Analyzes the gap between a baseline framework (e.g. HIPAA) and a
target framework (e.g. FedRAMP Moderate). Identifies shared
violations (fix once, satisfy both), marginal work (target-only),
and free coverage (already passing).
Answers: "What is the marginal cost to adopt framework B given
we already comply with framework A?"
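The three buckets described above, worked through on a constructed assessment. This is an added illustration, not stave's own code; the finding shape (control name, pass/fail status, list of mapped framework keys) is an assumption, not the real `stave apply` JSON format.

```python
# Added example (not stave's own code). The finding shape is assumed:
# each finding names a control, its status, and the framework keys it maps to.
SAMPLE_FINDINGS = [  # constructed sample input
    {"control": "encrypt-at-rest", "status": "fail", "frameworks": ["hipaa", "fedramp_moderate"]},
    {"control": "mfa-console", "status": "fail", "frameworks": ["hipaa", "fedramp_moderate"]},
    {"control": "fips-crypto", "status": "fail", "frameworks": ["fedramp_moderate"]},
    {"control": "audit-logging", "status": "pass", "frameworks": ["hipaa", "fedramp_moderate"]},
    {"control": "vuln-scan-monthly", "status": "pass", "frameworks": ["fedramp_moderate"]},
    {"control": "breach-notification", "status": "fail", "frameworks": ["hipaa"]},
]


def gap_analysis(findings, baseline, target):
    """Partition the target framework's controls relative to the baseline.

    shared:   failing and mapped to both frameworks (fix once, satisfy both)
    marginal: failing and mapped to the target only (the marginal cost of B)
    free:     passing target controls (already covered, no work needed)
    Controls that map only to the baseline are out of scope and ignored.
    """
    buckets = {"shared": [], "marginal": [], "free": []}
    for f in findings:
        mapped = set(f["frameworks"])
        if target not in mapped:
            continue  # baseline-only control: not part of the target's cost
        if f["status"] == "pass":
            buckets["free"].append(f["control"])
        elif baseline in mapped:
            buckets["shared"].append(f["control"])
        else:
            buckets["marginal"].append(f["control"])
    for controls in buckets.values():
        controls.sort()  # deterministic output, as the CLI's default mode aims for
    return buckets


def render_table(buckets):
    """Plain-text table in the spirit of the default --format table."""
    header = "bucket    count  controls"
    rows = [f"{name:<9} {len(ctls):>5}  {', '.join(ctls)}" for name, ctls in buckets.items()]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(render_table(gap_analysis(SAMPLE_FINDINGS, "hipaa", "fedramp_moderate")))
```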
Inputs:
--from STRING Baseline framework key (required)
--to STRING Target framework key (required)
--assessment PATH stave apply JSON output (required)
--format STRING table (default) | json | markdown
Framework keys: hipaa, nist_800_53_r5, fedramp_moderate,
soc2, pci_dss_v4.0, cis_aws_v3.0, gdpr, iso_27001_2022
Exit Codes:
0 Gap analysis produced
2 Invalid input
Usage:
stave compare [flags]
Examples:
stave compare --from hipaa --to fedramp_moderate \
--assessment findings.json
stave compare --from hipaa --to soc2 \
--assessment findings.json --format markdown
Flags:
--after string After assessment path (--mode remediation)
--assessment string stave apply JSON output (required)
--before string Before assessment path (--mode remediation)
-f, --format string output format: table | json | markdown (default "table")
--from string baseline framework key (required)
-h, --help help for compare
--mode string Comparison mode: remediation
--out string write to file
--simulated string Simulated output for efficiency comparison
--to string target framework key (required)
Global Flags:
--allow-symlink-output Allow writing output through symlinks (default: refuse)
--force Allow overwriting existing output files
--log-file string Write logs to file (default: stderr)
--log-format string Log format: text|json (default "text")
--log-level string Log level: debug|info|warn|error (overrides -v)
--log-timestamps Include timestamps in logs (breaks determinism)
--log-timings Include timing information (breaks determinism)
--no-color Disable ANSI colors in output
--path-mode string Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--quiet Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--require-offline Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
--sanitize Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--strict Enable strict integrity checks for embedded registries and references
-v, --verbose count Increase verbosity (-v=INFO, -vv=DEBUG)
-y, --yes Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)