About API Governance

Artyom Subbotin
MuleSoft Architect

Anypoint API Governance is a component of the Anypoint Platform that enables you to apply governance rules to your APIs as part of the API lifecycle. API Governance helps you improve your organization’s API quality by allowing you to identify conformance issues and take steps to resolve them.

What are the benefits of API Governance?

  • Enable developers to apply governance rulesets at design time.

  • Produce consistent API specs across enterprises.

  • Improve API quality and security.

  • Design APIs according to Anypoint best practices and OpenAPI best practices.

  • Ensure design-time conformance.

  • Reduce OWASP Top 10 security risks.

Govern Your APIs

Step 1 - Identify APIs
To apply rulesets to specific APIs, you need to identify the API assets in Exchange using tags or categories. In this example, we have one API with the tag “sample-api”.

Step 2 - Configure a governance profile
Create a governance profile:
a. In API Governance, click New Profile;
b. Enter general information about your Profile:

c. Choose rulesets predefined by MuleSoft. Exchange provides several, such as the Anypoint API Best Practices, OpenAPI Best Practices, OWASP API Security Top 10, and Authentication Security Best Practices governance rulesets. It is also possible to create custom governance rulesets based on rulesets that are already in Exchange:

d. Apply filter criteria to select a specific group of APIs:

e. Configure notifications if needed:

f. Review and create profile:

Step 3 - Monitor governance conformance status
Check the profile report and improve your APIs based on the suggested changes:

Governance profile statuses are based on the percentage of conformant APIs in the profile:

  • Normal: More than 70% of APIs are conformant;

  • At Risk: Less than 70% of APIs are conformant.

API conformance status indicates whether the API definitions that are included in your governance profiles pass all applied governance rulesets:

  • Conformant: The APIs pass all applied governance rulesets;

  • Not Conformant: The APIs fail at least one governance ruleset;

  • Not Validated: The APIs are not validated because they are not included in a governance profile.

Nonconformance severity is categorized by the percentage of passed governance rulesets among all applied governance rulesets:

  • High Severity: 0 - 40% Governance rulesets passed;

  • Medium Severity: 41% - 80% Governance rulesets passed;

  • Low Severity: 81% - 99% Governance rulesets passed.
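The three classifications above (profile status, API conformance status and nonconformance severity) are simple threshold rules, but a report rolls them up from the individual ruleset results. The following is an added example, not code from the original post or from MuleSoft: it applies the thresholds stated in the text to constructed pass/fail results for a handful of APIs. The ruleset names are taken from the post; the API names and their results are constructed sample data. Two points the text leaves open are handled as labelled assumptions: exactly 70% conformant APIs is treated as At Risk, and a fractional pass percentage falls into the band whose upper bound it does not exceed.

```python
"""Added example, not code from the original post or from MuleSoft: derive the
governance profile status, per-API conformance status and nonconformance
severity from constructed ruleset results, using the thresholds in the text."""

# Ruleset names come from the post; the per-API pass/fail values are constructed.
RULESETS = [
    "Anypoint API Best Practices",
    "OpenAPI Best Practices",
    "OWASP API Security Top 10",
]

# Constructed sample: the governance profile covers five APIs tagged
# "sample-api"; each entry maps ruleset name -> passed?
PROFILE_RESULTS = {
    "orders-api":    dict(zip(RULESETS, (True, True, True))),
    "inventory-api": dict(zip(RULESETS, (True, True, True))),
    "shipping-api":  dict(zip(RULESETS, (True, True, True))),
    "customers-api": dict(zip(RULESETS, (True, True, False))),   # 2/3 passed
    "payments-api":  dict(zip(RULESETS, (False, False, True))),  # 1/3 passed
}

# One more (constructed) API exists in Exchange but is not in any profile.
ALL_APIS = list(PROFILE_RESULTS) + ["legacy-soap-api"]


def pass_percentage(results):
    """Percentage of applied rulesets the API passed (0.0 .. 100.0)."""
    passed = sum(1 for ok in results.values() if ok)
    return 100.0 * passed / len(results)


def conformance_status(api, profile_results):
    """Conformant / Not Conformant / Not Validated, as defined in the post."""
    if api not in profile_results:
        return "Not Validated"          # not included in a governance profile
    if all(profile_results[api].values()):
        return "Conformant"             # passes every applied ruleset
    return "Not Conformant"             # fails at least one ruleset


def nonconformance_severity(results):
    """Severity band for a Not Conformant API, or None if it is conformant.

    The post lists integer bands (0-40, 41-80, 81-99). Assumption made here:
    a fractional percentage falls into the band whose upper bound it does not
    exceed, so 40.5% is Medium and 80.5% is Low."""
    pct = pass_percentage(results)
    if pct == 100.0:
        return None
    if pct <= 40:
        return "High"
    if pct <= 80:
        return "Medium"
    return "Low"


def profile_status(profile_results):
    """Normal if more than 70% of the profile's APIs are conformant, else At Risk.

    The post does not say which status exactly 70% gets; this example treats
    it as At Risk (assumption)."""
    if not profile_results:
        raise ValueError("profile has no APIs")
    conformant = sum(
        1 for api in profile_results
        if conformance_status(api, profile_results) == "Conformant"
    )
    pct = 100.0 * conformant / len(profile_results)
    return "Normal" if pct > 70 else "At Risk"


def profile_report(all_apis, profile_results):
    """Roll the three classifications into one report structure."""
    apis = {}
    for api in all_apis:
        status = conformance_status(api, profile_results)
        entry = {"status": status, "severity": None, "failed_rulesets": []}
        if status == "Not Conformant":
            results = profile_results[api]
            entry["severity"] = nonconformance_severity(results)
            entry["failed_rulesets"] = [r for r, ok in results.items() if not ok]
        apis[api] = entry
    return {"profile_status": profile_status(profile_results), "apis": apis}


if __name__ == "__main__":
    report = profile_report(ALL_APIS, PROFILE_RESULTS)
    print("Profile status:", report["profile_status"])   # 3 of 5 conformant -> At Risk
    for api, entry in report["apis"].items():
        line = f"  {api:15} {entry['status']}"
        if entry["severity"]:
            failed = ", ".join(entry["failed_rulesets"])
            line += f" ({entry['severity']} severity; failed: {failed})"
        print(line)
```

With three rulesets an API can only score 0%, 33.3%, 66.7% or 100%, so the Low band (81-99%) is unreachable; it only appears once a profile applies enough rulesets, which the report function handles without change.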

After reviewing the results, conformance issues can be fixed in either Design Center or Anypoint Studio.