Controls & Findings Endpoint

Query compliance framework controls, view assessment status, retrieve findings, and manage control-level evidence through the API.

Updated March 2026 · 6 min read

Controls Overview

The Controls API provides access to compliance framework controls — the individual requirements your organization must satisfy. Each control belongs to a framework, has a unique identifier, title, description, category, and current assessment status based on your latest scan results.

  • Base path: /api/compliance
  • Controls are organized by framework
  • Each control includes: id, control_id, title, description, category, status
  • Status values: passed, failed, not_assessed, not_applicable

GET /api/compliance/frameworks

List all compliance frameworks available to the tenant. Returns each framework's ID, name, version, total control count, and description. Framework access may be limited by your license tier and framework assignment configuration.

  • Response: array of { "id": "uuid", "name": "SOC 2", "version": "2024", "total_controls": 49 }
  • Filtered by tenant's license tier and framework access settings
  • Available to all authenticated roles

GET /api/compliance/frameworks/{id}/controls

List all controls for a specific framework. Returns control details including the control identifier, title, description, category, and current status. For CMMC, an optional level query parameter filters by maturity level; the filter is cumulative, matching the way CMMC levels build on one another, so a higher level also returns the controls of the levels below it.

  • Response: array of { "id": "uuid", "control_id": "CC1.1", "title": "...", "category": "...", "status": "passed" }
  • CMMC filtering: ?level=1 returns L1 only, ?level=2 returns L1+L2
  • Includes maturity_level field for frameworks that support it
  • Sortable by control_id, category, or status

GET /api/compliance/controls/{id}

Get detailed information about a single control, including its full description, related evidence, latest scan findings, and remediation suggestions. This is the drill-down endpoint for control detail views.

  • Response includes: control metadata, linked evidence artifacts, latest finding details
  • Remediation suggestions with step-by-step guidance
  • Evidence list with type (auto/manual), created date, and file references
  • Assessment history showing status changes over time

UCF Controls

The UCF (Unified Control Framework) API provides access to universal controls that cross-map across frameworks. Assess a universal control once and the result propagates to all mapped framework controls.

  • GET /api/ucf/domains — list all UCF domains with control counts
  • GET /api/ucf/controls/{id} — get a universal control with all framework mappings
  • GET /api/ucf/scorecard — aggregate UCF compliance scorecard
  • GET /api/ucf/coverage/{framework} — see which UCF controls cover a specific framework

Assessments

Create and manage manual assessments against UCF universal controls. Assessments record a compliance status (compliant, partially_compliant, non_compliant, not_assessed) along with optional free-text notes (the details field in the request body) and evidence references.

  • POST /api/ucf/assessments — create assessment: { "universal_control_id": "uuid", "status": "compliant", "details": "..." }
  • GET /api/ucf/assessments — list all assessments for the tenant
  • Assessments propagate to all mapped framework controls via UCF
  • Assessment history maintained for audit trail
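The Python client below is an added example written for this page; it is not the vendor's SDK and does not come from the original documentation. It exercises the framework and control listing endpoints above (including the cumulative CMMC level filter), the single-control drill-down, and the UCF assessment flow, and it checks that an assessment really propagated by re-reading each mapped framework control afterwards. Everything beyond the documented paths, status values and field names is an assumption and is marked as such in the code: bearer-token authentication, the framework_mappings field on a universal control, the UCF-to-framework status mapping used by the offline fake, and the sample framework and control data, which is constructed.

```python
import json
from typing import Callable, Optional
from urllib import request

Transport = Callable[[str, str, Optional[dict]], object]  # (method, path, json body) -> parsed JSON
ASSESSMENT_STATUSES = {"compliant", "partially_compliant", "non_compliant", "not_assessed"}


def http_transport(base_url: str, token: str) -> Transport:
    """Real transport over urllib. Bearer-token auth is an assumption; the page does not document auth."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(base_url + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


class ComplianceClient:
    """Thin wrapper over the documented paths; field names beyond the page are assumptions."""
    def __init__(self, transport: Transport):
        self._send = transport
    def list_frameworks(self):
        return self._send("GET", "/api/compliance/frameworks", None)
    def list_controls(self, framework_id, level=None):
        path = f"/api/compliance/frameworks/{framework_id}/controls"
        if level is not None:  # CMMC only: ?level=N returns levels 1..N, not just level N
            path += f"?level={level}"
        return self._send("GET", path, None)
    def get_control(self, control_uuid):
        return self._send("GET", f"/api/compliance/controls/{control_uuid}", None)
    def get_universal_control(self, ucf_uuid):
        return self._send("GET", f"/api/ucf/controls/{ucf_uuid}", None)
    def create_assessment(self, ucf_uuid, status, details=""):
        if status not in ASSESSMENT_STATUSES:
            raise ValueError(f"unknown assessment status {status!r}")
        body = {"universal_control_id": ucf_uuid, "status": status, "details": details}
        return self._send("POST", "/api/ucf/assessments", body)


def status_summary(controls):
    """Count controls per status and compute a pass rate over the assessed (passed/failed) ones."""
    counts = {}
    for c in controls:
        counts[c["status"]] = counts.get(c["status"], 0) + 1
    assessed = counts.get("passed", 0) + counts.get("failed", 0)
    counts["pass_rate"] = counts.get("passed", 0) / assessed if assessed else 0.0
    return counts


def verify_propagation(client, ucf_uuid, status, details):
    """Create a UCF assessment, re-read every mapped framework control, and return the ones
    still not_assessed. Only (re)assessment is checked: the page says results propagate but
    not which framework status each UCF status becomes. 'framework_mappings' is assumed."""
    ucf = client.get_universal_control(ucf_uuid)
    client.create_assessment(ucf_uuid, status, details)
    return [m["control_id"] for m in ucf["framework_mappings"]
            if client.get_control(m["control_id"])["status"] == "not_assessed"]


# ---- Constructed sample data plus an in-memory fake so the example runs offline ----
FRAMEWORKS = [{"id": "fw-1", "name": "CMMC", "version": "2.0", "total_controls": 3}]
CONTROLS = {"fw-1": [  # control_id values are made up, not real CMMC practice IDs
    {"id": "c-1", "control_id": "AC-1", "category": "Access Control", "status": "passed", "maturity_level": 1},
    {"id": "c-2", "control_id": "AC-2", "category": "Access Control", "status": "not_assessed", "maturity_level": 2},
    {"id": "c-3", "control_id": "AU-1", "category": "Audit", "status": "failed", "maturity_level": 2},
]}
UCF_CONTROL = {"id": "u-1", "framework_mappings": [{"framework_id": "fw-1", "control_id": "c-2"},
                                                   {"framework_id": "fw-1", "control_id": "c-3"}]}
PROPAGATED = {"compliant": "passed", "partially_compliant": "failed",  # assumed mapping, fake only
              "non_compliant": "failed", "not_assessed": "not_assessed"}


class FakeTransport:
    def __init__(self):
        self.controls = {c["id"]: dict(c) for rows in CONTROLS.values() for c in rows}
        self.assessments = []
    def __call__(self, method, path, body):
        route, _, query = path.partition("?")
        parts = route.split("/")  # ['', 'api', ..., '{id}', ...]
        if route == "/api/compliance/frameworks":
            return FRAMEWORKS
        if parts[1:4] == ["api", "compliance", "frameworks"]:
            rows = [self.controls[c["id"]] for c in CONTROLS[parts[4]]]
            if query.startswith("level="):  # cumulative, as documented for CMMC
                rows = [r for r in rows if r["maturity_level"] <= int(query[6:])]
            return rows
        if parts[1:4] == ["api", "compliance", "controls"]:
            return self.controls[parts[4]]
        if parts[1:4] == ["api", "ucf", "controls"]:
            return UCF_CONTROL
        if route == "/api/ucf/assessments" and method == "POST":
            self.assessments.append(body)
            for m in UCF_CONTROL["framework_mappings"]:
                self.controls[m["control_id"]]["status"] = PROPAGATED[body["status"]]
            return {"id": f"asm-{len(self.assessments)}", **body}
        raise ValueError(f"unhandled {method} {path}")
```

To run against a live tenant, replace FakeTransport() with http_transport(base_url, token); the fake exists only so the example runs offline. verify_propagation deliberately re-reads each mapped control through GET /api/compliance/controls/{id} instead of trusting the POST response, which is the check you want before relying on propagated status in a report.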