stave check

Compare before/after evaluations to check whether remediation resolved findings.

Verify runs the same controls against two sets of observations (before and after
remediation) and reports which findings were resolved, which remain, and which
are newly introduced. Use it after applying fixes to confirm that violations
have been addressed without introducing regressions.

Inputs:
  --before, -b      Path to before-remediation observations (required)
  --after, -a       Path to after-remediation observations (required)
  --controls, -i    Path to control definitions directory (default: controls)
  --max-unsafe      Maximum allowed unsafe duration
  --now             Override current time (RFC3339) for deterministic output

Outputs:
  stdout    Verification report JSON showing resolved, remaining, and introduced findings
  stderr    Error messages (if any)

Exit Codes:
  0   - All findings resolved; no remaining or introduced violations
  3   - Remaining or introduced violations exist
  130 - Interrupted (SIGINT)

Offline-only: reads local files; makes zero network connections; no cloud credentials.

Usage:
  stave check [flags]

Examples:
  # Compare before/after observations
  stave check --before ./obs-before --after ./obs-after --controls ./controls

  # Deterministic output for CI
  stave check --before ./obs-before --after ./obs-after --controls ./controls \
    --now 2026-01-15T00:00:00Z

  # With a custom unsafe duration threshold
  stave check --before ./obs-before --after ./obs-after --controls ./controls \
    --max-unsafe 72h
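The resolved/remaining/introduced classification and the 0/3 exit code described above, worked through in a small stand-alone Python example. This is an added illustration, not stave's own code: the finding records (a control id, a resource, a first-seen time) and the reading of --max-unsafe as "how long a still-open finding may have been open relative to --now" are assumptions, and the sample findings are constructed.

```python
"""Illustrative before/after comparison modelled on the `stave check` help text.
Not stave's implementation; the record layout and --max-unsafe semantics are assumed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample observations: one finding is fixed, one persists, one is new.
BEFORE = [
    {"control": "s3-public-access", "resource": "arn:example:bucket-a", "first_seen": "2026-01-10T00:00:00Z"},
    {"control": "s3-encryption", "resource": "arn:example:bucket-a", "first_seen": "2026-01-12T00:00:00Z"},
]
AFTER = [
    {"control": "s3-encryption", "resource": "arn:example:bucket-a", "first_seen": "2026-01-12T00:00:00Z"},
    {"control": "iam-wildcard-policy", "resource": "arn:example:role-x", "first_seen": "2026-01-15T00:00:00Z"},
]

def parse_duration(text):
    """Parse a Go-style duration such as '72h', '30m' or '45s' (assumed syntax of --max-unsafe)."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    return timedelta(**{units[text[-1]]: float(text[:-1])})

def parse_rfc3339(text):
    """RFC3339 timestamp to an aware datetime (the 'Z' form is not accepted by older Pythons)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def finding_key(f):
    """A finding's identity for diffing: the control that fired and the resource it fired on."""
    return (f["control"], f["resource"])

def compare(before, after, now, max_unsafe=None):
    """Classify findings by identity; optionally flag remaining ones open longer than max_unsafe."""
    b = {finding_key(f): f for f in before}
    a = {finding_key(f): f for f in after}
    report = {
        "resolved": sorted(k for k in b if k not in a),
        "remaining": sorted(k for k in b if k in a),
        "introduced": sorted(k for k in a if k not in b),
        "over_max_unsafe": [],
    }
    if max_unsafe is not None:
        for k in report["remaining"]:
            if now - parse_rfc3339(a[k]["first_seen"]) > max_unsafe:
                report["over_max_unsafe"].append(k)
    return report

def exit_code(report):
    """0 only when nothing remains and nothing was introduced, as the help text states; else 3."""
    return 0 if not (report["remaining"] or report["introduced"]) else 3

def render(report):
    """The JSON report that would go to stdout (tuples serialise as arrays)."""
    return json.dumps(report, indent=2)
```

Passing the same `now` on every run, as the `--now` example does, keeps the `over_max_unsafe` verdict and therefore the report byte-for-byte reproducible in CI.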

Flags:
  -a, --after string       Path to after-remediation observations (required)
  -b, --before string      Path to before-remediation observations (required)
  -i, --controls string    Path to control definitions directory (default "controls")
  -h, --help               help for check
      --max-unsafe string  Maximum allowed unsafe duration. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --now string         Override current time (RFC3339) for deterministic output

Global Flags:
      --allow-symlink-output  Allow writing output through symlinks (default: refuse)
      --force                 Allow overwriting existing output files
      --log-file string       Write logs to file (default: stderr)
      --log-format string     Log format: text|json (default "text")
      --log-level string      Log level: debug|info|warn|error (overrides -v)
      --log-timestamps        Include timestamps in logs (breaks determinism)
      --log-timings           Include timing information (breaks determinism)
      --no-color              Disable ANSI colors in output
      --path-mode string      Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                 Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline       Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize              Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                Enable strict integrity checks for embedded registries and references
  -v, --verbose count         Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                   Auto-confirm all interactive prompts (distinct from --force, which controls file overwriting)