x-cpod-domain: risk_compliance
Risk & Compliance
Vulnerabilities, controls, and risk items the org is tracking.
client.risk · client.vulnerabilities · client.complianceControls
Vulnerability
A known weakness on an asset, often tied to a CVE.
REST path: /api/v1/vulnerabilities
Operations: list, get, create, update, resolve
SDK
```javascript
// list — returns only your records; add filters/search:
await client.risk.vulnerabilities.list()
// create:
await client.risk.vulnerabilities.create({
  id: "rec_01HXEXAMPLE",
  tenant_id: "example tenant_id",
  created_at: "2026-01-01T00:00:00Z",
  updated_at: "2026-01-01T00:00:00Z",
  app_id: "example app_id",
  created_by: "rec_01HXEXAMPLE",
})
```

| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. Values: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| cve_id | string | Common Vulnerabilities and Exposures identifier. Null for vulnerabilities that do not have an assigned CVE (e.g. misconfigurations, proprietary scanner findings |
| title | string | Short, descriptive title summarizing the vulnerability. |
| description | string | Detailed technical description of the vulnerability, including attack vector, prerequisites, and potential impact. |
| severity | string | Severity classification of this vulnerability. Typically aligned with CVSS severity bands. |
| cvss_score | number | CVSS base score (0.0 to 10.0). Null when no CVSS score is available. |
| cvss_vector | string | CVSS vector string describing the vulnerability characteristics (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
| affected_asset_id | uuid | UUID of the asset affected by this vulnerability. The asset type is indicated by affected_asset_type. |
| affected_asset_type | string | Discriminator indicating which entity type affected_asset_id refers to: a TechnologyAsset, PhysicalAsset, or CloudResource. |
| status | string | Current remediation status. 'accepted_risk' requires documented justification and periodic review. 'false_positive' removes the item from active tracking. |
| discovered_at | date-time | ISO 8601 timestamp when this vulnerability was first discovered by the scanning tool or reported. |
| remediated_at | date-time | ISO 8601 timestamp when the vulnerability was confirmed as remediated. Set by the platform or manually by a security engineer. |
| due_date | date-time | Remediation deadline based on severity SLA policy. Critical vulnerabilities typically have a 7-day SLA, high a 30-day SLA. |
| assigned_to | uuid | UUID of the Person responsible for remediating this vulnerability. |
| source | string | Name of the scanner or tool that discovered this vulnerability (e.g. Tenable). |
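The severity, cvss_score and due_date fields above are related: severity follows the CVSS bands, and due_date is discovered_at plus the severity SLA (7 days for critical, 30 days for high). The following is an added example, not code from the reference or its SDK, showing how an integration can derive those values client-side before calling create(), so that what it submits is consistent with what the platform will check. The CVSS v3.1 band thresholds are the standard ones; the medium and low SLA days, the initial status label "open", and all IDs and the finding itself are constructed assumptions for the example.

```javascript
// Added example (not part of the generated reference): derive severity band
// and SLA due_date for a Vulnerability record before create().
// CVSS v3.1 qualitative bands are the standard ones; the 7-day critical and
// 30-day high SLAs come from the due_date description. Medium/low SLAs and
// the status label are assumptions for this example.

const SLA_DAYS = {
  critical: 7,   // from the reference
  high: 30,      // from the reference
  medium: 90,    // assumption
  low: 180,      // assumption
};

// CVSS v3.1 qualitative severity rating scale.
function severityFromCvss(score) {
  if (score === null || score === undefined) return null; // no score available
  if (typeof score !== "number" || Number.isNaN(score) || score < 0 || score > 10) {
    throw new RangeError(`cvss_score out of range: ${score}`);
  }
  if (score === 0) return "none";
  if (score < 4.0) return "low";
  if (score < 7.0) return "medium";
  if (score < 9.0) return "high";
  return "critical";
}

// Remediation deadline = discovered_at + SLA for the band; null when no SLA applies.
function dueDateFor(discoveredAt, severity) {
  const days = SLA_DAYS[severity];
  if (days === undefined) return null;
  const start = new Date(discoveredAt);
  if (Number.isNaN(start.getTime())) throw new TypeError(`bad discovered_at: ${discoveredAt}`);
  return new Date(start.getTime() + days * 86400000).toISOString();
}

// Build the create() payload from a scanner finding. Server-stamped fields
// (id, tenant_id, created_at, updated_at, created_by) are deliberately omitted.
function buildVulnerabilityPayload(finding) {
  const severity = severityFromCvss(finding.cvss_score);
  return {
    cve_id: finding.cve_id ?? null,          // null for findings without a CVE
    title: finding.title,
    description: finding.description,
    severity,
    cvss_score: finding.cvss_score ?? null,
    cvss_vector: finding.cvss_vector ?? null,
    affected_asset_id: finding.affected_asset_id,
    affected_asset_type: finding.affected_asset_type,
    status: "open",                          // assumption: initial status label
    discovered_at: finding.discovered_at,
    due_date: dueDateFor(finding.discovered_at, severity),
    source: finding.source,
  };
}

// Overdue when a due_date exists, remediation is not confirmed, and now is past it.
function isOverdue(record, now = new Date()) {
  return Boolean(record.due_date) && !record.remediated_at && new Date(record.due_date) < now;
}

// Constructed sample finding: placeholder CVE id and asset id, not real data.
const SAMPLE_FINDING = {
  cve_id: "CVE-0000-00000",
  title: "Example remote code execution in a web component",
  description: "Constructed sample finding for the example.",
  cvss_score: 9.8,
  cvss_vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  affected_asset_id: "ta_01HXEXAMPLE",
  affected_asset_type: "TechnologyAsset",
  discovered_at: "2026-01-01T00:00:00Z",
  source: "Tenable",
};

const samplePayload = buildVulnerabilityPayload(SAMPLE_FINDING);
// With a live client: await client.risk.vulnerabilities.create(samplePayload)
```

Because the platform stamps id, tenant_id and the audit fields from the caller's JWT, the payload leaves them out; isOverdue() is the check a reporting job would run over list() results to find records past their SLA that have no remediated_at.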
ComplianceControl
A control statement against a framework (SOC 2, ISO 27001, etc.).
REST path: /api/v1/compliance-controls
Operations: list, get, create, update
SDK
```javascript
// list — returns only your records; add filters/search:
await client.risk.complianceControls.list()
// create:
await client.risk.complianceControls.create({
  id: "rec_01HXEXAMPLE",
  tenant_id: "example tenant_id",
  created_at: "2026-01-01T00:00:00Z",
  updated_at: "2026-01-01T00:00:00Z",
  app_id: "example app_id",
  created_by: "rec_01HXEXAMPLE",
})
```

| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. Values: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| framework | string | The compliance or regulatory framework this control belongs to. 'custom' is for organization-specific internal controls not mapped to a standard framework. |
| control_id | string | Framework-native control identifier (e.g. 'CC6.1' for SOC2, 'A.9.2.1' for ISO 27001, 'PR.AC-1' for NIST CSF, 'Req 8.3' for PCI DSS). |
| title | string | Short title of the control as defined in the framework or customized for internal use. |
| description | string | Detailed description of what this control requires and how the organization has implemented or plans to implement it. |
| category | string | Control category or domain within the framework (e.g. 'Access Control', 'Encryption', 'Incident Response', 'Change Management'). |
| owner | uuid | UUID of the Person responsible for implementing and maintaining this control. The control owner provides evidence and attests to control effectiveness. |
| status | string | Current implementation status. 'partial' means the control is partially implemented and remediation work is ongoing. 'not_applicable' requires documented justif |
| evidence | json | Evidence artifacts collected to demonstrate this control is implemented and operating effectively. |
| last_assessed_at | date-time | ISO 8601 timestamp of the most recent control assessment or evidence review. |
| next_review_at | date-time | ISO 8601 timestamp when this control is next scheduled for review or re-assessment. |
| linked_asset_ids | json | UUIDs of TechnologyAssets to which this control applies. Used to scope the control to specific systems and generate per-asset compliance dashboards. |
| framework_id | uuid | ID of the Framework this control belongs to. |
| control_ref | string | Framework-specific control reference number. |
| name | string | Short name of the control. |
| objective | string | Control objective statement. |
| implementation_guidance | string | Recommended steps for implementing this control. |
| implementation_maturity | enum | Current maturity level of this control's implementation. Values: not_implemented, partial, implemented, optimized. |
| effectiveness | number | Effectiveness score between 0 and 1. |
| owner_id | uuid | ID of the Person who owns this control. |
| next_review_date | date-time | Date when this control is next due for review. |
| evidence_ids | json | IDs of Evidence records that support this control. |
| mapped_control_ids | json | IDs of controls in other frameworks that this control maps to. |
| mitigated_risk_ids | json | IDs of Risk records that this control mitigates. |
| related_document_ids | json | IDs of related documents. |
| knowledge_entity_id | uuid | Bridge to the Knowledge Graph entity for this control. |
| custom_fields | json | Tenant-defined additional fields. |
| tags | json | Free-form tags for filtering. |
RiskItem
A tracked risk with likelihood, impact, and mitigation.
REST path: /api/v1/risk-items
Operations: list, get, create, update
SDK
```javascript
// list — returns only your records; add filters/search:
await client.risk.riskItems.list()
// create:
await client.risk.riskItems.create({
  id: "rec_01HXEXAMPLE",
  tenant_id: "example tenant_id",
  created_at: "2026-01-01T00:00:00Z",
  updated_at: "2026-01-01T00:00:00Z",
  app_id: "example app_id",
  created_by: "rec_01HXEXAMPLE",
})
```

| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. Values: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| title | string | Short, descriptive title of the risk. |
| description | string | Detailed description of the risk, including the threat source, vulnerability exploited, and potential business impact. |
| category | string | Business category of the risk. Used to route risks to the appropriate risk owner team and generate category-specific risk dashboards. |
| likelihood | string | Qualitative likelihood rating representing the probability that this risk will materialize. Maps to numeric values 1–5 for risk score computation. |
| impact | string | Qualitative impact rating representing the magnitude of harm if this risk materializes. Maps to numeric values 1–5 for risk score computation. |
| risk_score | number | Computed risk score (likelihood × impact), where each dimension maps to 1–5. Range is 1 (lowest) to 25 (highest). Set by the platform whenever likelihood or imp |
| status | string | Current treatment status. 'mitigating' means active work is underway to reduce the risk. 'accepted' means the risk has been formally accepted by an authorized s |
| owner | uuid | UUID of the Person responsible for managing and reporting on this risk item. |
| linked_vulnerability_ids | json | UUIDs of Vulnerability records that contribute to or evidence this risk. |
| linked_control_ids | json | UUIDs of ComplianceControl records that mitigate or address this risk. |
| mitigation_plan | string | Documented plan for mitigating or treating this risk, including actions, timelines, and responsible parties. |
| due_date | date-time | Target date by which this risk should be mitigated, accepted, or closed. |
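The likelihood, impact and risk_score fields above define a small computation: each qualitative rating maps to 1–5 and risk_score is their product, so it ranges from 1 to 25 and is set by the platform whenever either input changes. The following is an added example, not code from the reference or its SDK, that reproduces that computation client-side so an integration can validate ratings before create(), detect a stored risk_score that no longer matches its inputs, and rank items for treatment. The five-step label sets, the tie-break on due_date, and the sample items are assumptions constructed for the example; the reference does not list the enum values.

```javascript
// Added example (not part of the generated reference): compute and check
// risk_score = likelihood × impact (each 1–5, so 1–25) for RiskItem records.
// The label sets below are assumptions for the example; the platform itself
// sets risk_score on write.

const LIKELIHOOD = { rare: 1, unlikely: 2, possible: 3, likely: 4, almost_certain: 5 };
const IMPACT = { negligible: 1, minor: 2, moderate: 3, major: 4, severe: 5 };

// Map a qualitative label to its 1–5 value; unknown labels are rejected rather
// than silently scored, so a typo cannot produce a low-risk record.
function scaleValue(table, label, fieldName) {
  const v = table[label];
  if (v === undefined) throw new RangeError(`unknown ${fieldName}: ${label}`);
  return v;
}

// risk_score as the reference describes it: likelihood × impact, range 1..25.
function riskScore(likelihood, impact) {
  return scaleValue(LIKELIHOOD, likelihood, "likelihood") * scaleValue(IMPACT, impact, "impact");
}

// Consistency check for a record read back from list(): a stored risk_score
// that disagrees with its inputs means one side is stale.
function scoreMatches(item) {
  return item.risk_score === riskScore(item.likelihood, item.impact);
}

// Highest score first; equal scores are ordered by earliest due_date, with
// items lacking a due_date last (assumed ordering, not a platform rule).
function byScoreThenDue(a, b) {
  if (b.risk_score !== a.risk_score) return b.risk_score - a.risk_score;
  if (!a.due_date) return b.due_date ? 1 : 0;
  if (!b.due_date) return -1;
  return a.due_date < b.due_date ? -1 : a.due_date > b.due_date ? 1 : 0; // ISO-8601 strings sort lexically
}

// Return a new array of items with risk_score filled in, ranked for treatment.
function prioritise(items) {
  return items
    .map((it) => ({ ...it, risk_score: riskScore(it.likelihood, it.impact) }))
    .sort(byScoreThenDue);
}

// Constructed sample risk items (no real data); due_date strings are ISO 8601 UTC.
const SAMPLE_RISKS = [
  { title: "Single-region backups", likelihood: "likely", impact: "major", due_date: "2026-03-01T00:00:00Z" },
  { title: "Unpatched internet-facing service", likelihood: "almost_certain", impact: "severe", due_date: null },
  { title: "Unreviewed vendor access", likelihood: "possible", impact: "moderate", due_date: "2026-02-01T00:00:00Z" },
  { title: "Stale access for departed contractor", likelihood: "likely", impact: "major", due_date: "2026-02-15T00:00:00Z" },
];

const ranked = prioritise(SAMPLE_RISKS);
// With a live client: for (const item of ranked) await client.risk.riskItems.create(item)
```

riskScore() is the same arithmetic the platform applies, so scoreMatches() is useful as a reconciliation step when a scheduled job re-reads items and wants to flag records whose likelihood or impact was edited by a path that did not recompute the score.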