Governance Pipeline Auditor (auditor.apicommons.org)

Lint your linting.

Governance Pipeline Auditor scans a repo’s Spectral API-governance CI setup and scores it against an 8-point maturity rubric — then hands back a prioritized punch-list of concrete fixes. It’s the sequel to Spectral Reporter: that reports on your API, this reports on your pipeline. The rubric comes straight from the API Evangelist paper “The State of Spectral in API Pipelines,” a census of 1,005 real public pipelines.

npx @api-common/governance-pipeline-auditor . --min-score 5

8-point rubric

Gates the PR · custom ruleset · owned home · pinned tooling · security layer · real gate · path-filtered · machine-readable report.

Prioritized punch-list

Every failed signal becomes a concrete fix, ordered by governance impact, each with a one-line why and a docs link.

Gate on the score

A composite GitHub Action writes the score to your job summary and fails the build under --min-score.

Anti-pattern flags

Calls out the specific smells from the paper — default ruleset, @latest, lint-after-merge, toothless continue-on-error.

Live demo

Paste your .github/workflows/*.yml that runs Spectral (and, optionally, your .spectral.yaml ruleset), then score it — all in your browser, with the exact scorer the CLI uses.

The 8-point rubric

One point per signal. It deliberately measures only the mechanical surface a workflow file exposes — the automatable quarter of governance. It says nothing about whether a human wrote the rules on purpose.

Signal                  | Question it answers
Gates the PR            | Does governance fire before the merge, not after?
Custom ruleset          | Are the rules the organization’s, not the tool’s defaults?
Owned ruleset home      | Do the rules live in a dedicated dir or a shared/remote source?
Pinned tooling          | Is the enforcing tool pinned to a chosen version (SHA)?
Security layer          | Are OWASP/security rules present, not just style?
Real gate               | Does it fail the build on error rather than only annotate?
Path-filtered           | Does it run only when the spec/ruleset changes?
Machine-readable report | Does it emit SARIF / a readable report / PR comment?
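To make the rubric and the anti-pattern flags concrete, here is an added illustrative scorer written for this page. It is not the project's scorer and not taken from the Action or CLI: it decides each of the eight signals (and the four smells named above) with regex heuristics over the workflow and ruleset text instead of parsing the YAML, and the signal ids, the impact weights that order the punch-list, the rule that an exact `npx` version counts as pinned, the two sample workflows, the placeholder commit SHA and the sample ruleset contents are all my own constructions.

```javascript
// Added example, not the project's scorer: scores a Spectral CI workflow against
// the 8-point rubric using text heuristics. Signal ids and weights are assumptions.

const SHA40 = /@[0-9a-f]{40}\b/;                      // uses: owner/repo@<full commit SHA>
const EXACT_SEMVER = /spectral-cli@\d+\.\d+\.\d+\b/;  // assumption: exact npx version counts as pinned

// Does the ruleset declare at least one rule of its own under `rules:`?
function definesOwnRules(rs) {
  const lines = rs.split("\n");
  const i = lines.findIndex((l) => /^rules:\s*$/.test(l));
  return i >= 0 && lines.slice(i + 1).some((l) => /^\s+[\w-]+:/.test(l));
}

// The ruleset path or URL the workflow hands to Spectral (--ruleset, -r, or a *ruleset: input).
function rulesetRef(wf) {
  const m = wf.match(/(?:--ruleset|-r\b|ruleset)\s*[:=]?\s*["']?([^\s"']+)/);
  return m ? m[1] : null;
}

// Every line that installs or invokes Spectral must be pinned (SHA, or exact version for npx).
function toolPinned(wf) {
  const lines = wf.split("\n").filter((l) => /spectral/i.test(l) && /uses:|npx|npm (i|install)/.test(l));
  return lines.length > 0 && lines.every((l) => SHA40.test(l) || EXACT_SEMVER.test(l));
}

// One entry per rubric signal; `impact` orders the punch-list (my weighting, an assumption).
const SIGNALS = [
  { id: "gates-the-pr", impact: 8, why: "Run on pull_request so findings block the merge.",
    check: ({ wf }) => /\bpull_request(_target)?\b/.test(wf) },
  { id: "real-gate", impact: 7, why: "Drop continue-on-error / '|| true' so errors fail the job.",
    check: ({ wf }) => !/continue-on-error:\s*true/.test(wf) && !/\|\|\s*(true|exit 0)/.test(wf) },
  { id: "custom-ruleset", impact: 6, why: "Define your own rules; the defaults encode the tool's choices, not yours.",
    check: ({ rs }) => definesOwnRules(rs) },
  { id: "pinned-tooling", impact: 5, why: "Pin the linter to a SHA or exact version so the gate cannot change under you.",
    check: ({ wf }) => toolPinned(wf) },
  { id: "security-layer", impact: 4, why: "Add OWASP/security rules, not only style rules.",
    check: ({ wf, rs }) => /owasp/i.test(wf) || /owasp|security/i.test(rs) },
  { id: "owned-ruleset-home", impact: 3, why: "Keep rules in a dedicated directory or a shared/remote ruleset.",
    check: ({ wf }) => { const r = rulesetRef(wf); return !!r && (r.startsWith("http") || r.includes("/")); } },
  { id: "machine-readable-report", impact: 2, why: "Emit SARIF/JSON so results land in code scanning or a PR comment.",
    check: ({ wf }) => /sarif|(--format|-f)[ =](json|junit)/i.test(wf) },
  { id: "path-filtered", impact: 1, why: "Filter on spec/ruleset paths so the job runs only when they change.",
    check: ({ wf }) => /^\s+paths:/m.test(wf) },
];

// The four anti-pattern flags named on the page.
const ANTI_PATTERNS = [
  { id: "default-ruleset", test: ({ rs }) => !definesOwnRules(rs) },
  { id: "latest-tag", test: ({ wf }) => /@latest\b/.test(wf) },
  { id: "lint-after-merge", test: ({ wf }) => /\bpush\b/.test(wf) && !/\bpull_request/.test(wf) },
  { id: "toothless-continue-on-error", test: ({ wf }) => /continue-on-error:\s*true/.test(wf) },
];

function auditPipeline(workflowText, rulesetText = "") {
  const ctx = { wf: workflowText, rs: rulesetText };
  const signals = SIGNALS.map((s) => ({ id: s.id, pass: s.check(ctx), impact: s.impact, why: s.why }));
  const punchList = signals.filter((s) => !s.pass).sort((a, b) => b.impact - a.impact)
    .map(({ id, why }) => ({ fix: id, why }));
  return { score: signals.filter((s) => s.pass).length, max: SIGNALS.length, signals, punchList,
    antiPatterns: ANTI_PATTERNS.filter((a) => a.test(ctx)).map((a) => a.id) };
}

// --min-score semantics: the job passes when score >= threshold.
function meetsMinScore(audit, minScore) { return audit.score >= minScore; }

// Constructed sample inputs (not real repositories); the 40-hex SHA is a placeholder.
const WEAK_WORKFLOW = `name: lint
on:
  push:
    branches: [main]
jobs:
  spectral:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx @stoplight/spectral-cli@latest lint openapi.yaml
        continue-on-error: true
`;
const WEAK_RULESET = "extends: spectral:oas\n";
const STRONG_WORKFLOW = `name: api-governance
on:
  pull_request:
    paths: ["openapi/**", ".spectral/**"]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npx @stoplight/spectral-cli@6.11.0 lint openapi/api.yaml --ruleset .spectral/ruleset.yaml --format sarif --output spectral.sarif
`;
const STRONG_RULESET = 'extends: ["spectral:oas", "@stoplight/spectral-owasp-ruleset"]\nrules:\n  operation-description: error\n';

console.log(auditPipeline(WEAK_WORKFLOW, WEAK_RULESET).score, "/ 8 for the weak pipeline");
console.log(auditPipeline(STRONG_WORKFLOW, STRONG_RULESET).score, "/ 8 for the hardened pipeline");
```

Run it with `node` on a file of your choosing: the weak sample scores 0/8 and trips all four flags, the hardened sample scores 8/8. The point of the design is the one the rubric makes itself: each signal is a yes/no question about the workflow file, so the score says whether the mechanics of the gate are in place, not whether the rules behind it are sensible.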

Install & usage

Run it now (no install)

# Audit the current repo and print the score + punch-list
npx @api-common/governance-pipeline-auditor .

# Short alias, JSON output, and a gate
npx @api-common/governance-pipeline-auditor . --json
npx @api-common/governance-pipeline-auditor . --min-score 5

# Write a self-contained HTML report
npx @api-common/governance-pipeline-auditor . --html governance-audit.html

Install as a dev dependency

npm install --save-dev @api-common/governance-pipeline-auditor

Flags

In GitHub Actions

- uses: api-commons/governance-pipeline-auditor@v1
  with:
    path: .
    min-score: 5      # fail the job below 5/8
    html: governance-audit.html
- uses: actions/upload-artifact@v4
  with:
    name: governance-audit
    path: governance-audit.html

The scorer is a pure, dependency-free function shared verbatim between the CLI, the Action, and this page — so the score you see here is byte-for-byte what CI produces. Free and open under the Apache-2.0 license. When you want experts in the loop, .