Skip to main content

Learn

Hello World

Install, then evaluate a bundled fixture — first finding in well under a minute:

# build the binary (syncs schemas, then go build)
cd stave && make build

# evaluate a snapshot against the built-in controls
stave apply --observations ./examples/challenge-fixtures/ --format text --eval-time 2025-01-01T00:00:00Z

You'll see findings like:

CTL.S3.PUBLIC.001  NON_COMPLIANT
asset: s3://acme-prod-assets
evidence: bucket policy grants s3:GetObject to Principal:* ; no Public Access Block
verdict: publicly readable
security_state: NON_COMPLIANT

A control is just YAML with a CEL predicate — here's the shape:

dsl_version: ctrl.v1
id: CTL.S3.PUBLIC.001
applicable_asset_types: [aws_s3_bucket]
unsafe_predicate:
all:
- field: properties.storage.access.public_read
op: eq
value: true

→ Full walkthrough: Your First Evaluation.

Your environment: first finding in 15 minutes

If you have data already, skip the fixture and go straight to a finding:

Already running AWS Config?

# Sync Config snapshots from your delivery bucket
aws s3 sync s3://your-config-bucket/AWSLogs/ACCOUNT/Config/ ./config-snapshots/
stave transform --source aws-config --input ./config-snapshots/ --output ./observations/
stave apply --observations ./observations/

→ See Import Config Snapshots.

Have Steampipe installed?

steampipe query "select arn, policy, tags from aws_s3_bucket" --output json > buckets.json
python3 steampipe_to_obs.py buckets.json > observations/s3.json
stave apply --observations ./observations/

→ See From Steampipe to Stave.

Starting from scratch?

./examples/collectors/aws_minimal_collector.py --services s3,iam,cloudtrail > observations/snapshot.json
stave apply --observations ./observations/

→ See Create Snapshots.

The critical-findings template targets S3, IAM, and CloudTrail first — the services with the highest expected findings per minute:

stave recommend --snapshot ./observations/
stave template init critical-findings
stave apply --values ./stave-values.yaml --observations ./observations/

Zero findings?

A clean run is a negative-assurance artifact: the controls were evaluated, the services were covered, and no unsafe state was found. In audit and diligence framing, this is a positive deliverable.

Documentation

The docs are organised by the Diátaxis model so you can find what you need by intent:

Confidence

  • Every finding includes an evidence line and a reasoning trace via --verbose — you can see why.
  • Output is deterministic — reproducible in review and CI.
  • The case studies show the engine against 30 real incidents.

Next: Build — fix a finding, write a custom control, gate a pipeline.