DISA periodically releases new versions of the Application Security and Development STIG. The current mapping database targets V6R3 (February 2025, 286 findings).
When DISA releases V7 (or V6R4+), stigcode needs to:
- Diff the XCCDF — identify new, modified, and removed findings using `stigcode stig import-xccdf` on both versions
- Update finding classifications — new findings need SAST/procedural classification
- Update CWE mappings — new SAST-assessable findings need CWE assignments
- Version the mapping database — create a new mapping file (e.g., `asd_stig_v7r1.yaml`) alongside the existing one
- Update the registry — add the new version to `registry.yaml`, optionally set as default
- Test — verify all existing tests pass with both old and new mapping data
The multi-STIG architecture (`registry.yaml`, `--stig` flag) already supports multiple versions of the same STIG. The main work is the data curation for changed findings.
Monitor: https://public.cyber.mil/stigs/downloads/ for new ASD STIG releases.
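A sketch of the XCCDF diff step listed above, as an added example; it is not stigcode's own code and does not reproduce what `stigcode stig import-xccdf` emits. It assumes the usual XCCDF layout (a `Group` holding one `Rule` with `version`, `title`, `check/check-content` and `fixtext`); all V-numbers, rule ids and texts are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore the XCCDF namespace version

def _text(elem, name, deep=False):
    # Whitespace-normalized text of children (or all descendants) named `name`.
    nodes = elem.iter() if deep else elem
    parts = [t for e in nodes if _local(e.tag) == name for t in e.itertext()]
    return " ".join("".join(parts).split())

def load_findings(xccdf_xml):
    """Map Group id (V-number) to the fields that drive classification and CWE mapping."""
    findings = {}
    for group in ET.fromstring(xccdf_xml).iter():
        rule = next((c for c in group if _local(c.tag) == "Rule"), None)
        if _local(group.tag) != "Group" or rule is None:
            continue
        body = _text(rule, "check-content", deep=True) + "\n" + _text(rule, "fixtext")
        findings[group.get("id")] = {
            "severity": rule.get("severity", ""),
            "stig_id": _text(rule, "version"),
            "title": _text(rule, "title"),  # direct child only, skips reference/dc:title
            "text_sha256": hashlib.sha256(body.encode()).hexdigest(),
        }
    return findings

def diff_findings(old, new):
    """Return added and removed V-numbers plus, per modified finding, the changed fields."""
    changed = {v: [f for f in old[v] if old[v][f] != new[v][f]] for v in sorted(old.keys() & new.keys())}
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": {v: f for v, f in changed.items() if f}}

def _sample(rows):  # builds a constructed benchmark; none of this is real DISA content
    groups = "".join(
        f'<Group id="{v}"><Rule id="S{v}_rule" severity="{sev}"><version>{sid}</version>'
        f"<title>{title}</title><check><check-content>{chk}</check-content></check>"
        f"<fixtext>{fix}</fixtext></Rule></Group>" for v, sev, sid, title, chk, fix in rows)
    return f'<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">{groups}</Benchmark>'

OLD_XML = _sample([("V-000001", "medium", "EX-000010", "Random session IDs", "Review the generator.", "Use a CSPRNG."),
                   ("V-000002", "medium", "EX-000020", "Validate input", "Review input handling.", "Validate all input."),
                   ("V-000003", "low", "EX-000030", "Show a banner", "Check the login page.", "Add a banner.")])
NEW_XML = _sample([("V-000001", "medium", "EX-000010", "Random session IDs", "Review  the\n generator.", "Use a CSPRNG."),
                   ("V-000002", "high", "EX-000020", "Validate input", "Review input handling and encoding.", "Validate all input."),
                   ("V-000004", "medium", "EX-000040", "Log failed logins", "Review audit logs.", "Enable audit logging.")])
print(diff_findings(load_findings(OLD_XML), load_findings(NEW_XML)))
```

Findings listed under `added` need a SAST/procedural classification, and those whose `text_sha256` or `severity` changed are the ones whose existing CWE mapping should be re-reviewed. Whitespace-only reflows of the check text do not count as modifications.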