Modeling risks and documenting problems within system boundaries is a critical aspect of continuous monitoring, because you have to be able to communicate about what's wrong before you can fix anything. NIST SP 800-30, Guide for Conducting Risk Assessments provides an approach to this conundrum and risquè provides an easy to use tool for leveraging those ideas into actual shareable content.
I'm open to Issues and Pull Requests!