Skip to main content

Unified Security Record Schema

Version: schema_version: "1" — increment on breaking changes.

Top-Level Fields

FieldTypeDescription
schema_versionstringAlways "1"
generated_atISO 8601When the unified record was produced
resource_arnstringAWS resource ARN — the join key
resource_typestringAsset type (e.g., lambda_function, s3_bucket)

stave Section

Populated directly from out.v0.1 finding fields. No transformation.

FieldTypeSource
finding_idstringfinding.finding_id
control_idstringfinding.control_id
control_namestringfinding.control_name
severitystringfinding.control_severity (critical/high/medium/low)
attack_stagestringFrom control params (initial_access, exfiltration, etc.)
verdictstringfail or pass
finding_messagestringfinding.evidence.temporal_risk
compliancearrayfinding.control_compliance mapped to [{framework, requirement}]
remediationobjectfinding.remediation with action, confidence, changes
assessed_atISO 8601run.now from the assessment

vulnerabilities Section

Populated by the adapter from scanner tool output. Zero entries is valid.

FieldTypeSource
sourcestringScanner name (grype, trivy)
cve_idstringCVE identifier
package_namestringVulnerable package
package_versionstringInstalled version
fixed_versionstringVersion with fix (empty if none)
cvss_scorefloatCVSS v3 base score
cvss_vectorstringCVSS v3 vector string
severitystringScanner's severity classification
descriptionstringCVE description

combined_risk Section

Computed by the adapter from both inputs.

FieldTypeDescription
stave_severitystringFrom Stave finding
max_vuln_cvssfloatHighest CVSS score from vulnerabilities (0 if none)
compound_risk_notestringHuman-readable observation when Stave severity is critical/high AND max CVSS > 7.0. Empty otherwise.

Join Algorithm

  1. Load all Stave findings from out.v0.1 (findings[] array)
  2. Load all scanner vulnerabilities from scanner JSON output
  3. For each Stave finding, match scanner vulnerabilities where the scanned target corresponds to the finding's resource_arn
  4. Emit one unified record per finding with matched vulnerabilities attached
  5. Findings with no matching vulnerabilities get an empty vulnerabilities: []

Valid Values

  • severity: critical, high, medium, low, info
  • attack_stage: initial_access, credential_access, persistence, privilege_escalation, lateral_movement, exfiltration, detection_evasion, resilience
  • verdict: fail, pass, acknowledged