
Build

Going from "it works on the demo" to "it works on my infrastructure."

1. Can I build a proof of concept? (speed to MVP)

A working PoC is three steps:

  1. Snapshot your config — point the AWS CLI (or Terraform, or an extractor) at the resources you care about and emit obs.v0.1 JSON. → How to create snapshots.
  2. Pick or write controls — start with the built-in catalog (Reference); add your own when you need to. → Tutorials walk through writing your first control.
  3. Evaluate + gate — run stave apply in CI and gate on exit code 3 (violations). → How-to Guides.

    stave apply --observations ./snapshot/ --format sarif > findings.sarif
    # exit 0 = clean, 3 = violations (fail the pipeline), 2 = input error

Most teams get a real finding on their own config the same afternoon.
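A CI gate around the three steps above, as an added example that is not stave's own code: it runs `stave apply`, maps the documented exit codes (0 clean, 3 violations, 2 input error, anything else fails loud) to a pipeline verdict, and summarises the findings per rule. It assumes stave's SARIF follows the standard SARIF 2.1.0 `runs[].results[]` layout; the sample findings and rule ids in `SAMPLE_SARIF` are constructed.

```python
"""CI gate for `stave apply` (example code, not part of stave)."""
import json
import subprocess
import sys
from collections import Counter

# Exit codes documented for `stave apply`.
EXIT_CLEAN, EXIT_INPUT_ERROR, EXIT_VIOLATIONS = 0, 2, 3

# Constructed sample in SARIF 2.1.0 shape (rule ids are made up for the demo).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "s3-public-read", "level": "error", "message": {"text": "bucket is public"}},
    {"ruleId": "s3-public-read", "level": "error", "message": {"text": "bucket is public"}},
    {"ruleId": "s3-access-logging", "level": "warning", "message": {"text": "no logging"}},
]}]})

def classify_exit(code: int) -> tuple[bool, str]:
    """Map a stave exit code to (fail_pipeline, reason). Unknown codes fail loud."""
    if code == EXIT_CLEAN:
        return False, "clean"
    if code == EXIT_VIOLATIONS:
        return True, "violations found"
    if code == EXIT_INPUT_ERROR:
        return True, "input error (bad or missing observations)"
    return True, f"unexpected exit code {code}; refusing to pass"

def summarize_sarif(sarif_text: str) -> dict:
    """Count SARIF results by rule id and by level (assumes runs[].results[])."""
    by_rule, by_level = Counter(), Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            by_rule[result.get("ruleId", "<no-rule>")] += 1
            by_level[result.get("level", "warning")] += 1
    return {"total": sum(by_rule.values()),
            "by_rule": dict(by_rule), "by_level": dict(by_level)}

def run_gate(observations_dir: str, sarif_path: str = "findings.sarif") -> int:
    """Run stave apply, keep the SARIF for the CI artifact store, return CI status."""
    with open(sarif_path, "w") as out:
        proc = subprocess.run(["stave", "apply", "--observations", observations_dir,
                               "--format", "sarif"], stdout=out, text=True)
    fail, reason = classify_exit(proc.returncode)
    if proc.returncode in (EXIT_CLEAN, EXIT_VIOLATIONS):  # only then is stdout SARIF
        with open(sarif_path) as f:
            for rule, n in sorted(summarize_sarif(f.read())["by_rule"].items()):
                print(f"{rule}: {n}")
    print(f"stave: {reason}")
    return 1 if fail else 0

if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1] if len(sys.argv) > 1 else "./snapshot/"))
```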

2. Is the product a good experience?

  • Sandbox: the bundled demo scenarios are a ready-made sandbox — curated S3 misconfigurations you can run, read, and modify without any cloud setup. Clone, stave apply, tweak a setting, watch the verdict change.
  • Plain-file inputs, deterministic output, grep-friendly text or structured JSON/SARIF — it drops into existing pipelines without fuss.
  • Fail-loud philosophy: degraded/unknown states are surfaced, never silently passed.

3. How do I get support?

Email bparanj@gmail.com — bug reports, control-authoring questions, "is this the right tool for X?". Include the command you ran and the output (use --sanitize to scrub identifiers before sharing).

Ready to roll it out more widely? → Scale.