
stave apply

Apply executes control evaluation and produces safety findings.

Modes:
Default Evaluate observations against controls in a project directory.
--dry-run Run readiness checks only, without evaluating controls.
--profile Evaluate a bundled observations file against a built-in control pack.
Requires --input. Example: stave apply --profile aws-s3 --input obs.json

Inputs:
--controls, -i Path to control definitions directory (default: controls/s3)
--observations, -o Path to observation snapshots directory (default: observations)
--profile, -p Evaluation profile (e.g., aws-s3)
--input Path to observations bundle file (required with --profile)
--max-unsafe Maximum allowed unsafe duration (default: from project config)
--now Override current time (RFC3339) for deterministic output
--format, -f Output format: text, json, or sarif (default: text)
--dry-run Run readiness checks only

Outputs:
stdout Evaluation findings (JSON, text, or SARIF)
stderr Progress and diagnostic messages

Exit Codes:
0 - Evaluation completed with no violations
2 - Invalid input or configuration error
3 - Violations found
4 - Internal error
130 - Interrupted (SIGINT)

Remediation scope:
Stave produces findings with structured remediation data
(asset-parameterized CLI in findings[].fix_plan.command,
property-level changes in findings[].remediation_context.changes,
AI-prompt-ready context in findings[].remediation_context). It
does NOT execute remediation. Pipe apply output to downstream
tooling — AI prompts, CI/CD pipelines, ticket systems — for fix
generation. There is no --apply-fixes flag and no auto-fix mode;
the boundary is the data, not the change.

Offline-only: reads local files; makes zero network connections; no cloud credentials.
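The exit-code table and the remediation-scope passage above describe a contract for downstream consumers: findings are read from stdout, exit code 3 means violations were found, and Stave itself never applies a fix. The following script is an added example (not part of Stave) of a consumer that honors that contract: it runs `stave apply --format json`, trusts findings only on exit code 3, and extracts the documented `findings[].fix_plan.command` and `findings[].remediation_context.changes` paths into ticket-ready items. The top-level `findings` array, the keys `control_id`, `property`, `from` and `to`, and the sample output are assumptions constructed for this example; the page does not define them.

```python
"""Consume `stave apply --format json` output downstream (added example, not Stave's own code)."""
import json
import subprocess

# Exit codes documented for `stave apply`.
EXIT_OK, EXIT_INVALID, EXIT_VIOLATIONS, EXIT_INTERNAL, EXIT_INTERRUPTED = 0, 2, 3, 4, 130

# Constructed sample output: only the paths findings[].fix_plan.command and
# findings[].remediation_context.changes come from the page; every other key is assumed.
SAMPLE_OUTPUT = json.dumps({"findings": [{
    "control_id": "example-control",
    "fix_plan": {"command": "<asset-parameterized fix command placeholder>"},
    "remediation_context": {"changes": [{"property": "BlockPublicAcls", "from": False, "to": True}]},
}]})


def run_apply(extra_args):
    """Run stave apply and return (exit_code, stdout). Only exit 0 and 3 carry trustworthy output."""
    proc = subprocess.run(["stave", "apply", "--format", "json", *extra_args],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def remediation_items(exit_code, stdout):
    """Map apply output to ticket-ready items. Stave only emits data, so this never executes a fix."""
    if exit_code == EXIT_OK:
        return []  # clean evaluation: nothing to route
    if exit_code != EXIT_VIOLATIONS:
        # 2 = bad input/config, 4 = internal error, 130 = interrupted: output is not a findings document
        raise RuntimeError(f"stave apply did not complete an evaluation (exit code {exit_code})")
    doc = json.loads(stdout)
    items = []
    for finding in doc.get("findings", []):
        fix_plan = finding.get("fix_plan") or {}
        context = finding.get("remediation_context") or {}
        items.append({
            "control": finding.get("control_id"),           # assumed key
            "command": fix_plan.get("command"),             # documented path
            "changes": [(c.get("property"), c.get("from"), c.get("to"))  # assumed keys
                        for c in context.get("changes", [])],  # documented path
        })
    return items


if __name__ == "__main__":
    code, out = run_apply(["--controls", "./controls", "--observations", "./obs"])
    for item in remediation_items(code, out):
        print(item)
```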

Usage:
stave apply [flags]

Examples:
# Standard evaluation
stave apply --controls ./controls --observations ./obs --format json

# Readiness check only (dry run)
stave apply --dry-run

# Profile-based evaluation with bundled observations
stave apply --profile aws-s3 --input observations.json --now 2026-01-15T00:00:00Z

Flags:
--acknowledgment-file string Path to acknowledgment config YAML file
--assert-recent string Fail if no snapshot newer than this duration (e.g. 48h)
--assets string Asset sensitivity classification manifest YAML
--baseline string SARIF baseline file for baseline state comparison
--bucket-allowlist strings Bucket names/ARNs to include
-i, --controls string Path to control definitions directory (default "controls")
--dry-run Run readiness checks only, without evaluating controls
--exemption-file string Path to asset exemption list YAML file
-f, --format string Output format (text, json, or sarif) (default "text")
-h, --help help for apply
--history string Directory of historical assessment JSON files (for --new-only)
--include-all Disable health scope filtering
--input string Path to observations bundle file (required with --profile)
--integrity-manifest string Path to manifest JSON containing expected hashes
--integrity-public-key string Path to Ed25519 public key for signed manifests
--max-unsafe string Maximum allowed unsafe duration. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--new-only Show only findings not present in previous assessment
--new-since string Show only findings not present in assessments within this window (e.g. 7d)
--now string Override current time (RFC3339) for deterministic output
-o, --observations string Path to observation snapshots directory (default "observations")
--overlay string Environment-specific severity overlay YAML
--owner-filter strings Team IDs to filter findings (repeatable or comma-separated)
-p, --profile string Evaluation profile (e.g. aws-s3)
--profile-file strings Custom compliance profile YAML (can be repeated)
--show-suppressed Include overlay-suppressed controls in output
--sla-policy string SLA breach exit code behavior: warn, strict, critical-only (default "warn")
--sla-profile string SLA policy profile (pci_dss_v4, hipaa, soc2, fedramp_moderate, default)
--sla-profile-file string Path to custom SLA policy YAML file
--team-manifest string Path to stave-teams.yaml for owner routing
--trace string Write full step-by-step audit trace to file. Every finding already emits a compact reasoning_trace inline (rendered as prose in text output, as raw DSL in JSON/SARIF); this flag writes the full Assessment.Steps[] superset to a separate file for users who want the precise predicate-DSL form or per-step timing.

Global Flags:
--allow-symlink-output Allow writing output through symlinks (default: refuse)
--force Allow overwriting existing output files
--log-file string Write logs to file (default: stderr)
--log-format string Log format: text|json (default "text")
--log-level string Log level: debug|info|warn|error (overrides -v)
--log-timestamps Include timestamps in logs (breaks determinism)
--log-timings Include timing information (breaks determinism)
--no-color Disable ANSI colors in output
--path-mode string Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--quiet Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--require-offline Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
--sanitize Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--strict Enable strict integrity checks for embedded registries and references
-v, --verbose count Increase verbosity (-v=INFO, -vv=DEBUG)
-y, --yes Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)