A reassessment (cbrsm_...) is a draft batch of assessments to run against a set of vendors — typically prompted by a radar event or alert. It lets you curate the vendor set and choose an assessment plan, then run it, without ever opening a case. A reassessment moves through four statuses:
Status     Meaning
draft      Just created; awaiting review and vendor curation.
confirmed  Vendor set confirmed; ready to run.
run        Assessments have been created from the linked plan. Terminal.
dismissed  Closed without running. Terminal.
A reassessment in a terminal status (run or dismissed) is immutable. All endpoints are org-scoped to the API key. See API conventions for shared behavior.
Method  Path
GET     /v1/reassessments
POST    /v1/reassessments
GET     /v1/reassessments/{reassessment_id}
PATCH   /v1/reassessments/{reassessment_id}
POST    /v1/reassessments/{reassessment_id}/vendors
POST    /v1/reassessments/{reassessment_id}/vendor_inclusion
POST    /v1/reassessments/{reassessment_id}/confirm
POST    /v1/reassessments/{reassessment_id}/dismiss
POST    /v1/reassessments/{reassessment_id}/run
None of these honor Idempotency-Key.

Create a reassessment

POST /v1/reassessments
Returns 201 Created. Creates a draft reassessment from a radar event with an initial vendor set. The assessment plan is optional up front — set it later with a PATCH before running.

Request body

radar_event_id
string
required
The radar event providing context for the reassessment (cbrevent_...).
vendor_ids
string[]
required
Vendors to include (cbvndr_...). At least one; all must belong to the API key’s org.
assessment_plan_id
string
Assessment plan to run (cbasmtpl_...). Optional; set later before running.
title
string
Reassessment title.

Example request

cURL
curl -X POST "https://api.coverbase.app/v1/reassessments" \
  -H "Authorization: Bearer ak_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "radar_event_id": "cbrevent_3333333333333333333333333333cccc",
    "vendor_ids": ["cbvndr_e448ba62882143f3ba0c140bb2e30162"],
    "title": "Reassess Acme after breach"
  }'
Returns the reassessment object.

Reassessment object

id
string
Reassessment ID (cbrsm_...).
status
string
draft, confirmed, run, or dismissed.
title
string | null
Title.
assessment_plan_id
string | null
Linked assessment plan (cbasmtpl_...).
radar_event_id
string | null
Source radar event (cbrevent_...).
alert_ids
string[]
Radar alerts that drove the reassessment.
vendors
object[]
Per-vendor entries — see below.
created_at
integer
Unix timestamp (seconds).
updated_at
integer
Unix timestamp (seconds).
Each vendors[] entry:
vendor_id
string
Vendor (cbvndr_...).
source
string
How the vendor joined: matched (added at creation) or manual (added during review).
included
boolean
Whether the vendor is in the run set.
assessment_id
string | null
Assessment created for this vendor once the reassessment is run.

List reassessments

GET /v1/reassessments

Query parameters

status
string
Filter by status (draft, confirmed, run, dismissed).
Returns an items array of reassessment objects, newest first.

Retrieve a reassessment

GET /v1/reassessments/{reassessment_id}
Returns the reassessment object, or 404 reassessment_not_found.

Update a reassessment

PATCH /v1/reassessments/{reassessment_id}
Update editable metadata. Only included fields change. Rejected with 422 reassessment_immutable once the reassessment is run or dismissed.

Request body

title
string
New title.
assessment_plan_id
string
Assessment plan to run (cbasmtpl_...).
radar_event_id
string
Re-link to a different radar event (cbrevent_...).

Curate the vendor set

POST /v1/reassessments/{reassessment_id}/vendors
Add manually-selected vendors. Body: { "vendor_ids": ["cbvndr_..."] } (at least one).
POST /v1/reassessments/{reassessment_id}/vendor_inclusion
Opt a single vendor in or out of the run set. Body: { "vendor_id": "cbvndr_...", "included": false }.
Both return the refreshed reassessment object.

Confirm, dismiss, run

POST /v1/reassessments/{reassessment_id}/confirm
Move a draft reassessment to confirmed (vendor set locked in, ready to run).
POST /v1/reassessments/{reassessment_id}/dismiss
Close a reassessment without running it (dismissed).
POST /v1/reassessments/{reassessment_id}/run
Create an assessment from the linked plan for each included vendor, then mark the reassessment run. Requires assessment_plan_id to be set first — otherwise 400 missing_assessment_plan. This never creates a case.

Example request

cURL
curl -X POST "https://api.coverbase.app/v1/reassessments/cbrsm_1234/run" \
  -H "Authorization: Bearer ak_live_xxx"
All three return the refreshed reassessment object.
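Because none of these endpoints honor Idempotency-Key, a client that retries after a timeout should read the reassessment's status before sending /run again. The following is an added example, not Coverbase's own code: make_call, run_once and ApiError are hypothetical names. It assumes the client confirms a draft before running it and treats "no included vendors" as a client-side stop condition; it does not rely on the PATCH response body, which the page does not describe.

```python
import json
import urllib.error
import urllib.request

BASE = "https://api.coverbase.app/v1"  # base URL from the page's cURL examples

class ApiError(Exception):
    """Non-2xx response; .code is detail.code, e.g. reassessment_immutable."""
    def __init__(self, status, code):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code

def make_call(api_key):
    """Build call(method, path, body) over urllib, for use against the live API."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            BASE + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            detail = json.loads(err.read() or b"{}").get("detail", {})
            code = detail.get("code", "unknown") if isinstance(detail, dict) else "unknown"
            raise ApiError(err.code, code) from None
    return call

def run_once(call, rid, plan_id=None):
    """Drive a reassessment to `run` without sending /run a second time."""
    r = call("GET", f"/reassessments/{rid}")
    if r["status"] == "run":
        return r                      # an earlier attempt landed; do not re-POST
    if r["status"] == "dismissed":
        raise ValueError(f"{rid} is dismissed (terminal); create a new one")
    if not any(v["included"] for v in r["vendors"]):
        raise ValueError(f"{rid} has no included vendors")  # client-side policy
    if r["assessment_plan_id"] is None:
        if plan_id is None:
            raise ValueError("no assessment plan set; /run would return 400")
        call("PATCH", f"/reassessments/{rid}", {"assessment_plan_id": plan_id})
    if r["status"] == "draft":        # assumption: this client confirms first
        call("POST", f"/reassessments/{rid}/confirm")
    return call("POST", f"/reassessments/{rid}/run")
```

Pass `make_call("ak_live_xxx")` as `call` for real requests; any function with the same signature can stand in for it in tests.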

Error responses

Status  Body                                                  When
400     {"detail": {"code": "missing_assessment_plan", ...}}  run called before an assessment plan is set.
404     {"detail": {"code": "reassessment_not_found", ...}}   Not found / not in the API key’s org.
422     {"detail": {"code": "reassessment_immutable", ...}}   Editing a run/dismissed reassessment.
  • Radar API — the events and alerts that prompt reassessments.
  • Webhooks — subscribe to Reassessment.* events.