MuleSoft recently added API governance standards to the Anypoint Platform, allowing users to apply governance rulesets to APIs to ensure design consistency. It provides several rulesets by default, such as OWASP API Security Top 10, Anypoint API Best Practices, Open API Security Best Practices Governance Rulesets, and others. API Governance helps improve an organization’s API quality by identifying conformance issues and taking steps to resolve them.

Implementing API Governance and MuleSoft API security best practices ensures standardization in API design throughout the organization and promotes adherence to industry-standard best practices and guidelines to ensure the security and quality of APIs.

API Governance is connected with the following Anypoint Platform components:

  1. Anypoint Design Centre, where governance rulesets are applied to API definitions (as dependencies)
  2. Anypoint Exchange, where governance rulesets are cataloged and discovered.

Governance profiles

A governance profile can be attached with several rulesets that can be applied to a selected set of APIs. The API definitions are validated against the governance rulesets. A governance profile has two statuses – Normal and At Risk, based on the percentage of conformant APIs in the governance profile.

  1. Normal: More than 70% of APIs are conformant
  2. At Risk: Less than 70% of APIs are conformant

Governance rulesets

Governance rulesets are collections of rules, or guidelines, that can be applied over the metadata extracted from any REST API definition in the Anypoint Platform. Some examples of governance rulesets are internal and external best practice guidelines, such as naming conventions, and industry-specific government standards, such as ensuring that an API carrying sensitive data is encrypted.

Applying governance rulesets to specified APIs

After identifying the APIs in the Exchange to be governed, governance profiles are created. Governance profiles enable the application of multiple sets of rulesets to specified APIs.

Creating a governance profile using the API Governance console

  • After opening the API Governance tab present in the Anypoint Platform, click on New Profile.
  • Follow the steps to create an API governance profile:
    • General Information: Enter a profile name, description(optional), and other details.
    • Rulesets: Based on your industry standard, select one or more rulesets to govern your APIs.
    • Filter Criteria: Rulesets are applied to a subset of APIs based on the filter criteria (API type, tags, categories, etc.).
  • Note: If you do not select filter criteria, your governance profile is applied to all your APIs in the Exchange. Also, the filter criteria are applied to any APIs that are added to the Exchange in the future.
    • Notifications: Enable or disable automatic notifications for this profile. By default, send email notifications are enabled.
    • Review: Review your profile configurations and click Create.

Update a governance profile using the API Governance console

  • In the console, under the Profiles tab of API Governance, click the more options menu symbol at the end of the profile and select Edit.
  • Navigate through the UI using the Next and Previous buttons and update the profile configurations as required.
  • Review your configurations and click Update Profile.

NOTE: After applying changes, all APIs are updated to indicate how many APIs your governance profile includes based on your updated filter criteria.

Deleting a governance profile using the API Governance console

  1. In API Governance, under the Profiles tab of the console, click the additional options menu button at the end of the profile and select Delete.
  2. Click Yes, Delete.

Sending conformance notifications

Notifications can be sent automatically by configuring them in the API Governance console. Alternatively, you can send the notifications manually from a governance profile.

Each email notification includes the following:

  • The name of the API that is not conformant
  • Which governance rulesets the API failed
  • The number and types of rules that failed (violation, warning, and information)
  • Links to API details in the Exchange and code in the Design Centre

API conformance

API conformance indicates whether a validated API definition passes all the required rules in one or more governance rulesets. If an API definition is included in multiple governance profiles, it must pass all the rulesets in all those profiles to be conformant.

Note: API conformance applies only to API definitions published in the Exchange as REST APIs.

Status information on the console

The latest status information is available on the console. The user can also:

  • View a numeric summary of their governance profiles, API conformance, and nonconformance by severity.
  • View, filter, and search a summary list of their governance profiles or validated APIs and export conformance reports in CSV format.
  • Select from the more options menu to export reports and view, edit, and delete profiles.

API conformance across governance profiles

API conformance status indicates whether the API definitions included in the governance profiles pass all applied governance rulesets. The status can be interpreted as follows:

  • Conformant: The APIs pass all applied governance rulesets.
  • Not Conformant: The APIs fail at least one governance ruleset.
  • Not Validated: The APIs are not validated because they are not included in a governance profile.

Nonconformance Severity

Nonconformance severity is categorized by the percentage of passed rulesets among all required rulesets

  • High Severity: 0 – 40% of rulesets passed
  • Medium Severity: 41% – 80% of rulesets passed
  • Low Severity: 81% – 99% of rulesets passed

Conformance status indicates the status of your API definitions’ conformance to selected rulesets, as configured in your governance profiles.

Apply consistent rules at design time

This enables developers to apply governance rulesets at design time in Anypoint API Designer.

  • API developers or architects can apply the governance rulesets directly to API definitions as dependencies in the API Designer during the API design phase.
  • Add rulesets to the API project.
  • View conformance issues and filter by level of severity.
  • Expand the Project Errors section of the text editor to view nonconformance messages.

Viewing Conformance Status in Exchange

The conformance status can be viewed in the Exchange for APIs validated by API governance. If an API is validated:A conformance badge is displayed for a selected API version.A Conformance column shows conformance for each validated version of the API on the Manage Versions page.

To view a conformance status in the Exchange:

  • Select an API asset in the Exchange.
  • A conformance badge is displayed beside the lifecycle state badge.
  • To see conformance by version, click Manage Versions.
  • The Conformance column shows the governance conformance status for each validated version.

Benefits of MuleSoft API Governance

  • Enables developers to apply governance rulesets at design time
  • Produces consistent API specs across enterprises
  • Improves API quality and security
  • API design with Anypoint best practices and Open API best practices
  • Ensures design-time conformance
  • Reduces risks related to OWASP API Security Top 10


Anypoint API Governance makes it easy for development teams to adopt API governance. Developers can apply the standards by accessing the existing profiles from Anypoint Exchange. These profiles can be added as dependencies in the API Designer during development. If an API does not conform with existing compliance requirements, architects from central IT teams can notify developers via email from the API Governance console. Hence it ensures the standard checks of the API across the organization.

Explore MuleSoft API integration with Nous experts. Learn how we help businesses leverage the MuleSoft platform to transform their digital business.

Further reading:

API governance default rulesets can be found in the links provided below for further details:

API governance – Default rulesets:

Prakash K M
Senior Software Engineer - Enterprise Integration

Ready to get started?

Contact us Close