Gaps fill up, fixes, ui restructuring
@@ -4,8 +4,8 @@
|
||||
|
||||
This document is the **authoritative source** for all competitive positioning claims made by StellaOps. All marketing materials, sales collateral, and documentation must reference claims from this index to ensure accuracy and consistency.
|
||||
|
||||
**Last Updated:** 2025-12-20
|
||||
**Next Review:** 2026-03-20
|
||||
**Last Updated:** 2026-02-19
|
||||
**Next Review:** 2026-05-19
|
||||
|
||||
---
|
||||
|
||||
@@ -28,6 +28,8 @@ This document is the **authoritative source** for all competitive positioning cl
|
||||
| REACH-002 | "Signed reachability graphs with DSSE attestation" | `src/Attestor/` module; DSSE envelope implementation | High | 2025-12-14 | 2026-03-14 |
|
||||
| REACH-003 | "~85% of critical vulnerabilities in containers are in inactive code" | Sysdig 2024 Container Security Report (external) | Medium | 2025-11-01 | 2026-02-01 |
|
||||
| REACH-004 | "Multi-language support: Java, C#, Go, JavaScript, TypeScript, Python" | Language analyzer implementations in `src/Scanner/Analyzers/` | High | 2025-12-14 | 2026-03-14 |
|
||||
| REACH-005 | "Symbolized call-stack proofs with demangled names, build-ID binding, and source file references" | `src/Symbols/` module; `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native/`; Symbol Manifest v1 spec | High | 2026-02-19 | 2026-05-19 |
|
||||
| REACH-006 | "OCI-attached symbol packs as first-class referrer artifacts" | Symbol manifest OCI artifact type `application/vnd.stella.symbols.manifest.v1+json`; `src/Symbols/` server REST API | High | 2026-02-19 | 2026-05-19 |
|
||||
|
||||
### 3. VEX & Lattice Claims
|
||||
|
||||
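Review bot: REACH-003 in the unchanged context of this hunk still carries a Next Review of 2026-02-01, which is already past the new Last Updated date of 2026-02-19, yet the hunk adds REACH-005/006 around it without re-verifying it. Either bump its Verified/Next Review dates after checking the Sysdig source or mark it stale so the index does not present an overdue claim as current. Separately, REACH-005 cites "Symbol Manifest v1 spec" without a path, while the neighbouring rows cite concrete module directories; a path to the spec would make that claim re-verifiable at the next review.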
@@ -53,6 +55,7 @@ This document is the **authoritative source** for all competitive positioning cl
|
||||
| ATT-002 | "Optional Sigstore Rekor transparency logging" | `src/Attestor/StellaOps.Attestor.Rekor/` integration | High | 2025-12-14 | 2026-03-14 |
|
||||
| ATT-003 | "in-toto attestation format support" | in-toto predicates in attestation module | High | 2025-12-14 | 2026-03-14 |
|
||||
| ATT-004 | "Regional crypto support: eIDAS, FIPS, GOST, SM" | `StellaOps.Cryptography` with plugin architecture | Medium | 2025-12-14 | 2026-03-14 |
|
||||
| ATT-005 | "Size-aware Rekor pointer strategy: hash pointer in transparency log, full payload in Evidence Locker CAS" | `src/Attestor/` detached payload references; `src/EvidenceLocker/` CAS storage; Rekor v2 submission with hash pre-check | High | 2026-02-19 | 2026-05-19 |
|
||||
|
||||
### 4a. Proof & Evidence Chain Claims
|
||||
|
||||
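Review bot: the ATT-005 evidence column points at `src/Attestor/` and `src/EvidenceLocker/` at directory level, whereas ATT-002 two rows above pins a specific project (`src/Attestor/StellaOps.Attestor.Rekor/`). Since the claim hinges on two concrete behaviours (the detached payload reference and the hash pre-check before Rekor v2 submission), cite the specific projects or files that implement them so a reviewer can confirm the claim rather than search the whole module.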
@@ -117,6 +120,26 @@ This document is the **authoritative source** for all competitive positioning cl
|
||||
| COMP-SNYK-002 | "Snyk's reachability is limited to specific languages" | Snyk documentation review | Medium | 2025-12-14 | 2026-03-14 |
|
||||
| COMP-SNYK-003 | "Snyk lacks offline/air-gap capability" | Snyk architecture documentation | High | 2025-12-14 | 2026-03-14 |
|
||||
|
||||
### vs. Docker Scout
|
||||
|
||||
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|
||||
|----|-------|----------|------------|----------|-------------|
|
||||
| COMP-SCOUT-001 | "Docker Scout produces SBOM/VEX/provenance attestations via cosign but lacks symbolized call-stack proofs, deterministic replay, and lattice VEX reasoning" | Docker Scout documentation (docs.docker.com/scout); DHI surface analysis | High | 2026-02-19 | 2026-05-19 |
|
||||
| COMP-SCOUT-002 | "Docker Scout does not address Rekor payload size constraints or provide size-aware pointer strategies" | Docker Scout attestation flow analysis; Rekor public instance constraints | High | 2026-02-19 | 2026-05-19 |
|
||||
|
||||
### vs. JFrog (Xray + Evidence Collection)
|
||||
|
||||
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|
||||
|----|-------|----------|------------|----------|-------------|
|
||||
| COMP-JFROG-001 | "JFrog Evidence Collection centralizes signed evidence across SDLC but lacks deterministic scoring envelopes, replayable verdicts, and formal VEX lattice reasoning" | JFrog Evidence documentation (jfrog.com/evidence); solution sheet analysis | High | 2026-02-19 | 2026-05-19 |
|
||||
| COMP-JFROG-002 | "JFrog lacks signed reachability graphs and call-stack symbolization; evidence is SBOM/provenance-level, not function-level" | JFrog Xray feature matrix; Evidence Collection solution sheet | High | 2026-02-19 | 2026-05-19 |
|
||||
|
||||
### vs. Oligo Security
|
||||
|
||||
| ID | Claim | Evidence | Confidence | Verified | Next Review |
|
||||
|----|-------|----------|------------|----------|-------------|
|
||||
| COMP-OLIGO-001 | "Oligo Security provides runtime call-stack exploitability evidence but lacks SBOM/VEX integration, deterministic replay, lattice VEX reasoning, signed reachability graphs, and offline/air-gap capability" | Oligo Security blog post on call-stack evidence; product positioning as runtime-only tool | Medium | 2026-02-19 | 2026-05-19 |
|
||||
|
||||
---
|
||||
|
||||
## Confidence Levels
|
||||
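Review bot: the new competitor rows are all negative claims ("lacks X"), which are exactly the claims most likely to become false when a competitor ships a feature, so the evidence column should carry dated, locatable sources. COMP-SCOUT-001 and COMP-JFROG-001 do this (docs.docker.com/scout, jfrog.com/evidence), but COMP-SCOUT-002 cites only "Rekor public instance constraints" with no pointer to where that constraint is documented, and COMP-OLIGO-001 cites "blog post" and "product positioning" without a title or date. Add the specific document and date for each so the Medium/High confidence ratings can be re-checked at the 2026-05-19 review.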
@@ -209,6 +232,10 @@ When a claim becomes false (e.g., competitor adds feature):
|
||||
| 2025-12-20 | Added DET-004 (content-addressed proof bundles) | Agent |
|
||||
| 2025-12-20 | Added PROOF-001/002/003 (deterministic proof ledgers, proof chains, score replay) | Agent |
|
||||
| 2025-12-20 | Added UNKNOWNS-001/002/003 (two-factor ranking, band prioritization, competitor gap) | Agent |
|
||||
| 2026-02-19 | Added REACH-005/006 (symbolized call-stacks, OCI symbol packs) from competitive advisory review | Product Manager |
|
||||
| 2026-02-19 | Added ATT-005 (Rekor size-aware pointer strategy) from competitive advisory review | Product Manager |
|
||||
| 2026-02-19 | Added COMP-SCOUT-001/002 (Docker Scout gaps) and COMP-JFROG-001/002 (JFrog gaps) from competitive advisory review | Product Manager |
|
||||
| 2026-02-19 | Added COMP-OLIGO-001 (Oligo Security runtime-only gaps) from VEX/call-stack/determinism competitive advisory | Product Manager |
|
||||
|
||||
---
|
||||
|
||||
|
||||
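Review bot: the four 2026-02-19 changelog rows all attribute the additions to "competitive advisory review" or "VEX/call-stack/determinism competitive advisory" without naming or linking that advisory. Earlier rows name the claim IDs but the source document is what a future reviewer needs to re-derive the claims; add a reference to the advisory (file path or ticket) in each row, or in one row covering all four.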