7. Environment Variables
STIG Manager is configured via its Environment Variables:
| Variable | Description | Affects |
|---|---|---|
| STIGMAN_API_ADDRESS | Default: `0.0.0.0`. The IP address on which the API server will listen | API |
| STIGMAN_API_MAX_JSON_BODY | Default: `5242880`. The maximum size in bytes of the request body when Content-Type is application/json | API |
| STIGMAN_API_MAX_UPLOAD | Default: `1073741824`. The maximum size in bytes of the file uploaded with Content-Type multipart/form-data | API |
| STIGMAN_API_PORT | Default: `54000`. The TCP port on which the server will listen | API |
| STIGMAN_CLASSIFICATION | Default: `U`. Sets the classification banner, if any. Available values: `NONE` `U` `CUI` `C` `S` `TS` `SCI` | API, Client |
| STIGMAN_CLIENT_API_BASE | Default: `./api`. The base URL for Client requests to the API, relative to the server root at / | Client |
| STIGMAN_CLIENT_DIRECTORY | Default: `./clients`. The location of the web client files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the client is located at `../../clients` relative to the API directory. | API, Client |
| STIGMAN_CLIENT_DISABLED | Default: `false`. Whether to disable serving of the reference web client | Client |
| STIGMAN_CLIENT_EXTRA_SCOPES | No default. OAuth2 scopes to request in addition to `stig-manager:stig` `stig-manager:stig:read` `stig-manager:collection` `stig-manager:user` `stig-manager:user:read` `stig-manager:op`. Some OIDC providers (Okta) generate a refresh token only if the scope `offline_access` is requested | Client |
| STIGMAN_CLIENT_ID | Default: `stig-manager`. The OIDC clientId of the web client | Client |
| STIGMAN_CLIENT_OIDC_PROVIDER | Default: value of `STIGMAN_OIDC_PROVIDER`. Client override of the base URL of the OIDC provider issuing signed JWTs for the API. The string `/.well-known/openid-configuration` will be appended by the client when fetching metadata. | Client |
| STIGMAN_CLIENT_SCOPE_PREFIX | No default. String used as a prefix for each scope when authenticating to the OIDC Provider. Some providers (Azure AD) expect scope requests in the format `api://<application_id>/<scope>`, where `api://<application_id>/` is the required prefix. | Client |
| STIGMAN_CLIENT_REFRESH_DISABLED | Default: `false`. Whether the web client should use a provided refresh token to update the access token | Client |
| STIGMAN_CLIENT_WELCOME_IMAGE | No default. An image URL that will be rendered in the Home tab Welcome widget. The image will be scaled to a max width or height of 125 pixels. If no alternate image is specified, the seal of the Department of the Navy (the project sponsor) will be displayed. | Client Appearance |
| STIGMAN_CLIENT_WELCOME_LINK | No default. Value of an optional link that will follow the Welcome message in the Home tab Welcome widget. | Client Appearance |
| STIGMAN_CLIENT_WELCOME_MESSAGE | No default. Text that will be displayed in the Home tab Welcome widget. | Client Appearance |
| STIGMAN_CLIENT_WELCOME_TITLE | Default: `Support`. The title that will be displayed for the custom Home tab Welcome message. | Client Appearance |
| STIGMAN_DB_HOST | Default: `localhost`. The database hostname or IP from the API server | API |
| STIGMAN_DB_MAX_CONNECTIONS | Default: `25`. The maximum size of the database connection pool | API |
| STIGMAN_DB_PASSWORD | No default. The password used to log in to the database | API |
| STIGMAN_DB_PORT | Default: `3306`. The database TCP port relative to the API server | API |
| STIGMAN_DB_SCHEMA | Default: `stigman`. The schema where the STIG Manager objects are found | API |
| STIGMAN_DB_TLS_CA_FILE | No default. A file/path relative to the API /tls directory that contains the PEM encoded CA certificate used to sign the database TLS certificate. Setting this variable enables TLS connections to the database. | API |
| STIGMAN_DB_TLS_CERT_FILE | No default. A file/path relative to the API /tls directory that contains the PEM encoded Client certificate used when authenticating the database client. Additionally requires setting values for `STIGMAN_DB_TLS_CA_FILE` and `STIGMAN_DB_TLS_KEY_FILE`. | API |
| STIGMAN_DB_TLS_KEY_FILE | No default. A file/path relative to the API /tls directory that contains the PEM encoded Client private key used when authenticating the database client. Additionally requires setting values for `STIGMAN_DB_TLS_CA_FILE` and `STIGMAN_DB_TLS_CERT_FILE`. | API |
| STIGMAN_DB_TYPE | Default: `mysql`. The database type. Valid values are `mysql` | API |
| STIGMAN_DB_USER | Default: `stigman`. The user account used to log in to the database | API |
| STIGMAN_DOCS_DIRECTORY | Default: `./docs`. The location of the documentation files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the docs are located at `../../docs/_build/html` relative to the API directory. | API, documentation |
| STIGMAN_DOCS_DISABLED | Default: `false`. Whether to disable serving of the project Documentation. NOTE: If you choose to serve the Client from the API container but not the Documentation, the links to the Docs on the home page will not work. | Documentation |
| STIGMAN_INIT_IMPORT_STIGS | Default: `false`. Whether to fetch and import the current DISA STIG Library compilation from public.cyber.mil on initial database migration | API |
| STIGMAN_LOG_LEVEL | Default: `3`. Controls the granularity of the generated log output, from 1 to 4. Each level is inclusive of the ones before it. Level 1 will log only errors, level 2 includes warnings, level 3 includes status and transaction logs, and level 4 includes debug-level logs | API |
| STIGMAN_LOG_MODE | Default: `combined`. Controls whether a single “combined” log entry is created for each HTTP request, containing both the request and response information, or two separate log entries, one for the request and one for the response, that can be correlated via a generated Request GUID in each entry | API |
| STIGMAN_JWT_EMAIL_CLAIM | Default: `email`. The access token claim whose value is the user’s email address | API, Client |
| STIGMAN_JWT_NAME_CLAIM | Default: `name`. The access token claim whose value is the user’s full name | API, Client |
| STIGMAN_JWT_PRIVILEGES_CLAIM | Default: `realm_access.roles`. The access token claim whose value is the user’s privileges | API, Client |
| STIGMAN_JWT_SCOPE_CLAIM | Default: `scope`. The access token claim whose value is the user’s scopes. Some OIDC Providers (Okta, Azure AD) use the claim `scp` to enumerate scopes | API, Client |
| STIGMAN_JWT_SERVICENAME_CLAIM | Default: `clientId`. The access token claim whose value is the user’s client | API, Client |
| STIGMAN_JWT_USERNAME_CLAIM | Default: `preferred_username`. The access token claim whose value is the user’s username | API, Client |
| STIGMAN_OIDC_PROVIDER | Default: `http://localhost:8080/auth/realms/stigman`. The base URL of the OIDC provider issuing signed JWTs for the API. The string `/.well-known/openid-configuration` will be appended when fetching metadata. | API, Client |
| STIGMAN_SWAGGER_ENABLED | Default: `false`. Whether to enable the SwaggerUI SPA at /api-docs | API |
| STIGMAN_SWAGGER_OIDC_PROVIDER | Default: value of `STIGMAN_OIDC_PROVIDER`. SwaggerUI override of the base URL of the OIDC provider issuing signed JWTs for the API. The string `/.well-known/openid-configuration` will be appended by the SwaggerUI when fetching metadata. | API |
| STIGMAN_SWAGGER_REDIRECT | Default: `http://localhost:54000/api-docs/oauth2-redirect.html`. The redirect URL sent by SwaggerUI to the OIDC provider when authorizing | API |
| STIGMAN_SWAGGER_SERVER | Default: `http://localhost:54000/api`. The API server URL relative to the SwaggerUI | API |
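
A preflight check built from the rules in the table above, as an added example that is not part of the STIG Manager project. `auditStigmanEnv` is a hypothetical helper; the https and SwaggerUI warnings, and treating the string `true` as enabled, are assumptions of this example rather than documented behaviour.

```javascript
// Added example (not STIG Manager code): preflight review of an environment.
// Names, defaults and allowed values come from the table above; "warn" items
// are this example's own policy choices.
const CLASSIFICATIONS = ['NONE', 'U', 'CUI', 'C', 'S', 'TS', 'SCI'];
const TLS_VARS = ['STIGMAN_DB_TLS_CA_FILE', 'STIGMAN_DB_TLS_CERT_FILE', 'STIGMAN_DB_TLS_KEY_FILE'];
const OIDC_VARS = ['STIGMAN_OIDC_PROVIDER', 'STIGMAN_CLIENT_OIDC_PROVIDER', 'STIGMAN_SWAGGER_OIDC_PROVIDER'];

function auditStigmanEnv(env) {
  const findings = [];
  const add = (level, name, msg) => findings.push({ level, name, msg });
  const isSet = (n) => typeof env[n] === 'string' && env[n] !== '';
  // Documented: CERT_FILE and KEY_FILE each require the other two TLS variables.
  const [ca, cert, key] = TLS_VARS.map(isSet);
  if ((cert || key) && !(ca && cert && key)) {
    for (const n of TLS_VARS.filter((v) => !isSet(v))) {
      add('error', n, 'required when a database client certificate or key is set');
    }
  }
  // Documented: database TLS is enabled only by setting the CA file.
  if (!ca && !cert && !key) add('warn', TLS_VARS[0], 'unset, database TLS is not enabled');
  // Documented allowed values and range, with the documented defaults.
  const cls = env.STIGMAN_CLASSIFICATION ?? 'U';
  if (!CLASSIFICATIONS.includes(cls)) add('error', 'STIGMAN_CLASSIFICATION', `"${cls}" is not an available value`);
  if (!/^[1-4]$/.test(env.STIGMAN_LOG_LEVEL ?? '3')) add('error', 'STIGMAN_LOG_LEVEL', 'must be 1 to 4');
  // Policy (assumption): the token issuer should be https; the default is http://localhost.
  for (const n of OIDC_VARS) {
    if (n === OIDC_VARS[0] && !isSet(n)) add('warn', n, 'unset, default is http://localhost:8080/auth/realms/stigman');
    else if (isSet(n) && !env[n].startsWith('https://')) add('warn', n, 'OIDC provider URL is not https');
  }
  // Policy (assumption): SwaggerUI enabled with its localhost defaults deserves a look.
  if (env.STIGMAN_SWAGGER_ENABLED === 'true') {
    for (const n of ['STIGMAN_SWAGGER_REDIRECT', 'STIGMAN_SWAGGER_SERVER']) {
      if (!isSet(n)) add('warn', n, 'SwaggerUI enabled, URL still defaults to localhost:54000');
    }
  }
  return findings;
}

// Constructed sample environment, not taken from a real deployment.
const sample = {
  STIGMAN_DB_TLS_CA_FILE: 'ca.pem', STIGMAN_DB_TLS_CERT_FILE: 'client.pem',
  STIGMAN_CLASSIFICATION: 'FOUO', STIGMAN_SWAGGER_ENABLED: 'true',
  STIGMAN_OIDC_PROVIDER: 'http://idp.example.test/realms/stigman',
};
for (const f of auditStigmanEnv(sample)) console.log(`${f.level.toUpperCase()} ${f.name}: ${f.msg}`);
```

In practice, pass `process.env` instead of the sample object and fail the deployment step when any `error` finding is returned.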

| Variable | Description | Affects |
|---|---|---|
| NODE_EXTRA_CA_CERTS | `[your CA certificate file path]` Set this Node.js environment variable to direct Node to accept CA certificates you have provided, in addition to its built-in CA certs. In the case of the Iron Bank based image, DoD CA certificates are already located here: | Node.js, API |