MuleSoft recently added API governance standards to the Anypoint Platform, allowing users to apply
governance rulesets to APIs to ensure design consistency. It provides several rulesets by default, such as
OWASP API Security Top 10, Anypoint API Best Practices, Open API Security Best Practices Governance
Rulesets, and others. API Governance helps improve an organization's API quality by identifying conformance
issues and taking steps to resolve them.
Implementing API Governance and MuleSoft API security best practices ensures standardization in API design
throughout the organization and promotes adherence to industry-standard best practices and guidelines to
ensure the security and quality of APIs.
API Governance is connected with the following Anypoint Platform components:
- Anypoint Design Centre, where governance rulesets are applied to API definitions (as dependencies)
- Anypoint Exchange, where governance rulesets are cataloged and discovered.
A governance profile can be attached with several rulesets that can be applied to a selected set of APIs.
The API definitions are validated against the governance rulesets. A governance profile has two statuses
Normal and At Risk, based on the percentage of conformant APIs in the governance profile.
- Normal: More than 70% of APIs are conformant
- At Risk: Less than 70% of APIs are conformant
Governance rulesets are collections of rules, or guidelines, that can be applied over the metadata extracted
from any REST API definition in the Anypoint Platform. Some examples of governance rulesets are internal and
external best practice guidelines, such as naming conventions, and industry-specific government standards,
such as ensuring that an API carrying sensitive data is encrypted.
Applying governance rulesets to specified APIs
After identifying the APIs in the Exchange to be governed, governance profiles are created. Governance
profiles enable the application of multiple sets of rulesets to specified APIs.
Creating a governance profile using the API Governance console
- After opening the API Governance tab present in the Anypoint Platform, click on New
Follow the steps to create an API governance profile:
General Information: Enter a profile name, description(optional), and other
- Rulesets: Based on your industry standard, select one or more rulesets to
govern your APIs.
- Filter Criteria: Rulesets are applied to a subset of APIs based on the filter
criteria (API type, tags, categories, etc.).
Note: If you do not select filter criteria, your governance profile is applied to all your APIs in
the Exchange. Also, the filter criteria are applied to any APIs that are added to the Exchange in
Notifications: Enable or disable automatic notifications for this profile. By
default, send email notifications are enabled.
- Review: Review your profile configurations and click Create.
Update a governance profile using the API Governance console
- In the console, under the Profiles tab of API Governance, click the more options menu symbol at the end
of the profile and select Edit.
- Navigate through the UI using the Next and Previous buttons and update
the profile configurations as required.
- Review your configurations and click Update Profile.
NOTE: After applying changes, all APIs are updated to indicate how many APIs your governance profile
includes based on your updated filter criteria.
Deleting a governance profile using the API Governance console
- In API Governance, under the Profiles tab of the console, click the additional options menu button at
the end of the profile and select Delete.
- Click Yes, Delete.
Sending conformance notifications
Notifications can be sent automatically by configuring them in the API Governance console. Alternatively,
you can send the notifications manually from a governance profile.
Each email notification includes the following:
- The name of the API that is not conformant
- Which governance rulesets the API failed
- The number and types of rules that failed (violation, warning, and information)
- Links to API details in the Exchange and code in the Design Centre
API conformance indicates whether a validated API definition passes all the required rules
in one or more governance rulesets. If an API definition is included in multiple governance profiles, it
must pass all the rulesets in all those profiles to be conformant.
Note: API conformance applies only to API definitions published in
the Exchange as REST APIs.
Status information on the console
The latest status information is available on the console. The user can also:
- View a numeric summary of their governance profiles, API conformance, and nonconformance by severity.
- View, filter, and search a summary list of their governance profiles or validated APIs and export
conformance reports in CSV format.
- Select from the more options menu to export reports and view, edit, and delete profiles.
API conformance across governance profiles
API conformance status indicates whether the API definitions included in the governance profiles pass all
applied governance rulesets. The status can be interpreted as follows:
- Conformant: The APIs pass all applied governance rulesets.
- Not Conformant: The APIs fail at least one governance ruleset.
Not Validated: The APIs are not validated because they are not included in a governance
Nonconformance severity is categorized by the percentage of passed rulesets among all required rulesets
- High Severity: 0 - 40% of rulesets passed
- Medium Severity: 41% - 80% of rulesets passed
- Low Severity: 81% - 99% of rulesets passed
Conformance status indicates the status of your API definitions' conformance to selected rulesets, as
configured in your governance profiles.
Apply consistent rules at design time
This enables developers to apply governance rulesets at design time in Anypoint API Designer.
- API developers or architects can apply the governance rulesets directly to API definitions as
dependencies in the API Designer during the API design phase.
- Add rulesets to the API project.
- View conformance issues and filter by level of severity.
- Expand the Project Errors section of the text editor to view nonconformance messages.
Viewing Conformance Status in Exchange
The conformance status can be viewed in the Exchange for APIs validated by API governance. If an API is
A conformance badge is displayed for a selected API version.
A Conformance column shows conformance for each validated version of the API on the
Manage Versions page.
To view a conformance status in the Exchange:
- Select an API asset in the Exchange.
- A conformance badge is displayed beside the lifecycle state badge.
- To see conformance by version, click Manage Versions.
- The Conformance column shows the governance conformance status for each validated
Benefits of MuleSoft API Governance
- Enables developers to apply governance rulesets at design time
- Produces consistent API specs across enterprises
- Improves API quality and security
- API design with Anypoint best practices and Open API best practices
- Ensures design-time conformance
- Reduces risks related to OWASP API Security Top 10
Anypoint API Governance makes it easy for development teams to adopt API governance. Developers can apply
the standards by accessing the existing profiles from Anypoint Exchange. These profiles can be added as
dependencies in the API Designer during development. If an API does not conform with existing compliance
requirements, architects from central IT teams can notify developers via email from the API Governance
console. Hence it ensures the standard checks of the API across the organization.
Explore MuleSoft API integration with Nous experts. Learn how we help businesses leverage the MuleSoft
platform to transform their digital business.
API governance default rulesets can be found in the links provided below for further details:
API governance – Default rulesets: