{"id":34035490,"url":"https://github.com/opencybersecurityalliance/stix-shifter","last_synced_at":"2026-02-27T13:15:47.782Z","repository":{"id":37271505,"uuid":"133072277","full_name":"opencybersecurityalliance/stix-shifter","owner":"opencybersecurityalliance","description":"This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.","archived":false,"fork":false,"pushed_at":"2026-02-19T13:29:02.000Z","size":46690,"stargazers_count":261,"open_issues_count":46,"forks_count":229,"subscribers_count":31,"default_branch":"develop","last_synced_at":"2026-02-19T17:29:51.307Z","etag":null,"topics":["cybersecurity","hacktoberfest","ocsf","python","security","security-automation","security-tools","stix","stix2","threat","threat-hunting","threat-intelligence","threatintel"],"latest_commit_sha":null,"homepage":"https://stix-shifter.readthedocs.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opencybersecurityalliance.png","metadata":{"files":{"readme":"docs/README.md","changelog":"CHANGELOG.md","contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"docs/supported-mappings.md","governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-05-11T18:01:01.000Z","updated_at":"2026-02-19T13:29:07.000Z","dependencies_parsed_at":"2025-11-28T05:09:11.296Z","dependency_job_id":null,"html_url":"https://github.com/opencybersecurityalliance/stix-shifter","commit_stats":{"total_commits":913,"total_committers":91,"mean_commits":"10
.032967032967033","dds":0.8433734939759037,"last_synced_commit":"244ce47e533e12d6a0e146334da5b769de7cd8df"},"previous_names":[],"tags_count":241,"template":false,"template_full_name":null,"purl":"pkg:github/opencybersecurityalliance/stix-shifter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencybersecurityalliance%2Fstix-shifter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencybersecurityalliance%2Fstix-shifter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencybersecurityalliance%2Fstix-shifter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencybersecurityalliance%2Fstix-shifter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opencybersecurityalliance","download_url":"https://codeload.github.com/opencybersecurityalliance/stix-shifter/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencybersecurityalliance%2Fstix-shifter/sbom","scorecard":{"id":709157,"data":{"date":"2025-08-11","repo":{"name":"github.com/opencybersecurityalliance/stix-shifter","commit":"8e6e2972990a3918b16374f8872b6c5f465aa3a0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.3,"checks":[{"name":"Code-Review","score":9,"reason":"Found 20/21 approved changesets -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":2,"reason":"0 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/code-coverage.yml:1","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":9,"reason":"SAST tool is not run on 
all commits -- score normalized to 9","details":["Warn: 29 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-coverage.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/opencybersecurityalliance/stix-shifter/code-coverage.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-coverage.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/opencybersecurityalliance/stix-shifter/code-coverage.yml/develop?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/code-coverage.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/opencybersecurityalliance/stix-shifter/code-coverage.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/opencybersecurityalliance/stix-shifter/main.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/opencybersecurityalliance/stix-shifter/main.yml/develop?enable=pin","Warn: containerImage not pinned by hash: deployment/ibm_cloud_pak_for_security/Dockerfile:1: pin your Docker image by updating registry.access.redhat.com/ubi9/ubi-minimal to registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d905a93f1392d4a8f7fb906bd49bf540290674b28d82de3536bb4d0898bf9d7","Warn: pipCommand not pinned by hash: deployment/ibm_cloud_pak_for_security/Dockerfile:14","Warn: pipCommand not pinned 
by hash: deployment/ibm_cloud_pak_for_security/Dockerfile:15","Warn: pipCommand not pinned by hash: deployment/ibm_cloud_pak_for_security/Dockerfile:16","Warn: pipCommand not pinned by hash: bundle_validator/validate.sh:30","Warn: pipCommand not pinned by hash: bundle_validator/validate.sh:31","Warn: pipCommand not pinned by hash: deployment/ibm_cloud_pak_for_security/deploy.sh:54","Warn: pipCommand not pinned by hash: deployment/ibm_cloud_pak_for_security/deploy.sh:62","Warn: pipCommand not pinned by hash: deployment/ibm_cloud_pak_for_security/deploy.sh:63","Warn: pipCommand not pinned by hash: stix_shifter/scripts/changelog_generator/generate_changelog.sh:15","Warn: pipCommand not pinned by hash: stix_shifter/scripts/changelog_generator/generate_changelog.sh:16","Warn: pipCommand not pinned by hash: .github/workflows/code-coverage.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/code-coverage.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/code-coverage.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/code-coverage.yml:34","Warn: pipCommand not pinned by hash: .github/workflows/main.yml:27","Warn: pipCommand not pinned by hash: .github/workflows/main.yml:28","Warn: pipCommand not pinned by hash: .github/workflows/main.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/main.yml:38","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of  18 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: 
GHSA-2cf3-g243-hhfx","Warn: Project is vulnerable to: GHSA-hgjp-83m4-h4fj","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T07:37:44.278Z","repository_id":37271505,"created_at":"2025-08-22T07:37:44.278Z","updated_at":"2025-08-22T07:37:44.278Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29896317,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T12:09:13.686Z","status":"ssl_error","status_checked_at":"2026-02-27T12:09:13.282Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","hacktoberfest","ocsf","python","security","security-automation","security-tools","stix","stix2","threat","threat-hunting","threat-intelligence","threatintel"],"created_at":"2025-12-13T20:02:19.520Z","updated_at":"2026-02-27T13:15:47.773Z","avatar_url":"https://github.com/opencybersecurityalliance.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"[![example 
workflow](https://github.com/opencybersecurityalliance/stix-shifter/actions/workflows/main.yml/badge.svg)](https://github.com/opencybersecurityalliance/stix-shifter/actions)\n[![codecov](https://codecov.io/gh/opencybersecurityalliance/stix-shifter/branch/develop/graph/badge.svg?token=gQvl14peRj)](https://codecov.io/gh/opencybersecurityalliance/stix-shifter)\n\n# Introduction\n\nSTIX-shifter is an open source Python library allowing software to connect to products that house data repositories by using STIX Patterning, and return results as STIX Observations.\n\nThis library takes in STIX 2 Patterns as input, and \"finds\" data that matches the patterns inside various products that house repositories of cybersecurity data. Examples of such products include SIEM systems, endpoint management systems, threat intelligence platforms, orchestration platforms, network control points, data lakes, and more.\n\nIn addition to \"finding\" the data by using these patterns, STIX-Shifter also _transforms the output_ into STIX 2 Observations. Why would we do that, you ask? To put it simply - so that all of the security data, regardless of the source, mostly looks and behaves the same.\n\n***Project Documentation***\n\nFor general information about STIX, this project, and the command line utilities, see the [STIX-shifter Documentation](https://stix-shifter.readthedocs.io/).\n\n## Installation\n\nThe recommended method for installing stix-shifter is via pip. Two prerequisite packages need to be installed, including the package of the stix-shifter connector module, to complete a stix-shifter connector installation. Run the commands below to install all the packages:\n\n1. Main stix-shifter package:  `pip install stix-shifter`\n\n2. Stix-shifter Utility package:  `pip install stix-shifter-utils`\n\n3. 
Desired stix-shifter connector module package:  `pip install stix-shifter-modules-\u003cmodule name\u003e`\n   Example:  `pip install stix-shifter-modules-qradar`\n\n### Dependencies\n\nSTIX-shifter requires Python 3.10 or greater. See the [requirements file](../stix_shifter/requirements.txt) for library dependencies.\n\n## Usage\n\nSTIX-Shifter can be used in the following ways:\n\n### As a command line utility\n\nSTIX-Shifter comes with a bundled script that you can use to translate a STIX Pattern to a native data source query. It can also be used to translate a JSON data source query result to a STIX bundle of observable objects. You can also send a query to a data source by using a transmission option.\n\nMore details of the command line options can be found [here](OVERVIEW.md#how-to-use)\n\n```\n$ stix-shifter translate \u003cMODULE NAME\u003e query \"\u003cSTIX IDENTITY OBJECT\u003e\" \"\u003cSTIX PATTERN\u003e\" \"\u003cOPTIONS\u003e\"\n```\nExample:\n```\n$ stix-shifter translate qradar query {} \"[ipv4-addr:value = '127.0.0.1']\" {}\n```\n\nTo build the `stix-shifter` packages from source, follow these prerequisite steps:\n   1. Go to the stix-shifter parent directory\n   2. Optionally, you can create a Python 3 virtual environment:\n       `virtualenv -p python3 virtualenv \u0026\u0026 source virtualenv/bin/activate`\n   3. Run setup: `python -m build_tools.run_build install`\n\n\n### Running from the source\n\nYou may also use the `python3 main.py` script. All the options are the same as the command line utility described above.\n\nExample:\n\n```\npython3 main.py translate qradar query {} \"[ipv4-addr:value = '127.0.0.1']\" {}\n```\n\nTo run `python3 main.py` from the source, follow these prerequisite steps:\n   1. Go to the stix-shifter parent directory\n   2. Optionally, you can create a Python 3 virtual environment:\n       `virtualenv -p python3 virtualenv \u0026\u0026 source virtualenv/bin/activate`\n   3. 
Run setup to install dependencies: `INSTALL_REQUIREMENTS_ONLY=1 python3 -m build_tools.run_build install`.\n\n**Note:** `build_tools.run_build` only installs dependencies when the `INSTALL_REQUIREMENTS_ONLY=1` directive is used. This option is similar to `python3 -m build_tools.pre_build \u0026\u0026 pip install -r requirements.txt`\n\n### As a library\n\nYou can also use this library to integrate STIX Shifter into your own tools. You can translate a STIX Pattern:\n\n```\nfrom stix_shifter.stix_translation import stix_translation\n\ntranslation = stix_translation.StixTranslation()\nresponse = translation.translate('\u003cMODULE NAME\u003e', 'query', '{}', '\u003cSTIX PATTERN\u003e', '\u003cOPTIONS\u003e')\n\nprint(response)\n```\n\n### Use of custom mappings\n\nIf a connector has been installed using pip, the process for editing the STIX mappings is different than if you have pulled down the project. When working locally, you can edit the mapping files directly. See the [mapping files for the MySQL connector](https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/mysql/stix_translation/json) as an example. Editing the mapping files won't work if the connector has been installed with pip; the setup script of the stix-shifter package includes the mappings inside `config.json`. This allows stix-shifter to ingest custom mappings as part of the connector's configuration.\n\nRefer to [Use of custom mappings](adapter-guide/custom_mappings.md) for more details on how to edit the mappings in the configuration.\n\n# Contributing\n\nWe are thrilled you are considering contributing! 
We welcome all contributors.\nPlease read our [guidelines for contributing](CONTRIBUTING.md).\n\n## [Connector Developer Guide](adapter-guide/develop-stix-adapter.md)\n\n\n## [CLI tools and Connector Development Labs](lab/README.md)\n\n\n# Licensing\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n# More Resources\n\n## Join us on Slack!\n\n[Click here](https://docs.google.com/forms/d/1vEAqg9SKBF3UMtmbJJ9qqLarrXN5zeVG3_obedA3DKs) and fill out the form to receive an invite to the Open Cybersecurity Alliance slack instance, then join the #stix-shifter channel, to meet and discuss usage with the team.\n\n## Introduction Webinar!\n\n[Click here](https://ibm.biz/BdzTyA) to view an introduction webinar on STIX Shifter and the use cases it solves for.\n\n## Changelog\n\n- [Changelog](../CHANGELOG.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencybersecurityalliance%2Fstix-shifter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopencybersecurityalliance%2Fstix-shifter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencybersecurityalliance%2Fstix-shifter/lists"}