Skip to main content

CLI Reference

Complete reference for all Stave commands. Run stave <command> --help for full usage, flags, and exit codes.

161 commands.

CommandDescription
stave aliasManage command aliases
stave alias deleteDelete an alias
stave alias listList all aliases
stave alias setCreate or update an alias
stave applyRun control evaluation after plan checks pass
stave attestSnapshot tamper detection via Ed25519 signatures
stave attest keygenGenerate a new Ed25519 key pair for snapshot attestation
stave attest signSign a snapshot's assets with an Ed25519 private key
stave attest verifyVerify an attested snapshot against a public key
stave bisectFind when a control was first violated
stave bundleGenerate a sealed evidence bundle for air-gap GRC integration
stave bundle auditAssemble a compliance-period evidence package
stave capabilitiesPrint supported input types and version constraints (default) or a user-facing catalog (subcommand)
stave capabilities catalogPrint the user-facing capability catalog
stave capabilities catalog coverageShow per-service control coverage
stave capabilities catalog gapsCompare catalog against an external checklist
stave capabilities catalog inspectShow full metadata for a single control
stave capabilities catalog matrixShow taxonomy × service cross-product with gap cells
stave capabilities catalog statsPrint aggregate catalog statistics
stave capabilities catalog taxonomyList taxonomy categories with control counts
stave catalogPrint the user-facing capability catalog
stave catalog coverageShow per-service control coverage
stave catalog gapsCompare catalog against an external checklist
stave catalog inspectShow full metadata for a single control
stave catalog matrixShow taxonomy × service cross-product with gap cells
stave catalog statsPrint aggregate catalog statistics
stave catalog taxonomyList taxonomy categories with control counts
stave celCEL expression tools
stave cel evalEvaluate a CEL expression against observation assets
stave checkCompare before/after evaluations to check remediation
stave ciCI/CD policy and baseline commands
stave ci baselineManage baseline findings for fail-on-new CI workflows
stave ci baseline checkCompare evaluation findings against baseline and detect new findings
stave ci baseline saveSave evaluation findings as baseline
stave ci diffCompare two evaluations and report new findings
stave ci fixShow machine-readable fix plan for a finding
stave ci fix-loopRun apply-before/apply-after/verify in one command
stave ci gateEnforce CI failure policy modes from config or flags
stave compareCompare compliance posture between two frameworks
stave completionGenerate shell completion scripts
stave complianceEvaluate a snapshot against a compliance framework and report coverage
stave configConfiguration commands
stave config contextNamed project context commands
stave config context createCreate or update a named context
stave config context deleteDelete a context
stave config context listList available contexts
stave config context showShow selected context
stave config context useSet active context
stave config deleteRemove a project config key (reverts to default)
stave config envManage environment variables
stave config env listList supported STAVE_* environment variables
stave config explainExplain resolved config values and sources
stave config getGet a config value
stave config setSet a project config value in stave.yaml
stave config showShow effective project configuration and value sources
stave contractInspect Stave's per-asset-type input contracts
stave contract showShow the agent-facing contract for an asset type
stave controlsWork with control definitions
stave controls alias-explainShow expanded predicate for an alias
stave controls aliasesList built-in semantic predicate aliases
stave controls explainExplain a specific control
stave controls listList control IDs and names
stave controls qualityAnalyze control catalog metadata completeness and coverage gaps
stave controls searchSearch the built-in control catalog
stave coverageAnalyze observation field coverage against control predicates
stave diagnoseDiagnose evaluation inputs and results
stave diagnose explainGenerate guided remediation playbook for a finding
stave diagnose findingDeep-dive analysis of a single finding
stave diagnose reportGenerate a plain-text report from evaluation output
stave diagnose traceTrace predicate evaluation for a single control against a single asset
stave diffCompare two observation snapshots or control catalogs
stave discoverResolve AWS services to the data Stave needs (the collection manifest)
stave doctorCheck local environment readiness for Stave workflows
stave enforceGenerate deterministic enforcement templates from evaluation output
stave exemptManage risk acceptances (acknowledgments, exceptions, exemptions)
stave exempt acknowledgeAdd a formal risk acceptance
stave exempt assetAdd a scope exclusion (exemption)
stave exempt exceptAdd an operational suppression
stave exempt exportExport risk register as OSCAL POA&M
stave exempt historyShow full audit trail including expired entries
stave exempt listList all active risk acceptances
stave exempt removeMark an acknowledgment as revoked
stave exempt suggestSuggest exemptions for chronic/oscillating findings
stave exempt upcomingShow acceptances approaching expiry
stave exempt validateValidate the acceptance file
stave expandShow every control sharing a structural defect archetype
stave explainExplain how a control evaluates and which fields it needs
stave exportExport controls and compliance evidence
stave export changesExport remediation property changes from assessment findings
stave export complianceExport compliance evidence package
stave export ocsfExport findings as OCSF 1.1 Compliance Finding events
stave export oscalExport findings as OSCAL 1.1.2 Assessment Results JSON
stave export ticketsExport findings as canonical ticket records
stave export-controlsExport the control catalog for external solver consumption
stave export-sirExport the Stave Intermediate Representation as JSON
stave featuresShow what Stave does and deliberately does not do
stave fingerprintPolicy fingerprint diagnostics
stave fingerprint explainShow the policy fingerprint preimage and diagnosis
stave fmtFormat control and observation files deterministically
stave forgeAuthor and test custom controls
stave forge chainAuthor and validate custom chains
stave forge chain lintValidate chain YAML
stave forge lintStatic analysis for control YAML files
stave forge newInteractive control authoring wizard
stave forge pathsList available observation property paths from a snapshot
stave forge previewEvaluate a predicate against a snapshot without writing files
stave forge scaffoldGenerate test fixtures from a real snapshot
stave forge testRun fixture-based assertions against a control
stave gapsReport which observation properties are absent + what they unlock
stave generateGenerate starter artifacts
stave generate observationGenerate an observation template
stave graphVisualize control and asset relationships
stave graph coverageShow which controls cover which assets
stave graph exportExport assessment as JSON, STIX 2.1, JSON-LD, or GraphML
stave inspectLow-level security analysis primitives
stave inspect aclAnalyze S3 ACL grants
stave inspect aliasesList predicate aliases with metadata
stave inspect complianceResolve compliance framework crosswalk
stave inspect exposureClassify resource exposure vectors
stave inspect policyAnalyze an S3 bucket policy document
stave inspect riskScore risk from policy statement context
stave lintLint control files for design quality
stave mapATT&CK tactic coverage and gap analysis
stave metricsWrite Prometheus scrape file for node_exporter
stave packConcern packs — named control groupings and their data requirements
stave pack listList available concern packs and their control counts
stave pack showShow a pack's requirements manifest (AWS calls, signals, collector permissions)
stave packsInspect built-in control packs
stave packs listList available built-in packs
stave packs showShow one built-in pack and its control IDs
stave pathExport attack path graph data from active chain findings
stave permissionsQuery net effective permissions from a snapshot
stave permissions principalResolve permissions for a specific principal ARN
stave permissions resourceShow who has effective access to a resource
stave permissions summaryAggregate NEP metrics across all principals
stave planPreview which controls will evaluate, by service and severity
stave profileManage compliance profiles
stave profile createGenerate a starter profile YAML
stave profile listList available compliance profiles
stave profile validateValidate a profile file
stave proveRun Z3 SMT queries against a Stave assessment
stave readinessReport what Stave can/can't evaluate given the supplied observations
stave reportGenerate executive security posture report
stave sanitizeSanitize a snapshot for cross-boundary sharing
stave schemasList all contract schemas
stave scoreCompute security posture score (0-100)
stave scorecardMulti-framework compliance scorecard
stave searchFind catalog entries matching a free-form intent
stave snapshotSnapshot inspection commands
stave snapshot diffCompare the latest two observation snapshots
stave statusShow project context and the next recommended command
stave telemetryEmit structured NDJSON telemetry from assessment output
stave testRun embedded control test cases
stave transformConvert raw AWS CLI snapshots into obs.v0.1 observations (built-in jq)
stave trendAnalyze compliance posture trends across assessment runs
stave trend forecastProject posture score trajectory with SLA breach warnings
stave trend oscillationClassify violation oscillation patterns across assessment history
stave trend predictProject compliance readiness achievement date
stave validateValidate inputs without evaluation
stave validate-mappingValidate a Steampipe→Stave mapping file before use
stave versionPrint version and environment state

Exit Codes

CodeMeaning
0Success
1Security-audit gating failure
2Invalid input or validation failure
3Violations found (apply) or diagnostics found (diagnose)
4Internal error
130Interrupted (SIGINT)