
Stave Docker Demo

Note — these scenarios have moved. Every scenario in scenarios/ is now a directory under stave/examples/demo-s3-*/ with a runner that works in the Codespaces devcontainer (bash examples/demo-s3-public-read/run.sh etc., no Docker needed). The Docker image here continues to work for users who prefer docker build && docker run, but the unified entry point is stave/examples/. See the Codespaces badge on the repo README and stave/examples/CATALOG.md#demo-scenarios-start-here for the migrated demos.

Run the control engine against curated S3 misconfiguration scenarios without installing anything except Docker.

Quick Start

# Build from repo root
docker build -f docs-content/demo/Dockerfile -t stave-demo .

# Run the built-in demo (one finding, bundled fixture)
docker run --rm stave-demo

Expected output:

Found 1 violation: CTL.S3.PUBLIC.001
Asset: s3://demo-public-bucket
Evidence: BlockPublicAccess=false, ACL=public-read
Fix: enable account/bucket Block Public Access + deny public principals

Example (Terraform):

resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
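The misconfigured state the demo reports (ACL=public-read, no public access block) next to the hardened form the Fix line describes. This is an added example, not Terraform from the Stave project: the bucket and resource names, the use of two separate buckets so both states can live in one configuration, the account-scoped deny condition in the bucket policy, and the AWS provider v5 resource syntax are all assumptions chosen for illustration.

```hcl
# Added example, not project code. Bucket names are constructed and must
# be changed to globally unique values before applying.
data "aws_caller_identity" "current" {}

# --- Misconfigured bucket: what CTL.S3.PUBLIC.001 flags ---------------
resource "aws_s3_bucket" "demo_public" {
  bucket = "demo-public-bucket"
}

# ACLs only take effect when object ownership is not BucketOwnerEnforced;
# ObjectWriter keeps them active, which is what makes public-read bite.
resource "aws_s3_bucket_ownership_controls" "demo_public" {
  bucket = aws_s3_bucket.demo_public.id
  rule {
    object_ownership = "ObjectWriter"
  }
}

resource "aws_s3_bucket_acl" "demo_public" {
  depends_on = [aws_s3_bucket_ownership_controls.demo_public]
  bucket     = aws_s3_bucket.demo_public.id
  acl        = "public-read" # Evidence: ACL=public-read
}
# No aws_s3_bucket_public_access_block for this bucket, so nothing
# overrides the ACL: Evidence: BlockPublicAccess=false

# --- Hardened bucket: PAB on, ACLs off, non-account principals denied --
resource "aws_s3_bucket" "demo_hardened" {
  bucket = "demo-hardened-bucket"
}

# Block Public Access overrides public ACLs and rejects public policies
# even if someone later re-adds them.
resource "aws_s3_bucket_public_access_block" "demo_hardened" {
  bucket                  = aws_s3_bucket.demo_hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# BucketOwnerEnforced disables ACLs entirely; access is policy-only.
resource "aws_s3_bucket_ownership_controls" "demo_hardened" {
  bucket = aws_s3_bucket.demo_hardened.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Explicit deny for any principal outside this account. Anonymous requests
# carry no aws:PrincipalAccount key, and StringNotEquals on a missing key
# evaluates true, so they are denied as well.
resource "aws_s3_bucket_policy" "demo_hardened" {
  depends_on = [aws_s3_bucket_public_access_block.demo_hardened]
  bucket     = aws_s3_bucket.demo_hardened.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyPrincipalsOutsideAccount"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.demo_hardened.arn,
        "${aws_s3_bucket.demo_hardened.arn}/*",
      ]
      Condition = {
        StringNotEquals = {
          "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id
        }
      }
    }]
  })
}
```

Two caveats before copying the hardened half: the account-scoped deny also blocks AWS service principals (for example log delivery) and any cross-account role, so those need their own exception conditions; and the per-bucket block only protects buckets it is attached to, so pair it with the account-level aws_s3_account_public_access_block resource if buckets are created outside this configuration.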

Scenarios

The image includes 7 curated scenarios based on real-world S3 misconfiguration patterns. Each scenario runs all 43 built-in S3 controls against a pair of observation snapshots.

# List available scenarios
docker run --rm stave-demo --list

# Run a specific scenario
docker run --rm stave-demo --scenario public-read
docker run --rm stave-demo --scenario hipaa-compliance
docker run --rm stave-demo --scenario acl-escalation

| Scenario | Findings | What it demonstrates |
|---|---|---|
| public-read | 3 | Public bucket via policy + ACL + missing PAB |
| acl-write | 3 | Write access granted through ACL |
| acl-escalation | 5 | ACL privilege escalation chain |
| tool-blind-spot | 2 | Misconfigurations missed by other tools |
| hipaa-compliance | 8 | PHI bucket with multiple HIPAA failures |
| data-governance | 5 | Data classification and lifecycle gaps |
| upload-hardening | 3 | Upload path security controls |

Pass-through to stave

Any unrecognized arguments are passed directly to the stave binary:

docker run --rm stave-demo --version
docker run --rm stave-demo doctor
docker run --rm stave-demo capabilities