Skip to main content

How to Detect Regressions

Identify controls that fail repeatedly in a pattern.


Scan for All Violation Windows

stave bisect \
--controls ./controls \
--observations ./snapshots \
--control-id CTL.S3.PUBLIC.001 \
--mode scan

--mode scan walks the full history (O(N)) and reports every violation window — each PASS → VIOLATION → PASS cycle — rather than just the most recent transition. A control that repeatedly re-enters violation after being fixed is a regression pattern: the more windows, the more frequent the recurrence.

Correlate with Git Log

git log --all --oneline snapshots/ | head -20

A recurrence pattern that aligns with deployment timestamps indicates a pipeline-introduced regression. A pattern with no corresponding deployment may indicate manual changes or attacker reversion.