Security requirement is not an OAuth2 requirement and must not define OAuth2 scopes

Issue ID: semantic-securityrequirement-nonoauth2scopes

Description

The security requirement in question defines OAuth2 scopes. However, it is not an OAuth2 security requirement, and thus must not define OAuth2 scopes.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this issue could look in your API definition:

{
    "schemes": [
        "https"
    ],
    // ...
    "securityDefinitions": {
        "regularSecurity": {
            "type": "basic"
        }
    },
    // ...
    "security": [
        {
            "regularSecurity": ["readOnly"]
        }
    ]
    // ...
}

Remediation

Make sure that only OAuth2 security requirements define OAuth2 scopes.

{
    "schemes": [
        "https"
    ],
    // ...
    "securityDefinitions": {
        "regularSecurity": {
            "type": "basic"
        }
    },
    // ...
    "security": [
        {
            "regularSecurity": []
        }
    ]
    // ...
}