Automating API Governance with Scheduled Scans in API Connect v12.1.1
Draft!!
One of the biggest gaps in mature API programmes is governance that only runs on demand. If your linting rules or compliance checks only execute when someone remembers to run them — or only in your CI pipeline — you have blind spots. APIs get published with violations. Policies change and old APIs fall out of compliance. API Connect v12.1.1 addresses this with scheduled governance scans: the ability to attach a recurring schedule to any governance rule set so checks run automatically, continuously, and without human intervention.
In this article, I’ll explain why scheduled governance scans matter at scale, how to attach a recurring schedule to any governance scan in v12.1.1, the CLI steps to configure them, and best practices for recurring schedules.
Table of Contents
- Why Scheduled Governance Scans Matter at Scale
- How Scheduled Governance Scans Work in v12.1.1
- CLI/API Steps to Configure a Scheduled Scan
- Best Practices for Recurring Governance Schedules
- Example: Full Governance Scan Schedule Workflow
- Monitoring Scheduled Scan Results
Why Scheduled Governance Scans Matter at Scale
When you’re managing a handful of APIs, running governance checks manually or as part of a CI pipeline is manageable. But as your API programme grows, several problems emerge:
The “It Was Clean When It Shipped” Problem
Your CI pipeline checks OpenAPI compliance before deployment. But what happens 6 months later when a governance rule is updated and some of your 200 existing APIs no longer comply? Without scheduled scans, you only find out when an auditor does, or when you run a manual scan.
The “Nobody Remembers to Run It” Problem
Even with good intentions, teams deprioritise manual governance runs. Scheduled scans remove the human dependency entirely.
The “Different Teams, Different Pipelines” Problem
In decentralised API programmes, not all teams use the same CI system — or any CI system at all. Scheduled scans run against your API Connect registry directly, regardless of how the API was published or by whom.
Compliance and Audit Requirements
Many regulatory frameworks (financial services, healthcare, government) require evidence of ongoing compliance, not just point-in-time compliance. Scheduled scans generate the audit trail you need.
How Scheduled Governance Scans Work in v12.1.1
In API Connect v12.1.1, governance rule sets can have a schedule attached. When a schedule fires, the governance scan runs against all APIs (or a targeted subset) in the specified scope — catalog, space, or provider organisation.
Results are:
- Stored in the governance history
- Available in the API Manager UI
- Emitted as events (which can trigger alerts)
- Available via the REST API
You can schedule scans at multiple levels:
- Organisation level: All products across all catalogs in a provider org
- Catalog level: All products in a specific catalog
- Space level: All products in a specific space
CLI/API Steps to Configure a Scheduled Scan
Prerequisites
- API Connect v12.1.1.0 or later
apicCLI installed and authenticated- Governance rule sets already created (if you need to create one, see the IBM docs)
Step 1: List Available Governance Rule Sets
# Connect to your management server
apic --server ${MANAGEMENT_SERVER} --org ${PROVIDER_ORG} \
governance-rulesets:list --catalog ${CATALOG_NAME}
# Example output:
# NAME ID SCOPE
# api-security-rules abc123-ruleset-uuid catalog
# naming-conventions def456-ruleset-uuid catalog
# openapi-best-practices ghi789-ruleset-uuid catalog
Step 2: Create a Schedule for a Governance Ruleset
apic governance-rulesets:schedules:create \
--server ${MANAGEMENT_SERVER} \
--org ${PROVIDER_ORG} \
--catalog ${CATALOG_NAME} \
--ruleset ${RULESET_ID} \
--cron "0 2 * * *" \
--timezone "Europe/London" \
--scope catalog \
--enabled true
This creates a schedule that runs the governance scan at 02:00 UTC every day. The --cron expression uses standard cron syntax.
Step 3: Verify the Schedule Was Created
apic governance-rulesets:schedules:get \
--server ${MANAGEMENT_SERVER} \
--org ${PROVIDER_ORG} \
--catalog ${CATALOG_NAME} \
--ruleset ${RULESET_ID} \
--schedule ${SCHEDULE_ID}
Step 4: Run an On-Demand Scan to Test
Before relying on the schedule, verify the ruleset is working:
apic governance-rulesets:run \
--server ${MANAGEMENT_SERVER} \
--org ${PROVIDER_ORG} \
--catalog ${CATALOG_NAME} \
--ruleset ${RULESET_ID}
Step 5: Review Scan Results
apic governance-rulesets:results:list \
--server ${MANAGEMENT_SERVER} \
--org ${PROVIDER_ORG} \
--catalog ${CATALOG_NAME} \
--ruleset ${RULESET_ID} \
--format json
Via the REST API
If you’re integrating with an external scheduling system or building a custom UI:
# Create a schedule via REST API
curl -X POST \
"https://${MANAGEMENT_SERVER}/api/orgs/${ORG_ID}/governance-schedules" \
-H "accept: application/json" \
-H "authorization: Bearer ${TOKEN}" \
-H "content-type: application/json" \
-d '{
"ruleset_id": "abc123-ruleset-uuid",
"cron_expression": "0 2 * * *",
"timezone": "Europe/London",
"enabled": true,
"scope": {
"type": "catalog",
"id": "${CATALOG_ID}"
},
"notification": {
"on_failure": true,
"webhook_url": "https://your-alerting-system.example.com/webhook"
}
}'
Best Practices for Recurring Governance Schedules
1. Start with a Lightweight Schedule
Don’t schedule every ruleset to run every hour on day one. Start with daily scans, observe the results and alert volume, then adjust.
2. Separate Critical and Advisory Rules
Configure schedules differently for different rule severities:
- Critical rules (security, compliance): Run daily or more frequently
- Advisory rules (naming conventions, documentation): Run weekly
3. Use Non-Peak Hours
Schedule governance scans during low-traffic periods — typically early morning UTC (02:00-04:00) or late evening. Governance scans read API metadata, not traffic, so they have minimal performance impact, but you want to avoid contention with other administrative operations.
4. Set Up Alerting on Scan Failures
Configure webhook notifications so that failed scans (e.g., a ruleset that crashes mid-run) trigger alerts:
apic governance-rulesets:schedules:update \
--server ${MANAGEMENT_SERVER} \
--org ${PROVIDER_ORG} \
--catalog ${CATALOG_NAME} \
--ruleset ${RULESET_ID} \
--schedule ${SCHEDULE_ID} \
--notification-on-failure true \
--webhook-url "https://hooks.example.com/governance-failure"
5. Review Governance Trends Over Time
Don’t just fix violations and forget them. Use the governance history to track:
- Which APIs are repeat violators
- Whether overall violation rates are decreasing
- Whether new governance rules are causing unexpected failures
6. Scope Schedules Appropriately
Don’t run org-wide scans if you only need catalog-level checks. Smaller scopes run faster and produce more actionable results.
7. Document Your Governance Schedule Policy
Create a runbook that documents:
- Which rulesets run on which schedule and why
- Who receives governance failure notifications
- What constitutes a governance violation that requires immediate action vs. one that can be scheduled for remediation
Example: Full Governance Scan Schedule Workflow
Here’s a complete example combining everything:
#!/usr/bin/env bash
# Full governance schedule setup for a production catalog
MANAGEMENT_SERVER="mgmt-api.example.com"
PROVIDER_ORG="payments-provider"
CATALOG="production"
RULESET_ID="api-security-rules-v2"
# 1. Create daily security scan at 02:00 UTC
SCHEDULE_ID=$(apic governance-rulesets:schedules:create \
--server $MANAGEMENT_SERVER \
--org $PROVIDER_ORG \
--catalog $CATALOG \
--ruleset $RULESET_ID \
--cron "0 2 * * *" \
--timezone "UTC" \
--scope catalog \
--enabled true \
--output - \
--fields id \
--format json | jq -r '.[].id')
echo "Created schedule: $SCHEDULE_ID"
# 2. Enable failure notifications to your Slack webhook
apic governance-rulesets:schedules:update \
--server $MANAGEMENT_SERVER \
--org $PROVIDER_ORG \
--catalog $CATALOG \
--ruleset $RULESET_ID \
--schedule $SCHEDULE_ID \
--notification-on-failure true \
--webhook-url "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
# 3. Run immediately to verify
echo "Running on-demand scan to verify ruleset..."
apic governance-rulesets:run \
--server $MANAGEMENT_SERVER \
--org $PROVIDER_ORG \
--catalog $CATALOG \
--ruleset $RULESET_ID
echo "Done. Check results with:"
echo "apic governance-rulesets:results:list --server $MANAGEMENT_SERVER --org $PROVIDER_ORG --catalog $CATALOG --ruleset $RULESET_ID"
Monitoring Scheduled Scan Results
To monitor results programmatically:
# Get the latest scan result for a ruleset
apic governance-rulesets:results:list \
--server ${MANAGEMENT_SERVER} \
--org ${PROVIDER_ORG} \
--catalog ${CATALOG_NAME} \
--ruleset ${RULESET_ID} \
--limit 1 \
--format json | jq '.[0]'
This returns the most recent scan result including:
- Timestamp
- Number of violations found (by severity)
- List of violated rules with affected APIs
Summary
Scheduled governance scans in API Connect v12.1.1 are a game-changer for API programmes that need ongoing compliance assurance, not just point-in-time checks. By attaching schedules to your existing governance rule sets, you can ensure that new violations are caught automatically — regardless of how or when an API was published — and that your governance programme actually scales as your API portfolio grows.
Set up your first scheduled scan this week. Start small, monitor results, and iterate.
Screenshots to Capture
-
[Placeholder: /images/governance-ruleset-schedule-config.png] What to capture: The schedule creation dialog for a governance ruleset showing cron expression input, timezone selector, scope selection, and enabled toggle. Where: API Manager → Governance → Rulesets → Select a ruleset → Schedules tab → New Schedule
-
[Placeholder: /images/governance-scan-results-ui.png] What to capture: The governance scan results view showing violations grouped by severity (error, warning, info) with affected API names and rule descriptions. Where: API Manager → Governance → [Run a scan] → Results tab
-
[Placeholder: /images/governance-scan-history.png] What to capture: The governance history view showing past scan runs with timestamps, violation counts, and pass/fail status for each ruleset over time. Where: API Manager → Governance → History or scan results → History tab
-
[Placeholder: /images/governance-webhook-notification-config.png] What to capture: The webhook notification configuration for governance scan failures, showing the webhook URL field and notification triggers. Where: API Manager → Governance → Rulesets → Select ruleset → Schedules → Notification settings
Questions about governance as code or scheduled scans? Reach out on Twitter @cminion or open a discussion on GitHub.
