{"id":13642825,"url":"https://github.com/mitre/vulcan","last_synced_at":"2026-05-08T06:20:01.241Z","repository":{"id":37572357,"uuid":"125561963","full_name":"mitre/vulcan","owner":"mitre","description":"A web application to streamline the development of STIGs from SRGs","archived":false,"fork":false,"pushed_at":"2026-05-06T20:15:03.000Z","size":101485,"stargazers_count":85,"open_issues_count":95,"forks_count":28,"subscribers_count":21,"default_branch":"master","last_synced_at":"2026-05-06T22:26:13.120Z","etag":null,"topics":["compliance","compliance-automation","disa","inspec","mitre-corporation","mitre-inspec","srg","stig"],"latest_commit_sha":null,"homepage":"https://vulcan.mitre.org/","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitre.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE.md","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-03-16T19:38:01.000Z","updated_at":"2026-05-06T18:37:15.000Z","dependencies_parsed_at":"2023-12-13T15:42:15.471Z","dependency_job_id":"0872c310-3da1-44eb-9133-10032e20039a","html_url":"https://github.com/mitre/vulcan","commit_stats":{"total_commits":442,"total_committers":25,"mean_commits":17.68,"dds":0.7217194570135747,"last_synced_commit":"a46d108a8bd0246a0f06dbbc61b213afce77d439"},"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/mitre/vulcan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fvulcan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fvulcan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fvulcan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fvulcan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitre","download_url":"https://codeload.github.com/mitre/vulcan/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre%2Fvulcan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32769336,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T02:36:36.067Z","status":"ssl_error","status_checked_at":"2026-05-08T02:36:07.210Z","response_time":54,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","compliance-automation","disa","inspec","mitre-corporation","mitre-inspec","srg","stig"],"created_at":"2024-08-02T01:01:36.787Z","updated_at":"2026-05-08T06:20:01.233Z","avatar_url":"https://github.com/mitre.png","language":"Ruby","funding_links":[],"categories":["Ruby"],"sub_categories":[],"readme":"# Vulcan\n\n[![CI](https://github.com/mitre/vulcan/actions/workflows/ci.yml/badge.svg)](https://github.com/mitre/vulcan/actions/workflows/ci.yml)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![Latest Release](https://img.shields.io/github/v/release/mitre/vulcan)](https://github.com/mitre/vulcan/releases/latest)\n[![Docker Pulls](https://img.shields.io/docker/pulls/mitre/vulcan)](https://hub.docker.com/r/mitre/vulcan)\n\n## Overview\n\nVulcan is a comprehensive tool designed to streamline the creation of STIG-ready security guidance documentation and InSpec automated validation profiles. It bridges the gap between security requirements and practical implementation, enabling organizations to develop both human-readable instructions and machine-readable validation code simultaneously.\n\n### Live Deployments\n\n- **Production**: [https://mitre-vulcan-prod.herokuapp.com](https://mitre-vulcan-prod.herokuapp.com/users/sign_in)\n- **Staging**: [https://mitre-vulcan-staging.herokuapp.com](https://mitre-vulcan-staging.herokuapp.com/users/sign_in)\n\n### What is Vulcan?\n\nVulcan models the Security Technical Implementation Guide (STIG) creation process, facilitating the alignment of security controls from high-level DISA Security Requirements Guides (SRGs) into [STIGs](https://public.cyber.mil/stigs/) tailored to specific system components. Content developed with Vulcan can be submitted to DISA for peer review and formal publication as official STIGs.\n\n### Key Features\n\n- **📋 STIG Process Modeling**: Manages the complete workflow between vendors and sponsors\n- **🔍 InSpec Integration**: Write and test validation code locally or across SSH, AWS, and Docker targets\n- **📊 Control Management**: Track control status, revision history, and relationships\n- **👥 Collaborative Authoring**: Multiple authors can work on control sets with built-in review workflows\n- **🔗 Cross-Reference Capabilities**: Look up related controls across published STIGs\n- **📚 STIG Library**: View and reference DISA-published STIG content\n- **🔒 Security**: Database encryption for confidential data using symmetric encryption\n- **🔑 Flexible Authentication**: Support for local, GitHub, LDAP, and OIDC/OKTA providers\n- **📬 Notifications**: Email and Slack integration for workflow updates\n\n## 🚀 Quick Start\n\n### Latest Release: [v2.3.6](https://github.com/mitre/vulcan/releases/tag/v2.3.6)\n\n```bash\n# Pull the latest Docker image\ndocker pull mitre/vulcan:v2.3.6\n\n# Or use docker compose for a complete setup\nwget https://raw.githubusercontent.com/mitre/vulcan/master/docker-compose.yml\nwget https://raw.githubusercontent.com/mitre/vulcan/master/setup-docker-secrets.sh\nchmod +x setup-docker-secrets.sh\n./setup-docker-secrets.sh\ndocker compose up\n```\n\nThe first user to register becomes admin automatically.\n\nFor detailed release notes, see the [Changelog](./CHANGELOG.md).\n\n## 📚 Documentation\n\n- **[📖 Full Documentation](https://mitre.github.io/vulcan/)** - Comprehensive guides and references\n- [Installation Guide](https://mitre.github.io/vulcan/getting-started/installation/)\n- [Configuration Reference](https://mitre.github.io/vulcan/getting-started/environment-variables/)\n- [User Guide](https://mitre.github.io/saf-training/courses/guidance/) - Complete training materials\n- [API Documentation](https://mitre.github.io/vulcan/api/overview/)\n- [Contributing Guidelines](./CONTRIBUTING.md)\n\n### Working with Documentation\n\nThe documentation uses [VitePress](https://vitepress.dev/) and is located in the `docs/` directory.\n\n**Important:** The documentation has its own `package.json` separate from the main application to avoid Vue version conflicts (main app uses Vue 2, VitePress uses Vue 3). This separation will be removed once the main application migrates to Vue 3.\n\n```bash\n# Start documentation dev server\nyarn docs:dev  # Runs at http://localhost:5173/vulcan/\n\n# Build documentation (only works in CI/CD currently)\nyarn docs:build\n\n# Work directly in docs directory\ncd docs\nyarn install  # Install docs-specific dependencies\nyarn dev      # Start dev server\n```\n\n## 🛠️ Technology Stack\n\n### Core Framework\n- **Ruby 3.4.9** with **Rails 8.0.2.1**\n- **PostgreSQL 18** database\n- **Node.js 24 LTS** for JavaScript runtime\n\n### Frontend\n- **Vue 2.7.16** (14 separate instances for different pages)\n- **Bootstrap 4.6.2** with Bootstrap-Vue 2.13.0\n- **Turbolinks 5.2.0** for navigation optimization\n- **esbuild** for JavaScript bundling (replaced Webpacker)\n\n### Testing \u0026 Quality\n- **RSpec** for Ruby testing (1600+ backend tests)\n- **Vitest** for Vue component testing (1900+ frontend tests)\n- **ESLint** \u0026 **Prettier** for JavaScript linting\n- **RuboCop** for Ruby style enforcement\n- **Brakeman** for security scanning\n- **bundler-audit** for dependency vulnerability scanning\n\n### DevOps \u0026 Deployment\n- **Docker** with optimized UBI 9 production images (~529MB)\n- **GitHub Actions** for CI/CD\n- **Heroku** compatible\n- **SonarCloud** integration for code quality\n\n## 💻 Development Setup\n\n### Prerequisites\n\n- Ruby 3.4.9 (use rbenv or rvm)\n- PostgreSQL 18\n- Node.js 24 LTS\n- Yarn package manager\n\n### Local Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/mitre/vulcan.git\ncd vulcan\n\n# Install Ruby dependencies\nbundle install\n\n# Install JavaScript dependencies\nyarn install\n\n# Setup database\nbin/setup\n\n# Seed the database with sample data\nrails db:seed\n\n# Start the development server\nforeman start -f Procfile.dev\n\n# Or start services separately\nrails server\nyarn build:watch\n```\n\nAccess the application at `http://localhost:3000`\n\n### Running Tests\n\n```bash\n# Run full backend suite (parallel — 3-4x faster than serial)\nbundle exec parallel_rspec spec/\n\n# Run specific test file\nbundle exec rspec spec/models/user_spec.rb\n\n# Run frontend tests\nyarn test:unit\n\n# IMPORTANT: After running db:migrate, sync all parallel test databases.\n# Parallel tests use separate databases (one per CPU core). New migrations\n# only apply to the primary test DB — parallel:prepare propagates to all.\nbundle exec rake parallel:prepare\n\n# Run linters\nbundle exec rubocop --autocorrect-all\nyarn lint\n\n# Security scanning\nbundle exec brakeman\nbundle exec bundler-audit\n```\n\n## 🐳 Docker Deployment\n\n### Production-Ready Docker Setup\n\n1. **Generate secure configuration**:\n   ```bash\n   ./setup-docker-secrets.sh\n   # Choose option 2 for production\n   ```\n\n2. **Configure environment** (edit `.env`):\n   - Authentication settings (OIDC/LDAP)\n   - Application URL and contact email\n   - SMTP configuration for notifications\n\n3. **Add SSL certificates** (if behind corporate proxy):\n   ```bash\n   cp /path/to/certificate.pem ./certs/\n   ```\n\n4. **Start the application**:\n   ```bash\n   docker compose up -d\n   ```\n\n5. **Database setup** is automatic — `db:prepare` runs on container start via the Docker entrypoint. No manual step needed.\n\n### Docker Image Features\n\n- **Optimized size**: ~529MB on Red Hat UBI 9 Minimal (Iron Bank / DISA aligned)\n- **Memory efficiency**: jemalloc (compiled from source) + YJIT for 20-40% reduction\n- **Multi-stage builds** for security and size (Ruby + jemalloc compiled in build stage, stripped before production COPY)\n- **Health checks** configured\n- **Non-root user** execution (UID 1000)\n\n## 🔐 Authentication Configuration\n\n### OIDC/OKTA Setup (Auto-Discovery)\n\nVulcan v2.2+ includes automatic OIDC endpoint discovery, requiring only 4 configuration variables:\n\n```bash\nVULCAN_ENABLE_OIDC=true\nVULCAN_OIDC_ISSUER_URL=https://your-domain.okta.com\nVULCAN_OIDC_CLIENT_ID=your-client-id\nVULCAN_OIDC_CLIENT_SECRET=your-client-secret\n```\n\nSupported providers:\n- **Okta**\n- **Auth0**\n- **Keycloak**\n- **Azure AD**\n- Any OIDC-compliant provider\n\n### LDAP Configuration\n\n```bash\nVULCAN_ENABLE_LDAP=true\nVULCAN_LDAP_HOST=ldap.example.com\nVULCAN_LDAP_PORT=636\nVULCAN_LDAP_BASE=dc=example,dc=com\nVULCAN_LDAP_BIND_DN=cn=admin,dc=example,dc=com\nVULCAN_LDAP_BIND_PASSWORD=your-password\n```\n\n## 📋 Maintenance Tasks\n\n### Pull Latest STIGs/SRGs\n\n```bash\n# Manual execution\nbundle exec rails stig_and_srg_puller:pull\n\n# Schedule in production (cron example)\n0 2 * * * cd /app \u0026\u0026 bundle exec rails stig_and_srg_puller:pull\n```\n\n## 🤝 Contributing\n\nWe welcome contributions! Please see our [Contributing Guidelines](./CONTRIBUTING.md) for details.\n\n### Development Workflow\n\n1. Fork the repository\n2. Create a feature branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -m 'feat: add amazing feature'`)\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Open a Pull Request\n\n### Code Standards\n\n- Follow Ruby style guide (enforced by RuboCop)\n- Follow JavaScript style guide (enforced by ESLint)\n- Write tests for new features\n- Update documentation as needed\n- Ensure all tests pass before submitting PR\n\n## 📈 Roadmap\n\n### Upcoming Features (v2.3+)\n\n- **Vue 3 Migration**: Modernize frontend framework\n- **Bootstrap 5 Upgrade**: Update UI components\n- **Turbolinks Removal**: Simplify navigation architecture\n- **API v2**: Enhanced REST API with GraphQL support\n- **Multi-tenancy**: Support for multiple organizations\n- **Advanced Reporting**: Custom dashboards and metrics\n\nSee our [detailed roadmap](./ROADMAP.md) for more information.\n\n## 🙏 Acknowledgments\n\n- DISA for STIG and SRG specifications\n- The InSpec community for validation framework\n- All contributors who have helped improve Vulcan\n\n## 📞 Support\n\n- **Issues**: [GitHub Issues](https://github.com/mitre/vulcan/issues)\n- **Discussions**: [GitHub Discussions](https://github.com/mitre/vulcan/discussions)\n- **Wiki**: [Project Wiki](https://github.com/mitre/vulcan/wiki)\n- **Security Issues**: saf-security@mitre.org\n- **General Inquiries**: saf@mitre.org\n\n## 🏢 About MITRE SAF\n\nVulcan is part of the [MITRE Security Automation Framework (SAF)](https://saf.mitre.org/), a comprehensive suite of tools and libraries designed to automate security validation and compliance checking.\n\n### Related SAF Projects\n\n- **[InSpec](https://www.inspec.io/)**: Compliance automation framework\n- **[Heimdall](https://github.com/mitre/heimdall2)**: Security results visualization\n- **[SAF CLI](https://github.com/mitre/saf-cli)**: Command-line tools for security automation\n- **[InSpec Profile Development](https://github.com/mitre/inspec-profile-developer-course)**: Training resources\n\n---\n\n\u003cp align=\"center\"\u003e\n  Made with ❤️ by the \u003ca href=\"https://saf.mitre.org/\"\u003eMITRE Security Automation Framework\u003c/a\u003e team\n  \u003cbr\u003e\nA \u003ca href=\"https://saf.mitre.org\"\u003eMITRE SAF\u003c/a\u003e Initiative\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre%2Fvulcan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitre%2Fvulcan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre%2Fvulcan/lists"}