Examples

Use fixtures to understand the scanner.

These examples show the difference between a more agent-ready API and a risky API. They are also used by the static test harness.

Good JSON

valid-simple-openapi.json

Designed to score higher. Includes explicit operation IDs, useful descriptions, enums, corrective errors, and declared security.

Good YAML

valid-simple-openapi.yaml

Same intent as the JSON fixture, used to validate YAML parsing and the shared scanner pipeline.

Risky JSON

dangerous-actions-openapi.json

Designed to trigger critical/high findings: refund without confirmation, unbounded amount, sensitive exports, deletion, and weak errors.

Good fixture characteristics

Risky fixture characteristics

Expected test harness behavior

valid-simple-openapi.json scans successfully
valid-simple-openapi.yaml scans successfully
dangerous-actions-openapi.json scans successfully
invalid JSON fails cleanly
invalid YAML fails cleanly
agentready.json is generated
Markdown report is generated
dangerous fixture detects critical risks
good fixture scores higher than dangerous fixture