Compare two observation snapshots or two control catalog versions.

Snapshot mode (default):
  Shows property changes and new/removed assets between two snapshots.

Catalog mode (--catalogs):
  Shows new/removed controls and severity changes between catalog versions.

Inputs:
  --snapshot-before PATH   Earlier snapshot JSON
  --snapshot-after PATH    Later snapshot JSON
  --catalogs               Compare control catalogs instead of snapshots
  --catalog-before PATH    Earlier catalog directory (with --catalogs)
  --catalog-after PATH     Later catalog directory (with --catalogs)

Exit Codes:
  0   Diff produced
  2   Invalid input

Usage:
  stave diff [flags]

Examples:
  stave diff --snapshot-before snap1.json --snapshot-after snap2.json
  stave diff --catalogs --catalog-before ./controls-v1/ --catalog-after ./controls-v2/

Flags:
      --catalog-after string     path to after catalog (with --catalogs)
      --catalog-before string    path to before catalog (with --catalogs)
      --catalogs                 compare control catalogs instead of snapshots
  -f, --format string            output format: text | json (default "text")
  -h, --help                     help for diff
      --snapshot-after string    path to after snapshot JSON
      --snapshot-before string   path to before snapshot JSON

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths)
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only)
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)