DEV Community: Bala Paranj The latest articles on DEV Community by Bala Paranj (@bala_paranj_059d338e44e7e). https://dev.to/bala_paranj_059d338e44e7e https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3862804%2F7ea6c560-63cb-4daf-a713-450532280b0a.jpg DEV Community: Bala Paranj https://dev.to/bala_paranj_059d338e44e7e en Designing Errors Out of Your Go CLI Bala Paranj Tue, 07 Apr 2026 13:29:34 +0000 https://dev.to/bala_paranj_059d338e44e7e/designing-errors-out-of-your-go-cli-36in https://dev.to/bala_paranj_059d338e44e7e/designing-errors-out-of-your-go-cli-36in <p>Most Go CLIs have too many error checks. Not because error handling is wrong — because the errors themselves are wrong.</p> <p>I read the Power of Go Tools by John Arundel. Based on his book, I audited a 50,000-line Go CLI for functions that return errors unnecessarily. The result: 10 functions refactored, 50+ <code>if err != nil</code> checks eliminated, and the remaining error checks now mean something.</p> <p>This is John Ousterhout's philosophy from <em>A Philosophy of Software Design</em>: don't handle errors better — <strong>design them out of existence</strong>.</p> <h2> The Four Patterns </h2> <p>I searched for four specific anti-patterns:</p> <ol> <li> <strong>Idempotent No-ops</strong> — returning an error for a state that already matches the desired outcome</li> <li> <strong>Empty-Set Errors</strong> — returning an error when a slice is empty instead of treating it as "no work to do"</li> <li> <strong>Recoverable Internals</strong> — returning an error when the function could make a sensible default decision</li> <li> <strong>Crash-Only Candidates</strong> — returning an error from initialization code where failure is truly fatal</li> </ol> <p>Here's what I found and how I fixed each one.</p> <h2> Pattern 1: Idempotent No-ops </h2> <h3> The temp file cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: returns error if temp file is already gone</span> <span class="k">func</span> <span class="n">IsDirectoryWritable</span><span class="p">(</span><span class="n">dir</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">f</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">CreateTemp</span><span class="p">(</span><span class="n">dir</span><span class="p">,</span> <span class="s">".stave-write-check-*"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="n">_</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">return</span> <span class="n">os</span><span class="o">.</span><span class="n">Remove</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="c">// ← why does this error matter?</span> <span class="p">}</span> </code></pre> </div> <p>The function's job is to check if a directory is writable. If <code>os.Remove</code> fails because the temp file is already gone, the check already passed. The post-condition is met.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: cleanup errors are irrelevant</span> <span class="k">func</span> <span class="n">IsDirectoryWritable</span><span class="p">(</span><span class="n">dir</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">f</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">CreateTemp</span><span class="p">(</span><span class="n">dir</span><span class="p">,</span> <span class="s">".stave-write-check-*"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="n">_</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">_</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Remove</span><span class="p">(</span><span class="n">path</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule</strong>: If the post-condition is satisfied, the function succeeds. Period.</p> <h2> Pattern 2: Empty-Set Safety </h2> <h3> The empty registry </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: empty registry is treated as an error</span> <span class="k">func</span> <span class="n">NewIndex</span><span class="p">(</span><span class="n">data</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Index</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">idx</span> <span class="n">registryIndex</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">yaml</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">idx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">idx</span><span class="o">.</span><span class="n">Packs</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">ErrEmptyRegistry</span> <span class="c">// ← is zero packs really an error?</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>An empty registry means "no packs enabled." That's a valid state — the caller already checks <code>len(packs)</code> before iterating. The error just forces every caller to handle a case that isn't exceptional.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: empty registry is a valid zero-work state</span> <span class="k">func</span> <span class="n">NewIndex</span><span class="p">(</span><span class="n">data</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Index</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">idx</span> <span class="n">registryIndex</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">yaml</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">idx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Zero packs is valid — the registry simply has nothing enabled.</span> <span class="n">r</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">Index</span><span class="p">{</span> <span class="n">version</span><span class="o">:</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimSpace</span><span class="p">(</span><span class="n">idx</span><span class="o">.</span><span class="n">Version</span><span class="p">),</span> <span class="c">// ...</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule</strong>: If an empty input means "nothing to do," the function should succeed with a zero-value result, not fail.</p> <h3> The empty predicate </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: empty expression is an error</span> <span class="k">if</span> <span class="n">expr</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">CompiledPredicate</span><span class="p">{},</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"predicate produced empty expression"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// AFTER: empty predicate = always-pass (no rules = compliant)</span> <span class="k">if</span> <span class="n">expr</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">expr</span> <span class="o">=</span> <span class="s">"true"</span> <span class="p">}</span> </code></pre> </div> <p>An empty predicate in a security tool means "no rules defined for this control." That's not an error — it's compliance by default.</p> <h2> Pattern 3: Recoverable Internals </h2> <h3> The nil dependency </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: nil loader is a fatal error</span> <span class="k">func</span> <span class="n">ListSnapshotFilesFlat</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">dir</span> <span class="kt">string</span><span class="p">,</span> <span class="n">opts</span> <span class="n">ScannerOptions</span><span class="p">)</span> <span class="p">([]</span><span class="n">SnapshotFile</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">opts</span><span class="o">.</span><span class="n">MetadataLoader</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errMetadataLoaderRequired</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The <code>MetadataLoader</code> extracts timestamps from snapshot files. If it's nil, there's a perfectly good fallback: use the file's modification time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: nil loader falls back to filesystem metadata</span> <span class="k">if</span> <span class="n">opts</span><span class="o">.</span><span class="n">MetadataLoader</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">opts</span><span class="o">.</span><span class="n">MetadataLoader</span> <span class="o">=</span> <span class="k">func</span><span class="p">(</span><span class="n">filePath</span><span class="p">,</span> <span class="n">_</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">fi</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Stat</span><span class="p">(</span><span class="n">filePath</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">{},</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fi</span><span class="o">.</span><span class="n">ModTime</span><span class="p">(),</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule</strong>: If a sensible default exists, use it instead of forcing the caller to provide a value they probably don't care about.</p> <h3> The zero time </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: zero time is rejected</span> <span class="k">func</span> <span class="n">NewActiveWindow</span><span class="p">(</span><span class="n">openedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">)</span> <span class="p">(</span><span class="n">ExposureWindow</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">openedAt</span><span class="o">.</span><span class="n">IsZero</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ExposureWindow</span><span class="p">{},</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"opened_at is required"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">ExposureWindow</span><span class="p">{</span><span class="n">openedAt</span><span class="o">:</span> <span class="n">openedAt</span><span class="p">,</span> <span class="n">active</span><span class="o">:</span> <span class="no">true</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>A zero time means "not specified." The window should still be created — the caller can check <code>w.OpenedAt().IsZero()</code> if they care. Most don't.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: zero time is accepted — callers check if they care</span> <span class="k">func</span> <span class="n">NewActiveWindow</span><span class="p">(</span><span class="n">openedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span><span class="p">)</span> <span class="n">ExposureWindow</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ExposureWindow</span><span class="p">{</span><span class="n">openedAt</span><span class="o">:</span> <span class="n">openedAt</span><span class="p">,</span> <span class="n">active</span><span class="o">:</span> <span class="no">true</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This one removed error checks from <strong>30+ call sites</strong>. Most were already using <code>tl, _ := NewActiveWindow(...)</code> — the Go equivalent of saying "I know this error doesn't matter."</p> <h2> Pattern 4: Crash-Only Candidates </h2> <h3> The programming error </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// BEFORE: returns error that no caller can recover from</span> <span class="k">func</span> <span class="n">NewExposureLifecycle</span><span class="p">(</span><span class="n">a</span> <span class="n">Asset</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">ExposureLifecycle</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="o">.</span><span class="n">IsEmpty</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"asset ID must not be empty"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">ExposureLifecycle</span><span class="p">{</span><span class="n">ID</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">asset</span><span class="o">:</span> <span class="n">a</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>An empty asset ID is a programming error at the call site — the caller constructed the asset. If the ID is empty, there's a bug upstream. No caller can meaningfully recover from this. They all either <code>t.Fatal(err)</code> in tests or propagate it up the stack until someone logs it and exits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// AFTER: panic on contract violation</span> <span class="k">func</span> <span class="n">NewExposureLifecycle</span><span class="p">(</span><span class="n">a</span> <span class="n">Asset</span><span class="p">)</span> <span class="o">*</span><span class="n">ExposureLifecycle</span> <span class="p">{</span> <span class="k">if</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="o">.</span><span class="n">IsEmpty</span><span class="p">()</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="s">"contract violated: NewExposureLifecycle requires non-empty asset ID"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">ExposureLifecycle</span><span class="p">{</span><span class="n">ID</span><span class="o">:</span> <span class="n">a</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">asset</span><span class="o">:</span> <span class="n">a</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This matches the <code>checkContracts()</code> pattern already used in the same file for internal state validation. It eliminated error-check boilerplate from <strong>40+ call sites</strong>.</p> <p><strong>Rule</strong>: If the error means "you have a bug," use <code>panic</code>. If the error means "the user gave bad input," return an error. Don't conflate programming errors with operational errors.</p> <h2> The Impact </h2> <p>Before:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10 functions returning errors 50+ if err != nil checks across the codebase Many callers using tl, _ := ... (ignoring the error anyway) </code></pre> </div> <p>After:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10 functions with clear contracts 50+ fewer error checks Every remaining if err != nil represents a truly exceptional event </code></pre> </div> <h2> How to Find These in Your CLI </h2> <p>Search for these patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Functions where callers ignore the error</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">', _ :='</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="nt">-v</span> vendor/ | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> | <span class="nb">sort</span> <span class="nt">-rn</span> <span class="c"># Empty-set errors</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'len(.*) == 0'</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="s1">'Errorf\|errors.New'</span> <span class="c"># Existing panic patterns (your team already uses crash-only where appropriate)</span> <span class="nb">grep</span> <span class="nt">-rn</span> <span class="s1">'panic('</span> <span class="nt">--include</span><span class="o">=</span><span class="s1">'*.go'</span> | <span class="nb">grep</span> <span class="nt">-v</span> vendor/ | <span class="nb">grep</span> <span class="nt">-v</span> _test.go </code></pre> </div> <p>The first command is the most revealing. If you see 40 call sites ignoring an error, the error shouldn't exist.</p> <h2> When NOT to Do This </h2> <ul> <li> <strong>User input boundaries</strong>: Always validate and return errors for user-supplied data</li> <li> <strong>Network/IO operations</strong>: These fail for real external reasons</li> <li> <strong>Cross-package contracts</strong>: If the caller is in a different package, errors are the right contract</li> <li> <strong>Data integrity</strong>: Schema validation, hash mismatches, malformed input — these are real errors</li> </ul> <p>The goal isn't to eliminate error handling. It's to make every <code>if err != nil</code> mean something. When a developer sees an error check, they should know it represents a truly exceptional event — not a no-op, not an empty set, not a sensible default, and not a programming bug.</p> <p><em>These refactorings were applied to <a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a>, an offline configuration safety evaluator.</em></p> cli codequality design go Why the Capital One Breach Wasn't About One Misconfiguration Bala Paranj Mon, 06 Apr 2026 12:26:51 +0000 https://dev.to/bala_paranj_059d338e44e7e/why-the-capital-one-breach-wasnt-about-one-misconfiguration-5gdd https://dev.to/bala_paranj_059d338e44e7e/why-the-capital-one-breach-wasnt-about-one-misconfiguration-5gdd <p>In 2019, a former AWS employee exploited a server-side request forgery (SSRF) vulnerability in Capital One's web application firewall. The breach exposed over 100 million customer records.</p> <p>But here's the thing security scanners missed: <strong>no single misconfiguration caused the breach.</strong></p> <p>It was the <em>correlation</em> of three weak signals that produced a critical finding:</p> <ol> <li>An SSRF vulnerability in the WAF configuration</li> <li>An overly permissive IAM role attached to the compromised instance</li> <li>Unencrypted S3 buckets containing sensitive customer data</li> </ol> <p>Each finding alone? Low to medium severity. Together? A $190 million breach.</p> <h2> The Problem with Flat Scanners </h2> <p>Most cloud security tools evaluate configurations in isolation. They produce a flat list of findings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WARN S3 bucket has public access enabled WARN IAM role has overly broad permissions INFO Server-side encryption not enabled </code></pre> </div> <p>Three warnings. No critical alert. The tool did its job — it found each misconfiguration. But it missed the <em>compound risk</em> because it never correlated the signals.</p> <p>This is the fundamental gap: <strong>a scanner that evaluates one configuration at a time cannot reason about the interaction between configurations.</strong></p> <h2> Introducing Stave </h2> <p><a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a> is an offline configuration safety evaluator. It takes two inputs — security controls written in YAML and observation snapshots of your cloud infrastructure — and produces a deterministic security assessment. No agents, no API keys, no network access required. It runs entirely on local data, which makes it suitable for air-gapped environments and audit-sensitive workflows.</p> <p>The examples below use Stave's control language to illustrate how compound predicate evaluation closes the signal correlation gap.</p> <h2> Signal Correlation: The Missing Primitive </h2> <p>What security teams actually need is a way to express compound conditions — predicates that fire only when multiple weak signals appear together on the same asset:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">id</span><span class="pi">:</span> <span class="s">CTL.S3.EXPOSURE.COMPOUND.001</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Unencrypted Public Bucket with Broad IAM Access</span> <span class="na">description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">S3 bucket is publicly accessible, lacks encryption, and is</span> <span class="s">accessible by an overly permissive IAM role. This combination</span> <span class="s">creates a high-severity data exfiltration risk.</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">unsafe_predicate</span><span class="pi">:</span> <span class="na">all</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">public_access</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">server_side_encryption</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">iam_role_scope</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">overly_permissive"</span> </code></pre> </div> <p>The <code>all</code> combinator is the key. This control only fires when <strong>every condition is true simultaneously.</strong> Three medium-severity signals become one critical finding because the predicate explicitly models the compound risk.</p> <h2> How Compound Predicates Work </h2> <p>The evaluation model supports two combinators:</p> <p><strong><code>all</code></strong> — Every condition must be true (logical AND). Use this for compound risk scenarios where the danger comes from the intersection of weak signals.</p> <p><strong><code>any</code></strong> — At least one condition must be true (logical OR). Use this for detection breadth where multiple indicators point to the same root cause.</p> <p>These nest arbitrarily:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">unsafe_predicate</span><span class="pi">:</span> <span class="na">all</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">public_access</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">any</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">server_side_encryption</span> <span class="na">op</span><span class="pi">:</span> <span class="s">eq</span> <span class="na">value</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">field</span><span class="pi">:</span> <span class="s">kms_key_id</span> <span class="na">op</span><span class="pi">:</span> <span class="s">missing</span> </code></pre> </div> <p>This reads: "The bucket is publicly accessible AND (encryption is disabled OR no KMS key is configured)." Two different paths to the same compound risk.</p> <h2> Adding Time as a Correlation Axis </h2> <p>Here's where it gets interesting. A misconfiguration that appeared 2 hours ago is different from one that's been open for 90 days.</p> <p>If your evaluation engine tracks <em>when</em> a configuration became unsafe — not just <em>whether</em> it's unsafe — you gain a temporal correlation axis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Finding</span><span class="pi">:</span> <span class="s">CTL.S3.PUBLIC.001</span> <span class="s">Asset</span><span class="err">:</span> <span class="s">patient-records-bucket</span> <span class="s">First unsafe</span><span class="err">:</span> <span class="s">2026-01-01T00:00:00Z</span> <span class="s">Duration</span><span class="err">:</span> <span class="s">2160 hours (90 days)</span> <span class="s">SLA threshold</span><span class="err">:</span> <span class="s">168 hours (7 days)</span> <span class="s">Status</span><span class="err">:</span> <span class="s">NON_COMPLIANT</span> </code></pre> </div> <p>The same <code>public_access: true</code> finding has radically different severity depending on duration. A bucket that went public 2 hours ago during a deploy is an incident. A bucket that's been public for 90 days is a governance failure.</p> <p>This requires <strong>observation snapshots</strong> — point-in-time captures of configuration state. With at least two snapshots, you can compute:</p> <ul> <li>When the unsafe state first appeared</li> <li>How long it has persisted</li> <li>Whether it's a new regression or a chronic drift</li> <li>Whether it exceeds the team's SLA threshold</li> </ul> <h2> The Three Correlation Dimensions </h2> <p>Putting it together, configuration risk is a function of three dimensions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>Question</th> <th>Signal</th> </tr> </thead> <tbody> <tr> <td><strong>Predicate</strong></td> <td>What combination of fields is unsafe?</td> <td>Compound <code>all</code>/<code>any</code> conditions</td> </tr> <tr> <td><strong>Temporal</strong></td> <td>How long has it been unsafe?</td> <td>Duration vs SLA threshold</td> </tr> <tr> <td><strong>Contextual</strong></td> <td>What else is true about this asset?</td> <td>Cross-field correlation</td> </tr> </tbody> </table></div> <p>A flat scanner only covers the first dimension — and only one field at a time. Adding predicate composition catches Capital One-style compound risks. Adding temporal tracking catches chronic drift that compliance teams care about.</p> <h2> What This Looks Like in Practice </h2> <p>Given two observation snapshots of an S3 bucket captured a week apart, and a set of controls with compound predicates, the evaluation produces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ASSESSMENT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total_assets"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"violations"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NON_COMPLIANT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"findings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"control_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CTL.S3.PUBLIC.001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"asset_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"patient-records-bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"evidence"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"first_unsafe_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-01-01T00:00:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"unsafe_duration_hours"</span><span class="p">:</span><span class="w"> </span><span class="mi">336</span><span class="p">,</span><span class="w"> </span><span class="nl">"threshold_hours"</span><span class="p">:</span><span class="w"> </span><span class="mi">168</span><span class="p">,</span><span class="w"> </span><span class="nl">"temporal_risk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SLA_EXCEEDED"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The output is machine-readable JSON. Teams pipe it into their SIEM, Splunk, or ticketing system. The <code>evidence</code> block provides the temporal proof that auditors need — not just "this is misconfigured" but "this has been misconfigured for 336 hours, exceeding your 168-hour SLA."</p> <h2> The Remediation Attestation </h2> <p>After fixing the findings, teams need proof that the fix worked. A before/after comparison produces an attestation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ATTESTATION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"previous_violations"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"current_violations"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"remediated"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"open"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"regressions"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Zero regressions. Three remediated. This is the artifact that goes into the compliance record — formal proof that the compound risk was identified and resolved.</p> <h2> Building This Into Your Security Pipeline </h2> <p>The design decisions:</p> <ol> <li><p><strong>Controls are data, not code.</strong> Express compound predicates in YAML/JSON, not in Go/Python functions. This lets security teams author and review controls without touching the evaluation engine.</p></li> <li><p><strong>Observations are snapshots, not streams.</strong> Capture configuration state at discrete points in time. Two snapshots a week is enough for SLA tracking. This works offline and doesn't require agent installation.</p></li> <li><p><strong>The evaluation engine is deterministic.</strong> Given the same controls, observations, and timestamp, the output is byte-identical. This matters for audit reproducibility.</p></li> <li><p><strong>Separate the assessment from the remediation.</strong> The engine produces findings. A separate step verifies the fix. These are different artifacts with different schemas because they answer different questions.</p></li> </ol> <h2> Conclusion </h2> <p>The Capital One breach wasn't caused by one misconfiguration. It was caused by the <em>correlation</em> of three. Most security tools would have flagged each one individually. None would have flagged the compound risk.</p> <p>If your configuration evaluation can express <code>all</code>/<code>any</code> predicate composition, track temporal duration against SLA thresholds, and produce machine-readable evidence — you're not just scanning. You're doing security assessment.</p> <p>The difference matters when the auditor asks: "How long was this configuration unsafe, and what else was true at the same time?"</p> <p><em>This article describes the evaluation model behind <a href="https://github.com/sufield/stave" rel="noopener noreferrer">Stave</a>, an offline configuration safety evaluator that uses compound predicate composition and temporal tracking to produce security assessments and remediation attestations.</em></p> aws cloud cybersecurity security