Scanning your catalogs and spaces

How to use the governance service to run validation scans on your catalogs and spaces. You can run scans on both the APIs and the products within your catalogs and spaces.

Before you begin

One of the following roles is required to be able to run validation scans:
  • Organization Administrator
  • Owner
  • Custom role with the Settings: Manage permission.

About this task

The governance service in IBM® API Connect can be used to validate and enforce organizational governance policies and best practices to your API development process. The governance service contains the following types of rulesets:

The governance service contains the following types of rulesets:
API
  • Provider organization rulesets - these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization for validating APIs.
  • Global rulesets - these are pre-configured IBM and Spectral rulesets that contain the rules that are shared with your provider organization for validating APIs, and cannot be edited. Note that the Spectral ruleset names are prefixed by spectral-, and that their version matches the version of that ruleset that's available in Spectral.
Product
  • Provider organization rulesets - these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization for validating products.
  • Global rulesets - these are pre-configured custom rulesets that contain the rules that are shared with your provider organization for validating products, and cannot be edited.

You can create your own provider organization rulesets to validate your Swagger, OpenAPI, and AsyncAPI documents against, as well as product documents, or use any global rulesets that are provided by default. For more information about configuring rulesets, see Configuring governance in the API Manager.

Governance in API Connect is based on the open-source Spectral linter; for more information about Spectral, see https://docs.stoplight.io/docs/spectral/674b27b261c3c-overview.

Validation scanning can be run on one or more API or product documents, or on a single catalog or space. The following instructions describe how to run validation scans on a catalog or space by using the API Manager UI, or the toolkit CLI. For information about how to run validation scans on one or more API or product documents, see Validating an API or product document by using governance.

Note:
  • You can select only one catalog or space to run each validation scan on. However, you can run multiple scans at the same time.
  • You can also run a validation scan from within a catalog or space. Open the catalog or space that you want to scan, and then select the Governance tab. Ensure Scans is selected, click API or Product depending on what you want to scan, and then click New scan, and follow the scan wizard.
  • Validation scanning by catalog or space is not available in the API Designer UI.
CAUTION:
Scanning catalogs or spaces that contain more than a hundred API or product documents, and using a large number of rulesets for the scan, can take hours to complete, and might time out before completion depending on the workload on your server. Only one document can be scanned at a time, and the more rulesets that are applied, the longer each individual scan will take. In this scenario consider selecting only a few rulesets for each scan.

Procedure

  • Running a validation scan by using the API Manager UI.
    1. In the side menu bar, click The governance icon is the outline of a shield in white, on a black background. Governance.
      The Governance page is displayed.
    2. Ensure the Scans tab is selected, click API or Product depending on what you want to scan, and click New scan.
      The New validation scan wizard opens.
    3. Select the catalog that you want to scan, and click Next.
    4. Optional: If spaces are enabled on the catalog, you can then select the space that you want to scan, and click Next.
    5. Select one or more rulesets, and click Next.
      If there are matching tags in the APIs and in the rulesets, the validation process preselects which rulesets to use for the scan. However, you can override this preselection with rulesets of your choice. For information about how to add tags, see Configuring governance in the API Manager, and Adding tags to an API.
    6. Select one or more rules, and click Next.
    7. Enter a title for the scan, or accept the default title, and click Start scan.
      You scan is started, and appears in the list of scans in the Catalog and space validation table. The scan Status is initially set to Queued, then changes to In progress, and then changes to Complete when it's finished. Note that scans containing a lot of data can take a long time to complete.
    8. When your scan is finished, you have the following options:
      • You can see a Summary of the scan in the table. If there were findings in the report, the summary displays the number of Errors, Warnings, or Hints in the validation, and also how many Rulesets were run in the scan.
      • You can click on the scan Title, or click the options menu icon options menu icon of three vertical dots next to the scan and select View, to view the scan dashboard. The dashboard shows a scorecard summary of the scan, as well as detailed information about any messages and their severity.
  • Running a validation scan by using the toolkit CLI.
    1. Create a JSON COMPLIANCE_REQUEST_FILE that specifies the location of the catalog or space and the rulesets to use during the validation scan.
      For example:
      {
        "collectionUrl": "https://server/api/catalogs/org/catalog",
        "config": {
          "rulesets": [
            {
              "rulesetName": "spectral-oas",
              "disabled": ["info-contact"]
            },
            {
              "rulesetName": "spectral-owasp",
              "disabled": []
            }
          ]
        }
      }
      
      Where:
      • collectionUrl is the URL of the catalog or space that contains the API documents that you want to run a validation scan on, where server is the server URL, org is the name or ID of the provider organization, and catalog is the name or ID of the catalog or space. For example https://localhost:3003/api/catalogs/alpha/sandbox.
      • rulesets contains a list of the rulesets to be applied to the APIs during the validation scan.

        For each ruleset in the list, you can optionally add the disabled property with a comma-delimited list of rules to ignore during validation.

    2. Log in to the toolkit as the owner or an admin of your provider organization.
    3. In the governance mode, run the compliance:scan command:
      apic --mode governance compliance:scan --scope org --org target_org --server mgmt_endpoint_url COMPLIANCE_REQUEST_FILE
      Where:
      • scope is the scope of the scan, and must be set to org for a catalog or space validation scan.
      • target_org is the name of the provider organization that contains the catalog or space that you want to scan.
      • mgmt_endpoint_url is the management server URL that you use for logging in to the toolkit.
      • COMPLIANCE_REQUEST_FILE is the path and filename of the JSON file that contains the configuration details for the validation scan. For example, ./documents/validate-apis.json.
      This command runs a scan on your APIs.
      To run a scan on your products, you must add the optional parameter of --scan_type with a value of product to the command. For example:
      apic --mode governance compliance:scan --scope org --org my_org --server my_server ./documents/validate-products.json --scan_type product
      You can use the value api to scan only APIs, or product to scan only products. If omitted, only APIs are scanned.
      The following optional parameter enables you to refine the results of this command.
      • --scantitle scan_title is an optional flag that changes the retrieved scan's title to the value that you provide.
      For example:
      apic --mode governance compliance:scan --scope org --org my_org --server my_server ./documents/validate-apis.json --scantitle scan1
    4. After the scan is finished, the results of the scan are printed to the screen. For more information about toolkit scan commands, see Using the toolkit CLI to scan your catalogs and spaces.

Results

Your validation scan is now listed in the Catalog and space validation table in the API Manager UI.

What to do next

When your scan is complete, the following options are available from within the dashboard UI:
  • Click Export to export all of the scan data as a .csv file.
  • Click Re-run scan to generate a new scan report based on the same configuration data. Each run of the same scan generates a new report.
  • The date and time of each scan report is displayed at the beginning of the dashboard, and if you have run more than one scan, you can select which scan report you want to view from the Scanned date list.
  • From the options menu options menu icon of three vertical dots, you can select Rename or Delete.
  • You can view each of the scorecard charts in tabular form, and download that data as .csv files.
  • You can use the filter options on the table of messages to display the data that you require, and you can also change the sort order of the columns.