8. Integrations Configuration

C-PAT offers integrations with STIG Manager and Tenable.sc. While it is possible to run C-PAT independently, to fully realize the benefits of C-PAT it is strongly recommended that C-PAT be configured to run in conjunction with these tools.

8.1. STIG Manager

Note

C-PAT has been tested and configured to work when C-PAT and STIG Manager are housed within the same OIDC realm; therefore, the value set for CPAT_OIDC_PROVIDER will also be used for obtaining a token for STIG Manager. If you are using the provided RMFTools Keycloak container, the default value for STIGMAN_OIDC_CLIENT_ID can be used.

STIG Manager Environment Variables:

| Variable | Default | Description |
|----------|---------|-------------|
| STIGMAN_OIDC_CLIENT_ID | stig-manager | The OIDC clientId for STIG Manager. |
| STIGMAN_API_URL | http://localhost:54000/api | The URL to the STIG Manager API. |
| STIGMAN_SCOPE_PREFIX | No default | String used as a prefix for each STIG Manager scope when authenticating to the OIDC Provider. This will likely match your STIGMAN_CLIENT_SCOPE_PREFIX environment variable configured in STIG Manager (if applicable). |
| STIGMAN_EXTRA_SCOPES | No default | Scopes to request in addition to: stig-manager:stig stig-manager:stig:read stig-manager:collection stig-manager:user stig-manager:user:read stig-manager:op openid |

8.2. Tenable

Tenable Environment Variables:

| Variable | Default | Description |
|----------|---------|-------------|
| TENABLE_URL | No default | The URL to your instance of Tenable.sc. No trailing slashes or additional paths are necessary. Example: https://myACASinstance.something.com |
| TENABLE_ACCESS_KEY | No default | See the Tenable documentation for instructions on how to generate API keys. NOTE: The account that an API key is generated for must have permissions to access vulnerability data, e.g. Security Analyst, Vulnerability Analyst, Auditor. |
| TENABLE_SECRET_KEY | No default | See the Tenable documentation for instructions on how to generate API keys. NOTE: The account that an API key is generated for must have permissions to access vulnerability data, e.g. Security Analyst, Vulnerability Analyst, Auditor. |
| TENABLE_CERT_FILE | No default | A file/path relative to the API /tls directory that contains the PEM encoded client certificate used when connecting to Tenable. Additionally requires setting a value for TENABLE_KEY_FILE. |
| TENABLE_KEY_FILE | No default | A file/path relative to the API /tls directory that contains the PEM encoded client private key used when connecting to Tenable. Additionally requires setting a value for TENABLE_CERT_FILE. |

8.3. AI

Warning

AI integration for mitigation statement generation is an experimental feature.

AI Environment Variables:

| Variable | Default | Description |
|----------|---------|-------------|
| CPAT_AI_ENABLED | false | By default, AI integration will be disabled. Set to true to enable. |
| CPAT_AI_PROVIDER | No default | Valid options include: anthropic, cerebras, cohere, deepinfra, fireworks, genai, google, groq, mistral, ollama, openai, perplexity, replicate, togetherai, xai. |
| CPAT_AI_MODEL_NAME | No default | The underlying AI integration is enabled by the Vercel AI SDK. For precise model naming instructions, please visit the Vercel docs. |
| CPAT_AI_API_KEY | No default | The API key for your chosen AI provider. This is not applicable when using ollama. |
| CPAT_AI_BASE_URL | Conditional | URL prefix for API calls. The default will be set according to the documented default of the provider (CPAT_AI_PROVIDER). |
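
Several of the variables described above constrain each other (the Tenable certificate and key files, the URL format, the AI provider and its API key), and a deployment can check them before the container starts. The following pre-flight check is an added example, not part of C-PAT; the function name `check_integrations`, the sample values, and the rules marked as assumptions in the comments do not come from the C-PAT documentation.

```python
import os
from urllib.parse import urlsplit

# Provider names copied from the CPAT_AI_PROVIDER description above.
AI_PROVIDERS = set(("anthropic cerebras cohere deepinfra fireworks genai google groq "
                    "mistral ollama openai perplexity replicate togetherai xai").split())

# Constructed sample with three mistakes; host, keys and model are placeholders.
SAMPLE_ENV = {
    "TENABLE_URL": "https://acas.example.test/",
    "TENABLE_ACCESS_KEY": "placeholder-access-key",
    "TENABLE_SECRET_KEY": "placeholder-secret-key",
    "TENABLE_CERT_FILE": "client-cert.pem",
    "CPAT_AI_ENABLED": "true",
    "CPAT_AI_PROVIDER": "openai",
    "CPAT_AI_MODEL_NAME": "placeholder-model",
}


def check_integrations(env):
    """Return a list of problems found in a C-PAT integration environment."""
    problems = []
    url = env.get("TENABLE_URL", "")
    if url:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append("TENABLE_URL must be an absolute http(s) URL")
        if parts.path or parts.query or parts.fragment:
            problems.append("TENABLE_URL must not have a trailing slash or path")
        # Assumption: both halves of the API key pair are needed.
        for name in ("TENABLE_ACCESS_KEY", "TENABLE_SECRET_KEY"):
            if not env.get(name):
                problems.append(f"{name} is required when TENABLE_URL is set")
    # The client certificate and its private key each require the other.
    if bool(env.get("TENABLE_CERT_FILE")) != bool(env.get("TENABLE_KEY_FILE")):
        problems.append("TENABLE_CERT_FILE and TENABLE_KEY_FILE must be set together")
    # Assumption: only the literal value "true" enables the AI integration.
    if env.get("CPAT_AI_ENABLED", "false") == "true":
        provider = env.get("CPAT_AI_PROVIDER", "")
        if provider not in AI_PROVIDERS:
            problems.append(f"CPAT_AI_PROVIDER {provider!r} is not a valid option")
        if provider != "ollama" and not env.get("CPAT_AI_API_KEY"):
            problems.append("CPAT_AI_API_KEY is required unless the provider is ollama")
    return problems


if __name__ == "__main__":
    for label, env in (("sample", SAMPLE_ENV), ("os.environ", os.environ)):
        print(label, check_integrations(env))
```

The script reports only variable names and rules, never the key values, so its output is safe to keep in deployment logs.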