Stave

Stave finds dangerous combinations in your cloud configuration that single-check scanners miss. A correctly-scoped IAM role, a properly-private S3 bucket, and a correctly-configured Cognito identity pool can compose into a path that lets anonymous users reach patient data. Stave detects these compound risks on static configuration snapshots — no cloud credentials required.

What it finds

Your AI agent has admin access. Your scanner says you're compliant.

bash examples/demo-ai-security/run.sh

A Bedrock agent with broad Lambda invoke + no guardrail + a Lambda tool that reaches a PHI-tagged S3 bucket is the canonical AI compound failure mode: every component-level check passes.

• Encryption ✅
• VPC ✅
• Model allowlist ✅
• Public access blocked ✅

The dashboard is green. Stave's compound chains compose those individually-passing settings into the attack story they describe — agent → Lambda → S3 PHI, no audit trail.

The five-act demo above is the 90-second version. The 20-minute conference talk lives at docs/talks/ai-security-2026/ with slides, speaker notes, voiceover script, and a recording runbook for the YouTube / dev.to MP4.

AI surface	Controls	Compound chains
Bedrock agent overprivilege + lifecycle	8	1 (bedrock_agent_overpermissioned)
SageMaker execution-role overprivilege + lifecycle	8	1 (sagemaker_training_role_overprivileged)
AI data-boundary violations (RAG indexing PHI, cross-account training)	6	1 (bedrock_rag_phi_exposure)
Cross-service AI compounds (agent → Lambda → S3, notebook → prod role)	4	2 (bedrock_agent_tool_phi_exposure, sagemaker_notebook_production_escape)
Shadow agent governance + ghost references	6	0
Total	32	5 (taxonomy)

Every AI control maps to the OWASP Non-Human Identity (NHI) Top 10 — see docs/compliance/owasp-nhi-top10.md for the full 235-control mapping.

Scanners vs Risk Reasoners

	Checklist scanners	Stave
Checks	Individual settings on individual resources	Compositions across multiple resources
Finds	"Bucket not encrypted" (attribute)	"This bucket is reachable through an unauthenticated identity pool" (path)
Knows your intent?	No — universal baselines	Yes — reads your tags, trust policies, and declared purpose
Output	Hundreds of findings, most are known	A handful of compound chains, each naming root cause and fix
Proof	Scan result (point-in-time opinion)	Deterministic, traceable evidence chain
Credentials	Requires cloud API access	Runs on static snapshots — air-gapped, no credentials

Stave doesn't replace your scanner. It finds what your scanner structurally cannot — the compound risks that exist in the relationships between individually-correct configurations.

Operating model

Static configuration snapshots in, deterministic findings out. No cloud credentials, no API calls, no network access. Same inputs produce the same outputs; every conclusion carries the evidence chain that derived it.

Catalog at a glance

• 2658 built-in controls across 74 domains — S3, IAM, VPC, EC2, RDS, Lambda, ECS, EKS, CloudTrail, KMS, OpenSearch, SageMaker, Bedrock, Cognito, and 60 more.
• 23 ghost-reference controls — cross-inventory detection of pointers to deleted resources (IAM → role, agent → Lambda, CNAME → S3 bucket). Single-resource scanners can't see absence.
• 585 compound chain definitions — multi-step attack paths across identity, data, audit, and recovery surfaces; 5 of those land on AI agent identity (Bedrock + Lambda + S3 PHI, RAG → PHI, notebook → prod role).
• 10 compliance profiles — HIPAA, CIS AWS v3.0, SOC 2, PCI-DSS v4.0, NIST 800-53, FedRAMP, GDPR, FFIEC, ISO 27001, NIST CSF 2.0.
• Coverage benchmarks — Full OWASP Top 10, 15/15 ATT&CK cloud techniques tested by Atomic Red Team, 20/21 Rhino Security Labs privilege-escalation techniques.

Why these controls exist

Every control in the catalog traces to a documented security failure — HackerOne disclosures, public breach postmortems, AWS security advisories, and Mandiant/GTIG incident reports. The catalog wasn't designed from a compliance checklist. It was built backward from how infrastructure actually gets compromised.

See docs/index.md for the full feature index: drift, watch, rank, bundle, graph export, custom controls, CI gating, SARIF, evidence bundles.

Install

go install github.com/sufield/stave@latest
# or build from source:
git clone https://github.com/sufield/stave.git && cd stave && make build

For formal verification, blast-radius enumeration, or compound-attack proofs, install the optional reasoning engines (Z3, cvc5, Soufflé, Clingo, Prolog, PySAT) — or click Open in Codespaces above, which pre-installs all of them.

Quick start

Try a demo against a bundled snapshot (30 seconds, zero AWS access)

bash examples/demo-s3-public-read/run.sh        # Public S3 bucket
bash examples/demo-ai-security/run.sh           # Bedrock + Lambda + S3 PHI

Run against your own AWS account (5 minutes)

bash scripts/aws-snapshot.sh ./my-snapshot      # read-only AWS CLI calls; AES/SecurityAudit creds suffice
stave apply --observations ./my-snapshot --allow-unknown-input

See docs/quickstart-own-data.md for prerequisites, the property mapping, and the time-budget breakdown.

Bring your own data: See examples/agents/ for starter templates that transform Steampipe output into Stave observations.

Long form — workflow for a real project

# Place observation snapshots in observations/
# (at least two snapshots for duration-based controls)

# Validate inputs
stave validate

# Evaluate and produce findings
stave apply

# Investigate unexpected results
stave diagnose

How it works

The pipeline is Extract → Apply → Act.

1. Extract. An external collector (cloud APIs, Terraform state, the bundled scripts/aws-snapshot.sh, or your own) produces obs.v0.1 JSON. Stave never touches your cloud directly.
2. Apply. Stave evaluates each control's predicate against each asset, then composes the resulting findings into compound chains (multiple co-failing controls on related assets = one chain finding).
3. Act. Findings ship with explicit remediation, severity, and the evidence chain that justified them. Optionally pipe to nine external reasoning engines (Z3, Soufflé, Clingo, Prolog, …) for formal proofs, blast-radius enumeration, or attacker-cost ROI.

Full architecture in docs/architecture/overview.md. The reasoning-engine catalog and what each one answers: docs/engines.md (in docs/index.md).

Compliance profiles

stave apply --profile hipaa --input observations.json --include-all
# Also: cis-aws-v3.0, soc2, pci-dss-v4.0, nist-800-53, fedramp,
#       gdpr, ffiec, iso-27001, nist-csf-2.0

CI/CD

stave ci baseline save
stave apply --format sarif > results.sarif          # for GitHub Security
stave apply --format json | stave ci gate --fail-on new

Custom controls

New controls are YAML — no Go changes. Write an unsafe_predicate, point stave apply --controls ./my-controls at the directory, and the engine evaluates them alongside the built-in catalog. See authoring controls.

Built-in controls

2658 controls across 74 domains. Largest surfaces today: AWS S3 (118), AWS IAM (168), AWS OpenSearch (132), GCP Cloud Storage (7), DNS (3, vendor-agnostic dangling-reference detection).

Full reference and per-domain breakdowns: docs/controls/reference.md.

Documentation

Quickstart	Get your first finding in 5 minutes
Building an extractor	Steampipe, CloudQuery, AWS Config, or custom
Authoring controls	Write custom YAML controls
Pre-commit hook	Block unsafe configs before commit
Atlantis integration	Evaluate Terraform plans before apply
Risk reasoning	Compound risk scoring and safety chains
Identity blast radius	Credential compromise reach analysis
Unauthenticated reachability	Anonymous access path detection
Data exfiltration	Reverse reachability: how data gets out
Drift detection	Configuration drift as violation
Evidence bundling	Signed portable evidence for GRC
Remediation ranking	Prioritized remediation roadmap
Evaluation semantics	How duration tracking works
Architecture	System design overview
FAQ	Common questions
Full docs index	Everything else

Contributing

See CONTRIBUTING.md for setup, development workflow, and PR guidelines.

License

Apache License 2.0