SecurityScorecard apps let you extend our platform in multiple ways, adding new functionality, or integrating with other services.
We believe a community-powered marketplace is key to making the world a safer place, and your app can help you and others improve cybersecurity in ways we couldn't imagine, and we can't wait to see it!
To help you plan your app, here are the capabilities a SecurityScorecard app can extend or make use of:
API access: for building apps that read or modify SecurityScorecard resources such as scorecards, portfolios or reports.
When writing integrations for your own organization, you can access our API using a token associated with a bot user. Registering an app, however, lets you (optionally) access specific resources on behalf of any user who installs it.
To do so, your app can declare a set of required API scopes. During installation, if the user authorizes your app to perform the associated actions, your app is granted an API token that accesses our API on their behalf. This is implemented through a standard OAuth2 authorization code flow.
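As an added illustration (not code from SecurityScorecard or this page), the following Python sketch shows the app side of that authorization code flow: it requests a set of scopes, ties the redirect back to the app with a single-use `state` value so a forged or replayed callback is rejected, exchanges the code for a token, and checks which of the requested scopes the user actually granted. The endpoint URLs, scope names and response field names are assumptions; substitute the values from the SecurityScorecard developer documentation. The token request is injected as a callable so the flow runs offline.

```python
import secrets
import urllib.parse

# Assumed placeholder endpoints: this page does not give the real
# SecurityScorecard OAuth2 URLs, so substitute the documented ones.
AUTHORIZE_URL = "https://platform.example/oauth/authorize"
TOKEN_URL = "https://platform.example/oauth/token"


class OAuthCodeFlow:
    """Minimal authorization-code client for an installed app.

    The app asks for a set of API scopes; the user approves (or trims)
    them during installation, and the app receives a token that acts
    on that user's behalf.
    """

    def __init__(self, client_id, client_secret, redirect_uri, scopes):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.scopes = tuple(scopes)
        # state -> scopes requested; in a real app this lives in the
        # user's server-side session, not in a process-wide dict.
        self._pending = {}

    def start(self):
        """Return (state, authorization URL) to redirect the user to."""
        state = secrets.token_urlsafe(32)  # unguessable and single use
        self._pending[state] = self.scopes
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": " ".join(self.scopes),
            "state": state,
        }
        return state, AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

    def handle_callback(self, callback_url, post):
        """Validate the redirect back to the app and exchange the code.

        `post(url, form_dict) -> dict` performs the token request; it is
        injected so the flow can be exercised without network access.
        """
        query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(callback_url).query))
        if "error" in query:
            # The user declined, or the server rejected the request.
            raise PermissionError(query.get("error_description") or query["error"])
        state = query.get("state", "")
        # An unknown or already-used state means this redirect was not
        # started by the app (CSRF / code injection) or is a replay.
        if state not in self._pending:
            raise ValueError("unknown or replayed state")
        requested = self._pending.pop(state)
        code = query.get("code")
        if not code:
            raise ValueError("callback carried no authorization code")
        token_response = post(TOKEN_URL, {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        # Never assume every requested scope was granted: the user may
        # have approved only some, and the app should degrade accordingly.
        granted = set(token_response.get("scope", "").split())
        missing = sorted(set(requested) - granted)
        return {
            "access_token": token_response["access_token"],
            "scope": sorted(granted),
            "missing_scopes": missing,
        }


def demo():
    """Offline walk-through against a fake token endpoint (constructed data)."""
    flow = OAuthCodeFlow(
        client_id="my-app",
        client_secret="not-a-real-secret",
        redirect_uri="https://myapp.example/oauth/callback",
        scopes=["scorecards:read", "portfolios:write"],  # assumed scope names
    )
    state, _url = flow.start()

    def fake_post(url, form):
        # Pretend the user approved only the read scope.
        assert form["grant_type"] == "authorization_code"
        return {"access_token": "tok-123", "token_type": "bearer",
                "scope": "scorecards:read"}

    callback = f"https://myapp.example/oauth/callback?code=abc123&state={state}"
    return flow.handle_callback(callback, fake_post)
```

In a real deployment the `state` value belongs in the user's server-side session, the token should be stored encrypted at rest, and the app should treat `missing_scopes` as a signal to disable the corresponding features rather than fail later with an authorization error.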
Rule actions: for apps that extend the workflow automation provided by our Rules by introducing custom actions that integrate with other services.
When creating a Rule, users select a trigger and one or more steps to execute. For each step the user selects an "action". These include built-in actions such as "Add to Portfolio" or "Share Report", as well as any additional actions declared by installed apps.
If your app declares a new action, endpoints in your app are invoked both while a rule is being edited (e.g. to display the action's options in the rule builder) and when a step using your action executes.
Signals: for apps that extend company scorecards with additional security signals.
SecurityScorecard collects different types of signals (a.k.a. "issues") that are reflected in scorecards to report on a company's security posture. Your app can introduce new signals that enrich our scorecards with additional data points, for both self-monitoring and ecosystem risk monitoring.
While these signals are offered to our customers much like native ones, they currently have some limitations:
- they don't impact scores; their severity can only be INFO or POSITIVE
- they are not reflected in scorecard event logs or detailed reports
- they can't currently be used to trigger Rules or to filter scorecards in a portfolio
Our signals API lets you send new signals in near real time. Each signal specifies an internet domain, which we attribute to specific scorecards using our digital footprint information.
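Because attribution is keyed on the domain, the most common mistake on the sending side is passing a URL, a hostname with a trailing dot, mixed case, or an internationalized name, so that otherwise identical findings land on different scorecards or are rejected. The following Python helper is an added example (not SecurityScorecard's client or schema): it normalizes the domain, enforces the INFO/POSITIVE severity limitation stated above, and batches signals to an injected transport. The endpoint URL and the payload field names are assumptions.

```python
import json
import re
import urllib.parse

# Documented constraint: app-provided signals are informational only.
ALLOWED_SEVERITIES = {"INFO", "POSITIVE"}

# Assumed placeholder: this page does not give the signals endpoint.
SIGNALS_URL = "https://platform.example/signals"

# One DNS label: letters, digits and inner hyphens, 1-63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(value):
    """Reduce user-supplied input to a bare, lowercase, ASCII domain.

    "HTTPS://Example.COM/path", "example.com." and "example.com" must all
    attribute to the same scorecard, so they must normalize identically.
    """
    text = value.strip()
    if "://" in text:
        host = urllib.parse.urlsplit(text).hostname  # drops scheme, port, path
        if not host:
            raise ValueError(f"no host in {value!r}")
        text = host
    text = text.split("/", 1)[0].rstrip(".").lower()
    text = text.encode("idna").decode("ascii")  # IDN labels -> punycode
    labels = text.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid domain: {value!r}")
    return text


def build_signal(domain, severity, issue_type, detail):
    """Build one signal dict; the field names are assumptions, not the real schema."""
    if severity not in ALLOWED_SEVERITIES:
        raise ValueError(
            f"severity must be one of {sorted(ALLOWED_SEVERITIES)}, got {severity!r}")
    return {
        "domain": normalize_domain(domain),
        "severity": severity,
        "issue_type": issue_type,
        "detail": detail,
    }


def send_signals(signals, post, batch_size=100):
    """Post signals in batches.

    `post(url, body) -> int` performs the HTTP request and returns the
    status code; it is injected so this runs offline. Returns the number
    of signals sent, and stops at the first failed batch.
    """
    sent = 0
    for start in range(0, len(signals), batch_size):
        batch = signals[start:start + batch_size]
        status = post(SIGNALS_URL, json.dumps({"signals": batch}))
        if status != 200:
            raise RuntimeError(f"batch starting at {start} failed with HTTP {status}")
        sent += len(batch)
    return sent
```

Rejecting rather than silently "fixing" an unparseable domain is deliberate: a signal attributed to the wrong company is worse than a dropped one, and the error surfaces the bad input where it originated.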
To build an app, you must create an app manifest: a simple internet-facing JSON document that describes your app and declares which of the capabilities above it extends or provides. To get started, see the next section: Creating an App.