6. Environment Variables
C-PAT is configured via its Environment Variables:
| Variable | Description | Affects |
|---|---|---|
| CPAT_API_ADDRESS | Default: `0.0.0.0`. The IP address on which the API server will listen. | API |
| CPAT_API_MAX_JSON_BODY | Default: `52428800`. The maximum size in bytes of the request body when Content-Type is `application/json`. | API |
| CPAT_API_MAX_UPLOAD | Default: `52428800`. The maximum size in bytes of the file uploaded with Content-Type `multipart/form-data`. | API |
| CPAT_API_RATE_LIMIT | Default: `1000`. API rate limit per 15 minutes. | API |
| CPAT_API_TRUST_PROXY | Default: `1`. Number of trusted proxy hops for the Express `trust proxy` setting. | API |
| CPAT_API_PORT | Default: `8086`. The TCP port on which the server will listen. | API |
| CPAT_CLASSIFICATION | Default: `NONE` if CPAT_DOD_DEPLOYMENT is explicitly set to `false`, otherwise `U`. Sets the classification banner, if any. Available values: `NONE`, `U`, `FOUO`, `CUI`, `C`, `S`, `TS`, `SCI`. | API, Client |
| CPAT_DOD_DEPLOYMENT | Default: `true`. Configures whether the application deployment is subject to DoD and Application Security and Development STIG rules, e.g. the DoD consent banner. | API, Client |
| CPAT_DOD_BRANCH | Default: `Navy`. Branch of service for the deployment, which selects the eMASS export template. Case-insensitive. Available values: `Navy`, `Army`, `Marine Corps`. | API, Client |
| CPAT_ADMIN_INACTIVITY_TIMEOUT | Default: `10`. Time in minutes that an admin can be inactive before being automatically logged out. | Client |
| CPAT_INACTIVITY_TIMEOUT | Default: `15`. Time in minutes that a user can be inactive before being automatically logged out. | Client |
| CPAT_API_BASE | Default: `api`. The base URL for Client requests to the API, relative to the server root at `/`. | Client |
| CPAT_CLIENT_DIRECTORY | Default: `../client/dist/browser`. The location of the web client files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the client is located at `../client/dist/browser` relative to the API directory. | API, Client |
| CPAT_CLIENT_DISABLED | Default: `false`. Whether to not serve the reference web client. | Client |
| CPAT_CLIENT_EXTRA_SCOPES | No default. OAuth2 scopes to request in addition to `c-pat:read c-pat:write c-pat:op openid`. Some OIDC providers (Okta) generate a refresh token only if the scope `offline_access` is requested. | Client |
| CPAT_OIDC_CLIENT_ID | Default: `c-pat`. The OIDC clientId for C-PAT. | Client |
| CPAT_SCOPE_PREFIX | No default. String used as a prefix for each scope when authenticating to the OIDC Provider. Some providers (Azure AD) expect scope requests in the format `api://<application_id>/<scope>`, where `api://<application_id>/` is the required prefix. | Client |
| CPAT_CLIENT_REFRESH_DISABLED | Default: `false`. Whether the web client should use a provided refresh token to update the access token. | Client |
| CPAT_DB_HOST | Default: `localhost`. The database hostname or IP, as reachable from the API server. | API |
| CPAT_DB_MAX_CONNECTIONS | Default: `25`. The maximum size of the database connection pool. | API |
| CPAT_DB_USER | Default: `cpat`. The user account used to log in to the database. | API |
| CPAT_DB_PASSWORD | No default. The password used to log in to the database. | API |
| CPAT_DB_PORT | Default: `3306`. The database TCP port, as reachable from the API server. | API |
| CPAT_DB_SCHEMA | Default: `cpat`. The schema where the C-PAT objects are found. | API |
| CPAT_DB_TLS_CA_FILE | No default. A file/path relative to the API `/tls` directory that contains the PEM encoded CA certificate used to sign the database TLS certificate. Setting this variable enables TLS connections to the database. | API |
| CPAT_DB_TLS_CERT_FILE | No default. A file/path relative to the API `/tls` directory that contains the PEM encoded Client certificate used when authenticating the database client. Additionally requires setting values for CPAT_DB_TLS_CA_FILE and CPAT_DB_TLS_KEY_FILE. | API |
| CPAT_DB_TLS_KEY_FILE | No default. A file/path relative to the API `/tls` directory that contains the PEM encoded Client private key used when authenticating the database client. Additionally requires setting values for CPAT_DB_TLS_CA_FILE and CPAT_DB_TLS_CERT_FILE. | API |
| CPAT_DOCS_DIRECTORY | Default: `./docs`. The location of the documentation files, relative to the API source directory. Note that if running source from a clone of the GitHub repository, the docs are located at `../../docs/_build/html` relative to the API directory. | API, Documentation |
| CPAT_DOCS_DISABLED | Default: `false`. Whether to not serve the documentation. | Documentation |
| CPAT_LOG_LEVEL | Default: `3`. Controls the granularity of the generated log output, from 1 to 4. Each level is inclusive of the ones before it. Level 1 logs only errors, level 2 includes warnings, level 3 includes status and transaction logs, and level 4 includes debug-level logs. | API |
| CPAT_LOG_MODE | Default: `combined`. Controls whether the logs create one "combined" log entry for HTTP requests that includes both the request and response information, or two separate log entries, one for the request and one for the response, that can be correlated via a generated Request GUID in each entry. | API |
| CPAT_JWT_EMAIL_CLAIM | Default: `email`. The access token claim whose value is the user's email address. | API, Client |
| CPAT_JWT_NAME_CLAIM | Default: `name`. The access token claim whose value is the user's full name. | API, Client |
| CPAT_JWT_FIRST_NAME_CLAIM | Default: `given_name`. The access token claim whose value is the user's first name. | API, Client |
| CPAT_JWT_LAST_NAME_CLAIM | Default: `family_name`. The access token claim whose value is the user's last name. | API, Client |
| CPAT_JWT_PRIVILEGES_CLAIM | Default: `realm_access.roles`. The access token claim whose value is the user's privileges. | API, Client |
| CPAT_JWT_ASSERTION_CLAIM | Default: `jti`. The access token claim whose value is the OIDC provider's Assertion ID. Updates to this value trigger the API to update a User's `lastClaims` property. The claim MUST NOT be nested and MUST be a valid ECMAScript identifier. | API, Client |
| CPAT_JWT_AUD_VALUE | No default. Expected audience value for JWT validation. When set, the JWT `aud` claim must match this value or validation will fail. Leave unset to skip audience validation. | API, Client |
| CPAT_JWT_SCOPE_CLAIM | Default: `scope`. The access token claim whose value is the user's scopes. Some OIDC Providers (Okta, Azure AD) use the claim `scp` to enumerate scopes. | API, Client |
| CPAT_JWT_SERVICENAME_CLAIM | Default: `clientId`. The access token claim whose value is the user's client. | API, Client |
| CPAT_JWT_USERNAME_CLAIM | Default: `preferred_username`. The access token claim whose value is the user's username. | API, Client |
| CPAT_OIDC_PROVIDER | Default: `http://localhost:8080/auth/realms/RMFTools`. The base URL of the OIDC provider issuing signed JWTs for the API. The string `/.well-known/openid-configuration` will be appended when fetching metadata. | API, Client |
| CPAT_CLIENT_OIDC_PROVIDER | Default: the value of CPAT_OIDC_PROVIDER. Client override of the base URL of the OIDC provider issuing signed JWTs for the API. The string `/.well-known/openid-configuration` will be appended when fetching metadata. | API, Client |
| CPAT_SWAGGER_ENABLED | Default: `false`. Whether to enable the SwaggerUI SPA at `/api-docs`. | API |
| CPAT_SWAGGER_REDIRECT | Default: `http://localhost:8086/api-docs/oauth2-redirect.html`. The redirect URL sent by SwaggerUI to the OIDC provider when authorizing. | API |
| CPAT_SWAGGER_SERVER | Default: `http://localhost:8086/api`. The API server URL relative to the SwaggerUI. | API |
| CPAT_ALTERNATE_SWAGGER_SERVER | No default. Alternate server URL for use within the SwaggerUI. | API |
| STIGMAN_OIDC_CLIENT_ID | Default: `stig-manager`. The OIDC clientId for STIG Manager. | API, Client |
| STIGMAN_API_URL | Default: `http://localhost:54000/api`. The API server URL for STIG Manager. | API |
| STIGMAN_SCOPE_PREFIX | No default. String used as a prefix for each scope when authenticating to the OIDC Provider. Some providers (Azure AD) expect scope requests in the format `api://<application_id>/<scope>`, where `api://<application_id>/` is the required prefix. | Client |
| STIGMAN_EXTRA_SCOPES | No default. OAuth2 scopes to request in addition to `stig-manager:stig stig-manager:stig:read stig-manager:collection stig-manager:user stig-manager:user:read stig-manager:op openid`. Some OIDC providers (Okta) generate a refresh token only if the scope `offline_access` is requested. | Client |
| TENABLE_URL | No default. The URL for Tenable.sc. No trailing slash required. | API |
| TENABLE_ACCESS_KEY | No default. The access key provided by Tenable for API access. | API |
| TENABLE_SECRET_KEY | No default. The secret key provided by Tenable for API access. | API |
| TENABLE_CERT_FILE | No default. A file/path relative to the API `/tls` directory that contains the PEM encoded Client certificate used when connecting to Tenable. Additionally requires setting a value for TENABLE_KEY_FILE. | API |
| TENABLE_KEY_FILE | No default. A file/path relative to the API `/tls` directory that contains the PEM encoded Client private key used when connecting to Tenable. Additionally requires setting a value for TENABLE_CERT_FILE. | API |
| CPAT_MARKETPLACE_DISABLED | Default: `false`. Disables the C-PAT theme marketplace feature. | Client |
| CPAT_AI_ENABLED | Default: `false`. By default, AI integration is disabled. Set to `true` to enable. | API, Client |
| CPAT_AI_PROVIDER | No default. Valid options include: `anthropic`, `cerebras`, `cohere`, `deepinfra`, `fireworks`, `genai`, `google`, `groq`, `mistral`, `ollama`, `openai`, `perplexity`, `replicate`, `togetherai`, `xai`. | API |
| CPAT_AI_MODEL_NAME | No default. The underlying AI integration is provided by the Vercel AI SDK. For precise model naming instructions, see the Vercel docs. | API |
| CPAT_AI_API_KEY | No default. The API key for your chosen AI provider. Not applicable when using `ollama`. | API |
| CPAT_AI_BASE_URL | Conditional default. URL prefix for API calls. The default is set according to the documented default of the provider selected by CPAT_AI_PROVIDER. | API |
| Variable | Description | Affects |
|---|---|---|
| NODE_EXTRA_CA_CERTS | `[your CA certificate file path]`. Set this Node.js environment variable to direct Node to accept CA certificates you have provided, in addition to its built-in CA certs. | Node.js, API |
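Several of the variables above only work in combination (the three CPAT_DB_TLS_* files, the TENABLE_CERT_FILE/TENABLE_KEY_FILE pair, CPAT_AI_PROVIDER with CPAT_AI_API_KEY) or silently weaken security when left unset (CPAT_JWT_AUD_VALUE, CPAT_DB_TLS_CA_FILE). The following preflight check is an added example, not part of C-PAT; it assumes the variables are exported in the shell that will launch the API, and the function name `cpat_env_check` is the example's own.

```shell
# Preflight check for the dependency rules in the C-PAT variable table.
# Source this file, export the CPAT_*/TENABLE_* variables, then run cpat_env_check.

# Print one finding to stderr: $1 is ERROR or WARN, $2 is the message.
_cpat_report() { printf '%s: %s\n' "$1" "$2" >&2; }

cpat_env_check() {
    errors=0
    # CPAT_DB_PASSWORD has no default; the API cannot log in without it.
    if [ -z "${CPAT_DB_PASSWORD:-}" ]; then
        _cpat_report ERROR "CPAT_DB_PASSWORD is not set"; errors=$((errors + 1))
    fi

    # CPAT_DB_TLS_CA_FILE is what enables TLS; a remote DB without it is plaintext.
    if [ -z "${CPAT_DB_TLS_CA_FILE:-}" ] && [ "${CPAT_DB_HOST:-localhost}" != localhost ]; then
        _cpat_report WARN "CPAT_DB_HOST is remote but CPAT_DB_TLS_CA_FILE is unset: no TLS to the database"
    fi
    # Client certificate auth to the database needs CA, cert and key together.
    if [ -n "${CPAT_DB_TLS_CERT_FILE:-}${CPAT_DB_TLS_KEY_FILE:-}" ] &&
       { [ -z "${CPAT_DB_TLS_CA_FILE:-}" ] || [ -z "${CPAT_DB_TLS_CERT_FILE:-}" ] ||
         [ -z "${CPAT_DB_TLS_KEY_FILE:-}" ]; }; then
        _cpat_report ERROR "CPAT_DB_TLS_CERT_FILE and CPAT_DB_TLS_KEY_FILE require each other and CPAT_DB_TLS_CA_FILE"
        errors=$((errors + 1))
    fi

    # TENABLE_CERT_FILE and TENABLE_KEY_FILE are a pair.
    if [ -n "${TENABLE_CERT_FILE:-}${TENABLE_KEY_FILE:-}" ] &&
       { [ -z "${TENABLE_CERT_FILE:-}" ] || [ -z "${TENABLE_KEY_FILE:-}" ]; }; then
        _cpat_report ERROR "TENABLE_CERT_FILE and TENABLE_KEY_FILE must both be set"; errors=$((errors + 1))
    fi

    # An unset CPAT_JWT_AUD_VALUE means the aud claim is never checked.
    [ -n "${CPAT_JWT_AUD_VALUE:-}" ] || _cpat_report WARN "CPAT_JWT_AUD_VALUE unset: JWT audience is not validated"

    # CPAT_LOG_LEVEL accepts 1 to 4 only.
    case "${CPAT_LOG_LEVEL:-3}" in
        1|2|3|4) ;;
        *) _cpat_report ERROR "CPAT_LOG_LEVEL must be 1, 2, 3 or 4"; errors=$((errors + 1)) ;;
    esac

    # AI integration needs a provider, and a key for every provider except ollama.
    if [ "${CPAT_AI_ENABLED:-false}" = true ]; then
        if [ -z "${CPAT_AI_PROVIDER:-}" ]; then
            _cpat_report ERROR "CPAT_AI_ENABLED=true but CPAT_AI_PROVIDER is unset"; errors=$((errors + 1))
        elif [ "$CPAT_AI_PROVIDER" != ollama ] && [ -z "${CPAT_AI_API_KEY:-}" ]; then
            _cpat_report ERROR "CPAT_AI_API_KEY is required for provider $CPAT_AI_PROVIDER"; errors=$((errors + 1))
        fi
    fi
    [ "$errors" -eq 0 ]   # exit status 0 only when no ERROR was reported
}
```

Warnings do not change the exit status, so the check can gate a deployment script on hard errors while still flagging the plaintext-database and missing-audience cases in its output.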