Risk & Compliance

The Risk domain manages three entity types: Vulnerability (a specific security finding), ComplianceControl (a requirement from a framework like SOC 2 or ISO 27001), and RiskItem (a business-level risk that may aggregate multiple vulnerabilities or gaps). All three can be linked to assets, people, and groups via the Relationships domain.

Vulnerability Schema

Field	Type	Required	Description
`id`	`string`	auto	Prefixed ID: `vuln-{ulid}`
`title`	`string`	yes	Short title
`description`	`string`	no	Full description
`severity`	`enum`	yes	`critical` \| `high` \| `medium` \| `low` \| `info`
`status`	`enum`	auto	`open` \| `in_progress` \| `resolved` \| `accepted`
`score`	`number`	no	CVSS v3 score (0.0 – 10.0)
`cve`	`string`	no	CVE identifier (e.g. `CVE-2024-12345`)
`asset_id`	`string`	no	`PhysicalAsset` or `CloudResource` ID
`assignee_id`	`string`	no	`Person` responsible for remediation
`dueAt`	`string`	no	ISO 8601 UTC remediation deadline
`resolvedAt`	`string`	auto	ISO 8601 UTC when status set to `resolved`
`tags`	`string[]`	no	Free-form tags
`createdAt`	`string`	auto	ISO 8601 UTC

ComplianceControl Schema

Field	Type	Required	Description
`id`	`string`	auto	Prefixed ID: `ctl-{ulid}`
`framework`	`string`	yes	Framework name (e.g. `SOC2`, `ISO27001`, `NIST`)
`controlId`	`string`	yes	Framework control ID (e.g. `CC6.1`)
`title`	`string`	yes	Control title
`description`	`string`	no	Full control requirement
`status`	`enum`	auto	`compliant` \| `non_compliant` \| `in_review` \| `not_applicable`
`ownerId`	`string`	no	`Person` responsible for this control
`lastAssessedAt`	`string`	auto	ISO 8601 UTC
`createdAt`	`string`	auto	ISO 8601 UTC

RiskItem Schema

Field	Type	Required	Description
`id`	`string`	auto	Prefixed ID: `rsk-{ulid}`
`title`	`string`	yes	Risk title
`description`	`string`	no	Risk description
`likelihood`	`enum`	yes	`rare` \| `unlikely` \| `possible` \| `likely` \| `almost_certain`
`impact`	`enum`	yes	`negligible` \| `minor` \| `moderate` \| `major` \| `catastrophic`
`status`	`enum`	auto	`open` \| `mitigated` \| `accepted` \| `closed`
`ownerId`	`string`	no	`Person` responsible for this risk
`createdAt`	`string`	auto	ISO 8601 UTC

Vulnerabilities

import { CpodClient } from '@cpod/sdk'
const sdk = CpodClient.fromEnv()
 
// List open critical vulnerabilities
const result = await sdk.risk.vulnerabilities.list({
  severity: 'critical',
  status: 'open',
  limit: 50,
})
 
const vuln = await sdk.risk.vulnerabilities.get('vuln-abc123')
 
const created = await sdk.risk.vulnerabilities.create({
  title: 'Outdated OpenSSL on prod-web-01',
  severity: 'high',
  cve: 'CVE-2024-0553',
  score: 7.5,
  asset_id: 'cld-abc123',
  assignee_id: 'per-abc123',
  due_at: '2024-08-01T00:00:00Z',
})
 
await sdk.risk.vulnerabilities.update('vuln-abc123', {
  status: 'resolved',
})
 
await sdk.risk.vulnerabilities.delete('vuln-abc123')

import asyncio
from cpod import AsyncCpodClient
 
async def main():
    async with AsyncCpodClient.from_env() as sdk:
        result = await sdk.risk.vulnerabilities.list(severity="critical", status="open")
        print(f"Found {len(result.data)} critical vulnerabilities")
 
        created = await sdk.risk.vulnerabilities.create(
            title="Outdated OpenSSL on prod-web-01",
            severity="high",
            cve="CVE-2024-0553",
            score=7.5,
            asset_id="cld-abc123",
            assignee_id="per-abc123",
        )
 
        await sdk.risk.vulnerabilities.update("vuln-abc123", status="resolved")
        await sdk.risk.vulnerabilities.delete("vuln-abc123")
 
asyncio.run(main())

import "github.com/cpod-ai/cpod-sdk-go/risk"
 
client := cpod.New(os.Getenv("CPOD_API_KEY"))
 
result, err := client.Risk.Vulnerabilities.List(ctx, risk.VulnListOptions{
    Severity: "critical",
    Status:   "open",
    Limit:    50,
})
 
created, err := client.Risk.Vulnerabilities.Create(ctx, risk.VulnCreateInput{
    Title:    "Outdated OpenSSL on prod-web-01",
    Severity: "high",
    Cve:      "CVE-2024-0553",
    Score:    7.5,
    AssetID:  "cld-abc123",
})
 
_, err = client.Risk.Vulnerabilities.Update(ctx, "vuln-abc123",
    risk.VulnUpdateInput{Status: "resolved"},
)
err = client.Risk.Vulnerabilities.Delete(ctx, "vuln-abc123")

Compliance Controls

// List all non-compliant SOC 2 controls
const controls = await sdk.risk.controls.list({
  framework: 'SOC2',
  status: 'non_compliant',
})
 
const control = await sdk.risk.controls.get('ctl-abc123')
 
const created = await sdk.risk.controls.create({
  framework: 'SOC2',
  controlId: 'CC6.1',
  title: 'Logical Access Controls',
  description: 'Access to information assets is restricted to authorised users.',
  ownerId: 'per-abc123',
})
 
await sdk.risk.controls.update('ctl-abc123', { status: 'compliant' })
await sdk.risk.controls.delete('ctl-abc123')

import asyncio
from cpod import AsyncCpodClient
 
async def main():
    async with AsyncCpodClient.from_env() as sdk:
        controls = await sdk.risk.controls.list(framework="SOC2", status="non_compliant")
 
        created = await sdk.risk.controls.create(
            framework="SOC2",
            control_id="CC6.1",
            title="Logical Access Controls",
            owner_id="per-abc123",
        )
 
        await sdk.risk.controls.update("ctl-abc123", status="compliant")
 
asyncio.run(main())

controls, err := client.Risk.Controls.List(ctx, risk.ControlListOptions{
    Framework: "SOC2",
    Status:    "non_compliant",
})
 
created, err := client.Risk.Controls.Create(ctx, risk.ControlCreateInput{
    Framework: "SOC2",
    ControlID: "CC6.1",
    Title:     "Logical Access Controls",
    OwnerID:   "per-abc123",
})
 
_, err = client.Risk.Controls.Update(ctx, "ctl-abc123",
    risk.ControlUpdateInput{Status: "compliant"},
)

Risk Items

const risks = await sdk.risk.items.list({ status: 'open', limit: 25 })
 
const item = await sdk.risk.items.create({
  title: 'Insufficient access review cadence',
  description: 'Quarterly access reviews are not being completed on schedule.',
  likelihood: 'likely',
  impact: 'major',
  ownerId: 'per-abc123',
})
 
await sdk.risk.items.update('rsk-abc123', { status: 'mitigated' })
await sdk.risk.items.delete('rsk-abc123')

import asyncio
from cpod import AsyncCpodClient
 
async def main():
    async with AsyncCpodClient.from_env() as sdk:
        risks = await sdk.risk.items.list(status="open", limit=25)
 
        item = await sdk.risk.items.create(
            title="Insufficient access review cadence",
            likelihood="likely",
            impact="major",
            owner_id="per-abc123",
        )
 
        await sdk.risk.items.update("rsk-abc123", status="mitigated")
 
asyncio.run(main())

risks, err := client.Risk.Items.List(ctx, risk.ItemListOptions{Status: "open", Limit: 25})
 
item, err := client.Risk.Items.Create(ctx, risk.ItemCreateInput{
    Title:      "Insufficient access review cadence",
    Likelihood: "likely",
    Impact:     "major",
    OwnerID:    "per-abc123",
})
 
_, err = client.Risk.Items.Update(ctx, "rsk-abc123",
    risk.ItemUpdateInput{Status: "mitigated"},
)
err = client.Risk.Items.Delete(ctx, "rsk-abc123")

Link a RiskItem to specific vulnerabilities or controls using the Relationships domain with relation type mitigates or evidences.

Assets Relationships