The complete STIG assessment toolkit for VS Code

View, edit, and export DISA STIG checklists without leaving your editor. Built to replace the legacy Java STIG Viewer with a modern, keyboard-driven experience.

Features
Everything you need for STIG assessments
From importing benchmarks to exporting evidence packages, STIG Workbench handles the full assessment lifecycle.

Free

$0 forever
Open source · MIT License
  • Full checklist viewer & editor
  • Import XCCDF benchmarks
  • Import legacy CKL files
  • Export to CKL format
  • Inline editing with auto-save
  • Status filtering & free-text search
  • Column sorting
  • Keyboard navigation (j/k, arrows)
  • Target data editing

Pro

$12/month
or $100/year per seat · Instant license key delivery
  • Everything in Free, plus:
  • SARIF import with CWE-to-STIG mapping
  • Repo security scanner
  • Dependency audit import (npm/pip)
  • SCAP results import
  • Multi-checklist dashboard
  • Merge / carry forward findings
  • Diff two checklists
  • Bulk status updates
  • CSV & POA&M export
  • Evidence package builder
  • Finding detail templates
How It Works
From install to evidence in four steps
No Java, no standalone app. Just open VS Code and go.

Install

Install STIG Workbench from the VS Code Marketplace. Open any .cklb file and the editor activates automatically.

Import STIG

Import an XCCDF benchmark from public.cyber.mil to generate a blank checklist, or import an existing CKL.

Run Your Tools

Import SARIF results from CodeQL, Semgrep, or Bandit. Run dependency audits. Use the built-in repo scanner for quick checks.

Export Evidence

Export CKL for eMASS, summary CSV for briefings, POA&M for remediation tracking, or a full evidence package zip.

Built for Assessors
Replace the legacy Java STIG Viewer

DISA's STIG Viewer served its purpose, but it's a standalone Java app from another era. STIG Workbench brings the full assessment workflow into the editor you already live in.

Work through rules with keyboard shortcuts, triage with inline dropdowns, merge findings when STIG versions update, and export everything your ATO package needs — without switching windows.

Native VS Code Integration

Custom editor, undo/redo, themes, keyboard navigation — it works like any other VS Code editor.

SAST-to-STIG Automation

Map CodeQL, Semgrep, and Bandit findings directly to STIG rules via CWE IDs. Stop copy-pasting.

One-Click Evidence Packages

Bundle the checklist, CKL export, CSV summary, POA&M, and attached artifacts into a single zip.