checkov
False positive in CKV_OPENAPI_3: "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files"
Description
False positive on CKV_OPENAPI_3: "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files"
When
I process the following OAS3 securityScheme:

```yaml
components:
  securitySchemes:
    JWTBearer:
      type: http
      scheme: bearer
      bearerFormat: JWT
```
I expect
No issues, since there's no way to know whether it's sent over an unencrypted channel from within securitySchemes.
See https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py#L29
The check should then be done at the servers: level (e.g., if the application is over http://).
Instead
I got
```
Check: CKV_OPENAPI_3: "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files"
	FAILED for resource: components
	File: /app/openapi.yaml:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/ensure-that-security-schemes-dont-allow-cleartext-credentials-over-unencrypted-channel

		298 |       type: http
		299 |       scheme: bearer
		300 |       bearerFormat: JWT
```
Notes
Version (please complete the following information):
- 3.2.64
Additional context
According to OAS, the type: http does not reference the transport layer nor the HTTP version.
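The following is an added, stand-alone illustration of the approach the report proposes: deciding "cleartext credentials over an unencrypted channel" at the `servers:` level rather than from `securitySchemes:` alone. It is example code written for this page, not checkov's own check; the function names, the choice of `http` basic/bearer as the credential-bearing schemes, and the two sample documents are assumptions constructed for the example.

```python
# Added example (not checkov code): flag cleartext credentials only when the
# document also declares a server reachable over plain http://.
from typing import Dict, List
from urllib.parse import urlsplit


def credential_bearing_schemes(spec: Dict) -> List[str]:
    """Names of securitySchemes that put a credential on the wire in a form
    the transport must protect (assumption: http basic and http bearer).
    On their own these say nothing about the transport layer."""
    schemes = spec.get("components", {}).get("securitySchemes", {}) or {}
    found = []
    for name, scheme in schemes.items():
        stype = str(scheme.get("type", "")).lower()
        auth = str(scheme.get("scheme", "")).lower()
        if stype == "http" and auth in ("basic", "bearer"):
            found.append(name)
    return found


def unencrypted_servers(spec: Dict) -> List[str]:
    """Server URLs whose scheme is plain http. Relative URLs (e.g. the OAS
    default "/") have no known transport and are skipped rather than flagged."""
    out = []
    for server in spec.get("servers", []) or []:
        url = str(server.get("url", ""))
        if urlsplit(url).scheme.lower() == "http":
            out.append(url)
    return out


def cleartext_over_unencrypted_channel(spec: Dict) -> List[str]:
    """Findings only when both conditions hold: a credential-bearing scheme
    exists AND at least one declared server is reachable over plain http."""
    schemes = credential_bearing_schemes(spec)
    servers = unencrypted_servers(spec)
    if not schemes or not servers:
        return []
    return [f"{name} may be sent in cleartext to {url}"
            for name in schemes for url in servers]


# Constructed sample documents (already parsed into dicts, so no YAML
# dependency is needed to run this offline).
JWT_SCHEME = {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}

SAMPLE_HTTPS_ONLY = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": {"securitySchemes": {"JWTBearer": JWT_SCHEME}},
}

SAMPLE_WITH_HTTP = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.test/v1"},
        {"url": "http://legacy.example.test/v1"},
    ],
    "components": {"securitySchemes": {"JWTBearer": JWT_SCHEME}},
}

if __name__ == "__main__":
    for label, doc in (("https only", SAMPLE_HTTPS_ONLY), ("with http", SAMPLE_WITH_HTTP)):
        print(label, "->", cleartext_over_unencrypted_channel(doc) or "no findings")
```

With this split, the document from the report (a bearer JWT scheme and no `http://` server) produces no finding, while the same scheme combined with an `http://` entry under `servers:` does.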