---
title: Secureframe API Integration on Truto
slug: secureframe
category: Compliance
canonical: "https://truto.one/integrations/detail/secureframe/"
---

# Secureframe API Integration on Truto



**Category:** Compliance  
**Status:** Beta

## MCP-ready AI tools

Truto exposes 57 tools for Secureframe that AI agents can call directly.

- **list_all_secureframe_repository_framework_asset_scopes** — List Framework Asset Scopes for a Secureframe repository. The absence of a Framework Asset Scope indicates the asset is not in scope for the Framework. Returns: id, active, framework_id, manually_scoped_reason, created_at. Required: repository_id.
- **create_a_secureframe_repository_framework_asset_scope** — Create a Framework Asset Scope for a Secureframe repository. Framework Asset Scopes are immutable — once created they cannot be modified; create a new scope to update. Returns: id, active, framework_id, manually_scoped_reason, created_at. Required: repository_id.
- **update_a_secureframe_repository_by_id** — Update a Secureframe repository by id. Returns: id, created_at, updated_at. Required: id.
- **list_all_secureframe_repositories** — List repositories in Secureframe. Returns: id, created_at, updated_at. Supports Lucene syntax filtering via the q parameter and optional relationship sideloading via include and relationships.
- **get_single_secureframe_repository_by_id** — Get a single Secureframe repository by id. Returns: id, created_at, updated_at. Required: id.
- **list_all_secureframe_cloud_resources** — List Secureframe cloud resources. Returns: id, cloud_resource_type, vendor_name, region, third_party_id, in_audit_scope, owner_id, created_at, updated_at. Use `q` for Lucene-syntax filtering and `include` to embed related data.
- **get_single_secureframe_cloud_resource_by_id** — Get a single Secureframe cloud resource by id. Returns: id, cloud_resource_type, vendor_name, region, third_party_id, in_audit_scope, owner_id, created_at, updated_at. Required: id.
- **update_a_secureframe_cloud_resource_by_id** — Update a Secureframe cloud resource by id. Returns: id, cloud_resource_type, vendor_name, region, third_party_id, in_audit_scope, owner_id, created_at, updated_at. Required: id.
- **list_all_secureframe_cloud_resource_framework_asset_scopes** — List framework asset scopes for a Secureframe cloud resource. Returns: id, in_audit_scope, out_of_audit_scope_reason for each scope record associated with the specified cloud resource. Required: cloud_resource_id.
- **create_a_secureframe_cloud_resource_framework_asset_scope** — Create a framework asset scope for a Secureframe cloud resource, setting its audit scope status for a given framework. Returns: id, in_audit_scope, out_of_audit_scope_reason. Required: cloud_resource_id.
- **list_all_secureframe_comments** — List Secureframe comments with optional filtering and full-text search. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id. Use q for Lucene-syntax filtering and include to sideload related resources.
- **get_single_secureframe_comment_by_id** — Get a single Secureframe comment by id. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id. Required: id.
- **create_a_secureframe_comment** — Create a new comment in Secureframe attached to a commentable resource. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id.
- **update_a_secureframe_comment_by_id** — Update an existing Secureframe comment's content by id. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id. Required: id.
- **delete_a_secureframe_comment_by_id** — Delete a Secureframe comment by id. Returns an empty 204 response on success. Required: id.
- **list_all_secureframe_controls** — List Controls in Secureframe. Returns: id, name, key, health_status, enabled, custom, owner_name, frameworks, created_at, updated_at. Filter using Lucene syntax via the q parameter, or include related objects (author, company, owner) via include.
- **get_single_secureframe_control_by_id** — Get a single Secureframe Control by id. Returns: id, name, key, health_status, enabled, custom, owner_name, frameworks, created_at, updated_at. Required: id.
- **create_a_secureframe_custom_connection_datum** — Submit resource data to a Secureframe custom connection for asynchronous processing. Accepts an array of resource objects conforming to a specified schema and vendor slug. Returns a 202 Accepted response with no body indicating the data is enqueued for processing. Required: id, resource_data, schema_slug, vendor_slug.
- **list_all_secureframe_devices** — List Secureframe devices. Returns: id, device_name, os, make, model, serial_number, mac_address, owner_name, hard_drive_encrypted, local_firewall_enabled, created_at, updated_at. Supports Lucene-syntax search and filtering via the q parameter.
- **get_single_secureframe_device_by_id** — Get a single Secureframe device by id. Returns: id, device_name, os, make, model, serial_number, mac_address, owner_name, hard_drive_encrypted, local_firewall_enabled, created_at, updated_at. Required: id.
- **list_all_secureframe_device_framework_asset_scopes** — List Framework Asset Scopes for a Secureframe device. The absence of a scope indicates the device is not in scope for the given Framework. Returns: id, device_id, framework_id, active, manually_scoped_reason. Required: device_id.
- **create_a_secureframe_device_framework_asset_scope** — Create a Framework Asset Scope for a Secureframe device. Scopes are immutable once created; to change scope, create a new record. Returns: id, device_id, framework_id, active, manually_scoped_reason. Required: device_id.
- **get_single_secureframe_evidence_by_id** — Get a single Evidence record from Secureframe by id. Returns: id. Required: id.
- **list_all_secureframe_frameworks** — List Secureframe frameworks. Returns: id, title, created_at, updated_at. Supports full-text search via q (Lucene syntax) and optional relationship includes via include.
- **get_single_secureframe_framework_by_id** — Get a single Secureframe framework by id. Returns: id, title, created_at, updated_at. Required: id.
- **list_all_secureframe_framework_requirements** — List Secureframe Framework Requirements. Returns: id, name, key, enabled, health_status. Filter by enabled, health_status, id, key, or name using Lucene syntax via the q parameter.
- **get_single_secureframe_framework_requirement_by_id** — Get a single Secureframe Framework Requirement by id. Returns: id, name, key, enabled, health_status. Required: id.
- **list_all_secureframe_integration_connections** — List Secureframe integration connections. Returns: id, name, status, updated_at, vendor_name. Supports Lucene-syntax filtering via q, and relationship sideloading via include or relationships.
- **get_single_secureframe_integration_connection_by_id** — Get a single Secureframe integration connection by id. Returns: id, name, status, updated_at, vendor_name. Required: id.
- **secureframe_integration_connections_archive** — Archive a Secureframe integration connection by id. Returns the updated connection record including id, name, status, updated_at, and vendor_name. Required: id.
- **get_single_secureframe_knowledge_base_answer_by_id** — Get a single Secureframe Knowledge Base Answer by id. Returns: id, content, type, primary_answer, knowledge_base_question_id. Required: id.
- **create_a_secureframe_knowledge_base_answer** — Create a new Secureframe Knowledge Base Answer linked to an existing Knowledge Base Question. Returns: id, content, type, primary_answer, knowledge_base_question_id. Required: content, knowledge_base_question_id, type.
- **update_a_secureframe_knowledge_base_answer_by_id** — Update an existing Secureframe Knowledge Base Answer by id. Returns: id, content, type, primary_answer, knowledge_base_question_id. Required: id.
- **delete_a_secureframe_knowledge_base_answer_by_id** — Delete a Secureframe Knowledge Base Answer by id. Returns an empty 200 response on success. Required: id.
- **list_all_secureframe_risks** — List risks in Secureframe. Returns: id, custom_risk_id, description, owner_name, archived. Filter results using Lucene syntax via the q parameter, or include the related owner object via the include parameter.
- **get_single_secureframe_risk_by_id** — Get a single Secureframe risk by id. Returns: id, custom_risk_id, description, owner_name, archived. Required: id.
- **create_a_secureframe_security_questionnaire** — Create a new Security Questionnaire in Secureframe by uploading a questionnaire file with associated metadata. Returns the created questionnaire object including its id, owner_id, and company_name. Required: owner_id, file.
- **list_all_secureframe_tests** — List tests in Secureframe. Returns: id.
- **get_single_secureframe_test_by_id** — Get a single Secureframe test by id. Returns: id. Required: id.
- **update_a_secureframe_test_by_id** — Update a Secureframe test by id. Returns: id. Required: id.
- **create_a_secureframe_test_export** — Create a Test Export for a Secureframe test. Returns: id, test_id. Required: test_id.
- **get_single_secureframe_test_export_by_id** — Get a Secureframe Test Export by id. Returns: id, test_id. Required: id.
- **list_all_secureframe_trust_center_requests** — List Trust Center Requests in Secureframe. Returns: id, email, requester_name, reviewed, created_at. Use q to filter with Lucene syntax; use include to sideload trust_center_resource_requests.
- **get_single_secureframe_trust_center_request_by_id** — Get a single Secureframe Trust Center Request by id. Returns: id, email, requester_name, reviewed, created_at, document_security. Required: id.
- **update_a_secureframe_trust_center_request_by_id** — Update a Secureframe Trust Center Request by id, including approving or rejecting resource requests and setting document security. Returns: id, email, requester_name, reviewed, created_at, document_security. Required: id.
- **get_single_secureframe_user_security_setting_by_id** — Get user security settings in Secureframe for the authenticated company and user. Returns the UserSecuritySetting object including id and security configuration fields specific to the company and user; consult Secureframe API documentation for the full field breakdown.
- **list_all_secureframe_vendors** — List Secureframe vendors. Returns: id, name, archived, owner_name, risk_level, updated_at. Supports Lucene-syntax search and filtering via q. Deprecated — prefer the Third Party Risk Management Vendor endpoint.
- **get_single_secureframe_vendor_by_id** — Get a single Secureframe vendor by id. Returns: id, name, archived, owner_name, risk_level, updated_at. Required: id. Deprecated — prefer the Third Party Risk Management Vendor endpoint.
- **secureframe_vendors_archive** — Archive a Secureframe vendor by id. Returns the updated vendor record including id, name, archived, owner_name, risk_level, and updated_at. Required: id. Deprecated — prefer the Third Party Risk Management Vendor endpoint.
- **get_single_secureframe_knowledge_base_question_by_id** — Get a Secureframe Knowledge Base Question by id. Returns: id, content, owner_id, review_frequency, manual_review_requested. Required: id.
- **create_a_secureframe_knowledge_base_question** — Create a new Secureframe Knowledge Base Question. Returns the created question including id, content, owner_id, review_frequency, and manual_review_requested. Required: content.
- **update_a_secureframe_knowledge_base_question_by_id** — Update a Secureframe Knowledge Base Question by id. Returns the updated question including id, content, owner_id, review_frequency, and manual_review_requested. Required: id.
- **delete_a_secureframe_knowledge_base_question_by_id** — Delete a Secureframe Knowledge Base Question by id. Returns an empty 200 OK response with no body on success. Required: id.
- **list_all_secureframe_tprm_vendors** — List Third Party Risk Management Vendors in Secureframe. Returns: id, name, risk_level, archived, owner_name, updated_at, created_at. Filter results with Lucene syntax via q; optionally include related data using include or relationships.
- **get_single_secureframe_tprm_vendor_by_id** — Get a single Third Party Risk Management Vendor in Secureframe by id. Returns: id, name, risk_level, archived, owner_name, updated_at, created_at. Required: id.
- **secureframe_tprm_vendors_archive** — Archive a Third Party Risk Management Vendor in Secureframe by id. Returns: id, name, archived, risk_level, owner_name, updated_at, created_at. Required: id.
- **create_a_secureframe_test_evidence** — Upload evidence to a test in Secureframe by attaching a file via multipart form. Returns: id. Required: test_id, file. Optionally supply activity_completion to record the date the activity was completed.

## How it works

1. **Link your customer's Secureframe account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app.
2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request.
3. **Call Truto's API to reach Secureframe.** The Proxy API is a 1-to-1 mapping of the Secureframe API.
4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field.

## Use cases

- **Embed compliance evidence collection in infrastructure tools** — MDM, code repository, and cloud security platforms can let mutual customers automatically sync device states, repositories, and cloud resources into Secureframe, eliminating manual evidence collection for SOC 2, ISO 27001, and HIPAA audits.
- **Power RFP and security questionnaire automation** — Sales enablement and AI questionnaire platforms can pull CISO-approved answers from Secureframe's Knowledge Base and push new unanswered questions back, letting mutual customers respond to security assessments in minutes instead of weeks.
- **Automate Trust Center approvals from the CRM** — CRMs and deal desk tools can surface inbound Trust Center document requests next to deal context and approve or reject them programmatically, unblocking late-stage deals without involving the security team.
- **Trigger vendor risk reviews from procurement events** — Spend management and procurement platforms can push newly discovered SaaS vendors into Secureframe's TPRM module so GRC teams can begin risk assessments the moment a new tool is purchased.
- **File point-in-time evidence against specific controls** — Vulnerability scanners, pentest platforms, and security monitoring tools can upload reports directly to the relevant Secureframe test, keeping mutual customers continuously audit-ready.

## What you can build

- **Two-way Knowledge Base sync** — Read existing Knowledge Base questions and answers from Secureframe and write new questions or updated answers back as your users finalize security responses.
- **Trust Center request routing and approval** — List inbound Trust Center requests, enrich them with CRM context, and call update endpoints to approve or reject document access from inside your product.
- **Device and cloud resource compliance feed** — Continuously push device, repository, and cloud resource state into Secureframe and update framework asset scopes so each asset is mapped to the right SOC 2, ISO 27001, or HIPAA controls.
- **Automated test evidence uploads** — Attach PDFs, scan reports, or screenshots to specific Secureframe tests via the test evidence endpoint so audit artifacts land in the correct control bucket automatically.
- **TPRM vendor lifecycle automation** — Create new third-party vendors in Secureframe from procurement or finance events and archive vendors when contracts end, keeping the vendor inventory in sync with reality.
- **Compliance posture dashboard** — Pull frameworks, controls, tests, and risks via Truto to render a live compliance scorecard for your mutual customers without forcing them to log into Secureframe.

## FAQs

### How does authentication work for the Secureframe integration?

Secureframe uses API key-based authentication. Truto handles credential collection, secure storage, and request signing so your end users only paste their key once during connection.

### Which Secureframe objects can we read and write through Truto?

You can read frameworks, framework requirements, controls, tests, evidence, risks, devices, repositories, cloud resources, integration connections, vendors, TPRM vendors, comments, Trust Center requests, and Knowledge Base questions and answers. Write operations are supported for Knowledge Base questions and answers, Trust Center requests, comments, test evidence, cloud resources, repositories, tests, framework asset scopes (for devices, repositories, and cloud resources), custom connection data, and security questionnaires.

### Can we push custom asset data that isn't a native Secureframe object?

Yes. The custom connection datum endpoint lets you push arbitrary asset records into Secureframe, which is the standard pattern for tools whose data model doesn't map cleanly to devices, repositories, or cloud resources.

### How fresh is the data we read from Secureframe?

Truto fetches data on demand from Secureframe's REST API, so reads reflect the current state at request time. For ongoing sync, you can poll list endpoints on your preferred cadence or use Truto's scheduled sync to keep a local cache up to date.

### How are filtering and search handled on list endpoints?

Secureframe supports Lucene-style query syntax on list endpoints for assets like cloud resources and devices, and Truto passes those filter parameters through so you can target specific non-compliant or in-scope assets without pulling the entire dataset.

### Can we delete records in Secureframe?

Direct deletes are limited. You can delete Knowledge Base questions, answers, and comments. For vendors, TPRM vendors, and integration connections, Secureframe uses archive endpoints instead of hard deletes, which Truto exposes as dedicated archive operations.

## Related reading

- [Connect Secureframe to ChatGPT: Manage Frameworks and Asset Scopes](https://truto.one/blog/connect-secureframe-to-chatgpt-manage-frameworks-and-asset-scopes/) — Learn how to connect Secureframe to ChatGPT using an MCP server. Automate framework tracking, manage asset scopes, and run vendor risk assessments with AI.
- [Connect Secureframe to Claude: Monitor Controls and Vendor Risks](https://truto.one/blog/connect-secureframe-to-claude-monitor-controls-and-vendor-risks/) — Learn how to connect Secureframe to Claude using a managed MCP server. This guide covers generating the server, configuring Claude, and building automated GRC workflows.
- [Connect Secureframe to AI Agents: Sync Evidence and Knowledge Bases](https://truto.one/blog/connect-secureframe-to-ai-agents-sync-evidence-and-knowledge-bases/) — Learn how to connect Secureframe to AI Agents using Truto's proxy APIs. Automate compliance evidence, manage risk registers, and handle complex API quirks like Lucene syntax and rate limits natively.
