stave test

Run test cases embedded in control YAML files. Each control can
define a tests: block with inline test assets and expected verdicts.

The test runner uses the exact same CEL evaluation path as stave apply
— same property normalization, same isMissing behavior.

Verdicts: PASS, VIOLATION, INCONCLUSIVE

Inputs:
  --control PATH     Test a single control YAML file
  --controls PATH    Test all controls in a directory (default: controls)
  --format STRING    Output format: table (default) | json | tap
  --fail-fast        Stop on first failure
  --filter STRING    Run only tests matching pattern (e.g. CTL.S3.*)
  --verbose          Show passing tests (default: failures only)

Exit Codes:
  0   All tests passed
  1   One or more tests failed
  2   Invalid input

Usage:
  stave test [flags]

Examples:
  # Test all controls
  stave test --controls ./controls

  # Test a single control
  stave test --control controls/s3/access/CTL.S3.PUBLIC.001.yaml

  # TAP output for CI
  stave test --controls ./controls --format tap

  # Filter to S3 controls only
  stave test --controls ./controls --filter "CTL.S3.*"

Flags:
      --control string    test a single control YAML file
  -i, --controls string   test all controls in directory
      --fail-fast         stop on first failure
      --filter string     run only controls matching pattern
  -f, --format string     output format: table | json | tap (default "table")
  -h, --help              help for test
  -v, --verbose           show passing tests

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)
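
A CI wrapper for the command above, as an added example that is not part of stave or its documentation: it runs the control tests with TAP output plus the --require-offline, --sanitize and --no-color global flags, maps the documented exit codes to distinct outcomes, and fails closed on any other code. STAVE_BIN, stave_classify and stave_gate are names assumed for this sketch.

```shell
# Added example: CI gate around `stave test` (not stave's own code).
# STAVE_BIN, stave_classify and stave_gate are assumed names.
STAVE_BIN="${STAVE_BIN:-stave}"

# Translate a `stave test` exit code into an outcome label.
stave_classify() {
  case "$1" in
    0) echo "pass" ;;            # documented: all tests passed
    1) echo "test-failure" ;;    # documented: one or more tests failed
    2) echo "invalid-input" ;;   # documented: invalid input
    *) echo "runner-error" ;;    # undocumented code, e.g. 127 when the binary is missing
  esac
}

# Run the tests for one controls directory (default: ./controls).
# TAP goes to stdout for the CI test reporter, the outcome label to stderr.
# Returns 0 only on a clean pass; 1, 2 and 3 keep the failure classes apart
# so a pipeline can tell a failing control test from a broken job.
stave_gate() {
  controls_dir="${1:-./controls}"
  rc=0
  # `|| rc=$?` records the exit code without tripping `set -e` in the caller.
  # --require-offline makes the run fail if proxy variables are set,
  # --sanitize keeps bucket names, ARNs and policies out of the CI log,
  # --no-color keeps ANSI escapes out of the TAP stream.
  "$STAVE_BIN" test --controls "$controls_dir" --format tap \
    --require-offline --sanitize --no-color || rc=$?

  outcome=$(stave_classify "$rc")
  echo "stave test: $outcome (exit $rc)" >&2

  case "$outcome" in
    pass)          return 0 ;;
    test-failure)  return 1 ;;
    invalid-input) return 2 ;;
    *)             return 3 ;;   # fail closed on anything unexpected
  esac
}
```

In a pipeline step, source the file and call `stave_gate ./controls` as the last command so its return code becomes the step result.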