List RSKs (the canonical risk register).

GET
/v1/risks
id
Array<integer>
title_contains
string | null
description_contains
string | null
opened_by
array | null
updated_by
array | null
impact
array | null
Allowed values: Very Low Low Medium High Severe
likelihood
array | null
Allowed values: Remote Unlikely Possible Probable Imminent
initially_reported_urgency
array | null
Allowed values: Critical High Medium Low Info
type
array | null
Allowed values: Code Configuration Control Deficiency Policy Procedural Vulnerability Third-party
status
array | null
Allowed values: New Urgency Proposed Remediation Closure Proposed Closed
source
array | null
threat_objectives
array | null
Allowed values: Sabotage Data Disclosure Extortion Customer Targeting Resource Hijacking Fraud
urgency
array | null
Allowed values: Info Low Medium High Critical
created_date
array | null
updated_date
array | null
closed_date
array | null
discovered_date
array | null
due_date
array | null
expected_date
array | null
assigned_to
array | null
tags
array | null
page
integer | null format: int64
page_size
integer | null format: int64
order_by
string | null
free_text_contains
string | null
id_contains
string | null

List RSKs with register-context fields

Paginated response for the RSK register.

object
risks
Array<object>
default:

Register row for Organization Risks (RSKs). A Risk plus the relational data shown on the risk register: threat objectives, incident associations, tags, and comment count.

object
comments
required

Count of comments on this risk (not the comments themselves).

integer format: int64
incident_associations
required
Array<string>
Example
INC-00001
risk
required

The core view of an Organization Risk (RSK).

Relational data — threat objectives, comments, incident associations, and tags — is exposed on RiskRegisterEntry, not here.

object
assigned_to
One of:
null
closed_date
string | null format: date-time
control_statement
string | null
created_date
required
string format: date-time
deleted_date
string | null format: date-time
description
required
string
discovered_date
required
string format: date-time
due_date
string | null format: date-time
expected_date
string | null format: date-time
id
required
string
Example
RSK-00001
impact
One of:
null
impact_reasoning
string | null
initially_reported_urgency
One of:
null
likelihood
One of:
null
likelihood_reasoning
string | null
opened_by
required

A User as returned by the API.

Profile images are not embedded — clients fetch them from GET /api/v1/{icon} when icon is Some.

object
email
required
string
first_name
required
string
icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null
id
required
string format: uuid
last_name
required
string
remediation_task
string | null
source
string | null
status
required

The status of a risk

string
Allowed values: New Urgency Proposed Remediation Closure Proposed Closed
title
required
string
type
required
string
Allowed values: Code Configuration Control Deficiency Policy Procedural Vulnerability Third-party
updated_by
required

A User as returned by the API.

Profile images are not embedded — clients fetch them from GET /api/v1/{icon} when icon is Some.

object
email
required
string
first_name
required
string
icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null
id
required
string format: uuid
last_name
required
string
updated_date
required
string format: date-time
urgency
One of:
null
tags
required
Array<object>
object
content
required
string
creator_id
required
string format: uuid
id
required
string format: uuid
org_id
string | null format: uuid
threat_objectives
required
Array<object>

A relational struct that has a threat objective type and its relevancy to a risk.

PartialEq, Eq, and Hash are implemented manually to exclude created_date, which is metadata about when the relation was mutated — not part of the identity.

object
created_date

The time that this relation was mutated

string | null format: date-time
relevance
One of:
null
threat_objective
required

The threat objective type

string
Allowed values: Sabotage Data Disclosure Extortion Customer Targeting Resource Hijacking Fraud
total
integer
0
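
The `threat_objectives` relation above states that `PartialEq`, `Eq`, and `Hash` are implemented manually so that `created_date` is not part of identity. The Rust code below is an added example, not the project's own code, showing how that lets a client or service diff two relation sets without treating a timestamp-only change as a new relation. The names `RiskThreatObjective`, `rel` and `added`, the field types, and the relevance strings are assumptions; the enum variant names are inferred from the flattened "Allowed values" list.

```rust
use std::collections::HashSet;
use std::hash::{Hash, Hasher};

// Variant names inferred from the page's "Allowed values" list (assumption).
#[allow(dead_code)]
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
enum ThreatObjective { Sabotage, DataDisclosure, Extortion, CustomerTargeting, ResourceHijacking, Fraud }

// Hypothetical struct; field types are assumptions (the page elides `relevance`).
#[derive(Debug, Clone)]
struct RiskThreatObjective {
    threat_objective: ThreatObjective,
    relevance: Option<String>,
    created_date: Option<String>, // mutation metadata, excluded from identity
}

impl PartialEq for RiskThreatObjective {
    fn eq(&self, other: &Self) -> bool {
        self.threat_objective == other.threat_objective && self.relevance == other.relevance
    }
}
impl Eq for RiskThreatObjective {}

// Hash must cover exactly the fields Eq compares, or HashSet lookups break.
impl Hash for RiskThreatObjective {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.threat_objective.hash(state);
        self.relevance.hash(state);
    }
}

// Constructed sample-data helper.
fn rel(obj: ThreatObjective, relevance: &str, created: &str) -> RiskThreatObjective {
    RiskThreatObjective { threat_objective: obj, relevance: Some(relevance.into()), created_date: Some(created.into()) }
}

/// Relations in `new` that are not in `old`, ignoring `created_date`.
fn added(old: &[RiskThreatObjective], new: &[RiskThreatObjective]) -> Vec<RiskThreatObjective> {
    let seen: HashSet<&RiskThreatObjective> = old.iter().collect();
    new.iter().filter(|r| !seen.contains(r)).cloned().collect()
}

fn main() {
    let old = vec![rel(ThreatObjective::Fraud, "High", "2024-01-01T00:00:00Z")];
    let new = vec![
        rel(ThreatObjective::Fraud, "High", "2024-06-01T00:00:00Z"), // same identity, new timestamp
        rel(ThreatObjective::Fraud, "Low", "2024-06-01T00:00:00Z"),  // relevance changed
    ];
    println!("{:?}", added(&old, &new));
}
```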