Build
Proof of concept
A working PoC is three steps:
- Snapshot your config — point the AWS CLI, Terraform, or an extractor at
the resources you care about and emit
obs.v0.1JSON. → How to create snapshots. - Pick or write controls — start with the built-in catalog; add your own when you need to. → Write your first custom control.
- Evaluate + gate — run
stave applyin CI and gate on exit code 3. → CI integration.
stave apply --observations ./snapshot/ --format sarif > findings.sarif
# exit 0 = clean, 3 = violations (fail the pipeline), 2 = input error
Most teams get a finding on their own config the same afternoon.
Developer experience
- Sandbox: the bundled demo scenarios are a ready-made sandbox —
curated S3 misconfigurations you can run, read, and modify without any cloud
setup. Clone,
stave apply, tweak a setting, watch the verdict change. - Plain-file inputs, deterministic output, grep-friendly text or structured JSON/SARIF — it drops into existing pipelines without fuss.
- Fail-loud philosophy: degraded/unknown states are surfaced, never silently passed.
Support
Email bparanj@gmail.com — bug reports, control-authoring
questions, "is this the right tool for X?". Include the command you ran and the
output. Use --sanitize to scrub identifiers before sharing.
Next: Scale — run Stave continuously, expand coverage, generate evidence.