Gap Analysis API
Transform raw security findings into actionable compliance posture insights across multiple regulatory frameworks. The Gap Analysis API bridges the gap between technical security findings and compliance requirements.
- 11 Frameworks: HIPAA, CMMC, SOC2, ISO27001, PCI DSS, and more
- Real-time Analysis: process 500+ findings in under 2 seconds
- Prioritized Gaps: smart remediation prioritization
- Export Reports: JSON, CSV, PDF, XLSX formats
Base URL: https://api.cseregistry.org/v1/gap-analysis

Tier Access
| Tier | Access | Limits |
|---|---|---|
| Community | No access | - |
| Pro | Single framework | 100 findings/request, 30-day retention |
| Teams | Multi-framework, comparisons | 500 findings/request, 90-day retention |
| Enterprise | All features + custom frameworks | 10,000 findings/request, 365-day retention |
Analyze Compliance Gaps
POST /gap-analysis

Analyzes security findings against one or more compliance frameworks to identify gaps, calculate compliance posture, and generate remediation guidance.
Request Body
| Field | Type | Description |
|---|---|---|
| findings | array | Array of security findings to analyze (required) |
| frameworks | string[] | Framework codes to analyze against (required) |
| options.include_resolved | boolean | Include resolved findings (default: false) |
| options.min_confidence | number | Minimum mapping confidence 0-1 (default: 0.7) |
| options.include_remediation | boolean | Include remediation guidance (default: true) |
| options.include_evidence_requirements | boolean | Include evidence collection requirements (default: false) |
Finding Object
| Field | Type | Description |
|---|---|---|
| id | string | Unique finding identifier (required) |
| signal_id | string | CSE signal ID (required) |
| status | string | open, in_progress, resolved, accepted, false_positive (required) |
| observed_at | string | ISO 8601 timestamp (required) |
| severity | object | { level: "critical"\|"high"\|"medium"\|"low"\|"info", score?: number } |
| artifact | object | { type: string, id: string, provider?: string } |
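The Finding Object table above lists the required fields, the allowed status values and the tier limits that the API enforces server-side (GAP_INVALID_FINDING, GAP_TOO_MANY_FINDINGS, GAP_TOO_MANY_FRAMEWORKS). Validating the same constraints client-side before calling the endpoint turns a rejected request into a precise local error, and the response is easier to act on once the gaps are flattened and ordered by remediation priority. The following is an added example, not the CSE Registry's own client library: field names, enumerations and limits come from this page, while `TIER_LIMITS` (the Teams/Enterprise framework cap is not documented, so it is not checked locally), the helper names and the sample data are assumptions or constructed.

```python
"""Client-side validation of Gap Analysis API requests and triage of responses.
Added example, not the CSE Registry's own client; helper names and the sample
data are constructed, tier limits and field names follow the documentation."""
import json
import urllib.request
from datetime import datetime

BASE_URL = "https://api.cseregistry.org/v1/gap-analysis"

# Findings-per-request limits from the tier table. Pro is restricted to one
# framework; the Teams/Enterprise framework cap is not documented, so None means
# "not checked here" (the server still returns GAP_TOO_MANY_FRAMEWORKS).
TIER_LIMITS = {
    "pro": {"findings": 100, "frameworks": 1},
    "teams": {"findings": 500, "frameworks": None},
    "enterprise": {"findings": 10000, "frameworks": None},
}
REQUIRED = ("id", "signal_id", "status", "observed_at")
STATUSES = {"open", "in_progress", "resolved", "accepted", "false_positive"}
LEVELS = {"critical", "high", "medium", "low", "info"}


def validate_finding(finding):
    """Return the problems with one Finding object (empty list means valid)."""
    problems = []
    for field in REQUIRED:
        if not isinstance(finding.get(field), str) or not finding[field]:
            problems.append(f"missing required string field '{field}'")
    if finding.get("status") not in STATUSES:
        problems.append(f"invalid status {finding.get('status')!r}")
    ts = finding.get("observed_at")
    if isinstance(ts, str):
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"observed_at is not ISO 8601: {ts!r}")
    sev = finding.get("severity")
    if isinstance(sev, dict) and sev.get("level") not in LEVELS:
        problems.append(f"invalid severity level {sev.get('level')!r}")
    return problems


def build_request(findings, frameworks, tier, options=None):
    """Build the POST /gap-analysis body, rejecting locally what the API would
    reject with GAP_INVALID_FINDING / GAP_TOO_MANY_FINDINGS / GAP_TOO_MANY_FRAMEWORKS."""
    limits = TIER_LIMITS.get(tier.lower())
    if limits is None:
        raise ValueError(f"tier {tier!r} has no Gap Analysis API access")
    if not frameworks:
        raise ValueError("at least one framework code is required")
    if len(findings) > limits["findings"]:
        raise ValueError(f"{len(findings)} findings exceeds the {tier} limit of {limits['findings']}")
    cap = limits["frameworks"]
    if cap is not None and len(frameworks) > cap:
        raise ValueError(f"{tier} tier allows {cap} framework(s) per request")
    for f in findings:
        problems = validate_finding(f)
        if problems:
            raise ValueError(f"finding {f.get('id')!r}: " + "; ".join(problems))
    body = {"findings": list(findings), "frameworks": list(frameworks)}
    if options:
        body["options"] = dict(options)
    return body


def prioritized_gaps(response):
    """Flatten a POST /gap-analysis response into gaps ordered by remediation
    priority, then by mapping confidence; compliant controls are skipped."""
    rows = []
    for fw in response["data"]["frameworks"]:
        for gap in fw.get("gaps", []):
            if gap["status"] not in ("non_compliant", "partially_compliant"):
                continue
            rows.append({
                "framework": fw["code"],
                "control": gap["control"]["id"],
                "severity": gap["severity"],
                "confidence": gap["confidence"],
                "priority": gap.get("remediation", {}).get("priority", 99),
            })
    rows.sort(key=lambda r: (r["priority"], -r["confidence"]))
    return rows


def submit(body, api_key):
    """POST the body to the API (network call; not exercised offline)."""
    req = urllib.request.Request(
        BASE_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample finding (from the page's example) and a trimmed response in
# the documented shape; "CTRL-EXAMPLE-*" control ids are placeholders.
SAMPLE_FINDING = {
    "id": "FND-001", "signal_id": "CSE-HIPAA-TECH-NO-ENCRYPTION-004",
    "status": "open", "observed_at": "2025-01-01T00:00:00Z",
    "severity": {"level": "high"},
    "artifact": {"type": "cloud-resource", "id": "arn:aws:s3:::patient-records", "provider": "aws"},
}
SAMPLE_RESPONSE = {"data": {"frameworks": [{"code": "HIPAA", "gaps": [
    {"control": {"id": "164.312(a)(2)(iv)"}, "status": "non_compliant",
     "confidence": 0.95, "severity": "high", "remediation": {"priority": 2}},
    {"control": {"id": "CTRL-EXAMPLE-2"}, "status": "partially_compliant",
     "confidence": 0.80, "severity": "medium", "remediation": {"priority": 1}},
    {"control": {"id": "CTRL-EXAMPLE-3"}, "status": "compliant",
     "confidence": 0.90, "severity": "info"},
]}]}}

if __name__ == "__main__":
    print(json.dumps(build_request([SAMPLE_FINDING], ["HIPAA"], "pro"), indent=2))
    for gap in prioritized_gaps(SAMPLE_RESPONSE):
        print(gap)
```

`build_request` fails closed on the cheap checks (tier access, counts, required fields) so that a malformed batch never leaves the host; `submit` is the only function that touches the network and is kept separate so the validation and triage logic can be unit-tested offline.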
Example request:

```bash
curl -X POST "https://api.cseregistry.org/v1/gap-analysis" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "findings": [
      {
        "id": "FND-001",
        "signal_id": "CSE-HIPAA-TECH-NO-ENCRYPTION-004",
        "status": "open",
        "observed_at": "2025-01-01T00:00:00Z",
        "severity": { "level": "high" },
        "artifact": {
          "type": "cloud-resource",
          "id": "arn:aws:s3:::patient-records",
          "provider": "aws"
        }
      }
    ],
    "frameworks": ["HIPAA"],
    "options": {
      "include_remediation": true,
      "include_evidence_requirements": true
    }
  }'
```

Example response:

```json
{
  "data": {
    "analysis_id": "GAP-2025-01-01-abc123",
    "summary": {
      "overall_posture": "at_risk",
      "posture_score": 67.5,
      "total_controls_assessed": 54,
      "controls_by_status": {
        "compliant": 35,
        "partially_compliant": 12,
        "non_compliant": 5,
        "not_assessed": 2
      },
      "critical_gaps": 1,
      "high_risk_gaps": 3
    },
    "frameworks": [
      {
        "code": "HIPAA",
        "name": "HIPAA Security Rule",
        "posture": {
          "status": "at_risk",
          "score": 67.5
        },
        "gaps": [
          {
            "control": {
              "id": "164.312(a)(2)(iv)",
              "title": "Encryption and Decryption"
            },
            "status": "non_compliant",
            "confidence": 0.95,
            "severity": "high",
            "remediation": {
              "priority": 1,
              "effort": "medium",
              "guidance": "Enable encryption on storage resources...",
              "steps": ["Identify resources", "Enable SSE", "Verify"]
            }
          }
        ]
      }
    ],
    "cross_framework_insights": {
      "common_gaps": []
    }
  },
  "meta": {
    "version": "1.0.0",
    "processing_time_ms": 450
  }
}
```

Get Analysis by ID
GET /gap-analysis/:id

Retrieves a previously generated analysis by its ID. Useful for retrieving stored results.
Path Parameters
| Parameter | Description |
|---|---|
| id | The analysis ID (e.g., GAP-2025-01-01-abc123) |
```bash
curl "https://api.cseregistry.org/v1/gap-analysis/GAP-2025-01-01-abc123" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Returns the full analysis result (same format as the POST response).
Compare Analyses
POST /gap-analysis/compare

Compares two analyses to track compliance progress over time. Identifies improved, regressed, new, and resolved gaps.
Request Body
| Field | Description |
|---|---|
| baseline_id | The earlier analysis ID to compare against |
| current_id | The current analysis ID to compare |
| options.include_unchanged | Include controls with no changes (default: false) |
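The compare endpoint classifies each control's movement between two stored analyses as improved, regressed, new or resolved and reports a score delta. The page does not spell out the classification rules, so the following added example (not the API's own implementation) reproduces the documented output shape locally from two POST /gap-analysis responses, which is useful for sanity-checking a comparison before trusting it in a compliance report. Its assumptions: a control that disappears from the gap list counts as compliant (resolved), worse status means partially_compliant is better than non_compliant, and the sample analyses are constructed with placeholder control ids (`CTRL-B`, `CTRL-C`, `CTRL-D`).

```python
"""Local approximation of POST /gap-analysis/compare.
Added example, not the API's own logic: assumes a control absent from a gap
list is compliant, and ranks partially_compliant as better than non_compliant."""

# Worse compliance = higher rank; a control missing from a gap list is treated as compliant.
RANK = {"compliant": 0, "partially_compliant": 1, "non_compliant": 2}


def gap_index(analysis):
    """Map (framework code, control id) -> gap status for one analysis response."""
    index = {}
    for fw in analysis["data"]["frameworks"]:
        for gap in fw.get("gaps", []):
            index[(fw["code"], gap["control"]["id"])] = gap["status"]
    return index


def compare_analyses(baseline, current, include_unchanged=False):
    """Return summary/changes in the documented compare shape, plus the
    per-control detail behind each counter (mirrors options.include_unchanged)."""
    before, after = gap_index(baseline), gap_index(current)
    detail = {"improved": [], "regressed": [], "new_gaps": [], "resolved": [], "unchanged": []}
    for key in sorted(before.keys() | after.keys()):
        b_status = before.get(key, "compliant")
        a_status = after.get(key, "compliant")
        b, a = RANK[b_status], RANK[a_status]
        if b == a:
            bucket = "unchanged"
        elif b == 0:
            bucket = "new_gaps"      # compliant before, a gap now
        elif a == 0:
            bucket = "resolved"      # was a gap, compliant now
        elif a < b:
            bucket = "improved"      # still a gap, but less severe
        else:
            bucket = "regressed"     # still a gap, and worse
        detail[bucket].append({"framework": key[0], "control": key[1],
                               "baseline": b_status, "current": a_status})
    if not include_unchanged:
        detail.pop("unchanged")
    b_score = baseline["data"]["summary"]["posture_score"]
    c_score = current["data"]["summary"]["posture_score"]
    delta = round(c_score - b_score, 2)
    overall = "improved" if delta > 0 else "regressed" if delta < 0 else "unchanged"
    return {
        "summary": {"baseline_score": b_score, "current_score": c_score,
                    "score_change": delta, "overall_change": overall},
        "changes": {k: len(v) for k, v in detail.items() if k != "unchanged"},
        "detail": detail,
    }


def _analysis(score, gaps):
    """Build a minimal analysis in the documented response shape (constructed sample)."""
    return {"data": {"summary": {"posture_score": score}, "frameworks": [
        {"code": "HIPAA", "gaps": [{"control": {"id": cid}, "status": st} for cid, st in gaps]}]}}


# Constructed sample: one control improves, one regresses, one is resolved, one is new.
BASELINE = _analysis(65.0, [("164.312(a)(2)(iv)", "non_compliant"),
                            ("CTRL-B", "partially_compliant"),
                            ("CTRL-C", "non_compliant")])
CURRENT_RUN = _analysis(85.0, [("164.312(a)(2)(iv)", "partially_compliant"),
                               ("CTRL-B", "non_compliant"),
                               ("CTRL-D", "non_compliant")])

if __name__ == "__main__":
    result = compare_analyses(BASELINE, CURRENT_RUN)
    print(result["summary"], result["changes"])
    for bucket, rows in result["detail"].items():
        for row in rows:
            print(bucket, row)
```

Note that a rising overall score can coexist with regressed controls (one here), which is why the per-control `detail` is worth reading alongside the summary: the aggregate number hides which specific requirement got worse.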
Example request:

```bash
curl -X POST "https://api.cseregistry.org/v1/gap-analysis/compare" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "baseline_id": "GAP-2024-12-01-abc",
    "current_id": "GAP-2025-01-01-xyz"
  }'
```

Example response:

```json
{
  "data": {
    "comparison_id": "CMP-2025-01-01-def",
    "summary": {
      "baseline_score": 65.0,
      "current_score": 85.0,
      "score_change": 20.0,
      "overall_change": "improved"
    },
    "changes": {
      "improved": 5,
      "regressed": 1,
      "new_gaps": 2,
      "resolved": 8
    },
    "by_framework": [
      {
        "framework": "HIPAA",
        "baseline_score": 65.0,
        "current_score": 85.0,
        "controls_improved": 4,
        "controls_regressed": 0
      }
    ]
  }
}
```

List Analyses
GET /gap-analysis/summary

Lists all your gap analyses with summary information and pagination.
Query Parameters
| Parameter | Description |
|---|---|
| page | Page number (default: 1) |
| per_page | Results per page (default: 20, max: 50) |
| status | Filter by status: pending, completed, failed |
| framework | Filter by framework code |
Export Analysis
POST /gap-analysis/:id/export

Exports an analysis in various formats for reporting and integration.
Request Body
| Field | Description |
|---|---|
| format | json, csv (Pro+), pdf, xlsx (Teams+) |
| options.include_remediation | Include remediation details |
| options.include_evidence | Include evidence requirements |
| options.frameworks | Filter to specific frameworks |
Export as CSV and save to a file:

```bash
curl -X POST "https://api.cseregistry.org/v1/gap-analysis/GAP-2025-01-01-abc123/export" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"format": "csv"}' \
  -o gap-analysis-report.csv
```

Export as PDF with remediation details:

```bash
curl -X POST "https://api.cseregistry.org/v1/gap-analysis/GAP-2025-01-01-abc123/export" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"format": "pdf", "options": {"include_remediation": true}}'
```

Supported Frameworks
| Framework | Code | Controls |
|---|---|---|
| HIPAA Security Rule | HIPAA | 54 controls |
| CMMC 2.0 | CMMC | 110 controls |
| SOC 2 | SOC2 | 64 controls |
| ISO 27001:2022 | ISO27001 | 93 controls |
| PCI DSS 4.0 | PCIDSS | 64 controls |
| GDPR | GDPR | 50 controls |
| NIST CSF 2.0 | NISTCSF | 106 controls |
| HITRUST CSF 11 | HITRUST | 156 controls |
| CIS Controls 8.1 | CIS | 153 controls |
| FedRAMP Rev5 | FEDRAMP | 421 controls |
| CCPA 2023 | CCPA | 35 controls |
Error Codes
| Code | HTTP | Description |
|---|---|---|
| GAP_INVALID_FINDING | 400 | Finding validation failed |
| GAP_SIGNAL_NOT_FOUND | 400 | Signal ID not in registry |
| GAP_FRAMEWORK_NOT_FOUND | 400 | Invalid framework code |
| GAP_TOO_MANY_FINDINGS | 400 | Exceeded tier finding limit |
| GAP_TOO_MANY_FRAMEWORKS | 400 | Exceeded tier framework limit |
| GAP_TIER_REQUIRED | 403 | Feature requires higher tier |
| GAP_NOT_FOUND | 404 | Analysis ID not found |
| GAP_EXPIRED | 410 | Analysis results expired |