Interpreting Findings

Use findings to answer four questions quickly:

Which control failed?
Which resource failed?
What evidence proves it?
What is the remediation and fix plan?

Anatomy of a finding

{
  "control_id": "CTL.S3.PUBLIC.001",
  "resource_id": "res:aws:s3:bucket:example",
  "evidence": {
    "unsafe_duration_hours": 120,
    "threshold_hours": 24,
    "matched_properties": [
      {"path": "properties.storage.visibility.public_read", "value": true}
    ],
    "why_now": "Resource has been unsafe longer than threshold."
  },
  "mitigation": {
    "description": "Bucket is publicly readable.",
    "action": "Enable block public access and remove public grants."
  },
  "remediation": "Enable block public access and remove public grants.",
  "fix_plan": {
    "id": "fix-1234abcd",
    "actions": [
      {"action_type": "set", "path": "properties.storage.controls.block_public_policy", "value": true}
    ]
  }
}

Fast triage checklist

control_id and control_name: identify rule intent
resource_id: locate ownership target
evidence.matched_properties: exact failing fields
evidence.why_now: timing reason
mitigation.action: immediate remediation
fix_plan.actions: machine-readable action list for tracking/automation

Show one fix plan in terminal

stave fix --input ./evaluation.json --finding CTL.S3.PUBLIC.001@res:aws:s3:bucket:example

This command is read-only and does not patch IaC.

When results look unexpected

stave diagnose --controls ./controls --observations ./observations --now 2026-01-15T00:00:00Z

Common causes:

threshold higher than available observation span
resource became safe before threshold was exceeded
predicate field path missing from observations

Anatomy of a finding​

Fast triage checklist​

Show one fix plan in terminal​

When results look unexpected​

Anatomy of a finding

Fast triage checklist

Show one fix plan in terminal

When results look unexpected