Skip to main content

stave exempt acknowledge

Add a formal risk acceptance

Usage

stave exempt acknowledge [flags]

Description

Add a formal risk acceptance (acknowledgment) for a specific finding. Requires approver identity, rationale, and expiry date. The entry is written to the acceptance YAML file with a full audit trail.

Exit Codes: 0 Acknowledgment added 2 Invalid input 4 Internal error

Flags

FlagTypeDescription
--approverstringidentity of approving authority (required)
--asset-idstringasset ARN or ID (required)
--compensatingstringcomma-separated compensating control IDs
--control-idstringcontrol ID (required)
--expiresstringexpiry date YYYY-MM-DD (required)
--filestringpath to acceptance file (default: ./stave-acknowledgments.yaml)
--reasonstringrationale for accepting this risk (required)

Examples

stave exempt acknowledge \
--control-id CTL.S3.PUBLIC.001 \
--asset-id arn:aws:s3:::legacy-bucket \
--reason "Temporary public access during migration" \
--approver "jane.doe@example.com (CISO)" \
--expires 2026-09-01