CLI Reference
Complete reference for all Stave commands. Run stave <command> --help for
full usage, flags, and exit codes.
161 commands.
| Command | Description |
|---|---|
stave alias | Manage command aliases |
stave alias delete | Delete an alias |
stave alias list | List all aliases |
stave alias set | Create or update an alias |
stave apply | Run control evaluation after plan checks pass |
stave attest | Snapshot tamper detection via Ed25519 signatures |
stave attest keygen | Generate a new Ed25519 key pair for snapshot attestation |
stave attest sign | Sign a snapshot's assets with an Ed25519 private key |
stave attest verify | Verify an attested snapshot against a public key |
stave bisect | Find when a control was first violated |
stave bundle | Generate a sealed evidence bundle for air-gap GRC integration |
stave bundle audit | Assemble a compliance-period evidence package |
stave capabilities | Print supported input types and version constraints (default) or a user-facing catalog (subcommand) |
stave capabilities catalog | Print the user-facing capability catalog |
stave capabilities catalog coverage | Show per-service control coverage |
stave capabilities catalog gaps | Compare catalog against an external checklist |
stave capabilities catalog inspect | Show full metadata for a single control |
stave capabilities catalog matrix | Show taxonomy × service cross-product with gap cells |
stave capabilities catalog stats | Print aggregate catalog statistics |
stave capabilities catalog taxonomy | List taxonomy categories with control counts |
stave catalog | Print the user-facing capability catalog |
stave catalog coverage | Show per-service control coverage |
stave catalog gaps | Compare catalog against an external checklist |
stave catalog inspect | Show full metadata for a single control |
stave catalog matrix | Show taxonomy × service cross-product with gap cells |
stave catalog stats | Print aggregate catalog statistics |
stave catalog taxonomy | List taxonomy categories with control counts |
stave cel | CEL expression tools |
stave cel eval | Evaluate a CEL expression against observation assets |
stave check | Compare before/after evaluations to check remediation |
stave ci | CI/CD policy and baseline commands |
stave ci baseline | Manage baseline findings for fail-on-new CI workflows |
stave ci baseline check | Compare evaluation findings against baseline and detect new findings |
stave ci baseline save | Save evaluation findings as baseline |
stave ci diff | Compare two evaluations and report new findings |
stave ci fix | Show machine-readable fix plan for a finding |
stave ci fix-loop | Run apply-before/apply-after/verify in one command |
stave ci gate | Enforce CI failure policy modes from config or flags |
stave compare | Compare compliance posture between two frameworks |
stave completion | Generate shell completion scripts |
stave compliance | Evaluate a snapshot against a compliance framework and report coverage |
stave config | Configuration commands |
stave config context | Named project context commands |
stave config context create | Create or update a named context |
stave config context delete | Delete a context |
stave config context list | List available contexts |
stave config context show | Show selected context |
stave config context use | Set active context |
stave config delete | Remove a project config key (reverts to default) |
stave config env | Manage environment variables |
stave config env list | List supported STAVE_* environment variables |
stave config explain | Explain resolved config values and sources |
stave config get | Get a config value |
stave config set | Set a project config value in stave.yaml |
stave config show | Show effective project configuration and value sources |
stave contract | Inspect Stave's per-asset-type input contracts |
stave contract show | Show the agent-facing contract for an asset type |
stave controls | Work with control definitions |
stave controls alias-explain | Show expanded predicate for an alias |
stave controls aliases | List built-in semantic predicate aliases |
stave controls explain | Explain a specific control |
stave controls list | List control IDs and names |
stave controls quality | Analyze control catalog metadata completeness and coverage gaps |
stave controls search | Search the built-in control catalog |
stave coverage | Analyze observation field coverage against control predicates |
stave diagnose | Diagnose evaluation inputs and results |
stave diagnose explain | Generate guided remediation playbook for a finding |
stave diagnose finding | Deep-dive analysis of a single finding |
stave diagnose report | Generate a plain-text report from evaluation output |
stave diagnose trace | Trace predicate evaluation for a single control against a single asset |
stave diff | Compare two observation snapshots or control catalogs |
stave discover | Resolve AWS services to the data Stave needs (the collection manifest) |
stave doctor | Check local environment readiness for Stave workflows |
stave enforce | Generate deterministic enforcement templates from evaluation output |
stave exempt | Manage risk acceptances (acknowledgments, exceptions, exemptions) |
stave exempt acknowledge | Add a formal risk acceptance |
stave exempt asset | Add a scope exclusion (exemption) |
stave exempt except | Add an operational suppression |
stave exempt export | Export risk register as OSCAL POA&M |
stave exempt history | Show full audit trail including expired entries |
stave exempt list | List all active risk acceptances |
stave exempt remove | Mark an acknowledgment as revoked |
stave exempt suggest | Suggest exemptions for chronic/oscillating findings |
stave exempt upcoming | Show acceptances approaching expiry |
stave exempt validate | Validate the acceptance file |
stave expand | Show every control sharing a structural defect archetype |
stave explain | Explain how a control evaluates and which fields it needs |
stave export | Export controls and compliance evidence |
stave export changes | Export remediation property changes from assessment findings |
stave export compliance | Export compliance evidence package |
stave export ocsf | Export findings as OCSF 1.1 Compliance Finding events |
stave export oscal | Export findings as OSCAL 1.1.2 Assessment Results JSON |
stave export tickets | Export findings as canonical ticket records |
stave export-controls | Export the control catalog for external solver consumption |
stave export-sir | Export the Stave Intermediate Representation as JSON |
stave features | Show what Stave does and deliberately does not do |
stave fingerprint | Policy fingerprint diagnostics |
stave fingerprint explain | Show the policy fingerprint preimage and diagnosis |
stave fmt | Format control and observation files deterministically |
stave forge | Author and test custom controls |
stave forge chain | Author and validate custom chains |
stave forge chain lint | Validate chain YAML |
stave forge lint | Static analysis for control YAML files |
stave forge new | Interactive control authoring wizard |
stave forge paths | List available observation property paths from a snapshot |
stave forge preview | Evaluate a predicate against a snapshot without writing files |
stave forge scaffold | Generate test fixtures from a real snapshot |
stave forge test | Run fixture-based assertions against a control |
stave gaps | Report which observation properties are absent + what they unlock |
stave generate | Generate starter artifacts |
stave generate observation | Generate an observation template |
stave graph | Visualize control and asset relationships |
stave graph coverage | Show which controls cover which assets |
stave graph export | Export assessment as JSON, STIX 2.1, JSON-LD, or GraphML |
stave inspect | Low-level security analysis primitives |
stave inspect acl | Analyze S3 ACL grants |
stave inspect aliases | List predicate aliases with metadata |
stave inspect compliance | Resolve compliance framework crosswalk |
stave inspect exposure | Classify resource exposure vectors |
stave inspect policy | Analyze an S3 bucket policy document |
stave inspect risk | Score risk from policy statement context |
stave lint | Lint control files for design quality |
stave map | ATT&CK tactic coverage and gap analysis |
stave metrics | Write Prometheus scrape file for node_exporter |
stave pack | Concern packs — named control groupings and their data requirements |
stave pack list | List available concern packs and their control counts |
stave pack show | Show a pack's requirements manifest (AWS calls, signals, collector permissions) |
stave packs | Inspect built-in control packs |
stave packs list | List available built-in packs |
stave packs show | Show one built-in pack and its control IDs |
stave path | Export attack path graph data from active chain findings |
stave permissions | Query net effective permissions from a snapshot |
stave permissions principal | Resolve permissions for a specific principal ARN |
stave permissions resource | Show who has effective access to a resource |
stave permissions summary | Aggregate NEP metrics across all principals |
stave plan | Preview which controls will evaluate, by service and severity |
stave profile | Manage compliance profiles |
stave profile create | Generate a starter profile YAML |
stave profile list | List available compliance profiles |
stave profile validate | Validate a profile file |
stave prove | Run Z3 SMT queries against a Stave assessment |
stave readiness | Report what Stave can/can't evaluate given the supplied observations |
stave report | Generate executive security posture report |
stave sanitize | Sanitize a snapshot for cross-boundary sharing |
stave schemas | List all contract schemas |
stave score | Compute security posture score (0-100) |
stave scorecard | Multi-framework compliance scorecard |
stave search | Find catalog entries matching a free-form intent |
stave snapshot | Snapshot inspection commands |
stave snapshot diff | Compare the latest two observation snapshots |
stave status | Show project context and the next recommended command |
stave telemetry | Emit structured NDJSON telemetry from assessment output |
stave test | Run embedded control test cases |
stave transform | Convert raw AWS CLI snapshots into obs.v0.1 observations (built-in jq) |
stave trend | Analyze compliance posture trends across assessment runs |
stave trend forecast | Project posture score trajectory with SLA breach warnings |
stave trend oscillation | Classify violation oscillation patterns across assessment history |
stave trend predict | Project compliance readiness achievement date |
stave validate | Validate inputs without evaluation |
stave validate-mapping | Validate a Steampipe→Stave mapping file before use |
stave version | Print version and environment state |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Security-audit gating failure |
| 2 | Invalid input or validation failure |
| 3 | Violations found (apply) or diagnostics found (diagnose) |
| 4 | Internal error |
| 130 | Interrupted (SIGINT) |