DevSecOps Policy API
Machine-readable NIST CSF 2.0 policies for AI coding agents, CI/CD pipelines, and automated security tooling.
The Rhodigital DevSecOps API exposes your NIST security policies as structured JSON, not PDFs. Each policy contains machine-readable controls with enforcement rules that AI tools can interpret, CI/CD pipelines can evaluate, and automated scanners can act on.
Your API key was included in your purchase confirmation email. Pass it as the x-api-key header on every request.
# List all your policies
curl https://rhodigitalos.polsia.app/api/v1/policies \
  -H "x-api-key: YOUR_API_KEY"
// List all your policies
const response = await fetch(
  'https://rhodigitalos.polsia.app/api/v1/policies',
  { headers: { 'x-api-key': process.env.RHODIGITAL_API_KEY } }
);
const data = await response.json();
# List all your policies
import os
import requests

response = requests.get(
    "https://rhodigitalos.polsia.app/api/v1/policies",
    headers={"x-api-key": os.environ["RHODIGITAL_API_KEY"]},
)
response.raise_for_status()  # surface 401/403/429 instead of silently parsing an error body
data = response.json()
Authentication
Every request must include your API key in the x-api-key header. Keys are scoped to your company and cannot access other customers' policies.
x-api-key: rh_your64characterkeyhere
Never commit your API key to source control. Store it in environment variables or a secrets manager. If compromised, contact us at rhodigitalos@polsia.app to rotate it.
Authentication errors
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized | API key missing or invalid |
| 403 | forbidden | Key valid but not authorized for this resource |
Rate Limiting
Rate limit status is returned in every response via headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 2026-04-22T05:00:00.000Z
When the limit is exceeded, the response body includes a retry_after timestamp:
{
  "error": "rate_limit_exceeded",
  "message": "Rate limit exceeded. Max 100 requests per hour.",
  "retry_after": "2026-04-22T05:00:00.000Z"
}
Response Formats
All endpoints return JSON by default. YAML is available via query parameter or Accept header, which is useful for writing policy-as-code or feeding into configuration tools.
Request YAML via query param
GET /api/v1/policies/access-control?format=yaml
Request YAML via Accept header
curl https://rhodigitalos.polsia.app/api/v1/policies/access-control \
-H "x-api-key: YOUR_API_KEY" \
-H "Accept: application/yaml"
Errors
All error responses follow a consistent shape:
{
  "error": "not_found",                 // machine-readable code
  "message": "Policy 'xyz' not found.", // human-readable description
  "available_policies": [...]           // context when helpful
}
| Status | Code | Cause |
|---|---|---|
| 400 | bad_request | Invalid query parameter or format |
| 401 | unauthorized | Missing or invalid API key |
| 404 | not_found | Policy ID does not exist |
| 429 | rate_limit_exceeded | 100 req/hour limit hit |
| 500 | internal_error | Server error; contact support |
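The rate-limit headers and the error envelope above are easiest to get right in one small response handler that every call goes through. The block below is an added example written for this page, not Rhodigital's client code: it takes an already-received status, header map and body (so it runs offline against the constructed responses it embeds), maps 401/403 to a non-retryable error, maps 429 to an error carrying the parsed retry_after timestamp, and computes a non-negative wait from the reset time. The exception and class names (PolicyApiError, AuthError, RateLimited, RateLimitState) are this example's own.

```python
# Added example (not part of the Rhodigital API docs or client code): client-side
# handling of the rate-limit headers and the error envelope documented above.
# Nothing here touches the network; responses are passed in as (status, headers, body).
import json
from dataclasses import dataclass
from datetime import datetime, timezone


class PolicyApiError(Exception):
    """Non-2xx response; carries the machine-readable code and HTTP status."""

    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message


class AuthError(PolicyApiError):
    """401/403: do not retry; the key is missing, invalid or out of scope."""


class RateLimited(PolicyApiError):
    """429: retry only after the retry_after timestamp."""

    def __init__(self, status, code, message, retry_after):
        super().__init__(status, code, message)
        self.retry_after = retry_after


@dataclass(frozen=True)
class RateLimitState:
    limit: int
    remaining: int
    reset: datetime


def parse_timestamp(value):
    """Parse the API's UTC timestamps with or without milliseconds (2026-04-22T05:00:00.000Z)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_rate_limit(headers):
    """Read X-RateLimit-Limit/Remaining/Reset (case-insensitively); None when absent."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-ratelimit-limit" not in h:
        return None
    return RateLimitState(int(h["x-ratelimit-limit"]),
                          int(h["x-ratelimit-remaining"]),
                          parse_timestamp(h["x-ratelimit-reset"]))


def seconds_until(when, now):
    """Wait before the next request; clamped at zero so a past reset never yields a negative sleep."""
    return max(0.0, (when - now).total_seconds())


def handle_response(status, headers, body):
    """Map a raw response to (parsed JSON, RateLimitState) or raise a typed error."""
    state = parse_rate_limit(headers)
    payload = json.loads(body) if body else {}
    if 200 <= status < 300:
        return payload, state
    code = payload.get("error", "unknown_error")
    message = payload.get("message", "")
    if status in (401, 403):
        raise AuthError(status, code, message)
    if status == 429:
        raise RateLimited(status, code, message, parse_timestamp(payload["retry_after"]))
    raise PolicyApiError(status, code, message)


if __name__ == "__main__":
    # Constructed responses in the documented shape.
    ok_headers = {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "87",
                  "X-RateLimit-Reset": "2026-04-22T05:00:00.000Z"}
    data, state = handle_response(200, ok_headers, '{"total": 8, "policies": []}')
    print(f"{data['total']} policies; {state.remaining}/{state.limit} requests left until {state.reset:%H:%M}Z")
    limited = ('{"error": "rate_limit_exceeded", "message": "Rate limit exceeded. Max 100 requests per hour.",'
               ' "retry_after": "2026-04-22T05:00:00.000Z"}')
    try:
        handle_response(429, {}, limited)
    except RateLimited as exc:
        now = parse_timestamp("2026-04-22T04:58:00Z")
        print(f"rate limited; sleep {seconds_until(exc.retry_after, now):.0f}s before retrying")
```

A pipeline that sleeps until retry_after and then retries once is far kinder to the shared 100-requests-per-hour budget than a tight retry loop; AuthError is deliberately not retryable, since a rejected key never becomes valid by repetition.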
Endpoints
GET /api/v1/policies
Returns metadata for all 8 NIST policies associated with your account, including control counts and a direct URL for each policy.
Response
{
  "total": 8,
  "customer": {
    "company": "Acme Health Systems",
    "tier": "pro"
  },
  "policies": [
    {
      "policy_id": "access-control-v1",
      "framework": "NIST-CSF-2.0",
      "category": "Protect",
      "title": "Access Control Policy",
      "slug": "access-control",
      "control_count": 5,
      "required_control_count": 5,
      "url": "/api/v1/policies/access-control"
    },
    // ...7 more
  ]
}
GET /api/v1/policies/version
Returns the current policy version and last-updated timestamp. Useful for cache invalidation in CI/CD pipelines: compare these values against your cached copy and refetch only when they change.
Response
{
  "framework": "NIST-CSF-2.0",
  "policy_version": "1.0.0",
  "last_updated": "2026-04-22T03:50:28.000Z",
  "policy_count": 8,
  "api_version": "v1",
  "customer": {
    "id": 42,
    "company": "Acme Health Systems",
    "tier": "pro"
  }
}
GET /api/v1/policies/export
Exports all 8 policies in a single response. Useful for seeding security tooling, feeding AI context, or archival.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| format (optional) | string | json (default) or yaml |
Example
curl "https://rhodigitalos.polsia.app/api/v1/policies/export?format=yaml" \
-H "x-api-key: YOUR_API_KEY" \
-o policies-export.yaml
GET /api/v1/policies/:policyId
Returns the complete policy including all controls, NIST mappings, compliance cross-references, and enforcement rules.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| policyId (required) | string | Policy slug (see Policy Types) |
Response
{
  "policy_id": "access-control-v1",
  "framework": "NIST-CSF-2.0",
  "category": "Protect",
  "title": "Access Control Policy",
  "version": "1.0.0",
  "effective_date": "2026-04-22",
  "company": {
    "name": "Acme Health Systems",
    "industry": "healthcare"
  },
  "controls": [
    {
      "control_id": "AC-001",
      "title": "Least Privilege Access",
      "implementation_level": "required",
      "nist_mapping": ["PR.AC-1", "PR.AC-4"],
      "compliance_mapping": {
        "hipaa": ["164.312(a)(1)"],
        "soc2": ["CC6.1"]
      },
      "enforcement_rules": [
        {
          "rule_id": "AC-001-R1",
          "type": "code_review",
          "severity": "critical",
          "ai_prompt": "When reviewing code, flag any database access that does not use role-based permissions..."
        }
      ]
    }
  ],
  "metadata": {
    "generated_at": "2026-04-22T03:50:28.000Z",
    "total_controls": 5,
    "required_controls": 5
  }
}
GET /api/v1/policies/:policyId/controls
Returns only the controls array for a policy. Optionally filter by implementation level.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| level (optional) | string | Filter by level: required, recommended, or optional |
Example: required controls only
GET /api/v1/policies/access-control/controls?level=required
GET /api/v1/policies/:policyId/enforcement-rules
Returns a flat list of all enforcement rules across all controls. Optimized for CI/CD consumption: each rule includes its parent control context and an AI prompt consumable by coding agents.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| severity (optional) | string | Filter: critical, high, medium, low |
| type (optional) | string | Filter: code_review, api_security, sql_injection, etc. |
Example: critical code review rules
GET /api/v1/policies/data-protection/enforcement-rules?severity=critical&type=code_review
Response
{
  "policy_id": "data-protection",
  "total": 2,
  "filters": { "severity": "critical", "type": "code_review" },
  "enforcement_rules": [
    {
      "rule_id": "DP-006-R1",
      "type": "sql_injection",
      "severity": "critical",
      "description": "All database queries must use parameterized statements.",
      "ai_prompt": "Scan all database query code. Flag any query that uses string interpolation...",
      "control_id": "DP-006",
      "control_title": "Database Input Validation",
      "nist_mapping": ["PR.DS-6"],
      "compliance_mapping": { "soc2": ["CC6.1"], "pci_dss": ["6.5.1"] }
    }
  ]
}
Using enforcement rules in a CI/CD pipeline
// Fetch critical enforcement rules and pass to an AI code reviewer
const rulesRes = await fetch(
  'https://rhodigitalos.polsia.app/api/v1/policies/data-protection/enforcement-rules?severity=critical',
  { headers: { 'x-api-key': process.env.RHODIGITAL_API_KEY } }
);
if (!rulesRes.ok) throw new Error(`API error: ${rulesRes.status}`);
const { enforcement_rules } = await rulesRes.json();
// Build AI context from the rules
const reviewInstructions = enforcement_rules
  .map(r => r.ai_prompt)
  .join('\n\n');
// Pass to your AI code review agent (aiAgent and changedFiles are placeholders for your own integration)
await aiAgent.review(changedFiles, reviewInstructions);
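The ai_prompt strings arrive from a remote service and go straight into an AI agent's instructions, so a pipeline should check their shape and bound their size before concatenating them, and should keep the parent-control context so findings can be traced back to a control. The block below is an added example written for this page, not Rhodigital's code: it validates each rule against the documented fields, filters by severity and type client-side (mirroring the severity/type query parameters), groups prompts under their parent control, and decides whether reported findings should block a merge. SAMPLE_RESPONSE is constructed in the documented /enforcement-rules shape (its second rule is made up), MAX_PROMPT_CHARS is an assumed cap, and the findings format used by gate() ({"rule_id": ...}) is an assumption about what a review action reports.

```python
# Added example (not Rhodigital's own code): validate enforcement rules before they are
# handed to an AI reviewer, filter them client-side, build the review context with the
# parent-control information, and decide whether reported findings should block a merge.
import json

SEVERITIES = ("critical", "high", "medium", "low")        # most to least severe
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITIES)}
REQUIRED_FIELDS = ("rule_id", "type", "severity", "description", "ai_prompt",
                   "control_id", "control_title")
MAX_PROMPT_CHARS = 2000   # assumed cap: one malformed rule must not swamp the agent context


def validate_rule(rule):
    """Return the list of problems with a rule; an empty list means it is well-formed."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not isinstance(rule.get(field), str) or not rule[field]:
            problems.append(f"missing or non-string field {field!r}")
    if rule.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity {rule.get('severity')!r}")
    if len(str(rule.get("ai_prompt") or "")) > MAX_PROMPT_CHARS:
        problems.append("ai_prompt exceeds MAX_PROMPT_CHARS")
    rule_id, control_id = str(rule.get("rule_id") or ""), str(rule.get("control_id") or "")
    if not rule_id.startswith(control_id + "-R"):   # documented pattern: AC-001 -> AC-001-R1
        problems.append("rule_id does not belong to control_id")
    return problems


def load_rules(response_json):
    """Parse an /enforcement-rules body and reject the whole batch if any rule is malformed."""
    payload = json.loads(response_json)
    rules = payload.get("enforcement_rules", [])
    bad = {r.get("rule_id", "?"): validate_rule(r) for r in rules if validate_rule(r)}
    if bad:
        raise ValueError(f"malformed enforcement rules: {bad}")
    return rules


def select_rules(rules, min_severity="critical", rule_type=None):
    """Keep rules at or above min_severity, optionally of one type."""
    threshold = SEVERITY_RANK[min_severity]
    return [r for r in rules
            if SEVERITY_RANK[r["severity"]] <= threshold
            and (rule_type is None or r["type"] == rule_type)]


def build_review_instructions(rules):
    """Group prompts under their parent control so each finding can cite the control it violates."""
    by_control = {}
    for r in rules:
        by_control.setdefault((r["control_id"], r["control_title"]), []).append(r)
    sections = []
    for (cid, title), group in sorted(by_control.items()):
        lines = [f"## {cid} {title}"]
        for r in group:
            nist = ", ".join(r.get("nist_mapping", []))
            lines.append(f"- [{r['severity'].upper()}] {r['rule_id']} ({nist}): {r['ai_prompt']}")
        sections.append("\n".join(lines))
    return "\n\n".join(sections)


def gate(findings, rules, threshold="critical"):
    """True when any finding cites a rule at or above threshold (assumed finding shape: {"rule_id": ...})."""
    severity_of = {r["rule_id"]: r["severity"] for r in rules}
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[severity_of[f["rule_id"]]] <= limit
               for f in findings if f.get("rule_id") in severity_of)


# Constructed sample in the documented response shape; the second rule is invented.
SAMPLE_RESPONSE = json.dumps({
    "policy_id": "data-protection", "total": 2, "filters": {},
    "enforcement_rules": [
        {"rule_id": "DP-006-R1", "type": "sql_injection", "severity": "critical",
         "description": "All database queries must use parameterized statements.",
         "ai_prompt": "Scan all database query code. Flag any query built with string interpolation.",
         "control_id": "DP-006", "control_title": "Database Input Validation",
         "nist_mapping": ["PR.DS-6"], "compliance_mapping": {"soc2": ["CC6.1"]}},
        {"rule_id": "DP-006-R2", "type": "code_review", "severity": "high",
         "description": "Database error text must not be returned to clients verbatim.",
         "ai_prompt": "Flag handlers that return raw database error text in HTTP responses.",
         "control_id": "DP-006", "control_title": "Database Input Validation",
         "nist_mapping": ["PR.DS-6"], "compliance_mapping": {}},
    ],
})

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RESPONSE)
    print(build_review_instructions(select_rules(rules, "high")))
    print("block merge:", gate([{"rule_id": "DP-006-R1", "file": "db.py"}], rules))
```

Rejecting the whole batch on one malformed rule is a deliberate fail-closed choice: a pipeline that silently drops bad rules can pass a review with fewer checks than the policy requires without anyone noticing.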
Policy Types
Use these slugs as the :policyId path parameter.
Schema Reference
Full policy schema structure. All fields present in every response.
{
  "policy_id": "string",               // unique policy identifier
  "framework": "NIST-CSF-2.0",         // always NIST-CSF-2.0
  "category": "string",                // NIST function: Identify|Protect|Detect|Respond|Recover
  "title": "string",
  "version": "1.0.0",
  "effective_date": "YYYY-MM-DD",
  "company": {
    "name": "string",
    "industry": "string",
    "size": "string",
    "risk_profile": "low|moderate|high"
  },
  "controls": [
    {
      "control_id": "string",          // e.g. "AC-001"
      "title": "string",
      "description": "string",
      "implementation_level": "required|recommended|optional",
      "nist_mapping": ["PR.AC-1", ...], // NIST CSF subcategory references
      "compliance_mapping": {
        "hipaa": ["164.312(a)(1)", ...],
        "soc2": ["CC6.1", ...],
        "iso27001": ["A.9.2.3", ...],
        "pci_dss": ["7.1", ...],
        "gdpr": ["Art. 32", ...]
      },
      "enforcement_rules": [
        {
          "rule_id": "string",         // e.g. "AC-001-R1"
          "type": "string",            // code_review|api_security|sql_injection|...
          "description": "string",
          "severity": "critical|high|medium|low",
          "ai_prompt": "string"        // ready-to-use prompt for AI code review agents
        }
      ]
    }
  ],
  "metadata": {
    "generated_at": "ISO 8601",
    "generator_version": "string",
    "customized_for_profile": "boolean",
    "total_controls": "number",
    "required_controls": "number"
  }
}
Quick Start
Get all critical enforcement rules for your CI/CD pipeline in under 60 seconds.
# 1. Verify your key
curl https://rhodigitalos.polsia.app/api/v1/policies/version \
-H "x-api-key: YOUR_API_KEY"
# 2. Get all critical enforcement rules for access control
curl "https://rhodigitalos.polsia.app/api/v1/policies/access-control/enforcement-rules?severity=critical" \
-H "x-api-key: YOUR_API_KEY" | jq '.enforcement_rules[].ai_prompt'
# 3. Export everything as YAML
curl "https://rhodigitalos.polsia.app/api/v1/policies/export?format=yaml" \
-H "x-api-key: YOUR_API_KEY" -o policies.yaml
// security-check.js: fetch policies and run AI review
const BASE = 'https://rhodigitalos.polsia.app/api/v1/policies';
const headers = { 'x-api-key': process.env.RHODIGITAL_API_KEY };

async function getEnforcementRules(policyId, severity = 'critical') {
  const res = await fetch(
    `${BASE}/${policyId}/enforcement-rules?severity=${encodeURIComponent(severity)}`,
    { headers }
  );
  if (!res.ok) throw new Error(`API error: ${res.status}`);
  const { enforcement_rules } = await res.json();
  return enforcement_rules;
}

async function main() {
  // Get critical rules for all security-relevant policies
  const policies = ['access-control', 'data-protection', 'risk-management'];
  const allRules = (
    await Promise.all(policies.map(p => getEnforcementRules(p)))
  ).flat();
  console.log(`Loaded ${allRules.length} critical enforcement rules`);
  // Pass allRules.map(r => r.ai_prompt) to your AI reviewer
}

// Exit non-zero on any failure so a CI job does not pass with no rules loaded
main().catch(err => { console.error(err); process.exit(1); });
# .github/workflows/security-policy-check.yml
name: Security Policy Enforcement
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  policy-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fetch enforcement rules
        env:
          RHODIGITAL_API_KEY: ${{ secrets.RHODIGITAL_API_KEY }}
        run: |
          # -f makes curl exit non-zero on 4xx/5xx, so a bad key or a rate limit fails the job
          # instead of writing an error body to enforcement-rules.json
          curl -sSf \
            "https://rhodigitalos.polsia.app/api/v1/policies/data-protection/enforcement-rules?severity=critical" \
            -H "x-api-key: $RHODIGITAL_API_KEY" \
            -o enforcement-rules.json
          echo "Loaded $(jq '.total' enforcement-rules.json) critical rules"
      - name: Run AI policy review
        # Pass enforcement-rules.json to your preferred AI review action
        uses: your-org/ai-code-review-action@v1
        with:
          rules: enforcement-rules.json
          severity-threshold: critical
Config File Generation
Auto-generate AI developer config files from your policy schemas. Drop them in your repo and AI tools enforce your security policies automatically.
GET /api/v1/configs/cursorrules
Returns a .cursorrules file generated from your active NIST CSF policies. Drop this file in your repository root and Cursor AI will use it as system-level security instructions when generating code.
Response
Content-Type: text/plain · Download: .cursorrules
# Security Policy Rules - Generated by Rhodigital NIST Policy Engine
# Company: Acme Corp | Framework: NIST CSF 2.0 | Updated: 2026-04-22
## Access Control
- [CRITICAL] MUST: All database queries must use role-based permissions...
- [CRITICAL] MUST: No unauthenticated endpoints should expose sensitive data...
- [HIGH] SHOULD: Privileged operations must be logged with actor identity...
## Data Protection
- [CRITICAL] MUST: Sensitive fields must use application-level encryption...
...
Example
curl -H "x-api-key: YOUR_KEY" \
https://rhodigitalos.polsia.app/api/v1/configs/cursorrules \
> .cursorrules
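Once the generated file lives in a repository it can drift from the policies it was generated from, and a reviewer may want to know how many rules of each severity it actually carries. The block below is an added example written for this page, not Rhodigital's code: a parser for the .cursorrules layout shown above (header line, "## Section" headings, "- [SEVERITY] MUST|SHOULD: text" rules), a per-severity count, and a staleness check that compares the file's "Updated:" date with the last_updated value returned by /api/v1/policies/version. SAMPLE_CURSORRULES is constructed in the documented shape; the regexes encode only that shape.

```python
# Added example (not part of the Rhodigital docs): parse the generated .cursorrules
# format and check it is not older than the policies on the server.
import re
from dataclasses import dataclass
from datetime import date

HEADER_RE = re.compile(
    r"^# Company: (?P<company>.+?) \| Framework: (?P<framework>.+?) \| Updated: (?P<updated>\d{4}-\d{2}-\d{2})\s*$")
RULE_RE = re.compile(r"^- \[(?P<severity>[A-Z]+)\] (?P<modal>MUST|SHOULD|MAY): (?P<text>.+)$")


@dataclass(frozen=True)
class CursorRule:
    section: str    # the "## ..." policy section the rule sits under
    severity: str   # CRITICAL, HIGH, MEDIUM, LOW
    modal: str      # MUST / SHOULD / MAY
    text: str


def parse_cursorrules(text):
    """Return (header fields, rules). Unrecognised lines, such as the trailing '...', are ignored."""
    header, rules, section = {}, [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if line.startswith("## "):
            section = line[3:].strip()
            continue
        m = RULE_RE.match(line)
        if m and section is not None:
            rules.append(CursorRule(section, m["severity"], m["modal"], m["text"].strip()))
    return header, rules


def severity_counts(rules):
    """Number of rules per severity label."""
    counts = {}
    for r in rules:
        counts[r.severity] = counts.get(r.severity, 0) + 1
    return counts


def is_stale(header, version_last_updated):
    """True when the policies changed (per /version last_updated) after the file was generated."""
    generated = date.fromisoformat(header["updated"])
    policies_changed = date.fromisoformat(version_last_updated[:10])   # date part of the ISO timestamp
    return policies_changed > generated


# Constructed sample in the documented .cursorrules shape.
SAMPLE_CURSORRULES = """\
# Security Policy Rules - Generated by Rhodigital NIST Policy Engine
# Company: Acme Corp | Framework: NIST CSF 2.0 | Updated: 2026-04-22
## Access Control
- [CRITICAL] MUST: All database queries must use role-based permissions...
- [CRITICAL] MUST: No unauthenticated endpoints should expose sensitive data...
- [HIGH] SHOULD: Privileged operations must be logged with actor identity...
## Data Protection
- [CRITICAL] MUST: Sensitive fields must use application-level encryption...
...
"""

if __name__ == "__main__":
    header, rules = parse_cursorrules(SAMPLE_CURSORRULES)
    print(header["company"], severity_counts(rules))
    print("stale:", is_stale(header, "2026-05-01T00:00:00.000Z"))
```

A CI step that runs is_stale() against the live /version response and fails when the committed .cursorrules is older than the policies keeps the agent's instructions from quietly lagging behind a policy update.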
GET /api/v1/configs/agents-md
Returns an AGENTS.md file with security policy context for AI agent frameworks (Claude Code, GitHub Copilot Workspace). Includes critical enforcement rules, a code review checklist, and data handling rules.
Example
curl -H "x-api-key: YOUR_KEY" \
https://rhodigitalos.polsia.app/api/v1/configs/agents-md \
> AGENTS.md
GET /api/v1/configs/ci-cd
Returns a CI/CD workflow configuration that validates code against your enforcement rules on every pull request.
Query Parameters
| Parameter | Values | Default |
|---|---|---|
| platform | github, gitlab, bitbucket | github |
Example
# GitHub Actions
mkdir -p .github/workflows
curl -H "x-api-key: YOUR_KEY" \
"https://rhodigitalos.polsia.app/api/v1/configs/ci-cd?platform=github" \
> .github/workflows/policy-check.yml
# GitLab CI
curl -H "x-api-key: YOUR_KEY" \
"https://rhodigitalos.polsia.app/api/v1/configs/ci-cd?platform=gitlab" \
> .gitlab-ci-policy.yml
GET /api/v1/configs/bundle
Returns a ZIP archive containing all config files: .cursorrules, AGENTS.md, .github/workflows/policy-check.yml, gitlab-ci-policy.yml, and a README.md with setup instructions.
Response
Content-Type: application/zip · Download: rhodigital-policy-configs-{date}.zip
Example
curl -H "x-api-key: YOUR_KEY" \
https://rhodigitalos.polsia.app/api/v1/configs/bundle \
-o policy-configs.zip && unzip policy-configs.zip
Questions? Email rhodigitalos@polsia.app