This blog demonstrates the API governance feature using the API Manager UI in API Connect v10.0.6+.
Why API governance?
What is API Governance?
API Governance is a feature of IBM API Connect that can be used to validate and enforce organizational guidelines, policies, and standards to define how APIs should be designed, developed, deployed, and managed. It brings control and governance to various topics, including data formats, authentication and authorization, rate limiting, error handling, versioning, documentation, and testing.
The API governance service in API Connect lets you create one or more custom rulesets, each containing a collection of rules that can then be used to check Swagger, OpenAPI, and AsyncAPI documents. Governance rulesets and rules are independent of the APIs, managed as a separate class of artifacts in the API Manager with their own lifecycle and version management.
You can run validation scans on individual APIs during development, but also on your catalogs and spaces to check one or more of the existing APIs that they contain.
The result of a scan is a Scorecard Report with:
- Quantifiable Results
- Actionable Insights
Why do we need API Governance?
- Does your iPaaS allow custom policies and procedures to ensure security expectations are enforced within the organization?
- What measures does your product provide to enforce secure development practices in our organization?
- Are all APIs designed in such a way that return codes and response messages do not expose information about the API and underlying systems?
- Do any APIs restrict the passing of sensitive data (e.g. PII, access keys) to the body or headers?
These are all real questions asked by customers evaluating API Connect in the last 3 months (so the market is asking for it).
Linking the API contract to the data it carries, and automating the evaluation of those APIs against, for example, known security weaknesses or design issues, helps to ensure that APIs are consistent, secure, reliable, scalable, and easy to use for developers and consumers. Compliance with API rulesets can also improve interoperability, reduce development costs, and enhance the overall user experience.
What are the benefits of API Governance?
- Developer Engagement: In a competitive API landscape, improved API quality, consistency, and standardization of the API contracts can make your APIs more attractive and easier to engage with during Developer Portal discovery and adoption.
- Security: API governance requires robust and consistent security measures to be enforced across every API. Identity and access management, encryption, and authentication requirements can all be checked and enforced by API governance rules.
- Compliance: API governance can ensure your APIs comply with relevant regulations and standards, such as GDPR, HIPAA, PCI DSS, SOC 2 and others.
- Documentation: Comprehensive documentation of API specifications and workflows is part of API governance. It helps to ensure consistency and transparency across the entire API lifecycle.
RuleSets and Rules
A ruleset contains a collection of rules that can be used to check Swagger, OpenAPI, and AsyncAPI documents. There are two types of ruleset in the API governance service:
- Provider organization rulesets: these are custom rulesets that contain the rules that are created in, and are specific to, your provider organization.
- Global rulesets: these are pre-configured IBM and Spectral rulesets that contain the rules that are shared with your provider organization and cannot be edited. Examples include IBM header validation, IBM security validation and OWASP vulnerability scanning.
A rule defines an individual validation test to be applied to APIs, and the rule author sets the severity reported when the rule fails. An example rule might be "check if the default API key is used".
Rulesets and rules are immutable once published and are themselves governed by version and lifecycle controls.
Rulesets and rules are expressed in YAML.
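As an added illustration (this is not a ruleset from the original post or one of the IBM-shipped global rulesets), here is a small custom ruleset written in Spectral syntax, the same rule format used by the global Spectral rulesets. The rule names and regular expressions are illustrative, and it is an assumption that a provider organization ruleset accepts standard Spectral rules unchanged. The rules map onto the customer questions above: every operation must be protected, API keys must not travel in the query string, server error responses must have a documented schema, and parameter names must not suggest secrets or PII.

```yaml
# Added example ruleset in Spectral syntax (assumption: API Connect custom
# rulesets accept standard Spectral rules). Rule names are illustrative.
rules:
  # Every operation must declare a security requirement, so no endpoint is
  # accidentally published without authentication. Note: if the document
  # declares security only at the root level, operations will be flagged;
  # relax the rule if that is your convention.
  operation-requires-security:
    description: Every operation must declare at least one security requirement.
    message: "{{path}} has no security requirement"
    severity: error
    given: "$.paths[*][get,put,post,delete,options,head,patch,trace]"
    then:
      field: security
      function: truthy

  # API keys belong in a header, never in the query string, where they end
  # up in server logs, browser history and Referer headers.
  apikey-not-in-query:
    description: API key security schemes must not use the query string.
    message: "API key scheme '{{property}}' is passed in the query string"
    severity: error
    given: "$.components.securitySchemes[?(@.type == 'apiKey')]"
    then:
      field: in
      function: pattern
      functionOptions:
        notMatch: "^query$"

  # 5xx responses must document a schema, so error bodies are a fixed
  # contract rather than free-form text that can leak stack traces or
  # backend details.
  server-error-response-has-schema:
    description: 5xx responses must document a response schema.
    message: "{{path}} documents no schema for a server error response"
    severity: warn
    given: "$.paths[*][*].responses[?(@property.match(/^5/))].content[*]"
    then:
      field: schema
      function: truthy

  # Parameters whose names suggest credentials or PII must not appear at all.
  # The pattern is an illustrative starting list; extend it to match your
  # own naming conventions.
  no-secret-named-parameters:
    description: Parameter names must not suggest credentials or PII.
    message: "parameter '{{value}}' looks like a secret or PII field"
    severity: warn
    given: "$..parameters[*].name"
    then:
      function: pattern
      functionOptions:
        notMatch: "/(password|secret|ssn|token|api[_-]?key)/i"
```

Each entry under `rules` becomes one rule in the ruleset: `given` is a JSONPath selecting the parts of the API document to inspect, `then` names the check to run on them, and `severity` decides whether a finding fails the scorecard or only warns. Once such a ruleset is published it cannot be edited, so changes are made by publishing a new version.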
Sample APIs to use
Validating and Testing
Validating an API document using UI
https://www.ibm.com/docs/en/api-connect/saas?topic=definition-validating-api-document-by-using-api-governance
To test an API against a rule:
MultiVersions API Test:
In this example, the API "API for governance showcase" version 0.9.0 does not meet the validation criteria.
The validation test shows 2 findings.
In the new version of this API, 1.0.0, the issues raised by the validation findings have been fixed.
The validation test on the new version passes.
Validating a Catalog using UI
Create new ruleset/rules
Create a new ruleset using UI
https://www.ibm.com/docs/en/api-connect/saas?topic=apis-configuring-api-governance-in-api-manager#api_governance_config_apim__create_new
How to enable Governance
To enable API Governance in API Connect v10.0.6+:
Enable on Kubernetes
Enable on VMware
More information
API governance official documentation
Try it with the CLI:
To try API governance from the CLI, refer to the blog "API Governance Exercising - Using CLI".
Prepared by: