Project

cyber_trackr_live

0.0
The project is in a healthy, maintained state
cyber_trackr_livemitre/cyber-trackr-liveHomepageDocumentationSource CodeBug TrackerWiki
Provides OpenAPI 3.1.1 specification and Ruby client for accessing DISA STIGs, SRGs, RMF controls, CCIs, and SCAP data via the cyber.trackr.live API
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
388
Stars
1
Forks
0
Watchers
0
 Releases
Current version
1.0.3
Total releases
4
First release
2025-08-02
Latest release
2025-08-02
 Development
Primary Language
Ruby
Licenses
Apache-2.0
Average date of last 50 commits
2025-08-01
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 2.0
bundler-audit
~> 0.9
minitest
~> 5.0
rake
~> 13.0
rubocop
~> 1.50
rubocop-ast
~> 1.28
simplecov
~> 0.22
webmock
~> 3.0
yard
~> 0.9

Runtime

faraday
~> 2.0
faraday-follow_redirects
~> 0.3
faraday-multipart
~> 1.0
marcel
~> 1.0
 Project Readme
title description layout sidebar
cyber-trackr-live
OpenAPI specification and Ruby client for the cyber.trackr.live API
doc
true

cyber-trackr-live

OpenAPI specification and Ruby client for the cyber.trackr.live API - providing programmatic access to DISA STIGs, SRGs, RMF controls, CCIs, and SCAP data.

🎯 Overview

This repository contains:

  • OpenAPI 3.1.1 Specification - Complete API documentation for cyber.trackr.live
  • Ruby Client Library - Generated client with helper utilities
  • Documentation - Interactive API docs via VitePress
  • Examples - Usage examples for common workflows

πŸ“š Quick Links

πŸ’Ž Installation

Ruby Gem

gem install cyber_trackr_live

Or add to your Gemfile:

gem 'cyber_trackr_live'

See README-GEM.md for detailed Ruby usage instructions.

Using the OpenAPI Spec

The OpenAPI specification can be used to generate clients in other languages:

# Example: Generate a Python client
docker run --rm \
  -v "${PWD}:/local" \
  openapitools/openapi-generator-cli generate \
  -i /local/openapi/openapi.yaml \
  -g python \
  -o /local/generated/python

πŸ”— DISA Ecosystem Overview

The cyber.trackr.live API provides access to the complete DISA cybersecurity compliance hierarchy:

NIST RMF Controls (high-level policy framework)
    ↓ (decomposed into atomic, testable statements)
CCIs (Control Correlation Identifiers - bridge policy to implementation)
    ↓ (grouped by technology class into generic requirements)
SRGs (Security Requirements Guides - technology class "what" to do)
    ↓ (implemented as vendor-specific "how" to do it)
STIGs (Security Technical Implementation Guides - vendor/product specific)
    ↓ (automated versions for scanning tools)
SCAP (Security Content Automation Protocol documents)

Key ID Types

  • V-IDs: V-214518 - Legacy "Vulnerability IDs", actually requirement identifiers
  • SV-IDs: SV-214518r997541_rule - XCCDF rule IDs with revision tracking
  • SRG-IDs: SRG-NET-000015-ALG-000016 - Security Requirements Guide groupings
  • CCI-IDs: CCI-000213 - Control Correlation Identifiers (map to RMF controls)
  • RMF Controls: AC-1, AU-2 - Risk Management Framework controls

πŸ“Š API Scale & Coverage

  • 1000+ STIG/SRG documents
  • 3000+ Control Correlation Identifiers (CCIs)
  • 100+ RMF controls in revisions 4 and 5
  • 87 SCAP documents for automated scanning
  • Complete cross-reference mappings between all document types

πŸ› οΈ Development

Prerequisites

  • Ruby 3.2+ (see .ruby-version)
  • Node.js 22+ (see .nvmrc)
  • Docker (for client generation)

Setup

# Clone the repository
git clone https://github.com/mitre/cyber-trackr-live.git
cd cyber-trackr-live

# Install Ruby dependencies
bundle install

# Install Node dependencies for docs (optional - only for OpenAPI docs)
npm install

Development Workflows

Working on the OpenAPI Specification

# Validate the OpenAPI spec (using Spectral)
npm run docs:validate

# Preview API docs locally
npm run docs:dev
# Opens at http://localhost:4000

# Regenerate Ruby client after spec changes
make generate

Ruby Development

# Run tests before committing
make test

# Run linting
bundle exec rubocop

# Test the gem build
gem build cyber_trackr_live.gemspec

# Use the gem locally
bundle exec irb -I lib -r cyber_trackr_helper

Documentation Development

# Generate YARD docs for Ruby code
bundle exec yard doc

# Build complete documentation site
make docs

# Start local Scalar docs server
make docs-serve

Project Structure

cyber-trackr-live/
β”œβ”€β”€ openapi/                   # OpenAPI specification
β”‚   └── openapi.yaml          # Main spec file
β”œβ”€β”€ lib/                      # Ruby implementation
β”‚   β”œβ”€β”€ cyber_trackr_client/  # Generated client
β”‚   β”œβ”€β”€ cyber_trackr_helper/  # Helper utilities
β”‚   └── rubocop/             # Custom cops
β”œβ”€β”€ test/                     # Test suite
β”œβ”€β”€ examples/                 # Usage examples
β”œβ”€β”€ scripts/                  # Development scripts
└── docs/                     # Documentation

πŸ§ͺ Testing

The project uses a two-tier testing approach with clear separation of concerns:

OpenAPI Validation (Node.js/Spectral)

# Validate OpenAPI spec - professional-grade validation
npm run docs:validate

Ruby Testing (Core Functionality)

# Run core gem tests (fast - default)
bundle exec rake test

# Run all tests including live API integration
bundle exec rake test:all

# Run live API integration tests only
bundle exec rake test:stage2b

Test Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚   Spectral      β”‚    β”‚ Ruby Testing    β”‚
β”‚   (Node.js)     β”‚    β”‚                 β”‚
β”‚                 β”‚    β”‚                 β”‚
β”‚ β€’ OpenAPI 3.1   β”‚    β”‚ β€’ Core gem      β”‚
β”‚ β€’ Syntax valid  β”‚    β”‚ β€’ Helper methodsβ”‚
β”‚ β€’ Best practice β”‚    β”‚ β€’ Live API      β”‚
β”‚ β€’ Custom rules  β”‚    β”‚ β€’ Integration   β”‚
β”‚ β€’ DISA patterns β”‚    β”‚ β€’ Business logicβ”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
        β”‚                       β”‚
        β–Ό                       β–Ό
   Static Analysis        Dynamic Testing
   (Spec Quality)         (Live API)

Test Suite Details

  1. Spectral Validation - Professional OpenAPI 3.1 validation with custom DISA rules
  2. Core Gem Tests - Tests helper methods and gem functionality
  3. Live API Tests - Tests against live cyber.trackr.live API responses
  4. Integration Tests - End-to-end workflow testing

⚠️ Important API Notes

Mixed Endpoints

SRGs and STIGs are served from the same /stig endpoint despite being conceptually different:

  • SRGs: Generic technology requirements (e.g., "Configure the ALG to...")
  • STIGs: Vendor-specific implementation (e.g., "show configuration system services ssh")

Use the Ruby helper's is_srg?() method or name patterns to distinguish them.

Known Issues

  • Error Codes: Invalid parameters return 500 (not 404)
  • Date Formats: Some dates have leading spaces or inconsistent formats

Rate Limiting

The API appears to accept reasonable request rates, but be respectful:

  • Use delays between requests (helper defaults to 100ms)
  • Cache responses when possible
  • Avoid unnecessary bulk downloads

🀝 Contributing

See Contributing Guide for development setup and contribution guidelines.

πŸ“„ License

This project is licensed under the Apache License 2.0 - see License for details.

🏒 Acknowledgments

Created and maintained by MITRE as part of the Security Automation Framework (SAF).

This is an unofficial, community-maintained project. Not affiliated with DISA or cyber.trackr.live.