Update parts of an RSK by numeric ID.

PATCH

/v1/risks/{id}

• Production
• Staging
• Local

Parameters

Path Parameters

id

required

integer format: int64

Numeric RSK ID (e.g. 1 for RSK-00001)

Example

1

Request Body ^required

PATCH /risks/:id

object

assigned_to

string | null format: uuid

closed_date

string | null format: date-time

control_statement

string | null

description

string | null

discovered_date

string | null format: date-time

expected_date

string | null format: date-time

impact

One of:

null

null

string

string

Allowed values: Very Low Low Medium High Severe

impact_reasoning

string | null

initially_reported_urgency

One of:

null

null

string

string

Allowed values: Critical High Medium Low Info

likelihood

One of:

null

null

string

string

Allowed values: Remote Unlikely Possible Probable Imminent

likelihood_reasoning

string | null

remediation_task

string | null

source

string | null

status

One of:

null

null

string

The status of a risk

string

Allowed values: New Urgency Proposed Remediation Closure Proposed Closed

tags

array | null

threat_objectives

array | null

A relational struct that has a threat objective type and its relevancy to a risk.

PartialEq, Eq, and Hash are implemented manually to exclude created_date, which is metadata about when the relation was mutated — not part of the identity.

object

created_date

The time that this relation was mutated

string | null format: date-time

relevance

One of:

null

null

string

The relevancy of the threat objective to the risk. Typically a value of 1, or 2. While the relevancy is null the the database, implementations of retrieving this from postgres should ignore null values.

string

Allowed values: Moderate Substantial

threat_objective

required

The threat objective type

string

Allowed values: Sabotage Data Disclosure Extortion Customer Targeting Resource Hijacking Fraud

title

string | null

type

One of:

null

null

string

string

Allowed values: Code Configuration Control Deficiency Policy Procedural Vulnerability Third-party

Responses

200

Risk updated successfully

Register row for Organization Risks (RSKs). A Risk plus the relational data shown on the risk register: threat objectives, incident associations, tags, and comment count.

object

comments

required

Count of comments on this risk (not the comments themselves).

integer format: int64

incident_associations

required

Array<string>

Example

INC-00001

risk

required

The core view of an Organization Risk (RSK).

Relational data — threat objectives, comments, incident associations, and tags — is exposed on RiskRegisterEntry, not here.

object

assigned_to

One of:

null

null

object

A User as returned by the API.

Profile images are not embedded — clients fetch them from GET /api/v1/{icon} when icon is Some.

object

email

required

string

first_name

required

string

icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null

id

required

string format: uuid

last_name

required

string

closed_date

string | null format: date-time

control_statement

string | null

created_date

required

string format: date-time

deleted_date

string | null format: date-time

description

required

string

discovered_date

required

string format: date-time

due_date

string | null format: date-time

expected_date

string | null format: date-time

id

required

string

Example

RSK-00001

impact

One of:

null

null

string

string

Allowed values: Very Low Low Medium High Severe

impact_reasoning

string | null

initially_reported_urgency

One of:

null

null

string

string

Allowed values: Critical High Medium Low Info

likelihood

One of:

null

null

string

string

Allowed values: Remote Unlikely Possible Probable Imminent

likelihood_reasoning

string | null

opened_by

required

A User as returned by the API.

Profile images are not embedded — clients fetch them from GET /api/v1/{icon} when icon is Some.

object

email

required

string

first_name

required

string

icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null

id

required

string format: uuid

last_name

required

string

remediation_task

string | null

source

string | null

status

required

The status of a risk

string

Allowed values: New Urgency Proposed Remediation Closure Proposed Closed

title

required

string

type

required

string

Allowed values: Code Configuration Control Deficiency Policy Procedural Vulnerability Third-party

updated_by

required

A User as returned by the API.

Profile images are not embedded — clients fetch them from GET /api/v1/{icon} when icon is Some.

object

email

required

string

first_name

required

string

icon

Relative path to the user’s avatar endpoint, e.g. "users/{id}/avatar?v={hash}". None when the user has no avatar.

string | null

id

required

string format: uuid

last_name

required

string

updated_date

required

string format: date-time

urgency

One of:

null

null

string

Derived from likelihood and impact. Null when either is missing.

string

Allowed values: Info Low Medium High Critical

tags

required

Array<object>

object

content

required

string

creator_id

required

string format: uuid

id

required

string format: uuid

org_id

string | null format: uuid

threat_objectives

required

Array<object>

A relational struct that has a threat objective type and its relevancy to a risk.

PartialEq, Eq, and Hash are implemented manually to exclude created_date, which is metadata about when the relation was mutated — not part of the identity.

object

created_date

The time that this relation was mutated

string | null format: date-time

relevance

One of:

null

null

string

The relevancy of the threat objective to the risk. Typically a value of 1, or 2. While the relevancy is null the the database, implementations of retrieving this from postgres should ignore null values.

string

Allowed values: Moderate Substantial

threat_objective

required

The threat objective type

string

Allowed values: Sabotage Data Disclosure Extortion Customer Targeting Resource Hijacking Fraud

400

Validation failed (e.g. empty payload, unknown source, inactive assignee)