changes

- add tests cache on/off switch
- openapi scripts support json files
- update docc scripts
- openapi-security uses stoplight/spectral:latest
- more bats tests

Author: GErP83

.github/workflows/extra_soundness.yml

@@ -15,6 +15,10 @@ on:
         type: boolean
         description: "Boolean to enable run tests with .build cache."
         default: false
+      tests_cache_enabled:
+        type: boolean
+        description: "Boolean to enable .build cache usage inside the run tests job."
+        default: true
       run_tests_swift_versions:
         type: string
         description: "List of Swift versions to test with."
@@ -126,11 +130,13 @@ jobs:
           ssh-keyscan github.com >> ~/.ssh/known_hosts
 
       - name: Install zstd
+        if: ${{ inputs.tests_cache_enabled }}
         run: |
           sudo apt-get update -y
           sudo apt-get install -y zstd
 
       - name: Restore .build
+        if: ${{ inputs.tests_cache_enabled }}
         id: "restore-build"
         uses: actions/cache/restore@v4
         with:
@@ -142,11 +148,16 @@ jobs:
         run: swift build --build-tests
 
       - name: Cache .build
-        if: steps.restore-build.outputs.cache-hit != 'true'
+        if: ${{ inputs.tests_cache_enabled && steps.restore-build.outputs.cache-hit != 'true' }}
         uses: actions/cache/save@v4
         with:
           path: .build
           key: "swiftpm-tests-build-${{ runner.os }}-${{ matrix.swift }}-${{ github.event.pull_request.base.sha || github.event.after }}"
 
       - name: Run unit tests
-        run: swift test --skip-build --parallel
+        run: |
+          if [ "${{ inputs.tests_cache_enabled }}" = "true" ]; then
+            swift test --skip-build --parallel
+          else
+            swift test --parallel
+          fi

README.md

@@ -26,7 +26,7 @@ This workflow provides configurable, robust checks and testing:
 * **Optional Local Swift Dependency Checks**: Checks for accidental `.package(path:)` usage.
 * **Optional Swift Headers Check**: Validates Swift source file headers using a strict 5-line format and respects `.swiftheaderignore`.
 * **Optional DocC Warnings Check**: Runs DocC analysis with `--warnings-as-errors` and fails on warnings.
-* **Optional Swift Test Execution**: Runs tests using **`.build` caching** for efficiency.
+* **Optional Swift Test Execution**: Runs tests with optional **`.build` caching** for efficiency.
 * **Optional Swift Package Validation**: Validates Swift package structure, settings, and conventions to ensure consistency.
 * **Multi-Version Support**: Tests across multiple Swift versions, configurable via input (defaulting to `["6.0", "6.1"]`).
 * **SSH Support**: Includes steps to set up **SSH credentials** (via the `SSH_PRIVATE_KEY` secret) for projects relying on private Git dependencies.
@@ -38,7 +38,8 @@ This workflow provides configurable, robust checks and testing:
 | `local_swift_dependencies_check_enabled` | Enables local Swift dependency check | `false` |
 | `headers_check_enabled` | Enables Swift headers validation | `false` |
 | `docc_warnings_check_enabled` | Enables DocC warnings check | `false` |
-| `run_tests_with_cache_enabled` | Enables Swift tests with `.build` cache | `false` |
+| `run_tests_with_cache_enabled` | Enables the Swift test job | `false` |
+| `tests_cache_enabled` | Enables `.build` cache restore/save in the Swift test job | `true` |
 | `run_tests_swift_versions` | Swift versions to test | `["6.1","6.2"]` |
 | `swift_package_validation_enabled` | Runs Swift package validation in the repository. | `false` |
 
@@ -53,6 +54,7 @@ jobs:
       headers_check_enabled: true
       docc_warnings_check_enabled: true
       run_tests_with_cache_enabled: true
+      tests_cache_enabled: true
       run_tests_swift_versions: '["6.1","6.2"]'
       swift_package_validation_enabled: true
 ```
@@ -257,14 +259,16 @@ curl -s $(baseUrl)/check-local-swift-dependencies.sh | bash
 
 #### Purpose
 
-Runs a security scan of an OpenAPI specification using OWASP ZAP.
+Runs fast static OpenAPI security lint checks using Spectral.
 
 #### Behavior
 
 * Executes inside Docker
 * Accepts an OpenAPI file or directory (default: `openapi`)
 * Relative `-f` paths are resolved from the git repository root first, then current working directory
-* For file paths, supports `.yml`/`.yaml` extension fallback
+* For file paths, supports `.yml`/`.yaml`/`.json` extension fallback
+* For directory paths, resolves `openapi.yaml`, then `openapi.yml`, then `openapi.json`
+* Performs static linting only (no running API server required)
 * Skips execution if no OpenAPI specification can be resolved
 
 #### Parameters
@@ -298,12 +302,17 @@ Validates an OpenAPI specification for schema correctness.
 * Runs the OpenAPI validator in Docker
 * Accepts an OpenAPI file or directory (default: `openapi`)
 * Relative `-f` paths are resolved from the git repository root first, then current working directory
-* For file paths, supports `.yml`/`.yaml` extension fallback
+* For file paths, supports `.yml`/`.yaml`/`.json` extension fallback
+* For directory paths, resolves `openapi.yaml`, then `openapi.yml`, then `openapi.json`
+* Supports debug tracing via `-d` (prints resolved paths and command trace)
+* Supports `--detailed` to run additional Spectral diagnostics when validation fails
 * Skips execution if no OpenAPI specification can be resolved
 
 #### Parameters
 
 * `-f <path>` – OpenAPI file or directory path
+* `-d` – enable debug tracing
+* `--detailed` – run additional detailed diagnostics on validation failure
 
 #### Ignore files
 
@@ -498,11 +507,15 @@ Installs the Swift OpenAPI Generator CLI tool.
 #### Behavior
 
 * Builds from source
-* Supports version pinning
+* Installs the latest available tag by default
+* Supports version pinning via `-v`
+* Validates required tools (`git`, `curl`, `tar`, `swift`, `install`)
+* Uses fail-fast download behavior for release archives
 
 #### Parameters
 
 * `-v <version>` – install a specific version
+* `-h` – show usage help
 
 #### Ignore files
 
@@ -593,7 +606,7 @@ Serves OpenAPI documentation locally using Docker.
 * Accepts an OpenAPI file or directory (default: `openapi`)
 * Relative `-f` paths are resolved from the git repository root first, then current working directory
 * If a file is provided, mounts its parent directory
-* For file paths, supports `.yml`/`.yaml` extension fallback
+* For file paths, supports `.yml`/`.yaml`/`.json` extension fallback
 * Runs Nginx in the foreground
 * Exposes documentation over HTTP
 

examples/tests.yml

@@ -43,5 +43,6 @@ jobs:
       local_swift_dependencies_check_enabled : true
       docc_warnings_check_enabled : true
       run_tests_with_cache_enabled : true
+      tests_cache_enabled : true
       headers_check_enabled : true
       run_tests_swift_versions: '["6.1","6.2"]'

scripts/check-docc-warnings.sh

@@ -40,6 +40,7 @@ PACKAGE_FILE="Package.swift"
 INJECT_MARKER='// [docc-plugin-placeholder]'
 # Dependency line injected immediately after the marker
 DOCC_DEP='        .package(url: "https://github.com/apple/swift-docc-plugin", from: "1.4.0"),'
+DOCC_PLUGIN_INJECTED=false
 
 # Git safety (local runs only)
 #
@@ -72,6 +73,31 @@ reset_git_after_analysis() {
     fi
 }
 
+restore_injected_package_manifest() {
+    if [ "${DOCC_PLUGIN_INJECTED}" != "true" ]; then
+        return 0
+    fi
+
+    rm -f "$PACKAGE_FILE.tmp"
+
+    if [ -n "${GITHUB_ACTIONS:-}" ]; then
+        return 0
+    fi
+
+    if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+        log "Restoring ${PACKAGE_FILE} after failed DocC analysis"
+        git checkout -- "$PACKAGE_FILE" || true
+    fi
+}
+
+cleanup_on_exit() {
+    local rc=$?
+    if [ "$rc" -ne 0 ]; then
+        restore_injected_package_manifest
+    fi
+}
+trap cleanup_on_exit EXIT
+
 # Ensures that swift-docc-plugin is available to SwiftPM.
 #
 # This function injects the dependency using a fixed marker
@@ -125,6 +151,7 @@ ensure_docc_plugin() {
     ' "$PACKAGE_FILE" >"$PACKAGE_FILE.tmp"
 
     mv "$PACKAGE_FILE.tmp" "$PACKAGE_FILE"
+    DOCC_PLUGIN_INJECTED=true
 
     # Validate manifest after mutation
     swift package dump-package >/dev/null ||

scripts/check-openapi-security.sh

@@ -1,41 +1,37 @@
 #!/usr/bin/env bash
-# OpenAPI Security Check (OWASP ZAP)
+# OpenAPI Security Lint (Spectral)
 #
-# This script runs an OWASP ZAP API security scan against an OpenAPI
-# specification located in the repository.
+# This script runs fast static security lint checks against an OpenAPI
+# specification using Spectral in Docker.
 #
 # It is designed to be:
-# - Safe for CI (no side effects)
+# - Fast for CI and local runs
 # - Optional (exits successfully if no OpenAPI spec is present)
-#
-# The scan helps identify common API security issues early in the pipeline.
+# - Static (no running API server required)
 
 set -euo pipefail
 
 # Logging helpers
-# All output goes to stderr for consistent CI logs
 log() { printf -- "** %s\n" "$*" >&2; }
 error() { printf -- "** ERROR: %s\n" "$*" >&2; }
 fatal() {
     error "$@"
     exit 1
 }
 
-# Resolve script directory
-# This allows the script to be run from any subdirectory.
 SCRIPT_SOURCE="${BASH_SOURCE[0]-$0}"
 SCRIPT_DIR="$(cd -- "$(dirname -- "${SCRIPT_SOURCE}")" && pwd)"
 
 OPENAPI_PATH="openapi"
+RULESET_FILE=""
+RULESET_CONTAINER_PATH="/tmp/spectral-security-ruleset.yaml"
 
 resolve_repo_root() {
-    # Prefer git root for local execution and subdirectory calls.
     if root="$(git rev-parse --show-toplevel 2>/dev/null)"; then
         printf '%s\n' "${root}"
         return 0
     fi
 
-    # Fallback for checked-out scripts under a conventional ./scripts layout.
     if [ -d "${SCRIPT_DIR}/../.git" ]; then
         (
             cd -- "${SCRIPT_DIR}/.."
@@ -44,7 +40,6 @@ resolve_repo_root() {
         return 0
     fi
 
-    # Last resort for piped execution (for example: curl | bash).
     pwd
 }
 
@@ -58,6 +53,13 @@ Options:
 EOF
 }
 
+cleanup() {
+    if [ -n "${RULESET_FILE}" ]; then
+        rm -f "${RULESET_FILE}"
+    fi
+}
+trap cleanup EXIT
+
 while getopts ":f:h" flag; do
     case "${flag}" in
         f) OPENAPI_PATH="${OPTARG}" ;;
@@ -71,10 +73,8 @@ while getopts ":f:h" flag; do
 done
 
 if [[ "${OPENAPI_PATH}" = /* ]]; then
-    # Absolute paths are used as-is.
     OPENAPI_ABS_PATH="${OPENAPI_PATH}"
 else
-    # Relative paths prefer repository root, then current working directory.
     REPO_ROOT="$(resolve_repo_root)"
     REPO_OPENAPI_PATH="${REPO_ROOT}/${OPENAPI_PATH}"
     CWD_OPENAPI_PATH="$(pwd)/${OPENAPI_PATH}"
@@ -88,13 +88,20 @@ else
     fi
 fi
 
-# Allow extension fallback between .yml and .yaml.
+# Allow extension fallback among .yml, .yaml, and .json.
 if [ ! -e "${OPENAPI_ABS_PATH}" ]; then
-    # If the requested extension does not exist, try the sibling extension.
     if [[ "${OPENAPI_ABS_PATH}" == *.yml ]] && [ -f "${OPENAPI_ABS_PATH%.yml}.yaml" ]; then
         OPENAPI_ABS_PATH="${OPENAPI_ABS_PATH%.yml}.yaml"
+    elif [[ "${OPENAPI_ABS_PATH}" == *.yml ]] && [ -f "${OPENAPI_ABS_PATH%.yml}.json" ]; then
+        OPENAPI_ABS_PATH="${OPENAPI_ABS_PATH%.yml}.json"
     elif [[ "${OPENAPI_ABS_PATH}" == *.yaml ]] && [ -f "${OPENAPI_ABS_PATH%.yaml}.yml" ]; then
         OPENAPI_ABS_PATH="${OPENAPI_ABS_PATH%.yaml}.yml"
+    elif [[ "${OPENAPI_ABS_PATH}" == *.yaml ]] && [ -f "${OPENAPI_ABS_PATH%.yaml}.json" ]; then
+        OPENAPI_ABS_PATH="${OPENAPI_ABS_PATH%.yaml}.json"
+    elif [[ "${OPENAPI_ABS_PATH}" == *.json ]] && [ -f "${OPENAPI_ABS_PATH%.json}.yaml" ]; then
+        OPENAPI_ABS_PATH="${OPENAPI_ABS_PATH%.json}.yaml"
+    elif [[ "${OPENAPI_ABS_PATH}" == *.json ]] && [ -f "${OPENAPI_ABS_PATH%.json}.yml" ]; then
+        OPENAPI_ABS_PATH="${OPENAPI_ABS_PATH%.json}.yml"
     fi
 fi
 
@@ -105,23 +112,45 @@ elif [ -d "${OPENAPI_ABS_PATH}" ]; then
         OPENAPI_SPEC_FILE="${OPENAPI_ABS_PATH}/openapi.yaml"
     elif [ -f "${OPENAPI_ABS_PATH}/openapi.yml" ]; then
         OPENAPI_SPEC_FILE="${OPENAPI_ABS_PATH}/openapi.yml"
+    elif [ -f "${OPENAPI_ABS_PATH}/openapi.json" ]; then
+        OPENAPI_SPEC_FILE="${OPENAPI_ABS_PATH}/openapi.json"
     else
-        log "❗ OpenAPI spec not found in directory ${OPENAPI_ABS_PATH} — skipping security scan."
+        log "❗ OpenAPI spec not found in directory ${OPENAPI_ABS_PATH} — skipping security lint."
         exit 0
     fi
 else
-    log "❗ OpenAPI path not found — skipping security scan."
+    log "❗ OpenAPI path not found — skipping security lint."
     exit 0
 fi
 
-# Run OWASP ZAP API scan in a Docker container
-#
-# - Mounts the OpenAPI file into the container
-# - Uses the OpenAPI specification as the scan target
-# - Fails the script if security issues are detected
-#
-# The container is removed after execution to keep the environment clean
-docker run --rm --name "check-openapi-security" \
-    -v "${OPENAPI_SPEC_FILE}:/app/openapi.yaml" \
-    -t zaproxy/zap-stable:latest zap-api-scan.py \
-    -t /app/openapi.yaml -f openapi
+RULESET_FILE="$(mktemp "${TMPDIR:-/tmp}/spectral-security-ruleset.XXXXXX.yaml")"
+cat >"${RULESET_FILE}" <<'EOF'
+extends:
+  - spectral:oas
+rules:
+  security-requirement-defined:
+    description: "Define security requirements at root and/or operation level."
+    severity: error
+    given:
+      - "$"
+    then:
+      field: security
+      function: truthy
+  no-http-server-urls:
+    description: "Server URLs should use HTTPS."
+    severity: error
+    given: "$.servers[*].url"
+    then:
+      function: pattern
+      functionOptions:
+        match: "^https://"
+EOF
+
+OPENAPI_SPEC_BASENAME="$(basename "${OPENAPI_SPEC_FILE}")"
+docker run --rm --name "check-openapi-security-lint" \
+    -v "${OPENAPI_SPEC_FILE}:/app/${OPENAPI_SPEC_BASENAME}" \
+    -v "${RULESET_FILE}:${RULESET_CONTAINER_PATH}" \
+    stoplight/spectral:latest lint "/app/${OPENAPI_SPEC_BASENAME}" \
+    --fail-severity error \
+    --display-only-failures \
+    --ruleset "${RULESET_CONTAINER_PATH}"