SecurityScorecard

Develop on the SecurityScorecard Platform

Create unique customer experiences using our APIs, connect data sources across your technology stack, and build any app or automation you want.

Planning your SecurityScorecard App

SecurityScorecard apps let you extend our platform in multiple ways, by adding new functionality or integrating with other services.

We believe a community-powered marketplace is key to making the world a safer place. Your app can help you and others improve cybersecurity in ways we couldn't imagine, and we can't wait to see it!

To help you plan your app, here are the capabilities a SecurityScorecard app can extend or make use of:

SecurityScorecard API

For building apps that access or manipulate SecurityScorecard resources, including scorecards, portfolios or reports.

When writing integrations for your own organization, you can access our API using a token associated with a bot user. Registering an app, however, lets you (optionally) access specific resources on behalf of any user.

For this purpose, your app can optionally declare a set of required API scopes. During installation, if the user authorizes your app to perform the associated actions, your app is granted an API token to access our API on their behalf. This is implemented through a typical OAuth2 code flow.

example authorization step used by the zapier app
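
The OAuth2 code flow described above, shown from the app's side as an added example (not SecurityScorecard's own code): it builds the authorization redirect with the declared scopes, checks the callback's `state` before accepting the code, and prepares the token exchange. The endpoint URLs, client ID and scope names are placeholders; the real values come from your app registration and the API reference.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values (assumptions): the real endpoints, client credentials and
# scope names come from your app registration and the platform API reference.
AUTHORIZE_URL = "https://platform.example.invalid/oauth/authorize"
REDIRECT_URI = "https://myapp.example.invalid/oauth/callback"
CLIENT_ID = "my-app-client-id"


def start_authorization(scopes):
    """Return (url, state). Store state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def read_callback(callback_url, expected_state):
    """Validate the redirect back to the app and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # e.g. the user declined the requested scopes
        raise PermissionError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # Constant-time comparison; a missing or foreign state means this session
    # did not start the authorization, so the response is rejected.
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code, client_secret):
    """Form fields the app's backend POSTs to the token endpoint (server-side only)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in the redirect
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

Keep the client secret and the resulting API token on the server; neither should reach the browser or be written to logs.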

Actions

For apps that want to extend the workflow automation provided by our Rules by introducing custom actions that can integrate with other services.

When creating Rules, users can select a specific trigger and multiple steps to execute. For each step, the user can select an "action". These include built-in actions like "Add to Portfolio" or "Share Report", as well as additional actions declared by any installed apps.

actions made available by user's installed apps, distinguished by their app logo

If your app declares a new action, endpoints in your app will be invoked both during rule editing (e.g., to display options in the rule builder) and when a step using your action is executing.

Signals

For apps that can extend company scorecards with additional security signals.

SecurityScorecard collects different types of signals (a.k.a. "issues") that are reflected in scorecards to inform on a company's security posture. Your app can introduce new signals that enrich our scorecards with additional data points for both self-monitoring and ecosystem risk monitoring.

an example signal after installing a new app, including the app logo

While these signals are offered to our customers in a similar way to native ones, they currently have some limitations:

  • they don't impact scores; severity can only be INFO or POSITIVE
  • they are not reflected in scorecard event logs or detailed reports
  • they currently can't be used to trigger Rules or filter scorecards in a portfolio

Our signals API lets you send new signals in near-realtime, specifying any internet domain, which we attribute to specific scorecards using our digital footprint information.

In order to make an app, you must create an app manifest. This is a simple internet-facing JSON document that describes your app and declares which of the capabilities above are extended or provided. To get started creating one, see the next section: Creating an App.

Updated about a month ago
