Supported Report Formats

RiskSage accepts VAPT reports from five sources. Each format is automatically detected from the uploaded file's structure — no manual format selection required.

| Scanner    | File format   | Content-Type                   | Notes                                           |
|------------|---------------|--------------------------------|-------------------------------------------------|
| Nessus     | .nessus (XML) | application/xml                | Tenable Nessus Professional / Essentials export |
| Burp Suite | .xml          | application/xml                | Burp Suite Professional XML export              |
| OpenVAS    | .xml          | application/xml                | GVM/OpenVAS report export                       |
| Qualys     | .xml or .csv  | application/xml or text/csv    | Qualys VMDR / WAS export                        |
| Manual     | .json         | application/json               | Custom JSON following the VaptFinding[] schema  |

The Parse Report Endpoint

Upload a VAPT report file to be parsed into structured findings. The endpoint accepts multipart form data with the report file attached.

POST /vapt/assessments/:id/parse-report
Authorization: Bearer <token>
X-Tenant-Id: acme-bank
Content-Type: multipart/form-data

// Form fields:
"file":        <report-file>          // Required — the scanner report
"scanner":     "NESSUS"               // Optional — auto-detected if omitted
"autoLink":    true                   // Optional — auto-map to UCL controls
"autoTrigger": true                   // Optional — trigger IRDAI.AUDIT.1 if applicable
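The request above, assembled as a stand-alone client. This is an added example, not RiskSage's own SDK: it hand-builds the multipart/form-data body from the documented fields (file, scanner, autoLink, autoTrigger), picks the file part's Content-Type from the supported-formats table, and sets the Authorization and X-Tenant-Id headers; the base URL is an assumption you replace with your tenant's API origin.

```python
import json
import os
import uuid
from typing import Dict, Optional, Tuple

# Content-Type for each supported report extension (from the formats table above).
CONTENT_TYPES = {".nessus": "application/xml", ".xml": "application/xml",
                 ".csv": "text/csv", ".json": "application/json"}

def content_type_for(filename: str) -> str:
    """Pick the file part's Content-Type from its extension; reject unknown formats."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in CONTENT_TYPES:
        raise ValueError(f"unsupported report format: {filename!r}")
    return CONTENT_TYPES[ext]

def build_parse_report_request(assessment_id: str, tenant_id: str, token: str,
                               filename: str, file_bytes: bytes,
                               scanner: Optional[str] = None, auto_link: bool = True,
                               auto_trigger: bool = True, boundary: Optional[str] = None
                               ) -> Tuple[str, Dict[str, str], bytes]:
    """Return (path, headers, body) for POST /vapt/assessments/:id/parse-report.

    The multipart body is built by hand so the example needs only the standard
    library; field names and headers follow the endpoint description above.
    """
    boundary = boundary or "----risksage-" + uuid.uuid4().hex
    chunks = [(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
               f'filename="{filename}"\r\nContent-Type: {content_type_for(filename)}'
               f'\r\n\r\n').encode() + file_bytes + b"\r\n"]
    # Optional fields; booleans go over the wire as JSON literals "true"/"false".
    fields = {"autoLink": json.dumps(auto_link), "autoTrigger": json.dumps(auto_trigger)}
    if scanner:
        fields["scanner"] = scanner        # omit to let RiskSage auto-detect the format
    for name, value in fields.items():
        chunks.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                      f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    chunks.append(f"--{boundary}--\r\n".encode())
    body = b"".join(chunks)
    headers = {"Authorization": f"Bearer {token}",
               "X-Tenant-Id": tenant_id,
               "Content-Type": f"multipart/form-data; boundary={boundary}",
               "Content-Length": str(len(body))}
    return f"/vapt/assessments/{assessment_id}/parse-report", headers, body

def send_parse_report(base_url: str, path: str, headers: Dict[str, str], body: bytes) -> dict:
    """POST the prepared request with urllib and decode the JSON response (network call)."""
    from urllib.request import Request, urlopen   # imported here: nothing else needs the network
    with urlopen(Request(base_url + path, data=body, headers=headers, method="POST")) as resp:
        return json.load(resp)
```

Call `send_parse_report("https://risksage.example", *build_parse_report_request(...))` with a placeholder base URL of your own; the returned dict has the `summary`, `findings` and `irdaiTrigger` keys shown in the response below.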

On success, the API returns the parsed findings array along with summary statistics:

// Response 200
{
  "assessmentId":   "ast_7f3a9b2c",
  "scanner":        "NESSUS",
  "parsedAt":       "2026-04-07T10:30:00+05:30",
  "totalFindings":  147,
  "summary": {
    "critical": 3,
    "high":     12,
    "medium":   41,
    "low":      67,
    "info":     24
  },
  "findings":      [/* VaptFinding[] — see schema below */],
  "irdaiTrigger":  true
}

VaptFinding[] Schema

Each parsed finding conforms to the VaptFinding schema. This is the normalised structure regardless of input scanner format.

// VaptFinding object
{
  "id":              "vf_a1b2c3d4",
  "title":           "SQL Injection in /api/v1/users",
  "description":     "Blind SQL injection via user_id parameter...",
  "severity":        "CRITICAL",          // CRITICAL | HIGH | MEDIUM | LOW | INFO

  // CVSS scoring
  "cvssVersion":     "3.1",
  "cvssVector":      "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvssScore":       9.8,

  // CVE linkage
  "cveIds":          ["CVE-2024-21234", "CVE-2024-21235"],

  // UCL control mapping
  "uclControls":     ["UCL.APP.3", "UCL.APP.7"],

  // Asset and location
  "affectedAsset":   "api-gateway-prod-01",
  "ipAddress":       "10.0.1.42",
  "port":            443,
  "protocol":        "HTTPS",

  // Remediation
  "remediation":     "Parameterise all SQL queries. Use prepared statements...",
  "status":          "OPEN",              // OPEN | IN_PROGRESS | REMEDIATED | ACCEPTED | FALSE_POSITIVE
  "dueDate":         "2026-04-21T23:59:59+05:30",

  // Provenance
  "scanner":         "NESSUS",
  "pluginId":        "90024",
  "originalSeverity":"Critical"
}
UCL Control Auto-Linking

When autoLink: true is set, RiskSage automatically maps each finding to the relevant Unified Control Library (UCL) controls based on the vulnerability type, affected asset class, and CWE classification. This provides instant regulatory traceability without manual mapping.

IRDAI.AUDIT.1 Auto-Trigger Mechanism

Under IRDAI's revised cybersecurity guidelines (March 2025), insurers must conduct VAPT assessments and report findings that exceed defined thresholds. RiskSage automates this compliance trigger.

When does the trigger fire?

The IRDAI.AUDIT.1 trigger activates automatically when a parsed VAPT report meets any of these conditions:

| Condition                                     | Threshold | Action                                                        |
|-----------------------------------------------|-----------|---------------------------------------------------------------|
| Critical findings count                       | ≥ 1       | Creates IRDAI.AUDIT.1 compliance task with 48-hour deadline   |
| High findings count                           | ≥ 5       | Creates IRDAI.AUDIT.1 compliance task with 7-day deadline     |
| CVSS 9.0+ finding on internet-facing asset    | ≥ 1       | Creates IRDAI.AUDIT.1 + escalation to CISO                    |
| Repeat critical finding (previously reported) | ≥ 1       | Creates IRDAI.AUDIT.1 + board notification flag               |
Board Attestation Requirement

Under IRDAI's March 2025 revision, critical VAPT findings on internet-facing assets require board-level attestation within 30 days. RiskSage tracks this deadline and generates the board attestation report automatically when the IRDAI.AUDIT.1 trigger fires with board notification.
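The trigger table above, worked through as code. This is an added example of the four IRDAI.AUDIT.1 conditions, not RiskSage's own trigger engine; it assumes that "internet-facing" is a set of asset names you supply, that a repeat critical finding is the same scanner pluginId on the same affectedAsset seen in a prior report, that the tightest deadline wins when several conditions apply, and that deadlines land at 23:59:59 local time as in the sample response.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

IST = timezone(timedelta(hours=5, minutes=30))

def _end_of_day(ts: datetime, days: int) -> str:
    """Deadline at 23:59:59 `days` after `ts`, in the style of the sample response."""
    return (ts + timedelta(days=days)).replace(hour=23, minute=59, second=59,
                                               microsecond=0).isoformat()

def evaluate_irdai_trigger(findings: List[dict], parsed_at: datetime,
                           internet_facing: Set[str],
                           previously_reported: Set[Tuple[str, str]],
                           assignee: str) -> Optional[dict]:
    """Apply the four IRDAI.AUDIT.1 conditions; return an irdaiTask dict or None."""
    crit = [f for f in findings if f["severity"] == "CRITICAL"]
    high = [f for f in findings if f["severity"] == "HIGH"]
    exposed = [f for f in findings
               if f.get("cvssScore", 0) >= 9.0 and f["affectedAsset"] in internet_facing]
    # Assumption: a repeat is the same scanner plugin on the same asset seen in a prior report.
    repeat = [f for f in crit if (f.get("pluginId"), f["affectedAsset"]) in previously_reported]

    reasons, deadlines = [], []
    if len(crit) >= 1:                       # 48-hour deadline
        reasons.append(f"{len(crit)} critical findings detected in VAPT assessment")
        deadlines.append(2)
    if len(high) >= 5:                       # 7-day deadline
        reasons.append(f"{len(high)} high findings detected (threshold 5)")
        deadlines.append(7)
    if exposed:                              # escalation to CISO
        reasons.append(f"{len(exposed)} CVSS 9.0+ findings on internet-facing assets")
    if repeat:                               # board notification flag
        reasons.append(f"{len(repeat)} repeat critical findings")
    if not reasons:
        return None
    return {"controlRef": "IRDAI.AUDIT.1",
            # Assumption: when several conditions apply, the tightest deadline wins.
            "deadline": _end_of_day(parsed_at, min(deadlines)) if deadlines else None,
            "escalateToCiso": bool(exposed), "boardNotify": bool(repeat),
            "triggerReason": "; ".join(reasons), "assignedTo": assignee}

# Constructed sample input mirroring the page's parse response (3 critical, 1 high).
SAMPLE_PARSED_AT = datetime(2026, 4, 7, 10, 30, tzinfo=IST)
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "cvssScore": 9.8, "affectedAsset": "api-gateway-prod-01", "pluginId": "90024"},
    {"severity": "CRITICAL", "cvssScore": 9.1, "affectedAsset": "db-internal-02", "pluginId": "11111"},
    {"severity": "CRITICAL", "cvssScore": 9.0, "affectedAsset": "db-internal-03", "pluginId": "22222"},
    {"severity": "HIGH", "cvssScore": 7.5, "affectedAsset": "db-internal-02", "pluginId": "33333"}]

def demo(previously_reported: Set[Tuple[str, str]] = frozenset()) -> Optional[dict]:
    """Run the sample through the evaluator; only api-gateway-prod-01 is internet-facing."""
    return evaluate_irdai_trigger(SAMPLE_FINDINGS, SAMPLE_PARSED_AT, {"api-gateway-prod-01"},
                                  previously_reported, "ciso@acme-insurance.in")
```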

Trigger response in API

When the auto-trigger fires, the parse response carries irdaiTrigger: true together with an irdaiTask object holding the compliance task details:

// When IRDAI.AUDIT.1 triggers
{
  "irdaiTrigger": true,
  "irdaiTask": {
    "taskId":          "irdai_task_9x8y7z",
    "controlRef":      "IRDAI.AUDIT.1",
    "deadline":        "2026-04-09T23:59:59+05:30",
    "boardNotify":     false,
    "triggerReason":   "3 critical findings detected in VAPT assessment",
    "assignedTo":      "ciso@acme-insurance.in"
  }
}

Integration Best Practices

When integrating VAPT report ingestion into your CI/CD or periodic assessment workflow:

Recommended Workflow

1. Run your scanner (Nessus, Burp, OpenVAS, Qualys) and export the report file.
2. Create an assessment via POST /vapt/assessments with asset scope and assessment type.
3. Upload the report to POST /vapt/assessments/:id/parse-report with autoLink: true.
4. Retrieve findings via GET /vapt/assessments/:id/findings with severity filters.
5. Track remediation progress and due dates through the findings status lifecycle.