Risks API

Manage your organization’s risks, their assessment, and mitigation strategies.

GET /risks/

List all risks with optional filtering.

Query Parameters

Parameter	Type	Description
state[]	array	Filter by state: acceptable, not_mitigated, mitigated, transferred.
owner[]	array	Filter by owner user IDs.
manager[]	array	Filter by manager user IDs.
labels[]	array	Filter by label IDs. Use none for risks without labels.
impact[]	array	Filter by impact level.
probability[]	array	Filter by probability level.

Array parameters

To filter by multiple values, repeat the parameter with [] brackets for each value. For example, to filter risks by multiple states:

?state[]=acceptable&state[]=not_mitigated

Get Risks

curl --location 'https://YOUR_KORDON_DOMAIN/api/v1/risks/' \
--header 'Authorization: Bearer YOUR-TOKEN'

Example with filters:

curl --location 'https://YOUR_KORDON_DOMAIN/api/v1/risks/?state[]=not_mitigated&impact[]=high' \
--header 'Authorization: Bearer YOUR-TOKEN'

Example response

{
    "data": [
        {
            "id": "67ed9437-b3ec-4459-a02c-bdb30b4e2a16",
            "assets": [],
            "controls": [],
            "description": "<p>Risk Description</p>",
            "impact": 0,
            "labels": [],
            "manager": {
                "id": "1bccedd9-ade7-42f9-ae6b-6ec7664bb6e4",
                "name": "Maksym"
            },
            "mitigated_impact": 0,
            "mitigated_probability": 0,
            "mitigations": [],
            "owner": {
                "id": "1bccedd9-ade7-42f9-ae6b-6ec7664bb6e4",
                "name": "Maksym"
            },
            "owner_id": "1bccedd9-ade7-42f9-ae6b-6ec7664bb6e4",
            "probability": 0,
            "residual_score": 0,
            "score": 0,
            "state": "acceptable",
            "tasks": [],
            "title": "One risk to rule them all",
            "updated_at": "2024-05-06T15:26:06+00:00"
        }
    ]
}

GET /risks/:id

Get a single risk by ID.

curl --location 'https://YOUR_KORDON_DOMAIN/api/v1/risks/67ed9437-b3ec-4459-a02c-bdb30b4e2a16' \
--header 'Authorization: Bearer YOUR_TOKEN' \
--data ''

Example response

Status 200

{
    "data": {
        "id": "67ed9437-b3ec-4459-a02c-bdb30b4e2a16",
        "assets": [],
        "controls": [],
        "description": "<p>Risk description</p>",
        "impact": 0,
        "labels": [],
        "manager": {
            "id": "1bccedd9-ade7-42f9-ae6b-6ec7664bb6e4",
            "name": "Maksym"
        },
        "mitigated_impact": 0,
        "mitigated_probability": 0,
        "mitigations": [],
        "owner": {
            "id": "1bccedd9-ade7-42f9-ae6b-6ec7664bb6e4",
            "name": "Maksym"
        },
        "owner_id": "1bccedd9-ade7-42f9-ae6b-6ec7664bb6e4",
        "probability": 0,
        "residual_score": 0,
        "score": 0,
        "state": "acceptable",
        "tasks": [],
        "title": "One risk to rule them all",
        "updated_at": "2024-05-06T15:26:06+00:00"
    }
}

PATCH /risks/:id

Update an existing risk.

curl --location --request PATCH 'https://YOUR_KORDON_DOMAIN/api/v1/risks/1a9c9bee-f5de-411d-bbd6-30f7fca37ae6' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_TOKEN' \
--data '{
    "title": "New risk title"
}'

Example response will have the full data of the now updated object.

Status: 200

{
    "data": {
        "id": "1a9c9bee-f5de-411d-bbd6-30f7fca37ae6",
        "assets": [],
        "controls": [],
        "description": "",
        "impact": 0,
        "labels": [],
        "manager": {
            "id": "98dcb717-al70-4c89-8246-0bb026wc215b",
            "name": "Jaana Manana"
        },
        "mitigated_impact": 0,
        "mitigated_probability": 0,
        "mitigations": [],
        "owner": {
            "id": "05wa1387-a987-3cyt-y2df-9e41u8569aed",
            "name": "Martin Lootus"
        },
        "owner_id": "05wa1387-a987-3cyt-y2df-9e41u8569aed",
        "probability": 0,
        "residual_score": 0,
        "score": 0,
        "state": "acceptable",
        "tasks": [],
        "title": "New risk title",
        "updated_at": "2024-08-28T14:52:49+00:00"
    }
}

DELETE /risks/:id

Delete a risk.

curl --location --request DELETE 'https://YOUR_KORDON_DOMAIN/api/v1/risks/67ed9437-b3ec-4459-a02c-bdb30b4e2a16' \
--header 'Authorization: Bearer YOUR-TOKEN' \
--data ''

Response of a deletion request will include the id of the just deleted object.

Example response:

Status 200

{
    "data": {
        "id": "67ed9437-b3ec-4459-a02c-bdb30b4e2a16"
    }
}

POST /risks/

Create a new risk.

Required parameters:

title, manager_id, owner_id

Optional parameters:

impact, probability, description, label_ids

curl --location 'https://YOUR_KORDON_DOMAIN/api/v1/risks/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_TOKEN' \
--data '{
    "title": "Risk title",
    "manager_id": "98dcb717-al70-4c89-8246-0bb026wc215b",
    "owner_id": "05wa1387-a987-3cyt-y2df-9e41u8569aed",
    "impact": 1,
    "probability": 5,
    "label_ids": [],
    "description": "<p>The description</p>"
}'

Example response:

Response of a creation request will include the full data of the created object.

Status 200

{
    "data": {
        "id": "572d56ad-1e9a-4460-85dc-129d2154b06f",
        "assets": [],
        "controls": [],
        "description": "<p>The description</p>",
        "impact": 1,
        "labels": [],
        "manager": {
            "id": "98dcb717-al70-4c89-8246-0bb026wc215b",
            "name": "Jaana Manana"
        },
        "mitigated_impact": 1,
        "mitigated_probability": 5,
        "mitigations": [],
        "owner": {
            "id": "05wa1387-a987-3cyt-y2df-9e41u8569aed",
            "name": "Martin Lootus"
        },
        "owner_id": "05wa1387-a987-3cyt-y2df-9e41u8569aed",
        "probability": 5,
        "residual_score": 5,
        "score": 5,
        "state": "acceptable",
        "tasks": [],
        "title": "Risk title",
        "updated_at": "2024-08-28T14:46:46+00:00"
    }
}

Managing Risk Connections

Risks can be connected to Requirements, Controls, Vendors, Assets, Business Processes, and Findings.

PATCH /risks/:id/connections

Update the connections for a risk.

Connection Parameters

Parameter	Type	Description
requirement_ids	array	IDs of requirements to connect
control_ids	array	IDs of controls to connect
vendor_ids	array	IDs of vendors to connect
asset_ids	array	IDs of assets to connect
business_process_ids	array	IDs of business processes to connect
finding_ids	array	IDs of findings to connect

Partial Updates

Only connection types included in the request are updated. Omitted connection types remain unchanged.

Replacing Connections

When updating a connection type, you must include all IDs you want connected, not just the new ones.

• To add a connection: include all existing IDs plus the new ID
• To remove a connection: include all IDs except the one to remove
• To remove all connections of a type: include an empty array []

Invalid IDs are ignored.

Example: Update risk connections

curl --location PATCH \
--url "https://YOUR_KORDON_DOMAIN/api/v1/risks/67ed9437-b3ec-4459-a02c-bdb30b4e2a16/connections" \
--header "Authorization: Bearer YOUR-TOKEN" \
--header "Content-Type: application/json" \
--data '{
    "connections": {
        "control_ids": [
            "18211d00-904f-4ca9-a212-1e616a687d83"
        ],
        "asset_ids": [
            "0fb11fe0-85de-423d-ba63-b76598a9c743",
            "16615652-dcea-4250-8068-ab19e0dc046d"
        ],
        "vendor_ids": [
            "b00f71e5-9cb4-4995-96e6-0e5710f85e0a"
        ]
    }
}'

Example Response

Status: 200

The response returns the full risk object with all updated connections.