Skip to main content

Try Stave

1. See what it finds

No install, no signup, nothing to run. See the full demo output → — real stave apply output from a misconfigured AI agent environment, with compound attack chains, near-miss chains, and standard findings annotated.


2. Run in a sandbox

Docker — nothing installed on your machine:

docker run --rm -v "$(pwd)/docs-content/demo/scenarios:/work/scenarios" \
stave-demo

Stop the container and it's gone. See Docker Scenarios for the full set of curated misconfiguration scenarios.


3. Install and run against demo data

go install github.com/sufield/stave/cmd/stave@latest  # or: brew install sufield/tap/stave (macOS)
stave apply --observations ./examples/demo-fixtures/ --format text

Reads local files, writes to stdout. No network calls, no credentials, no access to your AWS account.


4. Run against your own snapshots

aws s3 sync s3://your-config-bucket/AWSLogs/ ./my-snapshot/
stave apply --observations ./my-snapshot/

Stave reads the files you give it. The snapshot is a copy — your account is unaffected.


5. Add to your pipeline

stave apply --observations ./snapshot/ --format sarif > findings.sarif
# exit 0 = clean, exit 3 = findings above threshold

Next: First Evaluation — install the binary and run it against demo data.