Tool integration

Spectral Integration Guide

Open-source API linter for OpenAPI, AsyncAPI, and any JSON/YAML document

Get a Free API Key

Integrate Spectral with Vulnetix. Lint OpenAPI and AsyncAPI specifications for security misconfigurations and best practice violations, then upload SARIF findings to Vulnetix.

YAML / JSON / OpenAPI / AsyncAPICLI toolSARIFJSON

Install & scan

$ # Zero-install via npx
npx @stoplight/spectral-cli --version

# Or install globally
npm install -g @stoplight/spectral-cli
$ npx @stoplight/spectral-cli lint api.yaml   --ruleset spectral.yml   --format sarif   --output spectral.sarif

Run Spectral in CI

Scan on every push and upload the results to Vulnetix:

- name: Lint API specification with Spectral
  run: npx @stoplight/spectral-cli lint api.yaml --format sarif --output spectral.sarif

- name: Upload to Vulnetix
  run: vulnetix upload --file spectral.sarif

How Vulnetix compares — better together

Vulnetix does not replace Spectral. Keep running it. Vulnetix sits on top of Spectral — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixSpectral
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation~ Static linting of API description documents (OpenAPI/AsyncAPI), not application source code
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engineNever runs against a live application; it analyzes spec files only, not runtime behavior
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Spectral does well

Where Vulnetix adds to it: Spectral governs API design quality statically at authoring time; it is not a scanner. Vulnetix consolidates real vulnerability findings from SAST, SCA, DAST, container, IaC and secrets scanners into one prioritised, deduplicated queue with exploit-intel (EPSS/KEV/LEV), reachability and versioned VEX — layers Spectral has no equivalent of. They are complementary: Spectral keeps API contracts clean upstream while Vulnetix orchestrates the security findings across the whole stack.

No migration, no rip-and-replace. Spectral keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Spectral results in Vulnetix

Upload Spectral SARIF, JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Spectral documentation ↗  ·  Source repository ↗

Wire Spectral into your CI/CD pipeline →