No OpenAPI/Swagger spec found
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
This looks like a web API project, but there is no openapi.yaml/json or swagger.yaml/json anywhere in the repo, and no spec-generator dependency either. Without a machine-readable contract, client integration, mock servers, and API documentation all depend on someone reading the route source by hand. This is a heuristic and stays informational: plenty of small or internal APIs never need a formal spec.
Why it matters
Without an OpenAPI or Swagger spec, every consumer of this API has to read the route source to know what exists, what a valid request looks like, and what a response contains. That slows down every integration, makes it easy for the actual implementation to drift from whatever informal docs exist, and blocks off-the-shelf tooling: contract testing, mock servers, generated client SDKs, and API gateways all expect a machine-readable spec.
How to fix it
Generate a spec from the existing routes rather than hand-writing one from scratch: swagger-jsdoc or tsoa for Express/TypeScript, drf-yasg for Django REST Framework, flasgger for Flask, or the framework-native support in NestJS (@nestjs/swagger) and FastAPI (built in). Commit the generated openapi.yaml or serve it from a /docs route, and wire it into CI so route changes that are not reflected in the spec fail a check.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo