Skip to main content

stave path

Produce a structured data export describing active chain findings,
directed edges between chains (postcondition of A satisfies
precondition of B), and control remediation actions per chain.

An external program performs path finding — BFS, DFS, shortest
path, centrality analysis, or any other graph algorithm. Stave
does not implement graph algorithms.

Inputs:
  --output PATH     Path to stave apply JSON output (required)
  --chains PATH     Path to chains directory (default: chains)
  --format STRING   Output format: json (default) | dot | csv-edges
  --out PATH        Write to file instead of stdout

Outputs:
  stdout            Attack path graph in selected format

Exit Codes:
  0   Graph produced
  2   Invalid input
  4   Internal error

Usage:
  stave path [flags]

Examples:
  # Produce graph data for external analysis
  stave path --output findings.json > attack-graph.json

  # Graphviz visualization
  stave path --output findings.json --format dot | dot -Tsvg > paths.svg

  # CSV edges for Python NetworkX
  stave path --output findings.json --format csv-edges > edges.csv

Flags:
      --chains string   path to chains directory (default "chains")
  -f, --format string   output format: json | dot | csv-edges (default "json")
  -h, --help            help for path
      --out string      write to file instead of stdout
      --output string   path to stave apply JSON output (required)

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)