API Governance Overview

Anypoint API Governance is a component of the Anypoint Platform that enables you to apply governance rules to your APIs as part of the API lifecycle.

With API Governance you can:

  • Improve your organization’s API quality: Identify conformance issues in published API definitions and take steps to resolve them.

  • Share governance best practices: Publish governance rulesets in Anypoint Exchange to share with other developers.

  • Apply consistent rules at design time: Apply governance rulesets at design time in Anypoint API Designer.

  • Enforce governance within your DevOps organization: Automate the application of standards to your API contract and definition within your CI/CD pipeline.

Governance Console

In the API Governance console, add governance rulesets to governance profiles to apply the governance rulesets to multiple APIs across your organization. The API Governance console then provides you with an overview of conformance for all validated APIs. You can monitor your APIs' conformance and notify developers to help improve the conformance.

[Screenshot: the API Governance console, with numbered callouts]

1. View a numeric and visual summary of your governance profiles, governance status, conformance status, and nonconformance by severity.
2. View, filter, and search a summary list of your governance profiles or validated APIs.
3. Export conformance reports in CSV format.
4. Add a new profile.
5. Select from the more options menu to export reports and view, edit, and delete profiles.

Governance in Exchange and Design Center

API Governance is integrated with Exchange and Design Center.

  • In Exchange, developers can view published APIs' conformance status details, discover provided rulesets, and publish custom rulesets.

  • In Design Center API Designer, developers or architects can check API conformance in the API design phase by applying governance rulesets directly to API definitions as dependencies.

[Screenshot: rulesets applied as dependencies in API Designer, with numbered callouts]

1. Add rulesets to your API project.
2. View conformance issues and filter by level of severity.
3. Expand the Project Errors section of the text editor to view nonconformance messages.

API Governance Concepts

Following are the concepts you need to know to use API Governance.

Governance Profiles

A governance profile applies chosen governance rulesets to a selected group of APIs. The API definitions are validated against the governance rulesets.

Governance Profile Status

You can view profile statuses in the console. Governance profile statuses are based on the percentage of conformant APIs in the profile:

  • Normal: More than 70% of APIs are conformant.

  • At Risk: Less than 70% of APIs are conformant.

Governance Rulesets

Governance rulesets are collections of rules, or guidelines, that can be applied over the metadata extracted from API definitions in the Anypoint Platform. Examples of governance rulesets include internal and external best-practice guidelines, such as naming conventions, and industry-specific government standards, such as ensuring that APIs handling sensitive data use encrypted transport (HTTPS).

MuleSoft provides several rulesets in Exchange, such as Anypoint API Best Practices, OpenAPI Best Practices, OWASP API Security Top 10, and Authentication Security Best Practices governance rulesets. You can discover rulesets published in Exchange by filtering the search in Exchange by the Rulesets type. See Search for Assets.

Governed APIs

APIs are governed if they are identified by the selection criteria of at least one of the governance profiles. If an API is governed, all versions of that API are considered one governed API. Subscription limits are set based on your organization’s purchased capacity, and the UI shows usage information and alerts you when you are nearing or exceeding your subscription capacity.

Governance Status

Governance status on the console shows the number of governed APIs, total number of APIs of supported API types, and subscription limit information.

API Conformance

API conformance indicates whether a validated API definition passes all of the required rules in one or more governance rulesets. If an API definition is included in multiple governance profiles, it must pass all of the rulesets in all of those profiles to be conformant.

API Conformance Status

API conformance status indicates whether the API definitions that are included in your governance profiles pass all applied governance rulesets:

  • Conformant: The APIs pass all applied governance rulesets.

  • Not Conformant: The APIs fail at least one governance ruleset.

  • Not Validated: The APIs are not validated because they are not included in a governance profile.

Versions of an API might have different conformance statuses. Total version conformance status counts are shown in the API Governance console and conformance status indicators are shown for API versions in API Governance and in Exchange.

API conformance applies only to API types supported by API Governance, such as REST API and AsyncAPI.

Nonconformance Severity

Nonconformance severity is categorized by the percentage of passed rulesets among all required rulesets:

  • High Severity: 0% - 40% of rulesets passed

  • Medium Severity: 41% - 80% of rulesets passed

  • Low Severity: 81% - 99% of rulesets passed
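To make the ruleset, conformance and severity concepts above concrete, here is an added example (written for this page; it is not MuleSoft code and does not use the Anypoint rules engine or its ruleset format). It applies two hypothetical rulesets, "transport-security" (the HTTPS example from the rulesets section plus a check that every operation declares a security requirement) and "naming-conventions", to a constructed OpenAPI 3 document held as a Python dict, then derives conformance status, nonconformance severity and profile status using the definitions given on this page. The rule names, the sample document and the treatment of fractional percentages and of exactly 70% are assumptions.

```python
"""Illustrative API governance check (added example, not MuleSoft code)."""
import re

# Constructed sample API definition (dict form of an OpenAPI 3 document).
# It deliberately contains a plain-HTTP server, an unsecured operation,
# a badly cased operationId and a path segment that is not kebab-case.
SAMPLE_API = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/customers": {
            "get": {"operationId": "listCustomers", "security": [{"bearer": []}]},
            "post": {"operationId": "CreateCustomer"},
        },
        "/Orders/{id}": {
            "get": {"operationId": "getOrder", "security": [{"bearer": []}]},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def iter_operations(api):
    """Yield (method, path, operation) for every operation in the document."""
    for path, item in api.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield method, path, op


# Each rule returns a list of findings; an empty list means the rule passed.
def rule_https_servers(api):
    return [f"server '{s['url']}' does not use https"
            for s in api.get("servers", [])
            if not s["url"].lower().startswith("https://")]


def rule_operations_secured(api):
    # An operation is unsecured if neither it nor the document declares security.
    return [f"{m.upper()} {p} declares no security requirement"
            for m, p, op in iter_operations(api)
            if not op.get("security") and not api.get("security")]


def rule_operation_id_camel(api):
    return [f"{m.upper()} {p} operationId {op.get('operationId')!r} is not lowerCamelCase"
            for m, p, op in iter_operations(api)
            if not re.fullmatch(r"[a-z][a-zA-Z0-9]*", op.get("operationId") or "")]


def rule_kebab_paths(api):
    findings = []
    for path in api.get("paths", {}):
        for seg in path.strip("/").split("/"):
            if seg.startswith("{") and seg.endswith("}"):
                continue  # path parameter, not subject to the naming rule
            if not re.fullmatch(r"[a-z0-9]+(-[a-z0-9]+)*", seg):
                findings.append(f"path segment '{seg}' in {path} is not kebab-case")
    return findings


# Hypothetical rulesets: a ruleset passes only when all of its rules pass.
RULESETS = {
    "transport-security": [rule_https_servers, rule_operations_secured],
    "naming-conventions": [rule_operation_id_camel, rule_kebab_paths],
}


def validate(api, rulesets=RULESETS):
    """Return {ruleset name: findings}; an empty findings list means the ruleset passed."""
    return {name: [f for rule in rules for f in rule(api)] for name, rules in rulesets.items()}


def conformance_status(results):
    """Conformant only if every applied ruleset passed (page definition)."""
    return "Conformant" if all(not f for f in results.values()) else "Not Conformant"


def nonconformance_severity(results):
    """Severity bands from the page: 0-40% high, 41-80% medium, 81-99% low.
    Assumption: a fractional percentage is placed in the band whose upper bound it is below."""
    if not results:
        return None
    passed = sum(1 for f in results.values() if not f)
    pct = 100 * passed / len(results)
    if pct == 100:
        return None  # conformant, no severity
    if pct <= 40:
        return "High"
    if pct <= 80:
        return "Medium"
    return "Low"


def profile_status(api_statuses):
    """Normal when more than 70% of the profile's APIs are conformant, else At Risk
    (assumption: exactly 70% is treated as At Risk; the page does not say)."""
    conformant = sum(1 for s in api_statuses if s == "Conformant")
    return "Normal" if 100 * conformant / len(api_statuses) > 70 else "At Risk"


if __name__ == "__main__":
    res = validate(SAMPLE_API)
    for name, findings in res.items():
        print(f"{name}: {'pass' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
    print("conformance:", conformance_status(res), "| severity:", nonconformance_severity(res))
```

Run as a script it lists each finding per ruleset and then the overall status; for the constructed document both rulesets fail, so the API is Not Conformant with High severity. Rules are plain functions returning findings, so adding a rule to a ruleset is a one-line change, and the same `validate` output feeds the profile-level summary that the console computes across many APIs.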

Project Errors

Project errors are shown in the Design Center API Designer text editor page. The Project Errors section of the page shows functional issues and nonconformance messages found in the API definition that is open in the text editor.

API Governance Usage Reports

You can view usage reports to gain insight into your monthly usage of API Governance. See Viewing Usage Reports for API Governance.
