Compliance

Two parallel coverage views over the same training data. The OWASP view scores your workforce against the four OWASP Top 10 families (Web, API, Mobile, Client). The regulatory view scores the same training against external standards (PCI DSS, ISO/IEC 27001, SOC 2) by mapping each control to its underlying CWEs. Required scope: compliance:read.

Endpoints

MethodPathScopePurpose
GET/api/public/v1/compliance/summarycompliance:readOWASP coverage roll-up across all four frameworks.
GET/api/public/v1/compliance/frameworks/{frameworkId}compliance:readPer-module breakdown for one OWASP framework.
GET/api/public/v1/compliance/regulatory/summarycompliance:readCoverage roll-up for the regulatory frameworks.
GET/api/public/v1/compliance/regulatory/{frameworkId}compliance:readPer-control breakdown for one regulatory framework.

How coverage is calculated

An eligible user is any active organization member whose role is not org_admin. A user is counted as trained on a topic if they have at least one practice attempt with score ≥ passingScore (70) inside the last windowDays (365). A risk item (OWASP module or regulatory control) flips to status covered once the percentage of eligible users trained on it crosses your org's coverageThresholdPercent — defaults to 80, configurable via the admin UI between 50 and 100.

Framework identifiers

TypeIdentifierTitle
OWASPwebOWASP Top 10 (Web)
OWASPapiOWASP API Security Top 10
OWASPmobileOWASP Mobile Top 10
OWASPclientOWASP Client-Side Top 10
Regulatorypci-dssPCI DSS v4.0 — Requirement 6.2.4
Regulatoryiso-27001ISO/IEC 27001:2022 — Annex A secure development
Regulatorysoc-2SOC 2 — Trust Services Criteria (TSC 2017)

OWASP summary

One entry per OWASP framework. Use this for dashboard tiles.

GET /api/public/v1/compliance/summary
Authorization: Bearer scs_live_…

Response

{
  "frameworks": [
    {
      "frameworkId": "web",
      "title": "OWASP Top 10 (Web)",
      "totalRiskItems": 10,
      "coveredRiskItems": 7,
      "partialRiskItems": 2,
      "noActivityRiskItems": 1,
      "noContentRiskItems": 0,
      "eligibleUsers": 142,
      "trainedUsers": 118,
      "coveragePercent": 83.1,
      "avgScore": 86.4
    },
    {
      "frameworkId": "api",
      "title": "OWASP API Security Top 10",
      "totalRiskItems": 10,
      "coveredRiskItems": 5,
      "partialRiskItems": 3,
      "noActivityRiskItems": 2,
      "noContentRiskItems": 0,
      "eligibleUsers": 142,
      "trainedUsers": 91,
      "coveragePercent": 64.1,
      "avgScore": 79.2
    }
  ],
  "passingScore": 70,
  "coverageThresholdPercent": 80,
  "windowDays": 365,
  "generatedAt": "2026-05-29T13:42:11.318Z"
}
  • covered + partial + noActivity + noContent = totalRiskItems.
  • noContent means we have not shipped training for that risk item yet — treat it as a known gap, not a workforce failure.
  • avgScore is the mean of passing attempts within the window, expressed on a 0–100 scale.

Example

curl -sS \
  -H "Authorization: Bearer $SCH_API_KEY" \
  https://api.limeplate.com/api/public/v1/compliance/summary

OWASP framework detail

Drills into one framework — returns the per-module risk items, each with the constituent topics and CWEs. Returns 404 framework_not_found for any identifier outside web | api | mobile | client.

GET /api/public/v1/compliance/frameworks/web
Authorization: Bearer scs_live_…

Response

{
  "frameworkId": "web",
  "title": "OWASP Top 10 (Web)",
  "summary": {
    "frameworkId": "web",
    "title": "OWASP Top 10 (Web)",
    "totalRiskItems": 10,
    "coveredRiskItems": 7,
    "partialRiskItems": 2,
    "noActivityRiskItems": 1,
    "noContentRiskItems": 0,
    "eligibleUsers": 142,
    "trainedUsers": 118,
    "coveragePercent": 83.1,
    "avgScore": 86.4
  },
  "riskItems": [
    {
      "moduleId": "a01-broken-access-control",
      "title": "A01: Broken Access Control",
      "status": "covered",
      "topicsCount": 4,
      "eligibleUsers": 142,
      "trainedUsers": 124,
      "coveragePercent": 87.3,
      "avgScore": 88.1,
      "topics": [
        {
          "topicId": "idor",
          "title": "Insecure Direct Object References",
          "trainedUsers": 121,
          "totalAttempts": 318,
          "avgScore": 87.6,
          "cwes": ["CWE-639", "CWE-285"]
        }
      ]
    }
  ],
  "passingScore": 70,
  "coverageThresholdPercent": 80,
  "windowDays": 365,
  "generatedAt": "2026-05-29T13:42:11.318Z"
}
  • status is one of covered, partial, no-activity, no-content.
  • totalAttempts includes failed attempts within the window; trainedUsers counts only users with at least one passing attempt.

Example

curl -sS \
  -H "Authorization: Bearer $SCH_API_KEY" \
  https://api.limeplate.com/api/public/v1/compliance/frameworks/api

Regulatory summary

Same shape as the OWASP summary but for regulatory frameworks. Each entry carries version and subtitle so you can render the standard's identifying clause directly.

GET /api/public/v1/compliance/regulatory/summary
Authorization: Bearer scs_live_…

Response

{
  "frameworks": [
    {
      "frameworkId": "pci-dss",
      "title": "PCI DSS",
      "version": "v4.0",
      "subtitle": "Payment Card Industry Data Security Standard — Requirement 6 (Secure Systems and Software)",
      "totalControls": 6,
      "coveredControls": 4,
      "partialControls": 1,
      "noActivityControls": 1,
      "noContentControls": 0,
      "eligibleUsers": 142,
      "trainedUsers": 105,
      "coveragePercent": 73.9,
      "avgScore": 84.7
    },
    {
      "frameworkId": "iso-27001",
      "title": "ISO/IEC 27001",
      "version": "2022",
      "subtitle": "Annex A controls — secure development and application security",
      "totalControls": 6,
      "coveredControls": 5,
      "partialControls": 1,
      "noActivityControls": 0,
      "noContentControls": 0,
      "eligibleUsers": 142,
      "trainedUsers": 117,
      "coveragePercent": 82.4,
      "avgScore": 86.0
    }
  ],
  "passingScore": 70,
  "coverageThresholdPercent": 80,
  "windowDays": 365,
  "generatedAt": "2026-05-29T13:42:11.318Z"
}

Example

curl -sS \
  -H "Authorization: Bearer $SCH_API_KEY" \
  https://api.limeplate.com/api/public/v1/compliance/regulatory/summary

Regulatory framework detail

Per-control breakdown. Each control includes the upstream description as the standard publishes it and the CWE set we used to map training to the control. Returns 404 regulatory_framework_not_found for unknown identifiers.

GET /api/public/v1/compliance/regulatory/pci-dss
Authorization: Bearer scs_live_…

Response

{
  "frameworkId": "pci-dss",
  "title": "PCI DSS",
  "version": "v4.0",
  "subtitle": "Payment Card Industry Data Security Standard — Requirement 6 (Secure Systems and Software)",
  "summary": {
    "frameworkId": "pci-dss",
    "title": "PCI DSS",
    "version": "v4.0",
    "subtitle": "Payment Card Industry Data Security Standard — Requirement 6 (Secure Systems and Software)",
    "totalControls": 6,
    "coveredControls": 4,
    "partialControls": 1,
    "noActivityControls": 1,
    "noContentControls": 0,
    "eligibleUsers": 142,
    "trainedUsers": 105,
    "coveragePercent": 73.9,
    "avgScore": 84.7
  },
  "controls": [
    {
      "controlId": "6.2.4.a",
      "title": "Injection Attacks",
      "description": "Address attacks that inject untrusted data into commands or queries (Req 6.2.4.a).",
      "cwes": ["CWE-89", "CWE-78", "CWE-79", "CWE-94", "CWE-611", "CWE-917", "CWE-918"],
      "status": "covered",
      "topicsCount": 7,
      "eligibleUsers": 142,
      "trainedUsers": 128,
      "coveragePercent": 90.1,
      "avgScore": 88.6,
      "topics": [
        {
          "topicId": "sql-injection",
          "title": "SQL Injection",
          "trainedUsers": 131,
          "totalAttempts": 402,
          "avgScore": 89.4,
          "cwes": ["CWE-89"]
        }
      ]
    }
  ],
  "passingScore": 70,
  "coverageThresholdPercent": 80,
  "windowDays": 365,
  "generatedAt": "2026-05-29T13:42:11.318Z"
}

Example

curl -sS \
  -H "Authorization: Bearer $SCH_API_KEY" \
  https://api.limeplate.com/api/public/v1/compliance/regulatory/iso-27001