Export an audit-ready report

Reports bundle a set of findings and their compliance mappings into a single PDF or JSON artifact that maps cleanly onto an auditor request.

Create a report

curl -sS https://penaxtra.com/api/v2/reports \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Q2 2026 AI security evidence pack",
    "frameworks": ["OWASP_LLM","NIST_AI_600_1","EU_AI_ACT","ISO_42001"],
    "scope": {
      "endpoint_ids": ["ep_2026_abc123"],
      "from": "2026-04-01",
      "to": "2026-06-30",
      "include_severities": ["critical","high","medium"]
    },
    "format": "pdf"
  }'

Response:

{
  "id": "rpt_2026_def456",
  "status": "queued",
  "format": "pdf",
  "queued_at": "2026-05-22T10:35:00Z"
}

Poll until ready

curl -sS https://penaxtra.com/api/v2/reports/rpt_2026_def456 \
  -H "Authorization: Bearer $TOKEN"

When status is ready, fetch the artifact:

curl -fOJL \
  -H "Authorization: Bearer $TOKEN" \
  https://penaxtra.com/api/v2/reports/rpt_2026_def456/download

PDFs are signed at the metadata level. JSON exports are schema-versioned (schema_version field).
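
The poll and download steps above, combined into one bounded loop. This is an added example, not code from the Penaxtra docs. It assumes success responses are 2xx, and it treats any 4xx (such as the 403, 404 and 410 cases under Common errors) as final rather than retrying. The function names, POLL_INTERVAL and MAX_POLLS are assumptions.

```shell
#!/bin/sh
# Added example: bounded poll-then-download for the report API described above.
# Endpoint paths and the "status"/"ready" values come from the page; function
# names, POLL_INTERVAL and MAX_POLLS are assumptions made for this sketch.
API="https://penaxtra.com/api/v2/reports"
POLL_INTERVAL="${POLL_INTERVAL:-5}"   # seconds between polls (assumed)
MAX_POLLS="${MAX_POLLS:-60}"          # give up after this many polls (assumed)

# Extract a top-level string field from a flat JSON object on stdin.
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# GET the report: body goes to file $2, HTTP status code is printed on stdout.
fetch_report() {
  curl -sS -o "$2" -w '%{http_code}' \
    -H "Authorization: Bearer $TOKEN" "$API/$1"
}

# Return 0 when ready, 1 on timeout, 3 on a 4xx that retrying cannot fix.
wait_for_report() {
  local id="$1" i=0 code status body
  body="$(mktemp)" || return 2
  while [ "$i" -lt "$MAX_POLLS" ]; do
    code="$(fetch_report "$id" "$body")" || code=000
    case "$code" in
      2??) status="$(json_field status < "$body")"
           if [ "$status" = "ready" ]; then rm -f "$body"; return 0; fi ;;
      4??) echo "report $id: HTTP $code, giving up" >&2
           rm -f "$body"; return 3 ;;
      *)   echo "report $id: HTTP $code, will retry" >&2 ;;
    esac
    i=$((i + 1))
    sleep "$POLL_INTERVAL"
  done
  rm -f "$body"
  return 1
}

# Fetch the artifact with the page's own curl flags once the report is ready.
download_report() {
  curl -fOJL -H "Authorization: Bearer $TOKEN" "$API/$1/download"
}

# Usage: wait_for_report rpt_2026_def456 && download_report rpt_2026_def456
```

Keeping the token in the TOKEN environment variable, as the page's commands do, keeps it out of the script itself.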

Cross-framework deduplication

Findings carry multiple framework references (twenty-two curated overlaps pre-computed). A single critical finding can satisfy OWASP LLM06 + NIST AI 600-1 MEASURE-2.7 + EU AI Act Article 10 in one report row.

Common errors

| Code | Meaning | Fix |
|---|---|---|
| 400 framework_unknown | An entry in frameworks is not a recognised slug | Use any of OWASP_LLM, OWASP_AGENTIC, NIST_AI_600_1, MITRE_ATLAS, EU_AI_ACT, ISO_42001 |
| 403 missing_scope | API token lacks reports:generate | Mint a new token with the right scope |
| 404 report_not_found | Report does not exist or belongs to a different tenant | Verify the id |
| 410 report_expired | The download artifact has been purged per retention policy | Regenerate the report |

Security notes

  • Report artifacts are stored in object storage with per-tenant prefixes and server-side encryption.
  • Download URLs are signed; URL leakage exposes only the specific artifact, not the whole report archive.
  • Reports respect the tenant's configured audit retention; an artifact older than the retention window is purged automatically.

Last reviewed: 2026-06-13. Reviewed by: Engineering. Content type: Developer documentation. Reach the maintainers: [email protected] .