Add API design checks.

ioggstream · ioggstream · commit 572a160918cc · 2022-10-19T22:32:26.000+02:00
diff --git a/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml b/src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml
@@ -43,6 +43,31 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
+    API design validation:
+      risk: Creation of insecure or non-compliant API.
+      measure: |
+        Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP
+        and validate the specification using specific tools.
+        Checks should be integrated in IDEs and CI/CD pipelines.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 2
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stoplight-spectral
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/api-oas-checker
+      references:
+        samm2:
+        - V-ST-1-A
+        iso27001-2017:
+        - 8.25  # Secure development lifecycle
+        - 8.27  # Secure system architecture and engineering principles
+        - 8.28  # Secure coding
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Source Control Protection:
       risk: Intentional or accidental alterations in critical branches like master.
       measure: >-
diff --git a/src/assets/YAML/default/implementations.yaml b/src/assets/YAML/default/implementations.yaml
@@ -640,4 +640,18 @@ implementations:
     tags: [authentication, authorization, secrets, infrastructure]
     url: https://github.com/hashicorp/vault
     description: |
-      A tool for secrets management, encryption as a service, and privileged access management
+      A tool for secrets management, encryption as a service, and privileged access management.
+  stoplight-spectral:
+    name: Spectral
+    tags: [linting, api, documentation]
+    url: https://github.com/stoplightio/spectral
+    description: |
+      Spectral is a flexible JSON/YAML linter built with extensibility in mind.
+      It uses JSON/YAML path rules to describe the problems you want to find.
+  api-oas-checker:
+    name: API OAS Checker
+    tags: [linting, api, documentation]
+    url: https://github.com/italia/api-oas-checker
+    description: |
+      A tool to check OpenAPI specifications using a comprehensive ruleset based
+      on API best practices.
