Import feature - api endpoint #1356

Open
KlavsKlavsen opened this issue Jan 13, 2025 · 1 comment
Labels
integration question Further information is requested


KlavsKlavsen commented Jan 13, 2025

Problem statement
I would love to be able to point to an API to get a list of assets, applied controls, risk scenarios etc.

Expected behavior
This way I could automate the lists I work with - f.ex. by pointing that to my CMDB (and writing a function to respond in a CISO compatible way) - and you could add specific CMDBs support in pro edition if you wanted.

Same way, I could point to openvas, openscap or other open source tools - that provide a list of "risks" - kube-bench f.ex. for k8s security benchmark finds.

Also point it to something getting all public certs issued for my domains (as those are a clear risk too).

It's merely an idea at this point, but the data (such as servers and services on them - often identified by certs) shouldn't have to be manually entered, as that will easily become stagnant and wrong.

Such an API and data standard would allow other open source tools to provide data, always updated - to CISO - helping to keep the security "in check" - and ciso could alert on new un-mitigated risks f.ex. (from a security scanner) etc.

@KlavsKlavsen KlavsKlavsen added the question Further information is requested label Jan 13, 2025
@ab-smith
Contributor

Hello @KlavsKlavsen and thank you for the inputs,
This is indeed part of our next phase for the product around integration. We've finalised a first draft for the design that we'll be presenting during the office hours live sessions.
Essentially, the automation will be handled externally on an orchestrator of your choice (we'll suggest one based on the community votes with samples and let people contribute to that) and the orchestrator will just have to send a message to a broker on which CA will be listening to process events asynchronously, which will scale way better in the long run. We'll just impose the message schemas.
Let me know if this is what you had in mind.
