Returns platform health status. No authentication required. Use this endpoint to verify connectivity from CI/CD pipelines before triggering a scan.

{ "status": "ok", "version": "1.0.0" }

Returns all 7 supported compliance frameworks with their identifiers, display names, descriptions, and which plan tiers have access. Use the id field when specifying frameworks in /scan requests.

[
  {
    "id":          "iso42001",
    "name":        "ISO 42001:2023",
    "description": "AI Management Systems standard",
    "category":    "AI Governance",
    "plans":       ["free_trial", "starter", "professional", "enterprise"]
  },
  { "id": "sr11_7",      "name": "SR 11-7",         ... },
  { "id": "eu_ai_act",   "name": "EU AI Act",        ... },
  { "id": "nist_ai_rmf", "name": "NIST AI RMF 1.0", ... },
  { "id": "mas_trm",     "name": "MAS TRM",          ... },
  { "id": "dora",        "name": "DORA",             ... },
  { "id": "sox",         "name": "SOX",              ... }
]

Returns all subscription tiers with their scan quotas, framework access, governance cadence, and feature flags. Useful for building plan-upgrade prompts or quota dashboards in your own tooling.

Returns your tenant's subscription plan, scan quota usage, linked Azure subscription IDs, and current governance settings. This is the primary endpoint used by the session widget and portal UI.

{
  "tenant_id":         "3f8a2b1c-...",
  "purchaser_email":   "you@company.com",
  "plan_id":           "professional",
  "status":            "active",
  "scan_count":        12,
  "scan_limit":        100,
  "azure_subscription_ids": ["sub-id-1", "sub-id-2"],
  "governance_enabled": true,
  "governance_cadence": "biweekly",
  "report_history_days": 90
}

Replace the list of Azure subscription IDs linked to your account. Plan-based limits apply: Free Trial (1), Starter (3), Professional (15), Enterprise (unlimited). All future scans will scan across all linked subscriptions.

{ "subscription_ids": ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"] }

Store or replace the Azure service principal credentials used by Guardia AI to scan your Azure subscriptions. Credentials are encrypted at rest using AES-256-GCM and never logged. The service principal must have Reader RBAC access on all linked subscriptions.

{
  "tenant_id":     "your-azure-tenant-id",
  "client_id":     "your-service-principal-app-id",
  "client_secret": "your-service-principal-secret"
}

Triggers a synchronous compliance scan of your linked Azure subscriptions against the specified regulatory frameworks. Returns a full JSON report with per-resource findings, risk scores, and AI-generated narratives. This is the primary endpoint for CI/CD integration — fail your pipeline on critical_count > 0.

{
  "frameworks":     ["iso42001", "sr11_7"],
  "subscription_id": "optional-override-sub-id",
  "generate_narrative": true,
  "scan_label":     "pre-deploy-check"
}

{
  "report_id":        "COMP-20260519-143022",
  "tenant_id":        "3f8a2b1c-...",
  "scan_ts":          "2026-05-19T14:30:22Z",
  "frameworks":       ["iso42001", "sr11_7"],
  "aggregate_score":  78,
  "critical_count":   2,
  "high_count":       5,
  "medium_count":     11,
  "findings": [
    {
      "control_id":    "ISO42001-4.1",
      "framework":     "iso42001",
      "resource":      "/subscriptions/.../providers/Microsoft.MachineLearning/workspaces/ws1",
      "severity":      "critical",
      "status":        "fail",
      "title":         "ML Workspace lacks diagnostic logging",
      "description":   "...",
      "narrative":     "Azure OpenAI generated explanation...",
      "remediation":   "Enable diagnostic settings on the workspace..."
    }
  ]
}

- name: Run Guardia compliance gate
  run: |
    RESULT=$(curl -s -X POST https://app.trustguardia.com/scan \
      -H "X-API-Key: $GUARDIA_KEY" \
      -H "Content-Type: application/json" \
      -d '{"frameworks":["iso42001","sr11_7"],"scan_label":"${{ github.sha }}"}')

    CRITICAL=$(echo $RESULT | jq '.critical_count')
    if [[ $CRITICAL -gt 0 ]]; then
      echo "❌ BLOCKED: $CRITICAL critical compliance findings"
      echo "$RESULT" | jq '.findings[] | select(.severity=="critical")'
      exit 1
    fi
    echo "✅ Compliance gate passed"

Runs a compliance scan in dry-run mode. The scan is fully executed but the result is not persisted and does not count against your monthly scan quota. Useful for testing pipeline integration or previewing findings before a scheduled release. Accepts the same request body as /scan.

Same structure as /scan but with "dry_run": true and no report_id — the report is not stored.

Returns a diff between two previously saved compliance reports — new findings, resolved findings, score delta, and severity changes. Useful for tracking remediation progress between deployments.

{ "report_a": "COMP-20260515-120000", "report_b": "COMP-20260519-143022" }

{
  "score_delta":     +6,
  "new_findings":    [ ... ],
  "resolved":        [ ... ],
  "unchanged":       [ ... ]
}

Returns all saved compliance reports for your tenant, newest first. Reports are retained per your plan's history window: Free Trial/Starter (30 days), Professional (90 days), Enterprise (365 days).

Returns the full JSON payload of a saved compliance report by ID. Includes all findings, narratives, scores, and resource paths. Report IDs follow the format COMP-YYYYMMDD-HHmmss.

Permanently deletes all manual scan reports for your tenant. Governance (CCM) scan reports are not affected. Each deletion is audit-logged. This action is irreversible — deleted reports cannot be recovered from the portal (deleted reports are non-recoverable from the portal).

{ "status": "ok", "deleted": 7 }

Permanently deletes a single compliance report by ID. Deletion is audit-logged.

{ "status": "ok", "deleted": 1, "report_id": "COMP-20260519-143022" }

Returns your tenant's Continuous Control Monitoring (CCM) configuration: cadence, last scan time, next scheduled scan, history of governance scan report IDs, and current health status.

{
  "governance_enabled":   true,
  "cadence":              "biweekly",
  "last_scan_ts":         "2026-05-12T06:00:00Z",
  "next_scan_ts":         "2026-05-26T06:00:00Z",
  "governance_score":     82,
  "drift_detected":       false,
  "history": [
    { "report_id": "COMP-20260512-060012", "score": 82, "ts": "2026-05-12T06:00:12Z" }
  ]
}

Deletes governance (CCM) scan history reports for your tenant. Can be used to clear all history or selectively remove a specific report. Each deletion is audit-logged internally.

{
  "selective":  false,
  "report_id":  "COMP-20260512-060012"
}

Returns whether IaC remediation scripts are available for a report, how many findings have associated scripts, and which formats (ARM, Bicep, Terraform) are ready to download.

{
  "report_id":      "COMP-20260519-143022",
  "iac_available":  true,
  "finding_count":  7,
  "formats":        ["arm", "bicep", "terraform"]
}

Downloads the Infrastructure-as-Code remediation script for a report in the specified format. Scripts are pre-filled with your subscription IDs, resource names, resource group paths, and the specific control being remediated. Apply them directly to your deployment pipeline.

Returns the script as plain text (text/plain) or JSON depending on the format. Attach to your CI/CD artifact store or apply directly via az deployment / terraform apply.

Returns whether the authenticated tenant has access to Enterprise scorecard features, and the endpoints to call if access is granted.

{
  "report_id":           "COMP-20260519-143022",
  "scorecard_available": true,
  "plan":                "enterprise",
  "upgrade_message":     null,
  "endpoints": {
    "scorecard":         "/report/COMP-20260519-143022/scorecard",
    "roadmap":           "/report/COMP-20260519-143022/roadmap",
    "auditor_package":   "/report/COMP-20260519-143022/auditor-package"
  }
}

Generates an AI-powered board-ready Executive Compliance Scorecard from a scan report. Returns RAG (Red/Amber/Green) status per framework, top compliance gaps in plain business language, compliance trajectory, and a CRO-ready board narrative. Backed by Azure OpenAI.

{
  "report_id":    "COMP-20260519-143022",
  "plan":         "enterprise",
  "generated_at": "2026-05-28T14:30:00Z",
  "scorecard": {
    "overall_rag":        "AMBER",
    "overall_rag_reason": "Critical gaps in access control and model governance remain unresolved.",
    "framework_rag": {
      "sr11_7":     "RED",
      "iso42001":   "AMBER",
      "eu_ai_act":  "AMBER",
      "nist_ai_rmf":"GREEN"
    },
    "top_gaps": [
      { "gap": "No model validation documentation found", "business_impact": "Regulatory exam failure risk", "severity": "CRITICAL" }
    ],
    "trajectory":      "IMPROVING",
    "trajectory_note": "Score improved 12 points across last 3 scans.",
    "board_narrative": "Our Azure AI infrastructure achieved an overall compliance score of 68/100 this period. Two critical gaps in SR 11-7 model governance require immediate remediation. The programme is trending in the right direction with 12-point improvement over the last quarter."
  }
}

Generates a prioritised remediation roadmap from scan findings. Each action item includes owner role, estimated effort level, and Azure-specific remediation steps. Grouped into 30-day (immediate/critical), 60-day (short-term/high), and 90-day (strategic/medium-low) horizons.

{
  "report_id":    "COMP-20260519-143022",
  "plan":         "enterprise",
  "generated_at": "2026-05-28T14:30:00Z",
  "roadmap": {
    "immediate": [
      {
        "action":      "Enable diagnostic logging on all Azure ML workspaces",
        "framework":   "sr11_7",
        "effort":      "Low",
        "owner_role":  "Cloud Security Engineer",
        "azure_steps": "Navigate to Azure ML workspace → Diagnostic settings → Enable all log categories to Log Analytics.",
        "finding_ref": "SR117-LOG-001"
      }
    ],
    "short_term":  [ "..." ],
    "strategic":   [ "..." ],
    "summary_note": "Focus immediate effort on model governance documentation and logging gaps to address the highest-risk SR 11-7 findings."
  }
}

Generates a structured auditor evidence package for presenting to OCC examiners, FCA supervisors, EU AI Act notified bodies, or internal audit teams. Includes assessment scope, methodology, per-framework coverage, finding summary, attestation statement, and recommended next review date.

{
  "report_id":    "COMP-20260519-143022",
  "plan":         "enterprise",
  "generated_at": "2026-05-28T14:30:00Z",
  "auditor_package": {
    "assessment_scope":       "Azure subscription sub-abc123 assessed for AI infrastructure compliance across 7 regulatory frameworks.",
    "methodology":            "Read-only scan of Azure Resource Manager and Microsoft Graph APIs. No data plane access. No workload modification.",
    "frameworks_coverage":    [
      { "framework": "SR 11-7", "standard_reference": "SR 11-7 (2011)", "controls_assessed": 12, "gaps_found": 4 }
    ],
    "finding_summary":        { "critical": 2, "high": 5, "medium": 8, "low": 3 },
    "attestation_statement":  "This assessment was conducted by Guardia AI on 2026-05-28 using automated infrastructure scanning. All findings reflect the state of the Azure environment at the time of scan.",
    "assessor_note":          "This is an automated assessment. Manual review is recommended for controls requiring human judgement.",
    "recommended_next_review":"Within 30 days given critical findings identified."
  }
}

Returns the current CMK configuration status. Use GET /tenant/encryption/status for the full extended view including mode history and version fingerprint.

{
  "plan":                  "professional",
  "cmk_supported":         true,
  "cmk_configured":        true,
  "key_vault_url":         "https://your-kv.vault.azure.net/",
  "key_vault_secret_name": "guardia-tenant-key",
  "cmk_key_version":       "abc123def456...",
  "cmk_verified_at":       "2026-05-20T09:00:00Z",
  "cmk_blocked":           false,
  "cmk_last_error":        null,
  "cmk_downgrade_pending": false,
  "upgrade_required":      false
}

Extended encryption status including the last 10 mode-change events and the current key version fingerprint. Use this to audit all PMK↔CMK switches and key rotations on your account.

{
  "encryption_mode":         "cmk",
  "cmk_supported":           true,
  "cmk_configured":          true,
  "key_vault_url":           "https://your-kv.vault.azure.net/",
  "key_vault_secret_name":   "guardia-tenant-key",
  "cmk_key_version":         "abc123def456...",
  "cmk_verified_at":         "2026-05-20T09:00:00Z",
  "cmk_blocked":             false,
  "cmk_last_error":          null,
  "cmk_downgrade_pending":   false,
  "encryption_mode_history": [
    {
      "mode":          "cmk",
      "changed_at":    "2026-05-20T09:00:00Z",
      "changed_by":    "admin@acme.com",
      "previous_mode": "pmk",
      "reason":        "cmk_configure",
      "vault_uri":     "https://your-kv.vault.azure.net/",
      "key_name":      "guardia-tenant-key",
      "key_version":   "abc123def456..."
    }
  ]
}

Enables Customer-Managed Key encryption. Guardia tests connectivity to your Key Vault before saving — the request fails if the vault is unreachable or the secret is inaccessible. On success, a CMK-enabled confirmation email is sent to the account owner and the key version fingerprint is captured for silent-rotation detection.

{
  "key_vault_url":          "https://your-kv.vault.azure.net/",
  "key_vault_secret_name":  "guardia-tenant-key"
}

{
  "ok":              true,
  "message":         "CMK enabled — future reports will be encrypted using your Key Vault secret.",
  "key_version":     "abc123def456...",
  "cmk_verified_at": "2026-05-20T09:00:00Z"
}

{ "detail": "CMK connectivity test failed: Secret 'guardia-key' not found. Fix the issue before enabling CMK." }

Call this after rotating your key in Azure Key Vault to refresh Guardia's stored version fingerprint. Guardia verifies connectivity, reads the current key version, and updates the fingerprint. If the version has changed, a rotation-detected email is sent as an audit record and the mode history is stamped.

This is the manual version of what Guardia's 24-hour health check does automatically. You do not need to call this — but calling it provides immediate confirmation after a rotation.

{
  "ok":              true,
  "rotated":         true,
  "old_version":     "abc123...",
  "new_version":     "def456...",
  "cmk_verified_at": "2026-05-20T10:00:00Z",
  "message":         "Key rotation confirmed — version fingerprint updated."
}

Two-step process. This call initiates the switch — it does not immediately remove CMK. A one-time confirmation link is sent to the account owner's email address, valid for 30 minutes. The switch only completes when that link is clicked (which calls POST /tenant/encryption/confirm-pmk).

Important: Historical reports encrypted with your CMK key remain bound to that Key Vault key after the switch. Do not delete or disable the key — those reports will become permanently unreadable.

{
  "ok":           true,
  "pending":      true,
  "email_sent":   true,
  "message":      "A confirmation link has been sent to admin@acme.com. Click it within 30 minutes to complete the switch to PMK."
}

Completes the CMK → PMK downgrade using the one-time token from the confirmation email. Token expires after 30 minutes. The portal handles this automatically via a URL parameter — you do not need to call this manually unless building a custom integration.

{
  "ok":                 true,
  "mode":               "pmk",
  "cmk_was_accessible": true,
  "warning":            null,
  "message":            "Encryption switched to Platform-Managed Key. Future scans use Guardia's PMK."
}

All errors return a JSON body with a detail field and an appropriate HTTP status code.

{ "detail": "Scan quota exceeded for plan 'starter' (25/25 used this month)" }