stave bundle

Bundle runs a full assessment and packages the results into a
portable, cryptographically sealed evidence archive (.stave-bundle).
The bundle contains the assessment, logic trace, pruned resource
snapshots, and a SHA-256 manifest — optionally signed with an Ed25519
private key.

This enables air-gapped environments to produce verifiable compliance
evidence that can be transferred to GRC platforms (Vanta, Drata,
ServiceNow) via data diode or manual transfer.
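The check the receiving side should run on such an archive before trusting it, as an added Go example that is not part of stave: it assumes a manifest.sha256 made of "<hex-sha256> <path>" lines and a raw Ed25519 signature over those bytes in manifest.sig, neither of which this page documents.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"strings"
)
// VerifyBundle unpacks an in-memory .stave-bundle (tar.gz), checks the Ed25519 signature over
// the manifest when pub is non-nil, then checks the SHA-256 of every file the manifest lists.
// Assumed layout (not from the page): "manifest.sha256" = "<hex> <path>" lines, "manifest.sig" = raw signature.
func VerifyBundle(archive []byte, pub ed25519.PublicKey) error {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return err
	}
	files, tr := map[string][]byte{}, tar.NewReader(gz)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		if files[hdr.Name], err = io.ReadAll(tr); err != nil {
			return err
		}
	}
	manifest, ok := files["manifest.sha256"]
	if !ok {
		return errors.New("manifest.sha256 missing")
	}
	// Authenticate the manifest before trusting any hash in it; a missing manifest.sig makes Verify return false.
	if pub != nil && !ed25519.Verify(pub, manifest, files["manifest.sig"]) {
		return errors.New("manifest signature missing or invalid")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return errors.New("malformed manifest line: " + line)
		}
		data, ok := files[f[1]] // check presence explicitly so a listed-but-absent file cannot pass
		if sum := sha256.Sum256(data); !ok || hex.EncodeToString(sum[:]) != f[0] {
			return errors.New("missing or modified file: " + f[1])
		}
	}
	return nil
}
```

Files present in the archive but absent from the manifest are not covered by the signature; a stricter verifier rejects any such extra entry rather than ignoring it.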

Inputs:
--controls, -i Path to control definitions directory
--observations, -o Path to observation snapshots directory
--sign-key Path to Ed25519 private key PEM for signing
--output Output file path (default: evidence-<timestamp>.stave-bundle)
--include-asff Include ASFF-formatted findings for Security Hub integration

Outputs:
.stave-bundle Tar.gz archive with assessment, trace, snapshots, manifest

Exit Codes:
0 Bundle created, no violations
2 Input or configuration error
3 Bundle created with violations
4 Internal error

Usage:
stave bundle [flags]
stave bundle [command]

Examples:
stave bundle --controls ./controls --observations ./observations
stave bundle -i ./controls -o ./observations --sign-key audit-private.pem
stave bundle -i ./controls -o ./observations --include-asff --output evidence.stave-bundle

Available Commands:
audit Assemble a compliance-period evidence package

Flags:
-i, --controls string Path to control definitions directory (default "controls")
-h, --help help for bundle
--include-asff Include ASFF-formatted findings
--max-unsafe string Maximum allowed unsafe duration (default "168h")
-o, --observations string Path to observation snapshots directory (default "observations")
--output string Output file path
--sign-key string Path to Ed25519 private key PEM for signing

Global Flags:
--allow-symlink-output Allow writing output through symlinks (default: refuse)
--force Allow overwriting existing output files
--log-file string Write logs to file (default: stderr)
--log-format string Log format: text|json (default "text")
--log-level string Log level: debug|info|warn|error (overrides -v)
--log-timestamps Include timestamps in logs (breaks determinism)
--log-timings Include timing information (breaks determinism)
--no-color Disable ANSI colors in output
--path-mode string Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--quiet Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--require-offline Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
--sanitize Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--strict Enable strict integrity checks for embedded registries and references
-v, --verbose count Increase verbosity (-v=INFO, -vv=DEBUG)
-y, --yes Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)

Use "stave bundle [command] --help" for more information about a command.