First Findings
Produce real findings from a one-asset observation so you see the output shape — finding, evidence, and remediation. No AWS needed.
Time: ~10 minutes.
Steps
1. Confirm Stave is built
./stave version
2. Create a minimal observation
mkdir -p /tmp/stave-demo/obs
cat > /tmp/stave-demo/obs/2026-01-01T000000Z.json << 'EOF'
{
"schema_version": "obs.v0.1",
"source": "deployed",
"generated_by": { "source_type": "manual" },
"captured_at": "2026-01-01T00:00:00Z",
"assets": [
{
"id": "arn:aws:iam::111111111111:user/demo-user",
"type": "aws_iam_user",
"vendor": "aws",
"properties": {
"identity": {
"kind": "user",
"name": "demo-user",
"arn": "arn:aws:iam::111111111111:user/demo-user",
"policies": { "has_admin_access": true, "service_wildcards_granted": true }
}
}
}
]
}
EOF
jq . /tmp/stave-demo/obs/*.json > /dev/null && echo "valid JSON"
Key requirements:
sourcemust bedeployed,planned, orlocalschema_versionmust beobs.v0.1
3. Run Stave
./stave apply --observations /tmp/stave-demo/obs/ --eval-time 2026-01-02T00:00:00Z
Expected: 2 violations on demo-user:
CTL.IAM.POLICY.ADMIN.001— user has admin accessCTL.IAM.CROSSCLOUD.ADMIN.001
Exit code 3 = violations found (0 = clean, 2 = input error, 3 = violations).
4. Read the output
Each finding shows: the control + asset, evidence (when the violation began), the root-cause property, and remediation guidance.
5. Try machine-readable formats
./stave apply --observations /tmp/stave-demo/obs/ --eval-time 2026-01-02T00:00:00Z --format json
./stave apply --observations /tmp/stave-demo/obs/ --eval-time 2026-01-02T00:00:00Z --format sarif
JSON follows the out.v0.1 schema; SARIF carries a runs array for code-scanning tools.
Done
You produced findings from an observation and understand the output shape and exit codes.
Next: Lab Validation