Configuring governance in the API Manager
How to add custom governance rulesets to your API development process, to validate and enforce organizational governance policies and best practices in your provider organization.
Before you begin
- Organization Administrator
- Owner
- Custom role with the
Settings: Manage
permission.
About this task
The governance service is an add-on to IBM® API Connect that can be used to validate and enforce organizational governance policies and best practices in your API development process. You configure governance by creating one or more custom rulesets that contain a collection of rules that can then be used to check Swagger, OpenAPI, and AsyncAPI documents, as well as product documents. You can also run validation scans on your catalogs and spaces; for more information, see Scanning your catalogs and spaces.
- API
-
- Provider organization rulesets - these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization for validating APIs.
- Global rulesets - these are pre-configured IBM and Spectral rulesets that contain the rules that are shared with your provider organization for validating APIs, and cannot be edited. Note that the Spectral ruleset names are prefixed with spectral-, and that their version matches the version of that ruleset that's available in Spectral.
- Product
-
- Provider organization rulesets - these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization for validating products.
- Global rulesets - these are pre-configured custom rulesets that contain the rules that are shared with your provider organization for validating products, and cannot be edited.
Governance in API Connect is based on the open source Spectral linter; for more information about Spectral, see https://docs.stoplight.io/docs/spectral/674b27b261c3c-overview.
- Governance in API Connect supports the
creation of custom rulesets that contain rules that use only the built-in
Spectral core functions, as defined in https://docs.stoplight.io/docs/spectral/cb95cf0d26b83-core-functions. The use of custom functions, for example rules that use functions that you
created yourself in JavaScript files, is not supported. Also note that the following
Spectral OpenAPI rules aren't supported as they might identify false positives:
oas2-unused-definition
oas3-unused-component
- Some of the Spectral rules within the Global rulesets
contain the property
recommended: false
, which means that those rules are ignored during validation. However, if you create a new ruleset from one of these rulesets by using the Save as new ruleset option, therecommended
property isn't transferred to the new ruleset. Therefore, all the rules are used in the validation, unless you delete those rules from the ruleset. The Spectral ruleset names are prefixed with spectral-. - Dereferencing, which means not introspecting a referenced definition within an API, is not supported in the governance service. Instead, a referenced object can be explicitly validated by using custom rules.
Procedure
Results
What to do next
When you finish editing your ruleset, you can publish it to your provider organization. Click the options menu icon either next to the ruleset that you want to publish, or from within the ruleset viewer. Select Publish, and then click Publish again to confirm. The status of your ruleset changes from Draft to Published, and can now be used by developers to validate their API and product documents. For more information, see Validating an API document by using governance.
To validate an API or product document by using a published ruleset, click Validate, select the APIs or products to validate, then select the rulesets and rules that you want to use, and click Validate again. If the API that you want to validate includes a tag that has a matching tag in one or more rulesets, then those rulesets are automatically selected for the scan. However, you can edit the ruleset selection to your requirements. The results of the validation are displayed in a scorecard.
You can also run validation scans on your catalogs and spaces; for more information, see Scanning your catalogs and spaces.
- After a ruleset is published, the ruleset information and rules can no longer be edited. If you need to update this information, you must create a new version by clicking the options menu icon either next to the ruleset that you want to edit, or from within the ruleset viewer, and selecting Save as new ruleset.