
No problem! A hosted version of Spectral comes free with the Stoplight platform. Sign up for a free account here.
What is the difference between Spectral and Speccy?
With Spectral, lint rules can be applied to any JSON object, not just OAS 3 documents. The rule structure is different between the two. Spectral uses JSONPath path
parameters instead of the object
parameters (which are OAS-specific). Rules are also more clearly defined (thanks to TypeScript typings) and now require specifying a type
parameter. Some rule types have been enhanced to be a little more flexible along with being able to create your own rules based on the built-in and custom functions.
If you are interested in contributing to Spectral itself, check out our contributing docs [Coming soon!] to get started.
Also, most of the interesting projects are built with Spectral. Please consider using Spectral in a project or contribute to an existing one.
If you are using Spectral in your project and want to be listed in the examples section, we encourage you to open an issue.
path
you wantIf you have a bug or feature request, please open an issue here.
If you need help using Spectral or have a support question, please use the Stoplight Community forum. We've created an open source category for these questions. It's also a great place to share your implementations.
If you want to discuss something in private, you can reach out to Stoplight support at support@stoplight.io.
FAQs
[![Demo of Spectral linting an OpenAPI document from the CLI](./docs/img/readme-header.svg)](https://stoplight.io/api-governance?utm_source=github&utm_medium=spectral&utm_campaign=readme) [![CircleCI](https://img.shields.io/circleci/build/github/stoplight
The npm package @stoplight/spectral receives a total of 26,727 weekly downloads. As such, @stoplight/spectral popularity was classified as popular.
We found that @stoplight/spectral demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 34 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.