Skip to main content

stave inspect

Inspect provides direct access to Stave's domain analysis engines.

Each subcommand reads JSON from --file or stdin and outputs analysis results
as JSON. These are building blocks for custom tooling and debugging.

Subcommands:
  policy      S3 bucket policy analysis
  acl         S3 ACL grant analysis
  exposure    Exposure classification
  risk        Risk scoring
  compliance  Framework crosswalk
  aliases     Predicate alias listing

Offline-only: reads local files; makes zero network connections; no cloud credentials.

Usage:
  stave inspect [command]

Available Commands:
  acl         Analyze S3 ACL grants
  aliases     List predicate aliases with metadata
  compliance  Resolve compliance framework crosswalk
  exposure    Classify resource exposure vectors
  policy      Analyze an S3 bucket policy document
  risk        Score risk from policy statement context

Flags:
  -h, --help   help for inspect

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)

Use "stave inspect [command] --help" for more information about a command.