stave coverage

Analyze which controls can evaluate against a snapshot by checking
whether all fields referenced in control predicates are present in
the snapshot's asset properties.

Controls are classified as:
  EVALUABLE    All referenced fields present in snapshot
  INCOMPLETE   Some fields missing — INCOMPLETE verdict expected
  SILENT_RISK  Missing fields could produce false PASS verdicts
  NO_ASSETS    No assets of the required type in snapshot

Inputs:
  --snapshot PATH   Path to observation snapshot JSON (required)
  --controls PATH   Path to controls directory (default: controls)
  --format STRING   Output format: table (default) | json
  --out PATH        Write to file instead of stdout

Exit Codes:
  0  No silent risk controls
  2  Invalid input
  3  Silent risk controls detected

Usage:
  stave coverage [flags]

Examples:
  # Analyze coverage against snapshot
  stave coverage --snapshot snapshot.json

  # JSON output for automation
  stave coverage --snapshot snapshot.json --format json

  # Check before assessment
  stave coverage --snapshot snapshot.json && stave apply --snapshot snapshot.json

Flags:
  -i, --controls string   path to controls directory (default "controls")
  -f, --format string     output format: table | json (default "table")
  -h, --help              help for coverage
      --out string        write to file instead of stdout
      --snapshot string   path to observation snapshot JSON (required)

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths)
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only)
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)
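
The "Check before assessment" one-liner stops on any non-zero exit, so a pipeline cannot tell invalid input (2) from silent-risk controls (3). The wrapper below is an added example, not part of the stave project: it keeps a JSON report for review and fails closed on every non-zero code. The function name coverage_gate and the default report file name are assumptions, and stave is assumed to be on PATH.

```shell
# Added example (not stave's own code): CI gate around `stave coverage`.
# Usage: coverage_gate snapshot.json coverage.json && stave apply --snapshot snapshot.json
coverage_gate() {
    cg_snapshot=${1:-}
    cg_report=${2:-coverage.json}    # hypothetical default report name
    cg_controls=${3:-controls}       # same default as --controls

    # Fail early, with the documented "invalid input" code, if the snapshot is absent.
    if [ ! -f "$cg_snapshot" ]; then
        echo "coverage gate: snapshot not found: $cg_snapshot" >&2
        return 2
    fi

    # Capture the exit code explicitly so the gate also works under `set -e`.
    # --force lets a re-run of the job overwrite the previous report.
    cg_rc=0
    stave coverage --snapshot "$cg_snapshot" --controls "$cg_controls" \
        --format json --out "$cg_report" --force || cg_rc=$?

    case $cg_rc in
        0) echo "coverage gate: no silent-risk controls; safe to assess" >&2 ;;
        2) echo "coverage gate: invalid input; check snapshot and controls paths" >&2 ;;
        3) echo "coverage gate: silent-risk controls detected; a PASS may be false, see $cg_report" >&2 ;;
        *) echo "coverage gate: unexpected exit code $cg_rc; failing closed" >&2 ;;
    esac
    return "$cg_rc"
}
```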