Importance of API Governance to Ensure API Conformance and Consistency

In this blog, we will walk through how to enable API Governance to ensure API conformance and consistency with MuleSoft. MuleSoft has recently introduced API Governance as a part of the Anypoint Platform and this will ensure that API design with best practices and guidelines, Top 10 OWASP security etc. API Governance provides a set of default rules that includes Anypoint best practices, OpenAPI Best practices, HTTP Enforcement etc.

With these rulesets, you don’t have to maintain the best practices and guidelines in the siloed documents and you can make use of default rulesets as well as you can define custom rulesets to ensure API conformance and consistency.

API Governance ensures the standardization of the APIs so that they are secure, consistent, compliant, reusable and easily discoverable. It is very important for organizations implementing Design First strategy to enable API Governance and APIs become core components of any business digital transformation and most of the enterprises consider the API as a Product. So API Governance becomes a more vital stage in API Lifecycle management.

It is very important and critical to ensure API Design, Security and Conformant of APIs at design time. This will ensure that API design is consistent, compliant and secured across your enterprise.

Below is the default ruleset that comes as a part of API Governance.

In an API Governance Console, you can add governance rulesets to your governance profiles and that will apply governance rulesets to multiple APIs within the organization.

Create Profile in Anypoint API Governance Console

Step 1 — In API Governance Console, create profile and provide general information like Profile Name and Purpose.

Step 2 — Select the rulesets that need to be associated with this profile.

Step 3 — Provide filter criteria. This step will ensure that what kind of APIs needs to be scanned with this profile. You have the option to filter the APIs on the basis of Tags, category, API Type etc.

Step 4 — Enable Notification. By default notification is enabled and it will generate email to developer in case APIs is marked as a Non Conformant.

Step 5 — Review the APIs. At the end review the APIs and create the profile.

In case, you haven’t created the profile in API Governance Console or APIs don’t match filter criteria, status of the API in Anypoint Exchange will be Not Validated.

Once the API Governance profile is created, all APIs within Anypoint Exchange that match the filter criteria will be scanned and API status will be either Conformant or Non Conformant.

There are three different statuses maintained as part of the Anypoint API Governance.

Not Validated — API is not validated against any profile. This might be due to no profile existing or no profile matching the criteria for this API.

Conformant — API has been validated and all rulesets have been satisfied.

Non Conformant — API has been validated and few or more rulesets have not been satisfied.

API Governance console also provides the overview of conformance report for all yours validated APIs and also monitor and send notification to developers about API conformance. In the API Governance console, you can see Nonconformance by Severity, API Conformance Status, what are the rulesets that have been violated.

It is also possible for developers to apply governance rules to the API definition in the Design Center during the design phase and this can be added as a dependency.

Why is API Governance important?

API Governance is one of the important stages of API Lifecycle management and it enables consistency across the APIs and allows the components to be reused. For an API Program to be successful within an organization, it is very important that everyone in the organization follows identical guidelines, security approach and best practices for API Design.

Can we integrate API Governance with CI/CD pipeline?

Yes, you can easily integrate API Governance for automated scan with CI/CD pipeline using Anypoint CLI. Here is the documentation

Where to find a list of Anypoint CLI commands for API Governance?

Here is the link

Can we apply API Governance to the existing APIs in the Anypoint Exchange?

Yes, it is possible to apply API Governance to existing API in the Anypoint Exchange. Once you create an API Governance profile, it will automatically scan all those APIs which match the profile filter criteria and mark the API as Conformant and Non-Conformant. You can see the report in the API Governance console.

Can we create custom rules for API Governance?

Yes, it is possible to create custom rules for API Governance. More details can be found here

Where to find details about API Governance default rulesets?

• Anypoint Best Practices
• Authentication Security Best Practices
• HTTPS Enforcement
• OpenAPI Best Practices
• OWASP API Security Top 10 2019 Checklist
• Required Examples

Can we reduce the severity or disable any rules from default rulesets?

Yes, it is possible to do so. Here is the documentation

How to monitor API Conformance status?

API Conformance status can be seen on API Governance Console. Here is the link providing more details

Can we send notification to developers in case the API is Non-Conformant?

Yes, we can configure notification on API Governance profile and it will automatically send notification to developers

Can we provide some ideas or recommendations for adding more custom rulesets to Anypoint API Governance?

Yes, we can submit the idea to MuleSoft using Idea Portal. Here is the link

How to fix validation errors that failed during API Governance scan?

Developers can check the violation in the API Governance Console and start fixing the errors in the Design Center.

What are the benefits of API Governance?

• Enable developers to apply governance rulesets at design time.
• Produce consistent API specs across the enterprises.
• Improved API Quality, Security and Conformance continuously.
• API design with Anypoint Best Practices and OpenAPI Best Practices.
• API Conformance at Design Time
• Ensure Design-Time conformance.
• Minimize Top 10 OWASP security risks.

Conclusion

MuleSoft has recently introduced the API Governance as a part of the Anypoint Platform that enables you to apply governance ruleset to your APIs that ensures API Consistency and provides default several ruleset such as a Top 10 OWASP API Security, Anypoint API Best Practices, OpenAPI Best Practices governance rulesets etc.

API Governance will ensure the APIs design across the enterprises is consistent and it is designed with API Best Practices and Guidelines and ensure the API Security and improve the quality of APIs.