{"id":50411988,"url":"https://github.com/srkyn/stigpilot","last_synced_at":"2026-05-31T04:02:56.707Z","repository":{"id":358078081,"uuid":"1239915686","full_name":"srkyn/stigpilot","owner":"srkyn","description":"Local Python CLI that compares DISA STIG XCCDF releases and generates impact summaries, remediation backlogs, evidence checklists, and ticket-ready exports.","archived":false,"fork":false,"pushed_at":"2026-05-22T18:32:04.000Z","size":196,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-22T19:53:29.762Z","etag":null,"topics":["blue-team","cli","compliance","cybersecurity","disa-stig","evidence","grc","python","remediation","security-automation","stig","vulnerability-management","xccdf"],"latest_commit_sha":null,"homepage":"https://srkyn.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/srkyn.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-15T15:18:47.000Z","updated_at":"2026-05-22T19:05:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/srkyn/stigpilot","commit_stats":null,"previous_names":["srkyn/stigpilot"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/srkyn/stigpilot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fstigpilot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fstigpilot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fstigpilot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fstigpilot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/srkyn","download_url":"https://codeload.github.com/srkyn/stigpilot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srkyn%2Fstigpilot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33718449,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","cli","compliance","cybersecurity","disa-stig","evidence","grc","python","remediation","security-automation","stig","vulnerability-management","xccdf"],"created_at":"2026-05-31T04:02:56.539Z","updated_at":"2026-05-31T04:02:56.702Z","avatar_url":"https://github.com/srkyn.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"![STIGPilot banner](docs/assets/stigpilot-banner.svg)\n\n# STIGPilot\n\nSTIGPilot is a local Python CLI that compares DISA STIG XCCDF releases and turns the changes into impact summaries, remediation backlogs, evidence checklists, manager summaries, and ticket-ready exports.\n\n[![Tests](https://github.com/srkyn/stigpilot/actions/workflows/tests.yml/badge.svg)](https://github.com/srkyn/stigpilot/actions/workflows/tests.yml)\n![Python](https://img.shields.io/badge/python-3.11%2B-blue)\n![License](https://img.shields.io/badge/license-MIT-green)\n\n## Why this exists\n\nOfficial tools are authoritative for viewing, scanning, checklist work, and formal compliance. STIGPilot focuses on the workflow gap after a new STIG release drops:\n\n- What changed?\n- What matters?\n- What got more severe?\n- What likely needs implementation work?\n- What evidence needs to be refreshed?\n- What tickets should be created?\n- What should a manager know?\n\nI built this after learning about STIGs and asking a practical question: if someone is responsible for applying these controls or comparing releases, what would make their day easier? The answer was not another viewer or scanner. It was a fast local helper that turns a dense XML release into a short brief, a backlog, and evidence requests people can actually act on.\n\n## 30-second demo\n\n```bash\ngit clone https://github.com/srkyn/stigpilot.git\ncd stigpilot\npython -m pip install -e \".[dev]\"\nstigpilot demo\n```\n\nGenerated files:\n\n```text\noutput/demo/change-brief.md\noutput/demo/change-brief.html\noutput/demo/changes.json\noutput/demo/manager-summary.md\noutput/demo/remediation-backlog.csv\noutput/demo/evidence-checklist.md\noutput/demo/jira-import.csv\noutput/demo/servicenow-import.csv\noutput/demo/github-issues.md\noutput/demo/remediation-drafts.md\n```\n\nExample terminal output:\n\n```text\nDemo Reports Generated\nChange brief          output/demo/change-brief.md\nManager summary       output/demo/manager-summary.md\nRemediation backlog   output/demo/remediation-backlog.csv\n\nSTIGPilot Diff Summary\nTotal changes                     4\nAdded                             1\nRemoved                           1\nModified                          2\nHigh-priority review              2\nEvidence update likely            1\n```\n\nChange brief excerpt:\n\n```text\n4 control change(s) were detected. 3 change(s) are likely to require priority review,\nimplementation work, or evidence refresh. Prioritize high-severity additions or\nseverity increases, then review remediation text changes before reusing old tickets.\n```\n\n## Artifact preview\n\nSTIGPilot is built around reviewable outputs, not hidden scoring. A typical packet answers four questions:\n\n| Question | Example from the sample packet |\n|---|---|\n| What changed? | `4 control change(s)` detected across the Chrome sample |\n| What needs attention first? | `2` high-priority review items |\n| Who should review it? | Endpoint/Windows Admin and Security/GRC Analyst owner groups |\n| What can be handed off? | Backlog CSV, evidence checklist, manager summary, ticket imports, and review-only remediation drafts |\n\nUseful sample artifacts:\n\n- [Chrome change brief](examples/chrome_windows_output/change-brief.md)\n- [Chrome HTML change brief](examples/chrome_windows_output/change-brief.html)\n- [Chrome manager summary](examples/chrome_windows_output/manager-summary.md)\n- [Chrome remediation backlog CSV](examples/chrome_windows_output/remediation-backlog.csv)\n- [Chrome evidence checklist](examples/chrome_windows_output/evidence-checklist.md)\n- [Portfolio comparison summary](examples/portfolio_output/portfolio-summary.md)\n\n## Real-world Chrome demo\n\nGoogle Chrome for Windows is the best first real-world scenario because it is familiar, endpoint-security relevant, and smaller than a full operating system STIG.\n\nRun the built-in sanitized Chrome workflow:\n\n```bash\nstigpilot chrome-demo\n```\n\nGenerate a Chrome packet for only one team or impact category:\n\n```bash\nstigpilot chrome-demo --impact evidence_update_likely --owner \"Endpoint/Windows Admin\"\n```\n\nGenerated files:\n\n```text\noutput/chrome/change-brief.md\noutput/chrome/change-brief.html\noutput/chrome/changes.json\noutput/chrome/manager-summary.md\noutput/chrome/remediation-backlog.csv\noutput/chrome/evidence-checklist.md\noutput/chrome/jira-import.csv\noutput/chrome/servicenow-import.csv\noutput/chrome/github-issues.md\noutput/chrome/remediation-drafts.md\n```\n\nTo run against official DoD Cyber Exchange Google Chrome Current Windows STIG V2R10 and V2R11 files, download the public ZIPs, extract the XCCDF XML files, and place them here:\n\n```text\nexamples/chrome_windows_input/old.xml\nexamples/chrome_windows_input/new.xml\n```\n\nThen rerun:\n\n```bash\nstigpilot chrome-demo\n```\n\n## What STIGPilot is good at\n\n- Release-to-release STIG change triage\n- Folder-to-folder portfolio comparisons for multiple STIG updates\n- Identifying severity increases and implementation-impacting changes\n- Generating remediation backlog CSVs\n- Preparing owner-focused evidence requests\n- Creating manager summaries\n- Exporting ticket-ready CSVs and GitHub issue drafts\n\n## What STIGPilot is not\n\n- Not official DISA tooling\n- Not compliance validation\n- Not a scanner\n- Not auto-remediation\n- Not a replacement for SCC, STIG Viewer, PowerSTIG, OpenRMF, or organizational compliance review\n\nSTIGPilot intentionally stops at the remediation-planning boundary. See [docs/remediation-boundary.md](docs/remediation-boundary.md) for why it generates reviewable work packets instead of applying system changes.\n\n## When to use it\n\n- A new Windows 11 STIG release drops and you need to know what changed.\n- A vulnerability management analyst needs a backlog CSV.\n- A GRC analyst needs an evidence checklist.\n- A sysadmin team needs owner-focused remediation work.\n- A manager needs a short update without reading hundreds of controls.\n\n## Install\n\nFrom a clone:\n\n```bash\ngit clone https://github.com/srkyn/stigpilot.git\ncd stigpilot\npython -m pip install -e .\n```\n\nDevelopment dependencies:\n\n```bash\npython -m pip install -e \".[dev]\"\n```\n\nWith `pipx` from a local clone:\n\n```bash\npipx install .\n```\n\nFallback without the console script:\n\n```bash\npython -m stigpilot.cli --help\npython -m stigpilot.cli demo\n```\n\nWindows note: if `stigpilot` is not recognized after install, your Python Scripts directory may not be on `PATH`. The `python -m stigpilot.cli ...` fallback works without changing `PATH`.\n\n## Government Mode\n\nSome government environments treat Python and pip packages as third-party software. STIGPilot includes a PowerShell-only fallback for restrictive Windows instances:\n\n```powershell\n.\\tools\\STIGPilot-Gov.ps1 -Command packet `\n  -Old examples\\sample_input\\old.xml `\n  -New examples\\sample_input\\new.xml `\n  -OutDir output\\gov\n```\n\nGenerated files:\n\n```text\noutput/gov/change-brief.md\noutput/gov/remediation-backlog.csv\noutput/gov/changes.json\noutput/gov/evidence-checklist.md\noutput/gov/jira-import.csv\noutput/gov/servicenow-import.csv\noutput/gov/github-issues.md\n```\n\nThis mode uses only built-in PowerShell/.NET XML, CSV, JSON, and file APIs. It is intentionally smaller than the Python CLI, but it preserves the core local workflow: parse, compare, summarize, produce a backlog, and prepare evidence requests. See [docs/government-mode.md](docs/government-mode.md).\n\nGenerate a focused Government Mode packet for one impact category or owner:\n\n```powershell\n.\\tools\\STIGPilot-Gov.ps1 -Command packet `\n  -Old examples\\sample_input\\old.xml `\n  -New examples\\sample_input\\new.xml `\n  -OutDir output\\gov-windows `\n  -Impact high_priority_review `\n  -Owner \"Endpoint/Windows Admin\"\n```\n\n## CLI usage\n\nHealth check:\n\n```bash\nstigpilot doctor\n```\n\nParse a STIG:\n\n```bash\nstigpilot parse examples/sample_input/new.xml --csv output/controls.csv --json output/controls.json\n```\n\nGenerate a brief:\n\n```bash\nstigpilot brief examples/sample_input/new.xml --out output/brief.md --severity high\n```\n\nCompare two STIG versions:\n\n```bash\nstigpilot diff examples/sample_input/old.xml examples/sample_input/new.xml --out output/change-brief.md --csv output/remediation-backlog.csv\n```\n\nGenerate a complete local workflow packet from two STIG files:\n\n```bash\nstigpilot packet examples/sample_input/old.xml examples/sample_input/new.xml --out output/packet\n```\n\nGenerate workflow exports:\n\n```bash\nstigpilot diff examples/sample_input/old.xml examples/sample_input/new.xml --out output/change-brief.md --csv output/remediation-backlog.csv --jira-csv output/jira-import.csv --servicenow-csv output/servicenow-import.csv --github-md output/github-issues.md --drafts-md output/remediation-drafts.md --json output/changes.json\n```\n\nCompare folders of old/new STIG XML files:\n\n```bash\nstigpilot batch examples/portfolio_input/old examples/portfolio_input/new --out output/portfolio\n```\n\nGenerate a focused packet for one impact category or owner group:\n\n```bash\nstigpilot diff examples/sample_input/old.xml examples/sample_input/new.xml --out output/windows-high-priority.md --csv output/windows-high-priority.csv --impact high_priority_review --owner \"Endpoint/Windows Admin\"\n```\n\nGenerate a manager-facing summary:\n\n```bash\nstigpilot manager examples/sample_input/old.xml examples/sample_input/new.xml --out output/manager-summary.md\n```\n\nGenerate a self-contained HTML change brief:\n\n```bash\nstigpilot html examples/sample_input/old.xml examples/sample_input/new.xml --out output/change-brief.html\n```\n\nGenerate ticket-ready export from one STIG:\n\n```bash\nstigpilot tickets examples/sample_input/new.xml --out output/tickets.csv --severity high\n```\n\nGenerate an evidence checklist:\n\n```bash\nstigpilot evidence examples/sample_input/new.xml --out output/evidence-checklist.md\n```\n\nGenerate review-only remediation drafts:\n\n```bash\nstigpilot drafts examples/sample_input/old.xml examples/sample_input/new.xml --out output/remediation-drafts.md\n```\n\nShow a terminal summary:\n\n```bash\nstigpilot summary examples/sample_input/new.xml\n```\n\nWrite a configurable owner/tag mapping example:\n\n```bash\nstigpilot config-example --out stigpilot.toml\n```\n\nUse a local owner/tag mapping config:\n\n```bash\nstigpilot diff examples/sample_input/old.xml examples/sample_input/new.xml --out output/change-brief.md --csv output/remediation-backlog.csv --config stigpilot.toml\n```\n\n## Example outputs\n\nSynthetic fixtures are included in `examples/sample_input/`. They are fake and sanitized.\n\nCommitted sample outputs in `examples/sample_output/`:\n\n- `change-brief.md`\n- `change-brief.html`\n- `changes.json`\n- `manager-summary.md`\n- `remediation-backlog.csv`\n- `evidence-checklist.md`\n- `jira-import.csv`\n- `servicenow-import.csv`\n- `github-issues.md`\n- `remediation-drafts.md`\n\nOne-command packet outputs are committed in `examples/packet_output/`.\n\nFolder comparison sample outputs are committed in `examples/portfolio_output/`.\n\nHTML report output is committed in `examples/html_output/`.\n\nMachine-readable change exports include `schema_version: \"1.0\"` and are documented by [docs/schemas/changes.schema.json](docs/schemas/changes.schema.json).\n\nAdditional parsed-control and ticket-export examples:\n\n- `controls.csv`\n- `controls.json`\n- `tickets.csv`\n\n## Chrome for Windows official inputs\n\nOfficial Google Chrome Current Windows STIG XML files are not vendored in this repository. The Chrome demo uses sanitized sample files unless you provide official XMLs under `examples/chrome_windows_input/`.\n\nSuggested source ZIPs:\n\n- `https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Chrome_V2R10_STIG.zip`\n- `https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Google_Chrome_V2R11_STIG.zip`\n\nThis keeps the project useful immediately while avoiding unclear redistribution of official STIG XML files.\n\n## Impact rules\n\nThe classifier is intentionally transparent. There is no opaque AI dependency.\n\n- New high severity control: `high_priority_review`\n- Severity increased to high: `high_priority_review`\n- Severity increased below high: `review_recommended`\n- Meaningful fix text change: `implementation_change_likely`\n- Meaningful check text change: `evidence_update_likely`\n- Removed control: `review_recommended`\n- Only title/metadata wording changed: `no_action_likely`\n- CCI/reference changes: `review_recommended`\n\nText changes use a transparent similarity threshold of `0.86` plus configuration-language keywords. The goal is to separate wording-only churn from changes likely to affect implementation steps or evidence requests.\n\n## Tags and ownership\n\nTags and suggested owners are keyword-based and explainable.\n\n- Windows, GPO, Registry, Defender/AV: Endpoint/Windows Admin\n- Linux, sshd, sudo, auditd, PAM: Linux Admin\n- IAM, privileged access, authentication, lockout: IAM/Security Admin\n- SQL, Oracle, PostgreSQL, MongoDB: Database Admin\n- Firewall, router, switch, Cisco, Palo Alto: Network/Security Engineering\n- Cloud, Azure, AWS, GCP, Entra: Cloud/IAM Admin\n- Container, Kubernetes, Docker: Platform/Container Admin\n\nEverything else defaults to Security/GRC Analyst.\n\nTeams can extend mappings with a local TOML file:\n\n```toml\n[[owner_rules]]\nowner = \"Identity/IAM Team\"\nkeywords = [\"authentication\", \"privileged account\"]\n\n[tag_rules]\n\"Privileged Access\" = [\"privileged account\", \"sudoers\"]\n```\n\nSee [docs/configuration.md](docs/configuration.md) for owner routing examples, tag rules, and config validation notes.\n\n## Limitations\n\n- STIGPilot does not validate host compliance.\n- STIGPilot does not replace formal review.\n- STIGPilot does not download or scrape DISA content.\n- STIGPilot does not auto-remediate.\n- XML variants are handled best-effort; unusual vendor packaging may require parser improvements.\n- Keyword tags and owner mapping are transparent but imperfect.\n\n## Safe usage\n\nUse STIGPilot only with files you are authorized to process. Do not publish sensitive evidence, system names, internal host data, credentials, classified information, or restricted organizational material. The included fixtures are synthetic.\n\n## Roadmap\n\n- PyPI packaging and publish workflow\n- Better HTML packet/portfolio report coverage\n- More parser fixtures from official-but-user-supplied STIG variants\n- More detailed review-only remediation draft formats\n- Optional screenshot assets for README examples\n- Optional Streamlit dashboard after the CLI remains strong\n\n## What this demonstrates\n\n- Built from a practical security-automation question: how can STIG comparison and follow-up work be made less painful for the people doing it?\n- Defensive security product judgment\n- XCCDF/XML parsing with namespace resilience\n- STIG release change analysis\n- Rule-based impact classification\n- Ticket and evidence workflow design\n- Testable Python CLI engineering\n\n## Development\n\nRun tests:\n\n```bash\npython -m pytest\n```\n\nRegenerate sample outputs:\n\n```bash\npython -m stigpilot.cli diff examples/sample_input/old.xml examples/sample_input/new.xml --out examples/sample_output/change-brief.md --csv examples/sample_output/remediation-backlog.csv --jira-csv examples/sample_output/jira-import.csv --servicenow-csv examples/sample_output/servicenow-import.csv --github-md examples/sample_output/github-issues.md --drafts-md examples/sample_output/remediation-drafts.md\npython -m stigpilot.cli manager examples/sample_input/old.xml examples/sample_input/new.xml --out examples/sample_output/manager-summary.md\npython -m stigpilot.cli parse examples/sample_input/new.xml --csv examples/sample_output/controls.csv --json examples/sample_output/controls.json\npython -m stigpilot.cli tickets examples/sample_input/new.xml --out examples/sample_output/tickets.csv\npython -m stigpilot.cli evidence examples/sample_input/new.xml --out examples/sample_output/evidence-checklist.md\npython -m stigpilot.cli chrome-demo --out examples/chrome_windows_output --input-dir examples/chrome_windows_input\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrkyn%2Fstigpilot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsrkyn%2Fstigpilot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrkyn%2Fstigpilot/lists"}