Compliance
Two parallel coverage views over the same training data. The OWASP view scores your workforce against the four OWASP Top 10 families (Web, API, Mobile, Client). The regulatory view scores the same training against external standards (PCI DSS, ISO/IEC 27001, SOC 2) by mapping each control to its underlying CWEs. Required scope: compliance:read.
Endpoints
| Method | Path | Scope | Purpose |
|---|---|---|---|
| GET | /api/public/v1/compliance/summary | compliance:read | OWASP coverage roll-up across all four frameworks. |
| GET | /api/public/v1/compliance/frameworks/{frameworkId} | compliance:read | Per-module breakdown for one OWASP framework. |
| GET | /api/public/v1/compliance/regulatory/summary | compliance:read | Coverage roll-up for the regulatory frameworks. |
| GET | /api/public/v1/compliance/regulatory/{frameworkId} | compliance:read | Per-control breakdown for one regulatory framework. |
How coverage is calculated
An eligible user is any active organization member whose role is not org_admin. A user is counted as trained on a topic if they have at least one practice attempt with score ≥ passingScore (70) inside the last windowDays (365). A risk item (OWASP module or regulatory control) flips to status covered once the percentage of eligible users trained on it crosses your org's coverageThresholdPercent — defaults to 80, configurable via the admin UI between 50 and 100.
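The rules above, worked through in code. This is an added example, not the platform's own implementation: it takes constructed members and practice attempts, applies the eligibility, passing-score and window rules as stated, and assigns each risk item a status. Two details are assumptions because the text does not spell them out: a user counts as trained on a risk item if they are trained on any one of its topics, and the status boundaries are covered (at or above the threshold), partial (some trained users but below it), no-activity (no trained users) and no-content (no topics shipped).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults stated in the docs; coverageThresholdPercent is org-configurable (50..100).
PASSING_SCORE = 70
WINDOW_DAYS = 365
DEFAULT_THRESHOLD_PERCENT = 80


@dataclass(frozen=True)
class Member:
    user_id: str
    role: str
    active: bool


@dataclass(frozen=True)
class Attempt:
    user_id: str
    topic_id: str
    score: int
    attempted_at: datetime


def eligible_users(members):
    """Active organization members whose role is not org_admin."""
    return {m.user_id for m in members if m.active and m.role != "org_admin"}


def trained_users(attempts, eligible, topic_ids, now,
                  passing_score=PASSING_SCORE, window_days=WINDOW_DAYS):
    """Eligible users with at least one passing attempt on any listed topic inside the window.
    Assumption: being trained on any topic of a risk item counts as trained on the item."""
    cutoff = now - timedelta(days=window_days)
    return {a.user_id for a in attempts
            if a.user_id in eligible
            and a.topic_id in topic_ids
            and a.score >= passing_score
            and a.attempted_at >= cutoff}


def risk_item_status(eligible_count, trained_count, topics_count, threshold_percent):
    """Status names are from the docs; the boundary rules are assumptions."""
    if not 50 <= threshold_percent <= 100:
        raise ValueError("coverageThresholdPercent must be between 50 and 100")
    if topics_count == 0:
        return "no-content"
    if eligible_count == 0 or trained_count == 0:
        return "no-activity"
    pct = 100.0 * trained_count / eligible_count
    return "covered" if pct >= threshold_percent else "partial"


def compute_coverage(members, attempts, modules, now, threshold_percent=DEFAULT_THRESHOLD_PERCENT):
    """modules maps a risk-item id to the topic ids that make it up."""
    eligible = eligible_users(members)
    report = {}
    for module_id, topic_ids in modules.items():
        trained = trained_users(attempts, eligible, set(topic_ids), now)
        pct = round(100.0 * len(trained) / len(eligible), 1) if eligible else 0.0
        report[module_id] = {
            "eligibleUsers": len(eligible),
            "trainedUsers": len(trained),
            "coveragePercent": pct,
            "status": risk_item_status(len(eligible), len(trained), len(topic_ids), threshold_percent),
        }
    return report


# Constructed sample data (not from the page).
NOW = datetime(2026, 5, 29, 13, 42, 11, tzinfo=timezone.utc)

MEMBERS = [
    Member("u1", "developer", True),
    Member("u2", "developer", True),
    Member("u3", "developer", True),
    Member("u4", "developer", False),   # inactive: not eligible
    Member("u5", "org_admin", True),    # org_admin: not eligible
]

ATTEMPTS = [
    Attempt("u1", "idor", 85, NOW - timedelta(days=10)),
    Attempt("u2", "idor", 60, NOW - timedelta(days=5)),                    # below passingScore
    Attempt("u2", "access-control-bypass", 72, NOW - timedelta(days=3)),
    Attempt("u3", "idor", 95, NOW - timedelta(days=400)),                  # outside windowDays
    Attempt("u5", "idor", 99, NOW - timedelta(days=1)),                    # org_admin: ignored
    Attempt("u1", "xss", 80, NOW - timedelta(days=20)),
]

# Module ids other than a01 are constructed placeholders; topic lists are constructed.
MODULES = {
    "a01-broken-access-control": ["idor", "access-control-bypass"],
    "a03-injection": ["xss", "sql-injection"],
    "a05-security-misconfiguration": ["security-headers"],
    "a0x-constructed-no-content": [],
}

if __name__ == "__main__":
    for module_id, row in compute_coverage(MEMBERS, ATTEMPTS, MODULES, NOW).items():
        print(module_id, row)
```

With the sample data, three of the five members are eligible; the a01 module ends up with two trained users (66.7%, partial at the default threshold, covered at 60), the a05 module has no activity, and the empty module reports no-content.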
Framework identifiers
| Type | Identifier | Title |
|---|---|---|
| OWASP | web | OWASP Top 10 (Web) |
| OWASP | api | OWASP API Security Top 10 |
| OWASP | mobile | OWASP Mobile Top 10 |
| OWASP | client | OWASP Client-Side Top 10 |
| Regulatory | pci-dss | PCI DSS v4.0 — Requirement 6.2.4 |
| Regulatory | iso-27001 | ISO/IEC 27001:2022 — Annex A secure development |
| Regulatory | soc-2 | SOC 2 — Trust Services Criteria (TSC 2017) |
OWASP summary
One entry per OWASP framework. Use this for dashboard tiles.
GET /api/public/v1/compliance/summary
Authorization: Bearer scs_live_…
Response
{
"frameworks": [
{
"frameworkId": "web",
"title": "OWASP Top 10 (Web)",
"totalRiskItems": 10,
"coveredRiskItems": 7,
"partialRiskItems": 2,
"noActivityRiskItems": 1,
"noContentRiskItems": 0,
"eligibleUsers": 142,
"trainedUsers": 118,
"coveragePercent": 83.1,
"avgScore": 86.4
},
{
"frameworkId": "api",
"title": "OWASP API Security Top 10",
"totalRiskItems": 10,
"coveredRiskItems": 5,
"partialRiskItems": 3,
"noActivityRiskItems": 2,
"noContentRiskItems": 0,
"eligibleUsers": 142,
"trainedUsers": 91,
"coveragePercent": 64.1,
"avgScore": 79.2
}
],
"passingScore": 70,
"coverageThresholdPercent": 80,
"windowDays": 365,
"generatedAt": "2026-05-29T13:42:11.318Z"
}
covered + partial + noActivity + noContent = totalRiskItems. noContent means we have not shipped training for that risk item yet — treat it as a known gap, not a workforce failure. avgScore is the mean of passing attempts within the window, expressed on a 0–100 scale.
Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/compliance/summary
OWASP framework detail
Drills into one framework — returns the per-module risk items, each with the constituent topics and CWEs. Returns 404 framework_not_found for any identifier outside web | api | mobile | client.
GET /api/public/v1/compliance/frameworks/web
Authorization: Bearer scs_live_…
Response
{
"frameworkId": "web",
"title": "OWASP Top 10 (Web)",
"summary": {
"frameworkId": "web",
"title": "OWASP Top 10 (Web)",
"totalRiskItems": 10,
"coveredRiskItems": 7,
"partialRiskItems": 2,
"noActivityRiskItems": 1,
"noContentRiskItems": 0,
"eligibleUsers": 142,
"trainedUsers": 118,
"coveragePercent": 83.1,
"avgScore": 86.4
},
"riskItems": [
{
"moduleId": "a01-broken-access-control",
"title": "A01: Broken Access Control",
"status": "covered",
"topicsCount": 4,
"eligibleUsers": 142,
"trainedUsers": 124,
"coveragePercent": 87.3,
"avgScore": 88.1,
"topics": [
{
"topicId": "idor",
"title": "Insecure Direct Object References",
"trainedUsers": 121,
"totalAttempts": 318,
"avgScore": 87.6,
"cwes": ["CWE-639", "CWE-285"]
}
]
}
],
"passingScore": 70,
"coverageThresholdPercent": 80,
"windowDays": 365,
"generatedAt": "2026-05-29T13:42:11.318Z"
}
status is one of covered, partial, no-activity, no-content. totalAttempts includes failed attempts within the window; trainedUsers counts only users with at least one passing attempt.
Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/compliance/frameworks/api
Regulatory summary
Same shape as the OWASP summary but for regulatory frameworks. Each entry carries version and subtitle so you can render the standard's identifying clause directly.
GET /api/public/v1/compliance/regulatory/summary
Authorization: Bearer scs_live_…
Response
{
"frameworks": [
{
"frameworkId": "pci-dss",
"title": "PCI DSS",
"version": "v4.0",
"subtitle": "Payment Card Industry Data Security Standard — Requirement 6 (Secure Systems and Software)",
"totalControls": 6,
"coveredControls": 4,
"partialControls": 1,
"noActivityControls": 1,
"noContentControls": 0,
"eligibleUsers": 142,
"trainedUsers": 105,
"coveragePercent": 73.9,
"avgScore": 84.7
},
{
"frameworkId": "iso-27001",
"title": "ISO/IEC 27001",
"version": "2022",
"subtitle": "Annex A controls — secure development and application security",
"totalControls": 6,
"coveredControls": 5,
"partialControls": 1,
"noActivityControls": 0,
"noContentControls": 0,
"eligibleUsers": 142,
"trainedUsers": 117,
"coveragePercent": 82.4,
"avgScore": 86.0
}
],
"passingScore": 70,
"coverageThresholdPercent": 80,
"windowDays": 365,
"generatedAt": "2026-05-29T13:42:11.318Z"
}
Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/compliance/regulatory/summary
Regulatory framework detail
Per-control breakdown. Each control includes the upstream description as the standard publishes it and the CWE set we used to map training to the control. Returns 404 regulatory_framework_not_found for unknown identifiers.
GET /api/public/v1/compliance/regulatory/pci-dss
Authorization: Bearer scs_live_…
Response
{
"frameworkId": "pci-dss",
"title": "PCI DSS",
"version": "v4.0",
"subtitle": "Payment Card Industry Data Security Standard — Requirement 6 (Secure Systems and Software)",
"summary": {
"frameworkId": "pci-dss",
"title": "PCI DSS",
"version": "v4.0",
"subtitle": "Payment Card Industry Data Security Standard — Requirement 6 (Secure Systems and Software)",
"totalControls": 6,
"coveredControls": 4,
"partialControls": 1,
"noActivityControls": 1,
"noContentControls": 0,
"eligibleUsers": 142,
"trainedUsers": 105,
"coveragePercent": 73.9,
"avgScore": 84.7
},
"controls": [
{
"controlId": "6.2.4.a",
"title": "Injection Attacks",
"description": "Address attacks that inject untrusted data into commands or queries (Req 6.2.4.a).",
"cwes": ["CWE-89", "CWE-78", "CWE-79", "CWE-94", "CWE-611", "CWE-917", "CWE-918"],
"status": "covered",
"topicsCount": 7,
"eligibleUsers": 142,
"trainedUsers": 128,
"coveragePercent": 90.1,
"avgScore": 88.6,
"topics": [
{
"topicId": "sql-injection",
"title": "SQL Injection",
"trainedUsers": 131,
"totalAttempts": 402,
"avgScore": 89.4,
"cwes": ["CWE-89"]
}
]
}
],
"passingScore": 70,
"coverageThresholdPercent": 80,
"windowDays": 365,
"generatedAt": "2026-05-29T13:42:11.318Z"
}
Example
curl -sS \
-H "Authorization: Bearer $SCH_API_KEY" \
https://api.limeplate.com/api/public/v1/compliance/regulatory/iso-27001
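A consumer-side check over a detail response, as an added example that is not part of the API docs or the platform's own tooling. It serves two notes above: the invariant that covered + partial + noActivity + noContent equals the total, and the point that no-content is a content gap rather than a workforce failure. It reads either shape (OWASP riskItems keyed by moduleId, regulatory controls keyed by controlId), splits uncovered items into content and workforce gaps, computes how many more eligible users must pass to reach coverageThresholdPercent, and, for regulatory controls, lists mapped CWEs that no shipped topic covers. The sample response below is constructed; the 6.2.4.b and 6.2.4.c controls and their CWE sets are placeholders, and the code assumes the topics array lists every topic of an item.

```python
import math
from typing import Dict, List


def check_summary_invariant(summary: dict) -> bool:
    """Docs: covered + partial + noActivity + noContent == total (risk items or controls)."""
    kind = "RiskItems" if "totalRiskItems" in summary else "Controls"
    parts = sum(summary[f"{k}{kind}"] for k in ("covered", "partial", "noActivity", "noContent"))
    return parts == summary[f"total{kind}"]


def users_still_needed(item: dict, threshold_percent: float) -> int:
    """Additional eligible users who must pass before the item reaches the threshold.
    Assumption: the status flips when trained / eligible is at or above the threshold."""
    needed = math.ceil(item["eligibleUsers"] * threshold_percent / 100.0)
    return max(0, needed - item["trainedUsers"])


def triage_gaps(detail: dict) -> Dict[str, List[dict]]:
    """Bucket uncovered items: no-content is a content gap, partial / no-activity a workforce gap."""
    threshold = detail["coverageThresholdPercent"]
    if "riskItems" in detail:
        items, id_key = detail["riskItems"], "moduleId"
    else:
        items, id_key = detail["controls"], "controlId"
    gaps: Dict[str, List[dict]] = {"content": [], "workforce": []}
    for item in items:
        if item["status"] == "covered":
            continue
        # CWEs that at least one shipped topic under this item addresses.
        covered_cwes = {c for t in item.get("topics", []) for c in t.get("cwes", [])}
        entry = {
            "id": item[id_key],
            "status": item["status"],
            "coveragePercent": item["coveragePercent"],
            "usersStillNeeded": users_still_needed(item, threshold),
            # Regulatory controls carry a mapped CWE set; OWASP modules do not, so this is empty there.
            "unmappedCwes": sorted(set(item.get("cwes", [])) - covered_cwes),
        }
        gaps["content" if item["status"] == "no-content" else "workforce"].append(entry)
    return gaps


# Constructed sample shaped like the regulatory detail response (not real API output).
SAMPLE_REGULATORY_DETAIL = {
    "frameworkId": "pci-dss",
    "summary": {
        "totalControls": 3, "coveredControls": 1, "partialControls": 1,
        "noActivityControls": 0, "noContentControls": 1,
    },
    "controls": [
        {"controlId": "6.2.4.a", "title": "Injection Attacks", "status": "covered",
         "cwes": ["CWE-89", "CWE-78", "CWE-79"], "eligibleUsers": 142, "trainedUsers": 128,
         "coveragePercent": 90.1,
         "topics": [{"topicId": "sql-injection", "cwes": ["CWE-89"]},
                    {"topicId": "os-command-injection", "cwes": ["CWE-78"]},
                    {"topicId": "xss", "cwes": ["CWE-79"]}]},
        {"controlId": "6.2.4.b", "title": "CONSTRUCTED PLACEHOLDER CONTROL", "status": "partial",
         "cwes": ["CWE-120", "CWE-787"], "eligibleUsers": 142, "trainedUsers": 98,
         "coveragePercent": 69.0,
         "topics": [{"topicId": "buffer-overflow", "cwes": ["CWE-120"]}]},
        {"controlId": "6.2.4.c", "title": "CONSTRUCTED PLACEHOLDER CONTROL", "status": "no-content",
         "cwes": ["CWE-352"], "eligibleUsers": 142, "trainedUsers": 0,
         "coveragePercent": 0.0, "topics": []},
    ],
    "passingScore": 70,
    "coverageThresholdPercent": 80,
    "windowDays": 365,
}

if __name__ == "__main__":
    print("summary consistent:", check_summary_invariant(SAMPLE_REGULATORY_DETAIL["summary"]))
    for bucket, entries in triage_gaps(SAMPLE_REGULATORY_DETAIL).items():
        print(bucket, entries)
```

For the constructed 6.2.4.b control, 80% of 142 eligible users rounds up to 114, so 16 more passing users are needed, and CWE-787 has no shipped topic behind it; 6.2.4.c lands in the content bucket and should be escalated to the training vendor rather than to team leads.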