
Introduction

Stave is a configuration safety evaluator that detects infrastructure misconfigurations by analyzing exported configuration snapshots locally, without requiring cloud credentials or API access.

Infrastructure misconfigurations (public S3 buckets, missing encryption, overly permissive IAM policies) are the root cause of most cloud data breaches. Traditional security scanners require live API access to your cloud accounts, which expands your attack surface and creates credential management overhead. Stave's approach is different: export your infrastructure configuration as JSON snapshots, and Stave evaluates them against a library of safety controls offline. No credentials leave your environment. No network calls are made.

Stave is built for platform engineers, DevSecOps teams, and security teams at companies with compliance requirements like HIPAA. It ships with 43 controls covering S3 public access, encryption, access control, lifecycle management, data retention, and tenant isolation. It tracks how long resources remain in unsafe states over time, detects recurrence patterns, and produces structured findings with remediation guidance.

TODO

This is out of date. We now use docker compose.

Try it without installing anything:

docker build -f docs-content/demo/Dockerfile -t stave-demo .
docker run --rm stave-demo

This runs 7 curated scenarios based on real HackerOne bug bounty reports. See the Demo for details.

Or build from source:

git clone https://github.com/sufield/stave.git && cd stave && make build
./stave apply --controls controls/s3 --observations ./observations --max-unsafe 7d