Changelog

Version history for the CSE specification and registry. All notable changes are documented here.

Versioning: CSE uses semantic versioning. Major versions indicate breaking changes, minor versions add new features, and patch versions are for fixes and clarifications.

v1.1.0 - Compliance Findings Catalog

Released: January 2025

Major release introducing the Compliance Findings Catalog - a comprehensive system for normalizing security tool findings to CSE signals with framework crosswalks and gap analysis.

Compliance Findings Catalog (Pro)

  • 1,854 tool mappings from 20 security tools to CSE signals
  • Finding templates with actionable remediation guidance for each signal
  • Normalization API to convert tool-specific findings to CSE format
  • 93K+ framework crosswalks across 132 framework pairs
  • Gap Analysis API for identifying compliance gaps with remediation guidance

Security Tools Supported

  • Cloud Security: AWS Security Hub, Azure Defender, GCP Security Command Center, Prisma Cloud, Wiz, Lacework, Orca Security
  • Container/K8s: Trivy, Aqua Security, Snyk Container, Falco
  • Vulnerability Scanners: Qualys, Nessus, Rapid7 InsightVM
  • SAST/DAST: SonarQube, Checkmarx, Veracode, Burp Suite
  • Secrets Detection: GitLeaks

API Enhancements

  • New /normalize endpoint for finding normalization
  • New /crosswalks endpoint for framework-to-framework mappings
  • New /gap-analysis endpoint for compliance gap identification
  • New /controls endpoint for framework control access
  • Tiered access model with Community, Pro, Teams, and Enterprise tiers

v1.0.0 - Initial Release

Released: December 2024

The initial public release of the Compliance Signal Enumeration specification and registry.

Registry

  • 1,143 signals across 12 compliance frameworks
  • 1,308 control mappings linking signals to framework controls
  • Full coverage of major compliance frameworks including HIPAA, SOC 2, ISO 27001, PCI DSS, CMMC, GDPR, and more

Specification

  • Signal format - Canonical structure for defining compliance-relevant technical conditions
  • Registry format - Manifest and directory structure for the signal registry
  • Mapping format - Structure for linking signals to framework controls
  • Finding format - Standardized structure for recording signal observations
  • Artifact format - Evidence format for supporting findings

API

  • RESTful API for programmatic registry access
  • Signal listing, filtering, and search endpoints
  • Control mapping retrieval
  • Domain and statistics endpoints
  • Community tier with 10,000 requests/day

Documentation

  • Complete specification documentation
  • API reference with examples
  • Integration guides for security tools, compliance platforms, GRC systems, and CI/CD pipelines
  • Web-based registry browser

Domains Included

Domain      Signals
FEDRAMP     145
CMMC        134
HITRUST     126
CIS         120
NISTCSF     106
ISO27001    93
GDPR        80
HIPAA       75
CCPA        70
PCIDSS      64
SOC2        64
GEN         55

Upcoming

Features and improvements planned for future releases:

Registry Expansion

  • Additional signals for cloud-native security patterns
  • Expanded coverage for container and Kubernetes security
  • More detailed detection conditions and artifact specifications

New Frameworks

  • NIST 800-53 mappings
  • StateRAMP mappings
  • Industry-specific frameworks based on community requests

API Enhancements

  • Webhook notifications for registry updates
  • Bulk export endpoints
  • GraphQL API (under consideration)

SDKs (Coming Soon)

  • Official Python SDK with async support
  • TypeScript/JavaScript SDK for Node.js and browsers
  • Go SDK for high-performance integrations
  • CLI tool for signal lookup and validation

Contributing

Want to contribute to CSE? Here's how:

  • Report issues: Open an issue for bugs, inaccuracies, or suggestions
  • Propose signals: Submit new signal proposals via GitHub
  • Expand mappings: Contribute mappings to additional frameworks
  • Improve docs: Submit pull requests for documentation improvements

See the contribution guidelines for more details.

Subscribing to Updates

Stay informed about CSE updates:

  • GitHub: Watch the repository for releases and discussions
  • API: Check the /stats endpoint for registry version