A standalone desktop app for macOS, Windows, and Linux. Import XCCDF, CKL, SCAP, InSpec/HDF, and SARIF — assess inline, upgrade between STIG versions, and export evidence packages. No Java. No VS Code.
Inline rule editor with severity filtering, free-text search, column sorting, bulk actions, and target data editing.
Convert DISA XCCDF XML or SCAP 1.2/1.3 data streams into a fresh .cklb checklist.
Convert legacy .ckl checklists to .cklb, preserving status, finding details, and comments.
Apply pass/fail results from SCAP scanners (e.g. SCC) to your open checklist automatically.
Apply Heimdall Data Format results from InSpec runs. Conservative status mapping — errors never count as a pass.
Map SAST/DAST findings from CodeQL, Semgrep, Bandit, and other SARIF 2.1.0 tools to STIG rules via CWE lookup.
Import npm audit, pip-audit, or generic CVE JSON. Maps vulnerabilities to STIG rules with CAT severity.
Pattern-match source code evidence against STIG check content for additional automated coverage.
Carry status, finding details, and comments from an older checklist into a newer one by rule_version.
Carry completed findings to a new major STIG version. Change detection flags only what needs re-review.
Aggregate compliance metrics across a folder of checklists. Status, severity, and completion rates at a glance.
Side-by-side comparison of two checklists. Surfaces regressions, improvements, new rules, and removed rules.
Bundle the checklist, supporting files, and a human-readable summary into a ZIP archive for ATO submission.
Export to spreadsheet for briefings, legacy CKL for tools that require it, or POA&M for remediation tracking.
Roll up checklist compliance by NIST 800-53 Rev. 5 control family for ATO/RMF reporting, using the CCI data the checklist already captures.
DISA releases updated STIGs regularly. Manually re-triaging every rule from scratch takes hours — and risks losing prior work when rules are rewritten or renumbered.
The Upgrade Wizard carries your completed findings forward automatically. It identifies which rules changed, which are new, which were removed, and flags anything that needs re-review before you sign off. Matching uses stable identifiers (rule_version, srg_id, CCI overlap) — never the volatile group_id or rule_id that change between releases.
Pick your completed checklist and the new STIG version (XCCDF benchmark or blank CKLB).
See exactly what carried cleanly, what changed, what’s new, what was removed, and any severity changes.
Reset changed rules, add upgrade notes to comments, and generate a markdown diff report.
Upgraded checklist and optional report are written to disk. Your source file is never modified.
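The carry-forward logic the wizard describes, written out as an added Python example (not STIG Workbench's own code): rules are matched on rule_version first, then on SRG id plus CCI overlap, never on group_id or rule_id, and a rule whose check content changed is reset for re-review. The dict field names (rule_version, srg_id, ccis, check_content) and the sample records are assumptions constructed for the demo.

```python
"""Carry STIG findings forward to a new benchmark version (added example,
not STIG Workbench's code). Match on stable identifiers only: rule_version
first, then SRG id + CCI overlap. Field names and sample records are assumed."""

def _fallback_match(old_pool, new):
    """Second pass: same SRG and at least one shared CCI among still-unmatched old rules."""
    for old in old_pool.values():
        if old["srg_id"] == new["srg_id"] and set(old["ccis"]) & set(new["ccis"]):
            return old
    return None

def upgrade(old_rules, new_rules):
    """Classify new-benchmark rules and carry status, finding details and comments forward."""
    pending = {r["rule_version"]: r for r in old_rules}   # old rules not yet matched
    out = {"carried": [], "changed": [], "new": [], "removed": [], "severity_changed": []}
    for new in new_rules:
        old = pending.get(new["rule_version"]) or _fallback_match(pending, new)
        if old is None:
            out["new"].append(new["rule_version"])
            continue
        del pending[old["rule_version"]]
        merged = dict(new, status=old["status"], finding_details=old["finding_details"], comments=old["comments"])
        if old["rule_version"] != new["rule_version"]:
            merged["comments"] += f"[upgrade] renumbered from {old['rule_version']}. "
        if old["severity"] != new["severity"]:
            out["severity_changed"].append((new["rule_version"], old["severity"], new["severity"]))
        if old["check_content"] != new["check_content"]:
            merged["status"] = "not_reviewed"   # reset: check text changed, needs re-review
            merged["comments"] += "[upgrade] check content changed; re-review required. "
            out["changed"].append(merged)
        else:
            out["carried"].append(merged)
    out["removed"] = list(pending)             # old rules with no counterpart in the new benchmark
    return out

def run_sample():
    """Constructed sample: one clean carry, one changed + severity downgrade, one renumbered, one new, one removed."""
    def rule(rv, srg, ccis, check, sev, status="not_reviewed", details="", comments=""):
        return {"rule_version": rv, "srg_id": srg, "ccis": ccis, "check_content": check,
                "severity": sev, "status": status, "finding_details": details, "comments": comments}
    old = [rule("SV-1-r3", "SRG-OS-1", ["CCI-1"], "check A", "medium", "not_a_finding"),
           rule("SV-2-r2", "SRG-OS-2", ["CCI-2"], "check B", "high", "open", "port 22 open"),
           rule("SV-3-r1", "SRG-OS-3", ["CCI-3"], "check C", "low", "not_applicable"),
           rule("SV-4-r1", "SRG-OS-4", ["CCI-4"], "check F", "low", "open")]
    new = [rule("SV-1-r3", "SRG-OS-1", ["CCI-1"], "check A", "medium"),
           rule("SV-2-r2", "SRG-OS-2", ["CCI-2"], "check B revised", "medium"),
           rule("SV-9-r1", "SRG-OS-3", ["CCI-3", "CCI-4"], "check C", "low"),
           rule("SV-5-r1", "SRG-OS-5", ["CCI-5"], "check E", "high")]
    return upgrade(old, new)
```

Running `run_sample()` shows the matching order in practice: SV-9-r1 is picked up from SV-3-r1 through the SRG/CCI fallback and carried with a renumbering note, while SV-4-r1 has no counterpart and is reported as removed.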
Grab the 14-day trial for your OS and install it. Double-click any .cklb file and it opens automatically.
Import an XCCDF benchmark from public.cyber.mil, or open an existing CKL or CKLB.
Apply SCAP, InSpec/HDF, SARIF, or dependency audit results to auto-populate findings. Triage the rest inline.
Export CKL for eMASS, CSV for briefings, POA&M for remediation, or a full evidence package ZIP.
DISA’s STIG Viewer is a standalone Java app from another era — slow to launch, limited in features, and disconnected from the rest of your workflow. STIG Workbench is a modern native desktop application that handles the full assessment lifecycle in one place.
Work through rules with keyboard shortcuts, triage with inline dropdowns, fold in automated evidence from InSpec, SCAP, and SARIF, carry findings forward when STIG versions update, and export everything your ATO package needs.
Runs on macOS, Windows, and Linux. No Java, no VS Code, no browser. Opens .cklb files by default.
XCCDF, CKL, SCAP, InSpec/HDF, SARIF, and dependency audits. Conservative status mapping — errors never count as a pass.
Carry completed findings to a new STIG version automatically. Change detection flags only what needs re-review.