Integrate Spectral with Vulnetix. Lint OpenAPI and AsyncAPI specifications for security misconfigurations and best practice violations, then upload SARIF findings to Vulnetix.
Install & scan
$ # Zero-install via npx npx @stoplight/spectral-cli --version # Or install globally npm install -g @stoplight/spectral-cli $ npx @stoplight/spectral-cli lint api.yaml --ruleset spectral.yml --format sarif --output spectral.sarif
Run Spectral in CI
Scan on every push and upload the results to Vulnetix:
- name: Lint API specification with Spectral run: npx @stoplight/spectral-cli lint api.yaml --format sarif --output spectral.sarif - name: Upload to Vulnetix run: vulnetix upload --file spectral.sarif
How Vulnetix compares — better together
Vulnetix does not replace Spectral. Keep running it. Vulnetix sits on top of Spectral — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
| Capability | Vulnetix | Spectral |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ~ Static linting of API description documents (OpenAPI/AsyncAPI), not application source code |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ Never runs against a live application; it analyzes spec files only, not runtime behavior |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Spectral does well
- The de-facto industry standard for API design governance — flexible JSON/YAML linter with baked-in support for OpenAPI v3.1/v3.0/v2.0, AsyncAPI v2.x, and Arazzo v1.0
- Fully customizable rulesets: extend the defaults or author org-wide style guides enforcing naming conventions, consistency, and security definitions
- Shift-left API security via the community spectral-owasp-ruleset, which flags OWASP API Top 10 issues (missing auth, weak security schemes) at design time in CI
- Lightweight open-source CLI with severity-graded output, easy to drop into any pipeline or pre-commit hook
Where Vulnetix adds to it: Spectral governs API design quality statically at authoring time; it is not a scanner. Vulnetix consolidates real vulnerability findings from SAST, SCA, DAST, container, IaC and secrets scanners into one prioritised, deduplicated queue with exploit-intel (EPSS/KEV/LEV), reachability and versioned VEX — layers Spectral has no equivalent of. They are complementary: Spectral keeps API contracts clean upstream while Vulnetix orchestrates the security findings across the whole stack.
No migration, no rip-and-replace. Spectral keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Spectral results in Vulnetix
Upload Spectral SARIF, JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.