Skip to main content

Posture Trending

stave trend reads historical assessment output files and computes posture metrics: violation rate, MTTR, severity distribution, framework coverage trajectory, velocity, and projection.

Who it's for

  • CISO — board-level trend: "Are we getting safer over time?"
  • Engineering leadership — MTTR and velocity for quarterly reviews
  • Auditors — framework coverage trajectory for compliance evidence

Setup

Run stave apply on a schedule to accumulate assessment output files:

# Daily assessment in CI/CD
stave apply --controls controls/ --observations obs/ --format json \
> assessments/$(date +%Y-%m-%d).json

Basic Usage

# Table output (default)
stave trend --history ./assessments/

# JSON output for dashboard integration
stave trend --history ./assessments/ --format json

# Framework coverage trajectory
stave trend --history ./assessments/ --compliance hipaa,soc2

# Last 10 runs only
stave trend --history ./assessments/ --window 10

MTTR (Mean Time to Remediate)

MTTR is computed from closed violation windows only — a violation that appears and then disappears between consecutive runs. Open violations (still failing in the latest run) are excluded.

When no violations have been remediated yet, MTTR is omitted from output with a note. This is not an error — it means no violation windows have been closed yet.

MTTR is aggregated by severity: critical, high, medium, low.

Velocity

Net violation change per run, computed as a rolling average over the last 5 runs (configurable with --window).

  • Positive velocity (net increase) = regression
  • Negative velocity (net decrease) = improvement
  • Zero velocity = steady state

Projection

When velocity is negative (improving), stave trend estimates how many runs until the violation rate reaches 5%.

This is a linear extrapolation assuming constant improvement rate. Security posture is not linear. Treat this as directional guidance only, not a guarantee.

OpenMetrics Integration

Write metrics for Prometheus/VictoriaMetrics ingestion:

# Prometheus textfile collector
stave trend --history ./assessments/ --format openmetrics \
--out /var/lib/node_exporter/textfile_collector/stave.prom

# Victoria Metrics file input
stave trend --history ./assessments/ --format openmetrics \
--out /data/stave/metrics.prom

Five metric types: stave_violations_total, stave_violation_rate, stave_mttr_days, stave_framework_coverage, stave_velocity_per_run.

Governance Pipeline

stave apply (daily/per-deploy)
→ out.v0.1 files accumulate in ./assessments/
→ stave trend --history ./assessments/
→ stave export compliance --snapshot obs.json --profile hipaa

Each command does one thing. Together they give the CISO the trajectory, the engineers the metrics, and the auditors the evidence.