# Compliance Reports
rimae/scan provides built-in compliance reporting for major regulatory frameworks. Reports are generated from live system data -- vulnerability matches, audit logs, SLA metrics, integration status, and asset inventory -- and can be exported for auditor review.
## Supported Frameworks
| Framework | Standard | Controls |
|---|---|---|
| ISO 27001:2022 | Information security management system | 16 controls |
| SOC 2 Type II | Trust Services Criteria | 14 controls |
| PCI DSS 4.0 | Payment Card Industry Data Security | 10 controls |
| NIST CSF 2.0 | Cybersecurity Framework | 12 controls |
| CIS Controls v8 | Critical Security Controls | 10 controls |
| HIPAA Security Rule | Health data safeguards | 9 controls |
Note: The control counts reflect the subset of each framework where rimae/scan provides automated evidence. Full framework compliance requires additional controls outside the scope of vulnerability management.
## Report Types
| Type | Description |
|---|---|
| Full Assessment | Complete control-by-control assessment with auto-collected evidence |
| Gap Analysis | Identifies controls without evidence or with open findings |
| Evidence Package | Collected evidence bundle for auditor review |
| Executive Summary | High-level compliance posture overview for management |
| Integration Summary | Report on data from enabled integrations (SIEM, scanners, threat intel) |
| Remediation Progress | Vulnerability remediation metrics and SLA compliance status |
## Generating a Report

### Via the UI
- Navigate to Reports > Compliance Reports
- Click Generate Report
- Select a framework, report type, and output format
- The report is queued as a background task (HTTP 202)
- When complete, the report appears in the list with a download link
### Via the API

```bash
# Generate a report
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"title": "Q1 2026 ISO 27001 Assessment", "framework": "iso27001", "report_type": "full_assessment", "format": "pdf"}' \
  https://rimae-scan.example.com/api/reports/generate

# List reports
curl -H "Authorization: Bearer $TOKEN" \
  "https://rimae-scan.example.com/api/reports?framework=iso27001&page_size=10"

# Get report with sections
curl -H "Authorization: Bearer $TOKEN" \
  https://rimae-scan.example.com/api/reports/<report-id>
```
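The curl calls above are one-shot; in practice the generate request only queues a background task (HTTP 202), so a script has to poll the report endpoint until the download link appears. The following Python client is an added example, not code from rimae/scan: it sends the same requests as the curl commands through an injectable transport so the polling logic can be exercised offline. It assumes that the 202 body returns the new report's id in an `id` field, that a finished report exposes its download link as a `download_url` field, and that the token is supplied in a `TOKEN` environment variable; none of those names are documented on this page.

```python
"""Submit a compliance report and poll until it is downloadable (added example, not rimae/scan code)."""
import json
import os
import time
import urllib.request
from typing import Callable, Optional, Tuple

BASE_URL = "https://rimae-scan.example.com"  # deployment URL used in the curl examples

# Transport signature: (method, url, token, json_body_or_None) -> (http_status, parsed_json)
Transport = Callable[[str, str, str, Optional[dict]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, token: str, body: Optional[dict] = None) -> Tuple[int, dict]:
    """Real transport over urllib; sends the same headers the curl examples use."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def submit_report(transport: Transport, token: str, title: str, framework: str,
                  report_type: str, fmt: str = "pdf") -> str:
    """POST /api/reports/generate. The docs state the job is queued with HTTP 202;
    ASSUMPTION: the 202 body carries the new report's id in an "id" field."""
    for name, value in (("title", title), ("framework", framework), ("report_type", report_type)):
        if not value or not value.strip():
            raise ValueError(f"{name} must not be empty")
    payload = {"title": title, "framework": framework, "report_type": report_type, "format": fmt}
    status, body = transport("POST", f"{BASE_URL}/api/reports/generate", token, payload)
    if status != 202:
        raise RuntimeError(f"expected HTTP 202 (queued), got {status}: {body}")
    report_id = body.get("id")
    if not report_id:
        raise RuntimeError(f"no report id in response: {body}")
    return str(report_id)


def wait_for_report(transport: Transport, token: str, report_id: str,
                    timeout_s: float = 600.0, interval_s: float = 5.0,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> dict:
    """GET /api/reports/<id> until the report is downloadable.
    The docs say a finished report "appears in the list with a download link";
    ASSUMPTION: that link is exposed as a "download_url" field. Status names are not
    documented on this page, so readiness is judged by the link, not by a status string."""
    deadline = clock() + timeout_s
    while True:
        status, report = transport("GET", f"{BASE_URL}/api/reports/{report_id}", token, None)
        if status != 200:
            raise RuntimeError(f"GET report {report_id} returned HTTP {status}")
        if report.get("download_url"):
            return report
        if clock() >= deadline:
            raise TimeoutError(f"report {report_id} not ready after {timeout_s}s")
        sleep(interval_s)


def generate_and_wait(transport: Transport, token: str, title: str, framework: str,
                      report_type: str, fmt: str = "pdf", **poll) -> dict:
    """Convenience wrapper: submit, then block until the report is ready."""
    report_id = submit_report(transport, token, title, framework, report_type, fmt)
    return wait_for_report(transport, token, report_id, **poll)


if __name__ == "__main__":
    # Same request as the first curl example; TOKEN is assumed to be in the environment.
    ready = generate_and_wait(urllib_transport, os.environ["TOKEN"],
                              "Q1 2026 ISO 27001 Assessment", "iso27001", "full_assessment")
    print(ready["download_url"])
```

Because `sleep` and `clock` are parameters, the timeout and retry behaviour can be unit-tested without waiting, and a non-202 answer to the generate call fails loudly instead of being polled forever.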
## Report Status Lifecycle

## Framework Controls
Each framework maps to specific controls that rimae/scan can assess using internal data:
### ISO 27001:2022
Key controls with automated evidence:
| Control | Name | Data Source |
|---|---|---|
| A.8.8 | Management of technical vulnerabilities | Vulnerability matches, remediation status |
| A.8.15 | Logging | Audit log records |
| A.8.16 | Monitoring activities | SIEM alert integration |
| A.5.26 | Response to information security incidents | Resolved vulnerability matches |
| A.8.1 | User endpoint devices | Asset inventory |
### SOC 2 Type II
Key controls with automated evidence:
| Control | Name | Data Source |
|---|---|---|
| CC6.8 | Vulnerability Management | Vulnerability matches and scoring |
| CC7.1 | Detection and Monitoring | SIEM alerts from enabled integrations |
| CC7.2 | Security Event Analysis | Threat intelligence correlation |
| CC3.2 | Risk Assessment | Composite risk scores per asset |
| A1.1 | System Availability | SLA metrics and remediation times |
### PCI DSS 4.0
Key controls with automated evidence:
| Control | Name | Data Source |
|---|---|---|
| 6.3.1 | Identify Security Vulnerabilities | Vulnerability source crawl status |
| 6.3.3 | Patch Management | Remediation queue and SLA compliance |
| 11.3.1 | Vulnerability Scanning | Scan run history |
| 10.2.1 | Audit Logs | Audit log records |
## Evidence Tasks
Evidence tasks provide a structured workflow for collecting and managing compliance evidence. Each task maps to a specific framework control and tracks the evidence collection status.
### Task Workflow

### Creating Evidence Tasks

```bash
# Create a task for a specific control
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"framework": "iso27001", "control_id": "A.8.8", "control_name": "Management of technical vulnerabilities", "assignee": "security-team", "due_date": "2026-06-30"}' \
  https://rimae-scan.example.com/api/evidence-tasks

# List tasks filtered by framework
curl -H "Authorization: Bearer $TOKEN" \
  "https://rimae-scan.example.com/api/evidence-tasks?framework=iso27001"

# Update task status
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status": "completed", "notes": "Reviewed remediation queue — all critical vulns resolved within SLA"}' \
  https://rimae-scan.example.com/api/evidence-tasks/<task-id>
```
### Uploading Evidence

Attach supporting documents (screenshots, exports, policy documents) to evidence tasks:

```bash
# Upload an attachment
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -F "file=@vuln-scan-report-q1.pdf" \
  https://rimae-scan.example.com/api/evidence-tasks/<task-id>/attachments

# List attachments
curl -H "Authorization: Bearer $TOKEN" \
  https://rimae-scan.example.com/api/evidence-tasks/<task-id>/attachments

# Download an attachment
curl -H "Authorization: Bearer $TOKEN" \
  https://rimae-scan.example.com/api/evidence-tasks/<task-id>/attachments/<attachment-id>/download
```
### Attachment Limits
| Constraint | Value |
|---|---|
| Max file size | 50 MB |
| Storage location | `<data_dir>/evidence/<task-id>/` |
| Accepted formats | Any (PDF, PNG, XLSX, etc.) |
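The evidence-task and attachment calls above are easy to script, but two things are worth checking on the client before any bytes leave the machine: that the task body carries a well-formed ISO due date, and that an attachment does not exceed the 50 MB limit from the table (a rejected 50 MB upload wastes the whole transfer). The following Python helpers are an added example, not rimae/scan code: they build the same request bodies as the curl commands, including the multipart body that `curl -F "file=@..."` produces, with an injectable transport so they can be tested offline. Assumed, not documented on this page: that create and upload answer with HTTP 200 or 201, that the limit is read conservatively as 50,000,000 bytes, and the `task-1` id and PDF bytes used in the test are constructed.

```python
"""Create an evidence task and upload an attachment with client-side checks (added example)."""
import datetime as dt
import json
import os
import urllib.request
import uuid
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://rimae-scan.example.com"
# "Max file size: 50 MB" from the attachment limits table; ASSUMPTION: read as decimal
# megabytes, the stricter interpretation, so the pre-check never passes a file the server rejects.
MAX_ATTACHMENT_BYTES = 50_000_000

# Transport signature: (method, url, token, extra_headers, raw_body) -> (http_status, parsed_json)
Transport = Callable[[str, str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, token: str,
                     headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Real transport over urllib with the bearer header used by the curl examples."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def build_evidence_task(framework: str, control_id: str, control_name: str,
                        assignee: str, due_date: str) -> dict:
    """Assemble the POST /api/evidence-tasks body from the curl example, validating inputs."""
    if not all((framework, control_id, control_name, assignee)):
        raise ValueError("framework, control_id, control_name and assignee are required")
    dt.date.fromisoformat(due_date)  # raises ValueError for non-ISO dates such as 30/06/2026
    return {"framework": framework, "control_id": control_id, "control_name": control_name,
            "assignee": assignee, "due_date": due_date}


def check_attachment_size(size_bytes: int) -> int:
    """Enforce the documented 50 MB limit before uploading."""
    if size_bytes > MAX_ATTACHMENT_BYTES:
        raise ValueError(f"attachment is {size_bytes} bytes; server limit is {MAX_ATTACHMENT_BYTES} bytes (50 MB)")
    return size_bytes


def build_multipart(field: str, filename: str, content: bytes,
                    boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Build a multipart/form-data body equivalent to `curl -F "file=@<filename>"`.
    Returns (Content-Type header value, body bytes). Only the base name is sent, never a path."""
    boundary = boundary or uuid.uuid4().hex
    safe_name = os.path.basename(filename).replace('"', "")
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{safe_name}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def create_task(transport: Transport, token: str, task: dict) -> dict:
    """POST /api/evidence-tasks. ASSUMPTION: success is HTTP 200 or 201 with the task as JSON."""
    status, body = transport("POST", f"{BASE_URL}/api/evidence-tasks", token,
                             {"Content-Type": "application/json"}, json.dumps(task).encode())
    if status not in (200, 201):
        raise RuntimeError(f"create task failed with HTTP {status}: {body}")
    return body


def upload_attachment(transport: Transport, token: str, task_id: str,
                      filename: str, content: bytes) -> dict:
    """POST /api/evidence-tasks/<task-id>/attachments after the size pre-check."""
    check_attachment_size(len(content))
    content_type, body = build_multipart("file", filename, content)
    status, resp = transport("POST", f"{BASE_URL}/api/evidence-tasks/{task_id}/attachments",
                             token, {"Content-Type": content_type}, body)
    if status not in (200, 201):
        raise RuntimeError(f"upload failed with HTTP {status}: {resp}")
    return resp


if __name__ == "__main__":
    token = os.environ["TOKEN"]  # assumed environment variable, as in the curl examples
    task = create_task(urllib_transport, token, build_evidence_task(
        "iso27001", "A.8.8", "Management of technical vulnerabilities", "security-team", "2026-06-30"))
    with open("vuln-scan-report-q1.pdf", "rb") as fh:
        print(upload_attachment(urllib_transport, token, str(task["id"]), fh.name, fh.read()))
```

The multipart builder strips directory components from the filename so an evidence bundle never leaks local paths into the audit record, and the size check runs on the in-memory length, which is what the server will receive.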
## Auto-Evidence

rimae/scan can automatically populate evidence for controls where internal data is available. Auto-evidence is stored in the `auto_evidence` JSON field and supplements (but does not replace) manually uploaded documents.
Data sources for auto-evidence:
| Query | Description |
|---|---|
| `vuln_matches` | Current vulnerability match counts and severity breakdown |
| `vuln_remediation` | Remediation metrics (resolved count, MTTR) |
| `audit_log` | Audit trail records for the assessment period |
| `siem_alerts` | SIEM alert counts from enabled integrations |
| `asset_inventory` | Asset count, OS distribution, staleness metrics |
| `scan_runs` | Vulnerability scan history and frequency |
| `sla_metrics` | SLA compliance rates by severity |
| `threat_intel` | Threat intelligence indicator counts |
| `github_scanning` | Repository vulnerability scan results |
## API Reference

### Reports

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | `/api/reports/frameworks` | List supported frameworks | Any |
| GET | `/api/reports/report-types` | List available report types | Any |
| GET | `/api/reports/frameworks/:framework/controls` | List controls for a framework | Any |
| POST | `/api/reports/generate` | Generate a compliance report | Any |
| GET | `/api/reports` | List generated reports | Any |
| GET | `/api/reports/:report_id` | Get report with sections | Any |
| DELETE | `/api/reports/:report_id` | Delete a report | Admin |
### Evidence Tasks

| Method | Endpoint | Description | Auth |
|---|---|---|---|
| POST | `/api/evidence-tasks` | Create an evidence task | Any |
| GET | `/api/evidence-tasks` | List evidence tasks | Any |
| GET | `/api/evidence-tasks/:task_id` | Get task with attachments | Any |
| PATCH | `/api/evidence-tasks/:task_id` | Update task status/details | Any |
| DELETE | `/api/evidence-tasks/:task_id` | Delete a task | Admin |
| POST | `/api/evidence-tasks/:task_id/attachments` | Upload evidence file | Any |
| GET | `/api/evidence-tasks/:task_id/attachments` | List attachments | Any |
| GET | `/api/evidence-tasks/:task_id/attachments/:id/download` | Download file | Any |
| DELETE | `/api/evidence-tasks/:task_id/attachments/:id` | Delete attachment | Any |
## Related Documentation
- Remediation Queue -- Vulnerability triage and resolution workflow
- Correlation Engine -- How vulnerability matches and scores are computed
- Settings Reference -- System configuration including SLA policies
- Exports -- Standard vulnerability export formats
- API Reference -- Complete API documentation