Configuring governance in the Cloud Manager
How to add governance rulesets in the Cloud Manager to validate and enforce organizational governance policies and best practices across your API development process.
Before you begin
Before you can run validation scans you must have governance enabled on your management subsystem by your system administrator. See Enabling governance on Kubernetes for more information. If governance is enabled in your deployment, the Governance icon is displayed in the side menu bar. If you are only a catalog or space member of a provider organization, a Governance tab is visible in the catalog menu.
The governance service is available to all user roles.
About this task
- API
-
- Global rulesets - these are custom rulesets that you can keep private, or you can make available to some or all of your provider organizations for validating APIs.
- Default rulesets - these are default rulesets that are built-in to API Connect, and contain pre-configured rules that are available to all of your provider organizations for validating APIs, and cannot be edited.
- Product
-
- Global rulesets - these are custom rulesets that you can keep private, or you can make available to some or all of your provider organizations for validating products.
The governance service is based on the open source Spectral linter; for more information about Spectral, see https://docs.stoplight.io/docs/spectral/674b27b261c3c-overview.
- Governance in API Connect supports the
creation of custom rulesets that contain rules that use only the built-in
Spectral core functions, as defined in https://docs.stoplight.io/docs/spectral/cb95cf0d26b83-core-functions. The use of custom functions, for example rules that use functions that you
created yourself in JavaScript files, is not supported. Also note that the following
Spectral OpenAPI rules aren't supported as they might identify false positives:
oas2-unused-definition
oas3-unused-component
- Some of the Spectral rules within the Default rulesets
contain the property
recommended: false
, which means that those rules are ignored during validation. However, if you create a new ruleset from one of these rulesets by using the Save as new ruleset option, therecommended
property isn't transferred to the new ruleset. Therefore, all the rules are used in the validation, unless you delete those rules from the ruleset. The Spectral ruleset names are prefixed with spectral-. - Dereferencing, which means not introspecting a referenced definition within an API, is not supported in the governance service. Instead, a referenced object can be explicitly validated by using custom rules.
- You can also configure governance rulesets directly in a provider organization. For more information, see Configuring governance in the API Manager.
Procedure
Results
What to do next
When you finish editing your ruleset, you can publish it to your provider organizations. Click the options menu icon either next to the ruleset that you want to publish, or from within the ruleset viewer. Select Publish, and then click Publish again to confirm. The status of your ruleset changes from Draft to Published, and can now be used to validate API and product documents. For more information, see Validating an API document by using governance.
You can also use a published ruleset to validate an API or product document in the Cloud Manager. Click Validate, upload a document file to validate, and then select the rulesets and rules that you want to use for the validation. If the API that you want to validate includes a tag that has a matching tag in one or more rulesets, then those rulesets are automatically selected for the scan. However, you can edit the ruleset selection to your requirements. The results of the validation are displayed in a scorecard.
- After a ruleset is published, the ruleset information and rules can no longer be edited. If you need to update this information, you must create a new version by clicking the options menu icon either next to the ruleset that you want to edit, or from within the ruleset viewer, and selecting Save as new ruleset.
- By default, rulesets are published to all of your provider organizations. If you want to change which provider organizations can use your rulesets, you must edit the visibility after publishing.
- Private - the ruleset is not visible and cannot be used by any provider organization.
- Public - the ruleset is visible and can be used by all provider organizations.
- Custom - the ruleset is visible to and can be used by only the provider organizations that are designated by you.