First Evaluation
Install Stave, then evaluate a bundled demo snapshot. No cloud credentials. No AWS account. No setup beyond the install.
Install
go install github.com/sufield/stave/cmd/stave@latest
Or on macOS:
brew install sufield/tap/stave
Verify:
stave --version
Run against the demo snapshot
stave apply --observations ./examples/demo-ai-security/ --format text
The demo evaluates a fixture AWS account with a Bedrock AI agent. Everything runs against local JSON files — no network, no credentials.
Exit code 3 means violations were found. This is expected for the
demo snapshot — it contains intentional misconfigurations.
What you see
The output shows:
- Security state:
NON_COMPLIANT(the demo has active violations) - Findings: each one names a control, an asset, a severity, and the evidence line that triggered it
- Chain findings (marked ★): compound risks where several conditions stack into an exploitable path
CRITICAL CTL.CLOUDTRAIL.GHOST.DEST.001 ★ STAVE ONLY
CloudTrail trail "prod-trail" references destination bucket
"prod-logs-2024" which does not appear in this account snapshot
evidence: trail.s3_bucket_name has no matching asset
Exit codes: 0 = no violations, 3 = violations found,
2 = input error, 4 = internal error.
For the full security state definitions (COMPLIANT / AT_RISK / NON_COMPLIANT), see Output Formats.
Next: Installation Options — brew, go install, binary download, or build from source.