Stave finds dangerous combinations in your cloud configuration that single-check scanners miss. A correctly-scoped IAM role, a properly-private S3 bucket, and a correctly-configured Cognito identity pool can compose into a path that lets anonymous users reach patient data. Stave detects these compound risks on static configuration snapshots — no cloud credentials required.
One-click: Use the Open in GitHub Codespaces badge above — pre-configured; start at Skill 2.
VS Code / Cursor: Clone and reopen in the devcontainer (.devcontainer/) — start at Skill 2.
Docker: `docker run --rm -v ~/snapshot:/data:ro ghcr.io/sufield/stave apply --observations /data/`
Manual: See _skills/_setup, then follow the progression.
Six executable skills guide you from install to real-environment evaluation. Each skill is a markdown file your AI coding agent (Claude Code, Cursor) can read and execute — or you can follow manually.
| # | Skill | Time | AWS needed? |
|---|---|---|---|
| 1 | _setup | 5 min | No |
| 2 | first-evaluation | 10 min | No |
| 3 | lab-validation | 30 min | Sandbox ($0) |
| 4 | write-your-first-control | 20 min | No |
| 5 | reasoning-engines | 30 min | No |
| 6 | snapshot-your-account | 30 min | Yes (read-only) |
Devcontainer and Codespaces users skip Skill 1 — the environment is pre-configured.
Your AI agent has admin access. Your scanner says you're compliant.
```bash
bash examples/demo-ai-security/run.sh
```

A Bedrock agent with broad Lambda invoke + no guardrail + a Lambda tool that reaches a PHI-tagged S3 bucket is the canonical AI compound failure mode: every component-level check passes.
- Encryption ✅
- VPC ✅
- Model allowlist ✅
- Public access blocked ✅
The dashboard is green. Stave's compound chains compose those individually-passing settings into the attack story they describe — agent → Lambda → S3 PHI, no audit trail.
The five-act demo above is the 90-second version. The 20-minute conference talk lives at docs/talks/ai-security-2026/ with slides, speaker notes, voiceover script, and a recording runbook for the YouTube / dev.to MP4.
Every AI control maps to the OWASP Non-Human Identity (NHI) Top 10 — see docs/compliance/owasp-nhi-top10.md for the full 235-control mapping.
| | Checklist scanners | Stave |
|---|---|---|
| Checks | Individual settings on individual resources | Compositions across multiple resources |
| Finds | "Bucket not encrypted" (attribute) | "This bucket is reachable through an unauthenticated identity pool" (path) |
| Knows your intent? | No — universal baselines | Yes — reads your tags, trust policies, and declared purpose |
| Output | Hundreds of findings, most are known | A handful of compound chains, each naming root cause and fix |
| Proof | Scan result (point-in-time opinion) | Deterministic, traceable evidence chain |
| Credentials | Requires cloud API access | Runs on static snapshots — air-gapped, no credentials |
Stave doesn't replace your scanner. It finds what your scanner structurally cannot — the compound risks that exist in the relationships between individually-correct configurations.
Static configuration snapshots in, deterministic findings out. No cloud credentials, no API calls, no network access. Same inputs produce the same outputs; every conclusion carries the evidence chain that derived it.
- 2673 built-in controls across 74 domains — S3, IAM, VPC, EC2, RDS, Lambda, ECS, EKS, CloudTrail, KMS, OpenSearch, SageMaker, Bedrock, Cognito, and 60 more.
- 23 ghost-reference controls — cross-inventory detection of pointers to deleted resources (IAM → role, agent → Lambda, CNAME → S3 bucket). Single-resource scanners can't see absence.
- 603 compound chain definitions — multi-step attack paths across identity, data, audit, and recovery surfaces; 5 of those land on AI agent identity (Bedrock + Lambda + S3 PHI, RAG → PHI, notebook → prod role).
- 10 compliance profiles — HIPAA, CIS AWS v3.0, SOC 2, PCI-DSS v4.0, NIST 800-53, FedRAMP, GDPR, FFIEC, ISO 27001, NIST CSF 2.0.
- Coverage benchmarks — Full OWASP Top 10, 15/15 ATT&CK cloud techniques tested by Atomic Red Team, 20/21 Rhino Security Labs privilege-escalation techniques.
Every control in the catalog traces to a documented security failure — HackerOne disclosures, public breach postmortems, AWS security advisories, and Mandiant/GTIG incident reports. The catalog wasn't designed from a compliance checklist. It was built backward from how infrastructure actually gets compromised.
See docs/index.md for the full feature index: drift, watch, rank, bundle, graph export, custom controls, CI gating, SARIF, evidence bundles.
Three options, lowest-friction first. All three end at the same first command — bash examples/demo-ai-security/run.sh — and all three honor every flag/path in the workflow guides.
A pre-configured workspace with stave, stave-mcp, Steampipe, the full catalog, and every example already in place:
```bash
# From a checkout of this repo:
coder templates push stave --directory stave-workspace
coder create my-stave --template stave
```

See stave-workspace/README.md for import, customization (own fork, additional Steampipe plugins), and what the template does and doesn't include.
Same image, run directly:
```bash
# Build from this checkout (no daemon-side Coder needed):
cd stave && docker build -f stave-workspace/Dockerfile -t stave-workspace:edge .
docker run --rm -it stave-workspace:edge bash -lc 'bash ~/examples/demo-ai-security/run.sh'
```

```bash
go install github.com/sufield/stave/cmd/stave@latest
go install github.com/sufield/stave/cmd/stave-mcp@latest
# Or build from a clone:
git clone https://github.com/sufield/stave.git && cd stave && make build
```

For formal verification, blast-radius enumeration, or compound-attack proofs, install the optional reasoning engines (Z3, cvc5, Soufflé, Clingo, Prolog, PySAT) — or click Open in Codespaces above, which pre-installs all of them.
```bash
bash examples/demo-s3-public-read/run.sh   # Public S3 bucket
bash examples/demo-ai-security/run.sh      # Bedrock + Lambda + S3 PHI
```

```bash
bash scripts/aws-snapshot.sh ./my-snapshot   # read-only AWS CLI calls; AES/SecurityAudit creds suffice
stave apply --observations ./my-snapshot
```

See docs/quickstart-own-data.md for prerequisites, the property mapping, and the time-budget breakdown.
Bring your own data: See examples/agents/ for starter templates that transform Steampipe output into Stave observations.
```bash
# Place observation snapshots in observations/
# (at least two snapshots for duration-based controls)
# Validate inputs
stave validate
# Evaluate and produce findings
stave apply
# Investigate unexpected results
stave diagnose
```

The pipeline is Extract → Apply → Act.
- Extract. An external collector (cloud APIs, Terraform state, the bundled `scripts/aws-snapshot.sh`, or your own) produces `obs.v0.1` JSON. Stave never touches your cloud directly.
- Apply. Stave evaluates each control's predicate against each asset, then composes the resulting findings into compound chains (multiple co-failing controls on related assets = one chain finding).
- Act. Findings ship with explicit remediation, severity, and the evidence chain that justified them. Optionally pipe to nine external reasoning engines (Z3, Soufflé, Clingo, Prolog, …) for formal proofs, blast-radius enumeration, or attacker-cost ROI.
Full architecture in docs/architecture/overview.md. The reasoning-engine catalog and what each one answers: docs/engines.md (in docs/index.md).
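
The composition rule in the Apply step (co-failing controls on related assets become one chain finding), sketched as an added example that is not Stave's code. The control ids, asset ids, edge map and chain layout are all constructed for illustration and are not Stave's schema.

```python
# Added illustration: composing per-asset findings into one compound chain.
# Every id below and the chain/edge layout are hypothetical, not Stave's format.

# Constructed findings: (control_id, asset_id) pairs that failed evaluation.
FINDINGS = {
    ("EX.AGENT.NO_GUARDRAIL", "agent/claims-bot"),
    ("EX.AGENT.BROAD_INVOKE", "agent/claims-bot"),
    ("EX.LAMBDA.S3_READ_ANY", "lambda/fetch-records"),
    ("EX.S3.PHI_NO_ACCESS_LOG", "s3/patient-records"),
    ("EX.S3.PHI_NO_ACCESS_LOG", "s3/marketing-assets"),  # not on any path
}

# Constructed relationships between assets: source -> assets it can reach.
EDGES = {
    "agent/claims-bot": ["lambda/fetch-records"],
    "lambda/fetch-records": ["s3/patient-records"],
}

# One chain: an ordered list of steps. Each step names the controls that must
# all be failing on the asset at that position of the path.
CHAIN = {
    "id": "EX.CHAIN.AGENT_TO_PHI",
    "steps": [
        ["EX.AGENT.NO_GUARDRAIL", "EX.AGENT.BROAD_INVOKE"],
        ["EX.LAMBDA.S3_READ_ANY"],
        ["EX.S3.PHI_NO_ACCESS_LOG"],
    ],
}

def step_fails(asset, controls, findings):
    """True when every control of the step has a finding on this asset."""
    return all((c, asset) in findings for c in controls)

def match_chain(chain, findings, edges):
    """Return one chain finding per asset path on which all steps co-fail."""
    steps = chain["steps"]
    assets = sorted({a for _, a in findings})
    paths = [[a] for a in assets if step_fails(a, steps[0], findings)]
    for controls in steps[1:]:
        # Extend each partial path only along declared relationships.
        paths = [p + [n] for p in paths for n in edges.get(p[-1], [])
                 if step_fails(n, controls, findings)]
    return [{"chain": chain["id"], "path": p,
             "evidence": [(c, a) for a, cs in zip(p, steps) for c in cs]}
            for p in paths]
```

Removing any single finding on the path makes `match_chain` return an empty list, which is why a chain finding can name the specific settings whose fix breaks the path.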
```bash
stave apply --profile hipaa --input observations.json --include-all
# Also: cis-aws-v3.0, soc2, pci-dss-v4.0, nist-800-53, fedramp,
# gdpr, ffiec, iso-27001, nist-csf-2.0
```

```bash
stave ci baseline save
stave apply --format sarif > results.sarif   # for GitHub Security
stave apply --format json | stave ci gate --fail-on new
```

New controls are YAML — no Go changes required. The forge toolchain handles the full lifecycle:
```bash
stave forge paths --snapshot obs.json --asset-type aws_s3_bucket                      # 1. discover fields
stave forge preview --snapshot obs.json --field ... --op eq --value true              # 2. test predicate
stave forge new --id CTL.S3.TAGS.001 --name "..." --field ... --severity high         # 3. generate control + fixtures
stave forge test --control controls/s3/... --pass fix-pass.json --fail fix-fail.json  # 4. TDD
stave forge lint --control controls/s3/ --semantic --strict                           # 5. static analysis
stave validate --controls controls/ --observations obs/                               # 6. structural check
stave apply --controls ./my-controls --observations obs/                              # 7. end-to-end proof
```

Controls are `unsafe_predicate:` match rules (`all:`/`any:` groups of field/op/value). Point `stave apply --controls ./my-controls` at any directory and the engine evaluates them alongside the built-in catalog. See authoring controls.
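
A minimal evaluator for `all:`/`any:` groups of field/op/value rules, added here as an illustration and not taken from Stave. Only the `eq` op appears on this page, so the `missing` op, the dict layout and the field names are assumptions; the point is that a field the collector never captured has to be handled explicitly instead of silently passing.

```python
# Added illustration of all:/any: predicate groups over field/op/value rules.
# Assumptions: the dict layout, the "missing" op, and every field name.

_MISSING = object()  # sentinel: distinguishes "absent" from None/False values

def lookup(asset, dotted):
    """Walk a dotted field path; return _MISSING if any segment is absent."""
    cur = asset
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur

OPS = {
    # An absent field never equals anything, so "eq" alone cannot flag it.
    "eq": lambda got, want: got is not _MISSING and got == want,
    # Hypothetical op: value True matches absent fields, False matches present.
    "missing": lambda got, want: (got is _MISSING) == want,
}

def matches(pred, asset):
    """True when the asset satisfies the unsafe-predicate tree."""
    if "all" in pred:
        return all(matches(p, asset) for p in pred["all"])
    if "any" in pred:
        return any(matches(p, asset) for p in pred["any"])
    return OPS[pred["op"]](lookup(asset, pred["field"]), pred["value"])

# Constructed control: a PHI-tagged bucket is unsafe when access logging is
# off OR the logging field was never collected.
UNSAFE = {"all": [
    {"field": "tags.data-class", "op": "eq", "value": "phi"},
    {"any": [
        {"field": "logging.enabled", "op": "eq", "value": False},
        {"field": "logging.enabled", "op": "missing", "value": True},
    ]},
]}

# Constructed assets covering each branch of the predicate.
PHI_LOGGED = {"tags": {"data-class": "phi"}, "logging": {"enabled": True}}
PHI_SILENT = {"tags": {"data-class": "phi"}, "logging": {"enabled": False}}
PHI_UNKNOWN = {"tags": {"data-class": "phi"}}  # logging never collected
PUBLIC_SITE = {"tags": {"data-class": "public"}, "logging": {"enabled": False}}
```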
2673 controls across 74 domains. Largest surfaces today: AWS S3 (124), AWS IAM (177), AWS OpenSearch (132), GCP Cloud Storage (7), DNS (3, vendor-agnostic dangling-reference detection).
Full reference and per-domain breakdowns: docs/controls/reference.md.
| Guide | Description |
|---|---|
| Quickstart | Get your first finding in 5 minutes |
| Building an extractor | Steampipe, CloudQuery, AWS Config, or custom |
| Authoring controls | Write custom YAML controls with the forge toolchain |
| Pre-commit hook | Block unsafe configs before commit |
| Atlantis integration | Evaluate Terraform plans before apply |
| Risk reasoning | Compound risk scoring and safety chains |
| Identity blast radius | Credential compromise reach analysis |
| Unauthenticated reachability | Anonymous access path detection |
| Data exfiltration | Reverse reachability: how data gets out |
| Drift detection | Configuration drift as violation |
| Evidence bundling | Signed portable evidence for GRC |
| Remediation ranking | Prioritized remediation roadmap |
| Evaluation semantics | How duration tracking works |
| Architecture | System design overview |
| FAQ | Common questions |
| Full docs index | Everything else |
See CONTRIBUTING.md for setup, development workflow, and PR guidelines.
