stave score

Compute a normalized 0-100 security posture score from assessment
output. The score is a weighted combination of severity distribution,
SLA compliance, chain activity, and framework coverage.

Inputs:
--output PATH Path to a single out.v0.1.json assessment file
--history DIR Directory of out.v0.1.json files for score trend
--compliance LIST Comma-separated compliance profile names for coverage
--sla-profile NAME SLA profile name for SLA component scoring
--weights STRING Override default weights (severity=0.45,sla=0.25,chain=0.20,coverage=0.10)
--format FORMAT Output format: table (default) | json | openmetrics
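The following is an added worked example, not stave's own code, showing the arithmetic the description above implies: four component sub-scores combined with the default weights (severity=0.45, sla=0.25, chain=0.20, coverage=0.10), a parser for the --weights override string that rejects malformed input (the help text maps invalid input to exit code 2), a trend over a history of assessments, and an OpenMetrics rendering. Everything beyond the weights themselves is assumed: that each component is already a 0-100 sub-score, that weights must be non-negative and sum to 1, the sample component values, and the metric names (posture_score, posture_component_score).

```python
"""Added example (not stave's own code): weighted posture score arithmetic
with --weights parsing, trend, and OpenMetrics rendering.

Assumptions (the help text does not define them): each component is a
0-100 sub-score, weights are non-negative and sum to 1, and the metric
names used below are hypothetical."""

DEFAULT_WEIGHTS = {"severity": 0.45, "sla": 0.25, "chain": 0.20, "coverage": 0.10}
COMPONENTS = tuple(DEFAULT_WEIGHTS)


class InvalidInput(ValueError):
    """Corresponds to the command's exit code 2 (invalid input)."""


def parse_weights(spec):
    """Parse 'severity=N,sla=N,chain=N,coverage=N'. Keys not given keep their
    defaults; unknown keys, non-numeric or negative values, and totals that do
    not sum to 1 (within float tolerance) are rejected."""
    weights = dict(DEFAULT_WEIGHTS)
    if spec:
        for item in spec.split(","):
            key, sep, value = item.partition("=")
            key = key.strip()
            if not sep or key not in weights:
                raise InvalidInput(f"unknown or malformed weight entry: {item!r}")
            try:
                w = float(value)
            except ValueError:
                raise InvalidInput(f"weight for {key} is not a number: {value!r}") from None
            if w < 0:
                raise InvalidInput(f"weight for {key} must be non-negative")
            weights[key] = w
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise InvalidInput(f"weights must sum to 1.0, got {total:.4f}")
    return weights


def posture_score(components, weights=None):
    """Weighted combination of 0-100 component scores into a 0-100 total,
    rounded to one decimal. A missing component counts as 0 (assumed rule)."""
    weights = weights or DEFAULT_WEIGHTS
    for name, value in components.items():
        if name not in COMPONENTS:
            raise InvalidInput(f"unknown component: {name}")
        if not 0 <= value <= 100:
            raise InvalidInput(f"component {name} out of range: {value}")
    total = sum(weights[c] * components.get(c, 0.0) for c in COMPONENTS)
    return round(min(max(total, 0.0), 100.0), 1)


def score_trend(history, weights=None):
    """Given per-assessment component dicts ordered oldest first (as a
    --history directory would yield), return the score series and the change
    between the two most recent assessments."""
    scores = [posture_score(c, weights) for c in history]
    delta = round(scores[-1] - scores[-2], 1) if len(scores) >= 2 else 0.0
    return scores, delta


def render_openmetrics(components, weights=None):
    """Render total and per-component scores as OpenMetrics text.
    Metric names are hypothetical, not stave's actual exposition format."""
    lines = [
        "# TYPE posture_score gauge",
        f"posture_score {posture_score(components, weights)}",
        "# TYPE posture_component_score gauge",
    ]
    for c in COMPONENTS:
        lines.append(f'posture_component_score{{component="{c}"}} {components.get(c, 0.0)}')
    lines.append("# EOF")
    return "\n".join(lines) + "\n"


# Constructed sample: one assessment's component sub-scores.
SAMPLE = {"severity": 60.0, "sla": 90.0, "chain": 40.0, "coverage": 80.0}

if __name__ == "__main__":
    print("default weights:", posture_score(SAMPLE))
    custom = parse_weights("severity=0.60,sla=0.20,chain=0.15,coverage=0.05")
    print("custom weights :", posture_score(SAMPLE, custom))
    print(render_openmetrics(SAMPLE))
```

With the constructed sample, the default weights give 27 + 22.5 + 8 + 8 = 65.5, and the custom weights from the help text's example give 36 + 18 + 6 + 4 = 64.0. Because the severity component carries the largest weight, an override that shifts weight toward severity moves the total more than a comparable change to the coverage weight; validating that overrides still sum to 1 keeps the 0-100 scale meaningful across runs.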

Outputs:
stdout Score report in the selected format

Exit Codes:
0 Score computed
2 Invalid input
4 Internal error

Usage:
stave score [flags]

Examples:
# Current score from assessment output
stave score --output assessment.json

# Score with compliance coverage
stave score --output assessment.json --compliance hipaa

# Score trend over history
stave score --history ./assessments/ --compliance hipaa

# JSON output for automation
stave score --output assessment.json --format json

# OpenMetrics for Prometheus scraping
stave score --output assessment.json --format openmetrics

# Custom weights
stave score --output assessment.json --weights severity=0.60,sla=0.20,chain=0.15,coverage=0.05

Flags:
--compliance string comma-separated compliance profiles for coverage
-f, --format string output format: table | json | openmetrics (default "table")
-h, --help help for score
--history string directory of out.v0.1.json files for trend
--output string path to out.v0.1.json assessment file
--sla-profile string SLA profile name for SLA scoring
--weights string override weights (severity=N,sla=N,chain=N,coverage=N)

Global Flags:
--allow-symlink-output Allow writing output through symlinks (default: refuse)
--force Allow overwriting existing output files
--log-file string Write logs to file (default: stderr)
--log-format string Log format: text|json (default "text")
--log-level string Log level: debug|info|warn|error (overrides -v)
--log-timestamps Include timestamps in logs (breaks determinism)
--log-timings Include timing information (breaks determinism)
--no-color Disable ANSI colors in output
--path-mode string Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--quiet Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--require-offline Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
--sanitize Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--strict Enable strict integrity checks for embedded registries and references
-v, --verbose count Increase verbosity (-v=INFO, -vv=DEBUG)
-y, --yes Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)