alias | Manage command aliases |
alias delete | Delete an alias |
alias list | List all aliases |
alias set | Create or update an alias |
attest | Snapshot tamper detection via Ed25519 signatures |
attest keygen | Generate a new Ed25519 key pair for snapshot attestation |
attest sign | Sign a snapshot's assets with an Ed25519 private key |
attest verify | Verify an attested snapshot against a public key |
bisect | Find when a control was first violated |
bundle | Generate a sealed evidence bundle for air-gap GRC integration |
bundle audit | Assemble a compliance-period evidence package |
capabilities | Print supported input types and version constraints (default) or a user-facing catalog (subcommand) |
capabilities catalog | Print the user-facing capability catalog |
cel | CEL expression tools |
cel eval | Evaluate a CEL expression against observation assets |
check | Compare before/after evaluations to check remediation |
compare | Compare compliance posture between two frameworks |
contract | Inspect Stave's per-asset-type input contracts |
contract show | Show the agent-facing contract for an asset type |
controls | Work with control definitions |
controls alias-explain | Show expanded predicate for an alias |
controls aliases | List built-in semantic predicate aliases |
controls explain | Explain a specific control |
controls list | List control IDs and names |
controls quality | Analyze control catalog metadata completeness and coverage gaps |
controls search | Search the built-in control catalog |
coverage | Analyze observation field coverage against control predicates |
diff | Compare two observation snapshots or control catalogs |
doctor | Check local environment readiness for Stave workflows |
exempt | Manage risk acceptances (acknowledgments, exceptions, exemptions) |
exempt acknowledge | Add a formal risk acceptance |
exempt asset | Add a scope exclusion (exemption) |
exempt except | Add an operational suppression |
exempt export | Export risk register as OSCAL POA&M |
exempt history | Show full audit trail including expired entries |
exempt list | List all active risk acceptances |
exempt remove | Mark an acknowledgment as revoked |
exempt suggest | Suggest exemptions for chronic/oscillating findings |
exempt upcoming | Show acceptances approaching expiry |
exempt validate | Validate the acceptance file |
export | Export controls and compliance evidence |
export changes | Export remediation property changes from assessment findings |
export compliance | Export compliance evidence package |
export ocsf | Export findings as OCSF 1.1 Compliance Finding events |
export oscal | Export findings as OSCAL 1.1.2 Assessment Results JSON |
export tickets | Export findings as canonical ticket records |
export-controls | Export the control catalog for external solver consumption |
export-sir | Export the Stave Intermediate Representation as JSON |
fingerprint | Policy fingerprint diagnostics |
fingerprint explain | Show the policy fingerprint preimage and diagnosis |
fmt | Format control and observation files deterministically |
forge | Author and test custom controls |
forge chain | Author and validate custom chains |
forge chain lint | Validate chain YAML |
forge lint | Static analysis for control YAML files |
forge new | Interactive control authoring wizard |
forge paths | List available observation property paths from a snapshot |
forge preview | Evaluate a predicate against a snapshot without writing files |
forge scaffold | Generate test fixtures from a real snapshot |
forge test | Run fixture-based assertions against a control |
gaps | Report which observation properties are absent and what they unlock |
graph | Visualize control and asset relationships |
graph coverage | Show which controls cover which assets |
graph export | Export assessment as JSON, STIX 2.1, JSON-LD, or GraphML |
lint | Lint control files for design quality |
map | ATT&CK tactic coverage and gap analysis |
metrics | Write Prometheus scrape file for node_exporter |
packs | Inspect built-in control packs |
packs list | List available built-in packs |
packs show | Show one built-in pack and its control IDs |
path | Export attack path graph data from active chain findings |
permissions | Query net effective permissions from a snapshot |
permissions principal | Resolve permissions for a specific principal ARN |
permissions resource | Show who has effective access to a resource |
permissions summary | Aggregate NEP metrics across all principals |
profile | Manage compliance profiles |
profile create | Generate a starter profile YAML |
profile list | List available compliance profiles |
profile validate | Validate a profile file |
readiness | Report what Stave can and cannot evaluate given the supplied observations |
sanitize | Sanitize a snapshot for cross-boundary sharing |
schemas | List all contract schemas |
score | Compute security posture score (0-100) |
scorecard | Multi-framework compliance scorecard |
search | Find catalog entries matching a free-form intent |
telemetry | Emit structured NDJSON telemetry from assessment output |
test | Run embedded control test cases |
trend | Analyze compliance posture trends across assessment runs |
trend forecast | Project posture score trajectory with SLA breach warnings |
trend oscillation | Classify violation oscillation patterns across assessment history |
trend predict | Project compliance readiness achievement date |
validate-mapping | Validate a Steampipe→Stave mapping file before use |
version | Print version and environment state |