CLI Reference
Generated by publisher tooling from CLI help output.
| Command | Description |
|---|---|
stave | Root command |
stave alias | Manage command aliases |
stave apply | Run control evaluation after plan checks pass |
stave attest | Snapshot tamper detection via Ed25519 signatures |
stave bisect | Find when a security invariant was first violated |
stave bundle | Generate a sealed evidence bundle for air-gap GRC integration |
stave capabilities | Print supported input types and version constraints (default) or a user-facing catalog (subcommand) |
stave cel | CEL expression tools |
stave check | Compare before/after evaluations to check remediation |
stave ci | CI/CD policy and baseline commands |
stave compare | Compare compliance posture between two frameworks |
stave completion | Generate shell completion scripts |
stave config | Configuration commands |
stave contract | Inspect Stave's per-asset-type input contracts |
stave controls | Work with control definitions |
stave coverage | Analyze observation field coverage against control predicates |
stave diagnose | Diagnose evaluation inputs and results |
stave diff | Compare two observation snapshots or control catalogs |
stave doctor | Check local environment readiness for Stave workflows |
stave enforce | Generate deterministic enforcement templates from evaluation output |
stave exempt | Manage risk acceptances (acknowledgments, exceptions, exemptions) |
stave expand | Show every control sharing a structural defect archetype |
stave explain | Explain how a control evaluates and which fields it needs |
stave export-invariants | Export control catalog as solver-ready invariants |
stave export-sir | Export the Stave Intermediate Representation as JSON |
stave export | Export controls and compliance evidence |
stave features | Show what Stave does and deliberately does not do |
stave fmt | Format control and observation files deterministically |
stave forge | Author and test custom controls |
stave gaps | Report which observation properties are absent + what they unlock |
stave generate | Generate starter artifacts |
stave graph | Visualize control and asset relationships |
stave help | Help about any command |
stave inspect | Low-level security analysis primitives |
stave lint | Lint control files for design quality |
stave map | ATT&CK tactic coverage and gap analysis |
stave metrics | Write Prometheus scrape file for node_exporter |
stave packs | Inspect built-in control packs |
stave path | Export attack path graph data from active chain findings |
stave permissions | Query net effective permissions from a snapshot |
stave profile | Manage compliance profiles |
stave readiness | Report what Stave can/can't evaluate given the supplied observations |
stave report | Generate executive security posture report |
stave sanitize | Sanitize a snapshot for cross-boundary sharing |
stave schemas | List all contract schemas |
stave scorecard | Multi-framework compliance scorecard |
stave score | Compute security posture score (0-100) |
stave search | Find catalog entries matching a free-form intent |
stave snapshot | Snapshot inspection commands |
stave status | Show project context and the next recommended command |
stave telemetry | Emit structured NDJSON telemetry from assessment output |
stave test | Run embedded control test cases |
stave trend | Analyze compliance posture trends across assessment runs |
stave validate-mapping | Validate a Steampipe→Stave mapping file before use |
stave validate | Validate inputs without evaluation |
stave version | Print version and environment state |