Python based program to assist in the Answer File creation to support ESTIG scanning
This Python tool helps automate and simplify the STIG compliance lifecycle by:
- Initializing Excel workbooks for tracking STIG items across products.
- Updating Excel with "Not Reviewed" vulnerabilities from `.cklb` JSON output files.
- Automatically generating STIG-compliant XML answer files used by tools like Evaluate-STIG.
- Producing human-readable Markdown reports from `.cklb` findings.
- Supporting a fully interactive CLI and modular flag-based interface for automation.

- Create and manage a centralized Excel workbook for multiple STIGs and systems.
- Auto-import vulnerability keys (V-keys) marked as `Not_Reviewed` from `.cklb` scan files.
- Generate valid XML answer files that map to the DISA Evaluate-STIG schema.
- Clear and reinitialize workbooks when beginning a new assessment cycle.
- Report open findings across systems and generate a Markdown summary.
| Flag | Description |
|---|---|
| `-i`, `--init` | Create a new workbook from a template and generate tabs per STIG |
| `-c`, `--clear` | Clear data rows from all STIG sheets in the workbook |
| `-u`, `--update` | Import new "Not Reviewed" V-keys from `.cklb` JSON scans |
| `-m`, `--manualestig` | Legacy alias for `--update` |
| `-g`, `--generate` | Generate XML answer files per STIG using workbook data |
| `-r`, `--report` | Build a Markdown summary from multiple `.cklb` scan files |
Example:

```shell
python estig_tool.py -c -u -g
```

```text
📂 /stig-assessments/
├── 📄 estig_tool.py
├── 📄 template.xlsx          # Excel template with correct headers
├── 📂 scans/
│   ├── SQL2016DB_20240401-121212.cklb
│   └── RHEL9_20240401-123456.cklb
├── 📂 workbook/
│   └── my_stig_tracking.xlsx
├── 📂 xml_output/
│   └── SQL2016DB.xml
└── 📂 reports/
    └── stig_report.md
```
```shell
python estig_tool.py -i
```

You’ll be prompted to provide:

- A path to your Excel template.
- A destination file for the new workbook.

Creates one sheet per STIG shortname and adds the “AnswerKey Name” column.
```shell
python estig_tool.py -c
```

Deletes all data rows (retains headers), which is useful before importing new findings.
```shell
python estig_tool.py -u
```

Prompts:

- Directory of `.cklb` files.
- “ValidTrueComment” (e.g., `STIG COMPLIANT`)
- Whether to also generate XML.

It:

- Extracts “Not Reviewed” V-keys.
- Adds them to Excel if not already present.
- Optionally updates XML answer files for those V-keys.

✅ Maintains only the latest scan per STIG using filename timestamps.
```shell
python estig_tool.py -g
```

For each STIG sheet:

- Generates or updates an XML file with `<Vuln>` and `<AnswerKey>` nodes.
- Preserves prior data and appends comments noting added keys.

AnswerKey structure:

```xml
<AnswerKey Name="DEFAULT">
  <ExpectedStatus>Not_Reviewed</ExpectedStatus>
  <ValidationCode />
  <ValidTrueStatus>NotAFinding</ValidTrueStatus>
  <ValidTrueComment>STIG COMPLIANT</ValidTrueComment>
  ...
</AnswerKey>
```
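As an added example (not the tool's own code), the two core steps behind `-u` and `-g`: pulling `Not_Reviewed` V-keys out of a `.cklb` JSON file, then merging them into an answer file without duplicating `<Vuln>` nodes that are already there and appending a timestamped comment naming the added keys. The `.cklb` field names, the `STIGComments` root element and the `ValidFalse*` children are assumptions, and the sample checklist is constructed inline.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

# Constructed sample in the shape of a STIG Viewer 3 / Evaluate-STIG .cklb
# file (field names "stigs", "rules", "group_id", "status" are assumptions).
SAMPLE_CKLB = json.dumps({
    "target_data": {"host_name": "SERVER01"},
    "stigs": [{"display_name": "SQL2016DB", "rules": [
        {"group_id": "V-213901", "status": "not_reviewed"},
        {"group_id": "V-213902", "status": "open"},
        {"group_id": "V-213903", "status": "not_reviewed"},
    ]}],
})

def not_reviewed_vkeys(cklb_text: str) -> list:
    """Return the sorted, de-duplicated V-keys whose status is Not_Reviewed."""
    data = json.loads(cklb_text)
    keys = {r["group_id"] for s in data["stigs"] for r in s["rules"]
            if r["status"].lower() == "not_reviewed"}
    return sorted(keys)

def merge_answer_file(existing_xml: Optional[str], vkeys: list,
                      stig_name: str, valid_true_comment: str) -> tuple:
    """Add a DEFAULT AnswerKey for each V-key not already present, keeping
    existing <Vuln> nodes intact. Root element and ValidFalse* children are
    assumptions based on the Evaluate-STIG answer-file schema."""
    root = (ET.fromstring(existing_xml) if existing_xml
            else ET.Element("STIGComments", Name=stig_name))
    present = {v.get("ID") for v in root.findall("Vuln")}
    added = [k for k in vkeys if k not in present]
    for key in added:
        vuln = ET.SubElement(root, "Vuln", ID=key)
        ak = ET.SubElement(vuln, "AnswerKey", Name="DEFAULT")
        ET.SubElement(ak, "ExpectedStatus").text = "Not_Reviewed"
        ET.SubElement(ak, "ValidationCode")          # empty: no validation script
        ET.SubElement(ak, "ValidTrueStatus").text = "NotAFinding"
        ET.SubElement(ak, "ValidTrueComment").text = valid_true_comment
        ET.SubElement(ak, "ValidFalseStatus").text = "Open"
        ET.SubElement(ak, "ValidFalseComment")
    if added:  # audit trail of what this run changed, as the -g flag describes
        stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
        root.append(ET.Comment(f" {stamp}: added {', '.join(added)} "))
    return ET.tostring(root, encoding="unicode"), added

if __name__ == "__main__":
    keys = not_reviewed_vkeys(SAMPLE_CKLB)
    print(merge_answer_file(None, keys, "SQL2016DB", "STIG COMPLIANT")[0])
```

Running it a second time against the XML it produced adds nothing, which is the idempotence you want before pointing the output at Evaluate-STIG.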
```shell
python estig_tool.py -r
```

- Scans recursively for `.cklb` files.
- Aggregates findings per host and per STIG.
- Outputs `stig_report_YYYYMMDD-HHMMSS.md` with stats like:

```markdown
### File: SQL2016DB_20240401-121212.cklb
- Host: SERVER01
- STIG: SQL2016DB — **45** findings
  - Not Reviewed: 20
  - Open: 25

## STIG Implementation Summary
- Total Evaluated: 100
- Compliant (Not a Finding): 70
- Non-compliant (Open): 30

**Overall Implementation: 70.00%**
```
STIG compliance normally requires manually copying V-keys and tracking implementation in spreadsheets and XML. This tool removes hours of manual labor.
You get:

- Versioned XMLs with timestamped comments.
- Markdown reports for meetings, ATOs, or POA&M updates.

Generates valid XML for Evaluate-STIG, which integrates with DoD vulnerability management pipelines.

Install Python dependencies:

```shell
pip install openpyxl pandas
```

Python 3.13 recommended.