Track and refine the 126 CWE→STIG mappings as users report edge cases where:
- A CWE maps to the wrong STIG finding
- A CWE is missing that should be mapped
- A confidence level is wrong (e.g., marked `direct` but should be `inferred`)
- A finding classified as `procedural` is actually partially SAST-assessable
Process: collect feedback via issues tagged `mapping-feedback`, validate each report against the XCCDF finding text (not just the rule title), then update `data/mappings/asd_stig_v6r3.yaml` and `data/mappings/finding_classifications.yaml`.
The current split of 80 SAST-assessable / 206 procedural findings and the 126 mappings across 60 CWEs are a solid starting point, but real-world scanner output will surface gaps.