Learn

Hands-on in a few minutes. Here's the fastest path and what to expect.

1. Time to "Hello World"

Install, then evaluate a bundled fixture — first finding in well under a minute:

# build the binary (syncs schemas, then go build)
cd stave && make build

# evaluate a snapshot against the built-in controls
stave apply --observations ./examples/challenge-fixtures/ --format text --now 2025-01-01T00:00:00Z

You'll see findings like:

CTL.S3.PUBLIC.001  NON_COMPLIANT
asset: s3://acme-prod-assets
evidence: bucket policy grants s3:GetObject to Principal:* ; no Public Access Block
verdict: publicly readable
security_state: NON_COMPLIANT

A control is just YAML with a CEL predicate — here's the shape:

dsl_version: ctrl.v1
id: CTL.S3.PUBLIC.001
applicable_asset_types: [aws_s3_bucket]
unsafe_predicate:
  all:
    - field: properties.storage.access.public_read
      op: eq
      value: true
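To make that predicate shape concrete, here is an added example (not stave's own code) that evaluates a control of this shape against a few constructed observations and emits findings with the same fields as the text output above. The observation layout, matching on an `asset_type` field, and the `ne`/`in` operators are assumptions; the page itself only shows `eq`.

```python
from typing import Any, Optional

# Control mirroring the YAML shape above (constructed here as a dict).
CONTROL = {
    "dsl_version": "ctrl.v1",
    "id": "CTL.S3.PUBLIC.001",
    "applicable_asset_types": ["aws_s3_bucket"],
    "unsafe_predicate": {"all": [
        {"field": "properties.storage.access.public_read", "op": "eq", "value": True},
    ]},
}

# Constructed observations: public bucket, private bucket, and a non-S3 asset (layout assumed).
OBSERVATIONS = [
    {"asset_id": "s3://acme-prod-assets", "asset_type": "aws_s3_bucket",
     "properties": {"storage": {"access": {"public_read": True}}}},
    {"asset_id": "s3://acme-logs", "asset_type": "aws_s3_bucket",
     "properties": {"storage": {"access": {"public_read": False}}}},
    {"asset_id": "i-0abc123", "asset_type": "aws_ec2_instance", "properties": {}},
]

# Comparison operators; only `eq` appears on the page, the others are assumed.
OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "in": lambda a, b: a in b}

def lookup(obj: Any, path: str) -> Any:
    """Resolve a dotted field path; any missing segment yields None."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def evaluate(control: dict, obs: dict) -> Optional[dict]:
    """Finding for an applicable asset, else None. `all` is conjunctive: the asset is
    unsafe only if every clause holds, and a missing field never satisfies a clause."""
    if obs["asset_type"] not in control["applicable_asset_types"]:
        return None
    unsafe, evidence = True, []
    for clause in control["unsafe_predicate"]["all"]:
        actual = lookup(obs, clause["field"])
        evidence.append(f"{clause['field']} {clause['op']} {clause['value']!r}, observed {actual!r}")
        unsafe = unsafe and OPS[clause["op"]](actual, clause["value"])
    return {"control": control["id"], "asset": obs["asset_id"],
            "security_state": "NON_COMPLIANT" if unsafe else "COMPLIANT",
            "evidence": "; ".join(evidence)}

def run(control: dict, observations: list) -> list:
    """Evaluate in input order so the findings list is deterministic."""
    return [f for obs in observations if (f := evaluate(control, obs)) is not None]
```

Running `run(CONTROL, OBSERVATIONS)` yields one NON_COMPLIANT finding for the public bucket, one COMPLIANT finding for the private bucket, and nothing for the EC2 instance, since the control is not applicable to that asset type.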

→ Full walkthrough: Quick Start guide.

2. Are the docs a good experience?

The docs are organised by the Diátaxis model so you can find what you need by intent:

3. Do I have confidence?

  • Every finding includes an evidence line and a reasoning trace (--verbose) — you can see why, not just what.
  • Output is deterministic — reproducible in review and CI.
  • The case studies show the engine against 30 real incidents.

4. Is there a community?

  • 💬 Reddit: r/stave (placeholder — community link)
  • 🐛 Issues & discussion: GitHub

Built your mental model? Time to make something → Build.