Gaps fill up, fixes, ui restructuring

This commit is contained in:
master
2026-02-19 22:10:54 +02:00
parent b5829dce5c
commit 04cacdca8a
331 changed files with 42859 additions and 2174 deletions

View File

@@ -4,8 +4,8 @@
This document is the **authoritative source** for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.
**Last Updated:** 2025-12-20
**Next Review:** 2026-03-20
**Last Updated:** 2026-02-19
**Next Review:** 2026-05-19
---
@@ -28,6 +28,8 @@ This document is the **authoritative source** for all competitive positioning cl
| REACH-002 | "Signed reachability graphs with DSSE attestation" | `src/Attestor/` module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in `src/Scanner/Analyzers/` | High | 2025-12-14 | 2026-03-14 |
| REACH-005 | "Symbolized call-stack proofs with demangled names, build-ID binding, and source file references" | `src/Symbols/` module; `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native/`; Symbol Manifest v1 spec | High | 2026-02-19 | 2026-05-19 |
| REACH-006 | "OCI-attached symbol packs as first-class referrer artifacts" | Symbol manifest OCI artifact type `application/vnd.stella.symbols.manifest.v1+json`; `src/Symbols/` server REST API | High | 2026-02-19 | 2026-05-19 |
### 3. VEX & Lattice Claims
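Review bot: REACH-003 in this hunk still carries a Next Review date of 2026-02-01, which is already past as of this commit's 2026-02-19 update, yet only REACH-005/006 were added and REACH-003 was not re-verified or re-dated. Either refresh its Verified/Next Review dates (the Sysdig 2024 report is an external source and may have a 2025 edition) or mark it stale, since the header now states the index as a whole was updated 2026-02-19.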
@@ -53,6 +55,7 @@ This document is the **authoritative source** for all competitive positioning cl
| ATT-002 | "Optional Sigstore Rekor transparency logging" | `src/Attestor/StellaOps.Attestor.Rekor/` integration | High | 2025-12-14 | 2026-03-14 |
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | `StellaOps.Cryptography` with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |
| ATT-005 | "Size-aware Rekor pointer strategy: hash pointer in transparency log, full payload in Evidence Locker CAS" | `src/Attestor/` detached payload references; `src/EvidenceLocker/` CAS storage; Rekor v2 submission with hash pre-check | High | 2026-02-19 | 2026-05-19 |
### 4a. Proof & Evidence Chain Claims
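Review bot: ATT-005's Evidence cell cites only internal code paths (`src/Attestor/`, `src/EvidenceLocker/`) for a claim whose substance is "size-aware" handling of a Rekor upload limit, but nothing in the row records what that limit is or where it is documented; the companion landscape doc states "~100 KB" without a source. Add a reference to the Rekor instance configuration or public documentation the limit was taken from so the High confidence is traceable, and consider a short note on whether "Rekor v2 submission with hash pre-check" is shipped or planned.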
@@ -117,6 +120,26 @@ This document is the **authoritative source** for all competitive positioning cl
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |
### vs. Docker Scout
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-SCOUT-001 | "Docker Scout produces SBOM/VEX/provenance attestations via cosign but lacks symbolized call-stack proofs, deterministic replay, and lattice VEX reasoning" | Docker Scout documentation (docs.docker.com/scout); DHI surface analysis | High | 2026-02-19 | 2026-05-19 |
| COMP-SCOUT-002 | "Docker Scout does not address Rekor payload size constraints or provide size-aware pointer strategies" | Docker Scout attestation flow analysis; Rekor public instance constraints | High | 2026-02-19 | 2026-05-19 |
### vs. JFrog (Xray + Evidence Collection)
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-JFROG-001 | "JFrog Evidence Collection centralizes signed evidence across SDLC but lacks deterministic scoring envelopes, replayable verdicts, and formal VEX lattice reasoning" | JFrog Evidence documentation (jfrog.com/evidence); solution sheet analysis | High | 2026-02-19 | 2026-05-19 |
| COMP-JFROG-002 | "JFrog lacks signed reachability graphs and call-stack symbolization; evidence is SBOM/provenance-level, not function-level" | JFrog Xray feature matrix; Evidence Collection solution sheet | High | 2026-02-19 | 2026-05-19 |
### vs. Oligo Security
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|----|-------|----------|------------|----------|-------------|
| COMP-OLIGO-001 | "Oligo Security provides runtime call-stack exploitability evidence but lacks SBOM/VEX integration, deterministic replay, lattice VEX reasoning, signed reachability graphs, and offline/air-gap capability" | Oligo Security blog post on call-stack evidence; product positioning as runtime-only tool | Medium | 2026-02-19 | 2026-05-19 |
---
## Confidence Levels
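Review bot: the Evidence cells for the new COMP-SCOUT and COMP-JFROG rows name a documentation domain, but COMP-OLIGO-001 cites only "Oligo Security blog post on call-stack evidence" with no URL or date, so the claim cannot be re-verified at the 2026-05-19 review. All five rows also assert absences ("lacks deterministic replay, lattice VEX reasoning, ..."), which documentation review can only partially support; record the exact pages and retrieval dates consulted, and consider whether a "lacks X" claim backed solely by a vendor blog post should be Low rather than Medium.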
@@ -209,6 +232,10 @@ When a claim becomes false (e.g., competitor adds feature):
| 2025-12-20 | Added DET-004 (content-addressed proof bundles) | Agent |
| 2025-12-20 | Added PROOF-001/002/003 (deterministic proof ledgers, proof chains, score replay) | Agent |
| 2025-12-20 | Added UNKNOWNS-001/002/003 (two-factor ranking, band prioritization, competitor gap) | Agent |
| 2026-02-19 | Added REACH-005/006 (symbolized call-stacks, OCI symbol packs) from competitive advisory review | Product Manager |
| 2026-02-19 | Added ATT-005 (Rekor size-aware pointer strategy) from competitive advisory review | Product Manager |
| 2026-02-19 | Added COMP-SCOUT-001/002 (Docker Scout gaps) and COMP-JFROG-001/002 (JFrog gaps) from competitive advisory review | Product Manager |
| 2026-02-19 | Added COMP-OLIGO-001 (Oligo Security runtime-only gaps) from VEX/call-stack/determinism competitive advisory | Product Manager |
---
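Review bot: the change log entries at the end of this hunk attribute COMP-OLIGO-001 to the "VEX/call-stack/determinism competitive advisory" while the three preceding rows cite "competitive advisory review"; the landscape doc in this same commit lists that advisory under `docs-archived/`. Name the advisory consistently across the four rows and include its path so future readers can find the source behind the 2026-02-19 additions.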

View File

@@ -21,7 +21,7 @@ Source: internal advisories "23-Nov-2025 - Stella Ops vs Competitors" and "09-Ja
| **CI/CD Tools** | GitHub Actions, Jenkins, GitLab CI | Running pipelines, build automation | No central release authority; no audit-grade evidence; deployment is afterthought |
| **CD Orchestrators** | Octopus, Harness, Spinnaker | Deployment automation, Kubernetes | Security is bolt-on; non-K8s is second-class; pricing punishes automation |
| **Registries** | Harbor, JFrog Artifactory | Artifact storage, scanning | No release governance; no promotion workflows; no deployment execution |
| **Scanners/CNAPP** | Trivy, Snyk, Aqua | Vulnerability detection | No release orchestration; findings don't integrate with promotion gates |
| **Scanners/CNAPP** | Trivy, Snyk, Aqua (incl. VEX Hub) | Vulnerability detection; centralized VEX consumption (Aqua VEX Hub) | No release orchestration; findings don't integrate with promotion gates; VEX Hub reduces noise but lacks lattice logic and provenance |
### Stella Ops Suite Positioning
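Review bot: the revised Scanners/CNAPP row now adds an Aqua VEX Hub assessment ("reduces noise but lacks lattice logic and provenance"), but no COMP-AQUA claim is added to the claims index in this commit, even though the index header requires all positioning claims to be referenced from it. Either add a corresponding index row with evidence, or keep the VEX Hub mention descriptive without the "lacks" assertion until it is verified.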
@@ -100,9 +100,9 @@ These comparisons focus on where release governance, evidence export, and audit
| Field | Value |
|-------|-------|
| **Last Updated** | 2026-01-03 |
| **Last Verified** | 2025-12-14 |
| **Next Review** | 2026-03-14 |
| **Last Updated** | 2026-02-19 |
| **Last Verified** | 2026-02-19 |
| **Next Review** | 2026-05-19 |
| **Claims Index** | [`docs/product/claims-citation-index.md`](claims-citation-index.md) |
| **Verification Method** | Source code audit (OSS), documentation review, feature testing |
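Review bot: bumping **Last Verified** for the whole document to 2026-02-19 implies every comparison was re-checked, yet the index rows this doc cites for Trivy, Grype and Snyk (COMP-TRIVY-*, COMP-GRYPE-*, COMP-SNYK-*) still show Verified 2025-12-14 elsewhere in this commit. Either leave Last Verified at 2025-12-14 and note that only the new rows were verified on 2026-02-19, or re-verify the older rows so the two dates agree.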
@@ -123,6 +123,8 @@ The scanner market evolved from three distinct origins. Each origin created arch
| **Developer UX** | Snyk | IDE integration, fix PRs, onboarding | SaaS-only (offline impossible); no attestation infrastructure; reachability limited to specific languages |
| **Policy/Compliance** | Prisma Cloud, Aqua | Runtime protection, CNAPP breadth | No deterministic replay; no cryptographic provenance for verdicts; no semantic diff |
| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX reasoning; no signed reachability graphs; no regional crypto profiles |
| **Supply Chain Evidence** | Docker Scout, JFrog | SBOM/VEX/provenance attestations; signed evidence collection | Evidence is SBOM/VEX/provenance-level; no symbolized call-stack proofs; no deterministic signed scoring envelopes; no replayable micro-witnesses; no size-aware Rekor pointer strategy; no formal VEX lattice reasoning |
| **Runtime Exploitability** | Oligo Security | Runtime call-stack evidence showing where vulns actually execute | Runtime-only; not an SBOM/VEX integrator; no deterministic replay; no lattice VEX; no offline/air-gap; no signed reachability graphs; single signal source vs. Stella's three-layer fusion |
### The Core Problem
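Review bot: the two new rows introduce terminology not defined anywhere in the changed files, namely "replayable micro-witnesses" (Supply Chain Evidence row) and "Stella's three-layer fusion" (Runtime Exploitability row); the third file expands the latter as "static+binary+runtime" but this doc does not. Define or link both terms at first use, and align the Docker Scout/JFrog gap list with the index wording of REACH-005/REACH-006 and ATT-005 so the same feature is not described three different ways.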
@@ -195,13 +197,17 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
| **No signed reachability** | Reachability claims are assertions, not proofs. There's no cryptographic binding between "this CVE is reachable" and the call path that proves it. | COMP-GRYPE-001, REACH-002 | 2025-12-14 |
| **No semantic diff** | Tools report "+3 CVEs" without context. They can't say "exploitable surface decreased despite new CVEs" because they don't track reachability deltas. | | 2025-12-14 |
| **Offline/sovereign gaps** | Snyk is SaaS-only. Others have partial offline support but no regional crypto (GOST, SM2, eIDAS) and no sealed knowledge snapshots for air-gapped reproducibility. | COMP-SNYK-003, ATT-004 | 2025-12-14 |
| **No symbolized call-stack proofs** | Docker Scout, Trivy, and JFrog produce SBOM/VEX/provenance attestations but none deliver symbolized, replayable call-stack evidence tied to the shipping binary. Stella provides DSSE-signed reachability graphs with demangled symbols, build-ID binding, and edge-bundle attestations. | REACH-002, REACH-005, REACH-006 | 2026-02-19 |
| **No deterministic signed scoring** | JFrog centralizes signed evidence but doesn't produce deterministic scoring envelopes that can be re-computed. Stella's Policy Engine produces seeded, deterministic verdicts signed via DSSE with full intermediate state for byte-for-byte replay. | DET-001, DET-004, PROOF-003 | 2026-02-19 |
| **No Rekor size-aware strategy** | Public Rekor has ~100 KB upload limits. Docker Scout and Trivy submit attestations without addressing this. Stella uses hash-pointer-in-Rekor + full-payload-in-vault (Evidence Locker CAS) with detached payload references, solving the size/UX gap. | ATT-005 | 2026-02-19 |
## Snapshot table (condensed)
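Review bot: the "No Rekor size-aware strategy" row states "Public Rekor has ~100 KB upload limits" as fact and names both Docker Scout and Trivy as affected, but its Related Claims column lists only ATT-005, which evidences Stella's implementation rather than the Rekor limit or either competitor's behaviour. Add COMP-SCOUT-002 (which exists in this commit) for the Scout half, add or drop the Trivy assertion since no COMP-TRIVY claim covers it, and cite the source of the 100 KB figure.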
| Vendor | SBOM Gen | SBOM Ingest | Attest (DSSE) | Rekor | Offline | Primary gaps vs Stella | Related Claims |
|--------|----------|-------------|---------------|-------|---------|------------------------|----------------|
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Trivy | Yes | Yes | Cosign | Query | Strong | No replay, no lattice, no symbolized call-stacks | COMP-TRIVY-001, COMP-TRIVY-002, COMP-TRIVY-003 |
| Syft/Grype | Yes | Yes | Cosign-only | Indir | Medium | No replay, no lattice | COMP-GRYPE-001, COMP-GRYPE-002, COMP-GRYPE-003 |
| Docker Scout | Yes | Yes | Cosign (DHI) | Query | Medium | SBOM/VEX/provenance attestations via cosign, but no signed reachability, no deterministic replay, no call-stack symbolization, no lattice VEX | COMP-SCOUT-001, COMP-SCOUT-002 |
| Snyk | Yes | Limited | No | No | Weak | No attest/VEX/replay | COMP-SNYK-001, COMP-SNYK-002, COMP-SNYK-003 |
| Prisma | Yes | Limited | No | No | Strong | No attest/replay | |
| AWS (Inspector/Signer) | Partial | Partial | Notary v2 | No | Weak | Closed, no replay | |
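Review bot: the updated Trivy row appends "no symbolized call-stacks" to its gap list while its Related Claims column is unchanged (COMP-TRIVY-001/002/003), none of which are shown to cover symbolization; likewise the new Docker Scout row rates Offline as "Medium" and Rekor as "Query" with only COMP-SCOUT-001/002 as support, neither of which addresses offline capability. Reference REACH-005 or add a dedicated claim for the Trivy statement, and either add an offline claim for Scout or leave that cell blank.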
@@ -210,10 +216,11 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
| GitLab | Yes | Limited | Partial | No | Medium | No replay/lattice | |
| Microsoft Defender | Partial | Partial | No | No | Weak | No attest/reachability | |
| Anchore Enterprise | Yes | Yes | Some | No | Good | No sovereign crypto | |
| JFrog Xray | Yes | Yes | No | No | Medium | No attest/lattice | |
| JFrog (Xray + Evidence) | Yes | Yes | Signed evidence | No | Medium | Centralized signed evidence collection but no deterministic replay, no lattice VEX, no signed reachability graphs, no call-stack replay | COMP-JFROG-001, COMP-JFROG-002 |
| Tenable | Partial | Limited | No | No | Weak | Not SBOM/VEX-focused | |
| Qualys | Limited | Limited | No | No | Medium | No attest/lattice | |
| Rezilion | Yes | Yes | No | No | Medium | Runtime-only; no DSSE | |
| Oligo Security | No | No | No | No | No | Runtime call-stack evidence only; no SBOM/VEX/attestation integration; no replay | COMP-OLIGO-001 |
| Chainguard | Yes | Yes | Yes | Yes | Medium | No replay/lattice | |
## How to use this doc
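Review bot: the new Oligo Security row answers "No" in all five capability columns (SBOM Gen, SBOM Ingest, Attest, Rekor, Offline) while its only supporting claim, COMP-OLIGO-001, is Medium confidence and rests on a single vendor blog post; a flat "No" reads as verified absence. Use "Unknown" or "Not documented" for cells the blog post does not actually establish, matching the "Partial"/"Limited" convention used for other vendors in the table.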
@@ -281,4 +288,5 @@ This isn't a feature gap—it's a category difference. Retrofitting it requires:
## Sources
- Full advisory: `docs/product/advisories/23-Nov-2025 - Stella Ops vs Competitors.md`
- VEX/call-stack/determinism advisory (archived, no gaps): `docs-archived/product/advisories/2026-02-19-vex-callstack-determinism-competitive-landscape.md`
- Claims Citation Index: `docs/product/claims-citation-index.md`
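Review bot: the new Sources bullet describes the 2026-02-19 advisory as "(archived, no gaps)", which is ambiguous between "the advisory found no gaps" and "all gaps from it are now captured here"; given the rows added above, the latter seems intended. Reword to say explicitly that its findings have been folded into this document, and note that the `docs-archived/` path means the link will not resolve from the live docs tree without that prefix.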

View File

@@ -85,6 +85,11 @@ Use these in sales conversations, marketing materials, and internal alignment.
| Trust scoring of VEX sources | P1 | 4500_0001_0002 |
| Tier 4 binary fingerprinting | P1 | 7204-7206 |
| SBOM historical lineage | P2 | 4600_0001_* |
| Signed execution evidence (trace-to-DSSE) | P2 | 20260219_013 |
| Runtime beacon attestations | P3 | 20260219_014 |
| Symbol/Debug Pack Marketplace | P1 | 20260220_001-003 |
| Privacy-Preserving Federated Telemetry | P1 | 20260220_005-009 |
| Developer-Facing Remediation Marketplace | P1 | 20260220_010-015 |
## Competitor Positioning
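Review bot: the five new roadmap rows use identifiers in a third scheme (`20260219_013`, `20260220_001-003`) alongside the existing `4500_0001_0002` and `7204-7206` styles, and the `20260220_*` ids are dated one day after this commit (2026-02-19 22:10 +02:00). Confirm those sprint/task files exist under the referenced ids, and consider adding a short key above the table explaining the id formats so readers can locate the underlying items.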
@@ -96,6 +101,9 @@ Use these in sales conversations, marketing materials, and internal alignment.
| **Prisma Cloud** | CNAPP breadth, graph investigation | Platform completeness | Decision integrity, deterministic replay, semantic diff |
| **Anchore** | SBOM operations maturity | SBOM storage | Lattice VEX, signed reachability, proof chains |
| **Aqua/Trivy** | Runtime protection, broad coverage | Ecosystem breadth | Forensic reproducibility, K4 logic, regional crypto |
| **Docker Scout** | DHI integration, SBOM/VEX/provenance attestations via cosign | Registry-native UX | Symbolized call-stack proofs, deterministic replay, lattice VEX, Rekor size-aware pointer strategy |
| **JFrog** | Evidence Collection centralizing signed SDLC evidence | Artifact management breadth | Deterministic scoring envelopes, function-level reachability proofs, replayable verdicts, formal VEX reasoning |
| **Oligo Security** | Runtime call-stack exploitability proofs | Runtime-only depth | Three-layer fusion (static+binary+runtime), SBOM/VEX integration, deterministic replay, offline/air-gap, signed graphs |
### Our Winning Positions
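Review bot: the three new competitor rows carry no claim ids, while the claims index added in this commit now has COMP-SCOUT-001/002, COMP-JFROG-001/002 and COMP-OLIGO-001 specifically for these positions; the index header requires marketing material to reference its claims. Add the ids to each row, and align the Oligo cell "Runtime call-stack exploitability proofs" with the index wording ("evidence"), since "proofs" is the term this doc reserves for Stella's signed artifacts.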
@@ -108,11 +116,16 @@ Use these in sales conversations, marketing materials, and internal alignment.
### Where We're Ahead
1. **VEX decisioning** — K4 lattice with conflict detection; no competitor has this
1. **VEX decisioning** — K4 lattice with conflict detection; no competitor has this (including Docker Scout, JFrog)
2. **Smart-Diff** — Semantic risk deltas with priority scoring; unique
3. **Signed reachability** — DSSE graphs + edge bundles; unique
4. **Deterministic replay** — Bit-for-bit reproducibility; unique
3. **Signed reachability** — DSSE graphs + edge bundles; unique. Docker Scout/JFrog/Trivy stop at SBOM/VEX/provenance attestations
4. **Deterministic replay** — Bit-for-bit reproducibility; unique. JFrog Evidence Collection centralizes evidence but can't replay verdicts
5. **Regional crypto** — FIPS/eIDAS/GOST/SM/PQC; unique
6. **Symbolized call-stack proofs + Symbol Marketplace** — Demangled symbols, build-ID binding, OCI symbol packs as first-class referrer artifacts; no competitor has function-level symbol evidence. The Symbol Marketplace adds source trust scoring (freshness/signature/coverage/SLA), browsable catalog with DSSE-verified install, and multi-provider federation (Microsoft Symbols, debuginfod distros, partner feeds)
7. **Privacy-Preserving Federated Telemetry** — Differential privacy (Laplacian noise, epsilon budget) + k-anonymity over federated runtime signals with DSSE-signed consent proofs; no competitor has privacy-safe cross-site exploit intelligence sharing. Network-effect moat.
8. **Developer-Facing Remediation Marketplace** — Signed-PR fix attestations verified against reachability proof deltas with contributor trust scoring; no competitor has PR-level fix verification tied to reachability evidence. Six-module integration depth.
9. **Rekor size-aware pointer strategy** — Hash pointer in transparency log + full payload in vault; addresses real Rekor ~100KB upload constraints that competitors ignore
10. **Deterministic signed scoring envelopes** — Seeded, replayable score computation with DSSE-signed intermediates; competitors sign evidence but not deterministic scoring traces
### Where Competitors Lead (For Now)
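Review bot: items 6, 7 and 8 assert "no competitor has this" for the Symbol Marketplace, Privacy-Preserving Federated Telemetry and the Remediation Marketplace, but the roadmap hunk in this same file lists all three as P1 roadmap items (`20260220_001-015`), i.e. not shipped, and no claims-index entries were added for them in this commit. Mark them as roadmap or move them out of "Where We're Ahead" until they ship and have index rows; also item 5 lists "PQC", which ATT-004 in the index ("eIDAS, FIPS, GOST, SM") does not cover.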
@@ -159,4 +172,4 @@ stella scan --offline --image <digest>
---
**Last Updated**: 2026-01-03
**Last Updated**: 2026-02-19