Stave

Detect insecure cloud configurations using local snapshots — no credentials, no network access, no runtime agents.

Why Stave

Cloud security tools either require live API access (CSPM) or only lint templates before deployment (IaC policy). Neither evaluates actual running configurations offline or tracks how long misconfigurations persist.

Stave fills this gap. Define safety controls in YAML, compile them to CEL, and evaluate JSON configuration snapshots locally. Any vendor, any asset type, deterministic output, air-gapped by design.

Features

  • 53 built-in S3 controls across 15 categories — public exposure, ACL escalation, encryption, network restriction, Access Grants, Multi-Region Access Points, CloudFront OAC, and more
  • Unsafe duration tracking — detects how long assets remain misconfigured across snapshots
  • HIPAA compliance pack — controls mapped to HIPAA Security Rule sections with compound risk detection
  • Custom controls — YAML with unsafe_predicate for any asset type, no code changes
  • CI/CD ready — exit codes, SARIF output, baseline tracking, policy gating
  • Extensible by design — new properties and controls are additive and backward-compatible

Install

brew tap sufield/tap && brew install stave

Or build from source:

git clone https://github.com/sufield/stave.git
cd stave && make build

Quick start

# Initialize project with built-in S3 controls
stave init --profile aws-s3

# Place observation snapshots in observations/
# (at least two snapshots for duration-based controls)

# Validate inputs
stave validate

# Evaluate and produce findings
stave apply --format json

# Investigate unexpected results
stave diagnose

How it works

Extract → Validate → Apply → Act

1. Extract    Capture asset configs as obs.v0.1 JSON (extractor is external)
2. Validate   Check inputs are well-formed and complete
3. Apply      Evaluate snapshots against safety controls, produce findings
4. Act        Review findings, remediate, re-evaluate

Extraction is out of scope — Stave evaluates observations, it does not fetch data from cloud providers. Extractors are separate programs (any language) that produce obs.v0.1 JSON. See Building an Extractor.

Usage examples

Standard evaluation

stave apply --format json > evaluation.json

HIPAA compliance

stave apply --profile hipaa --input observations.json --format json

CI/CD gating

stave ci baseline save
stave apply --format json | stave ci gate --fail-on new

SARIF for GitHub Security

stave apply --format sarif > results.sarif

Extensibility

Add new detection capabilities without engine changes:

  1. Extract: write an extractor that outputs obs.v0.1 JSON
  2. Author: write a YAML control with unsafe_predicate
  3. Evaluate: run stave apply --controls ./my-controls

New observation properties are additive and backward-compatible. Existing controls ignore new fields. New controls check them. This is how the Access Grants, MRAP, and CloudFront OAC controls were added — zero Go changes, 6 YAML files, 6 test fixtures.
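Added example, not Stave's own code: a small Go program that sketches the two ideas above, unsafe-duration tracking across time-ordered snapshots (the reason the quick start asks for at least two of them) and additive observation properties that older controls simply ignore. The snapshot shape, the property names public_access_block and mrap_public_access_block, the control ids and the three sample snapshots are all constructed for the illustration; they are not the obs.v0.1 schema or the built-in controls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Observation is a constructed, simplified snapshot shape, not the obs.v0.1 schema.
// Properties stay a generic map so fields a control does not know about are ignored.
type Observation struct {
	ObservedAt time.Time                 `json:"observed_at"`
	Assets     map[string]map[string]any `json:"assets"` // asset id -> properties
}

// Control pairs a control id with an unsafe predicate over one asset's properties.
type Control struct {
	ID     string
	Unsafe func(props map[string]any) bool
}

// explicitlyFalse fires only when a boolean property is present and false, so a
// snapshot from an older extractor that lacks a newer field is not reported unsafe.
func explicitlyFalse(props map[string]any, key string) bool {
	v, ok := props[key].(bool)
	return ok && !v
}

// Hypothetical controls: one on a long-standing property, one on a property assumed
// to have been added later. Neither needs to know about the other's field.
var Controls = []Control{
	{ID: "public.block_disabled", Unsafe: func(p map[string]any) bool { return explicitlyFalse(p, "public_access_block") }},
	{ID: "network.mrap_pab_disabled", Unsafe: func(p map[string]any) bool { return explicitlyFalse(p, "mrap_public_access_block") }},
}

// Finding records how long an asset has been continuously unsafe for a control.
type Finding struct {
	AssetID, ControlID string
	UnsafeFor          time.Duration // latest snapshot minus start of the unsafe run
	Snapshots          int           // consecutive unsafe snapshots ending at the latest
}

// Evaluate orders snapshots by time and, for each asset/control pair that is unsafe
// in the latest snapshot, walks backwards to find when the unsafe run began.
// Findings are sorted so repeated runs over the same input give identical output.
func Evaluate(obs []Observation, controls []Control) []Finding {
	if len(obs) == 0 {
		return nil
	}
	sorted := append([]Observation(nil), obs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].ObservedAt.Before(sorted[j].ObservedAt) })
	latest := sorted[len(sorted)-1]
	var findings []Finding
	for assetID, props := range latest.Assets {
		for _, c := range controls {
			if !c.Unsafe(props) {
				continue
			}
			start, n := latest.ObservedAt, 1
			for i := len(sorted) - 2; i >= 0; i-- {
				p, ok := sorted[i].Assets[assetID]
				if !ok || !c.Unsafe(p) {
					break // asset absent or safe here, so the run starts after this snapshot
				}
				start, n = sorted[i].ObservedAt, n+1
			}
			findings = append(findings, Finding{assetID, c.ID, latest.ObservedAt.Sub(start), n})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].AssetID+"/"+findings[i].ControlID < findings[j].AssetID+"/"+findings[j].ControlID
	})
	return findings
}

// SampleSnapshots are constructed: three daily snapshots, the third from a newer
// extractor that also emits mrap_public_access_block.
var SampleSnapshots = []string{
	`{"observed_at":"2024-01-01T00:00:00Z","assets":{"bucket-a":{"public_access_block":false},"bucket-b":{"public_access_block":true}}}`,
	`{"observed_at":"2024-01-02T00:00:00Z","assets":{"bucket-a":{"public_access_block":false},"bucket-b":{"public_access_block":false}}}`,
	`{"observed_at":"2024-01-03T00:00:00Z","assets":{"bucket-a":{"public_access_block":false,"mrap_public_access_block":false},"bucket-b":{"public_access_block":true}}}`,
}

// LoadSnapshots parses raw JSON snapshots; a malformed snapshot aborts the run.
func LoadSnapshots(raw []string) ([]Observation, error) {
	out := make([]Observation, len(raw))
	for i, r := range raw {
		if err := json.Unmarshal([]byte(r), &out[i]); err != nil {
			return nil, fmt.Errorf("snapshot %d: %w", i, err)
		}
	}
	return out, nil
}

func main() {
	obs, err := LoadSnapshots(SampleSnapshots)
	if err != nil {
		panic(err)
	}
	for _, f := range Evaluate(obs, Controls) {
		fmt.Printf("%s %s unsafe for %v across %d snapshot(s)\n", f.AssetID, f.ControlID, f.UnsafeFor, f.Snapshots)
	}
}
```

On the sample input, bucket-a has had its public access block disabled in all three snapshots, so the finding reports 48h across 3 snapshots; the MRAP control only fires on the newest snapshot because the older extractor never emitted that field, so its duration is 0 across 1 snapshot. bucket-b was unsafe in the middle snapshot but is safe in the latest one and produces no finding; an evaluator that only looked at the latest snapshot would never have known it had been exposed for a day, which is exactly the gap that duration tracking across snapshots closes.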

Built-in controls

53 controls across 15 categories:

| Category | Count | What they detect |
|---|---|---|
| public | 15 | Public read/write/list, website hosting, prefix exposure, CloudFront bypass |
| acl | 3 | ACL escalation, reconnaissance, FULL_CONTROL grants |
| access | 8 | Cross-account, wildcard actions, presigned URLs, Access Grants |
| encrypt | 4 | Missing encryption at rest/in transit, KMS for PHI |
| network | 5 | VPC/IP conditions, VPC endpoint policy, Multi-Region Access Point PAB |
| versioning | 2 | Disabled versioning, missing MFA delete |
| lock | 3 | Object lock mode, retention period |
| logging | 2 | Access logging, CloudTrail object-level audit |
| lifecycle | 2 | Lifecycle rules, PHI retention |
| governance | 1 | Data classification tags |
| write_scope | 2 | Upload scope, content type restriction |
| tenant | 1 | Prefix-based tenant isolation |
| takeover | 2 | Dangling bucket references, CDN origins |
| artifacts | 1 | VCS artifacts on public buckets |
| misc | 2 | Incomplete data, completeness checks |

Full reference: Control authoring guide

Documentation

| Document | Description |
|---|---|
| Quickstart | Get your first finding in 5 minutes |
| Building an extractor | LLM-assisted extractor generation |
| Authoring controls | Write custom YAML controls |
| Evaluation semantics | How duration tracking works |
| Architecture | System design overview |
| FAQ | Common questions |
| Full docs index | Everything else |

Contributing

See CONTRIBUTING.md for setup, development workflow, and PR guidelines.

License

Apache License 2.0
