Add Decision Capsules, hybrid reachability, and evidence-linked VEX docs

Introduces new marketing bridge documents for Decision Capsules, Hybrid Reachability, and Evidence-Linked VEX. Updates product vision, README, key features, moat, reachability, and VEX consensus docs to reflect four differentiating capabilities: signed reachability (hybrid static/runtime), deterministic replay, explainable policy with evidence-linked VEX, and sovereign/offline operation. All scan decisions are now described as sealed, reproducible, and audit-grade, with explicit handling of 'Unknown' states and hybrid reachability evidence.
This commit is contained in:
Vladimir Moushkov
2025-12-11 14:15:07 +02:00
parent 0987cd6ac8
commit 1995883476
10 changed files with 982 additions and 65 deletions


@@ -1,52 +1,59 @@
# StellaOps
# Stella Ops
> StellaOps is the sovereign, SBOMfirst security platform that proves every container decision with deterministic scans, explainable policy verdicts, and offlineready provenance.
> Stella Ops isn't just another scanner—it's a different product category: **deterministic, evidence-linked vulnerability decisions** that survive auditors, regulators, and supply-chain propagation.
- **Sovereign by design** bring your own trust roots, vulnerability advisory sources, VEX sources, regional crypto, and Offline Update Kits that never phone home.
- **Deterministic + replayable** every scan can be reproduced bitforbit with DSSE + OpenVEX evidence.
- **Actionable signal** lattice logic ranks exploitability, and the policy engine lets you tailor VEX handling, muting, and expiration rules for your environment.
<!-- TODO: Review for separate approval - updated value proposition -->
Stella Ops delivers **four capabilities no competitor offers together**:
**Proof points:** SBOM dependency and vulnerability dependency cartographing work, deterministic replay manifests, lattice policy UI with OpenVEX, and postquantum trust packs ready for regulated sectors.
1. **Signed Reachability** Every reachability graph is sealed with DSSE; optional edge-bundle attestations for runtime/init/contested paths. Both static call-graph edges and runtime-derived edges can be attested—true hybrid reachability.
2. **Deterministic Replay** Scans run bit-for-bit identical from frozen feeds and analyzer manifests. Auditors and incident responders can re-run historical findings and trust the results weren't tampered with.
3. **Explainable Policy (Lattice VEX)** The lattice engine merges SBOM data, advisories, VEX statements, and waivers into a single verdict with human-readable justifications. Explicit "Unknown" state handling ensures incomplete data never leads to false safety.
4. **Sovereign + Offline Operation** FIPS, eIDAS, GOST, SM, or PQC profiles are first-class toggles. Offline Kits and regional crypto profiles keep every decision inside your perimeter—air-gapped verification works by default.
**Proof points:** Decision Capsules (sealed evidence bundles), SBOM cartographing, deterministic replay manifests, lattice policy UI with OpenVEX, evidence-linked VEX decisions, and postquantum trust packs ready for regulated sectors.
## Choose Your Path
| If you want to… | Open this | Read time |
|-----------------|-----------|-----------|
| Understand the promise and pain we solve | `overview.md` | ≈2min |
| Run a first scan and see the CLI | `quickstart.md` | ≈5min |
| Browse key capabilities at a glance | `key-features.md` | ≈3min |
| Check architecture, road to production, or evaluate fit | See Dig deeper below | ≤30min curated set |
| Understand the promise and pain we solve | `overview.md` | ≈ 2 min |
| Run a first scan and see the CLI | `quickstart.md` | ≈ 5 min |
| Browse key capabilities at a glance | `key-features.md` | ≈ 3 min |
| Check architecture, road to production, or evaluate fit | See "Dig deeper" below | ≤ 30 min curated set |
## Explore the Essentials
1. **Value in context** [Overview](overview.md) compresses the Why + What stories and shows how StellaOps stands apart.
1. **Value in context** [Overview](overview.md) compresses the "Why" + "What" stories and shows how Stella Ops stands apart.
2. **Try it fast** [Quickstart](quickstart.md) walks through fetching the signed bundles, configuring `.env`, and verifying the first scan.
3. **Feature confidence** [Key Features](key-features.md) gives five capability cards covering Delta SBOM, VEX-first policy, Sovereign crypto, Deterministic replay, and Transparent quotas.
3. **Feature confidence** [Key Features](key-features.md) gives nine capability cards covering Decision Capsules, Delta SBOM, VEX-first policy, Sovereign crypto, Deterministic replay, and more.
4. **Up-next checkpoints** [Evaluation checklist](evaluate/checklist.md) helps teams plan Day-0 to Day-30 adoption milestones.
5. **Be dev-ready** [Developer Quickstart](onboarding/dev-quickstart.md) (29-Nov-2025 advisory) walks through the core repos, determinism tests, attestations, and starter issues for a mid-level .NET engineer.
## Key capabilities that define StellaOps
## Key capabilities that define Stella Ops
<!-- TODO: Review for separate approval - updated capabilities table -->
| Capability | What ships | Why it matters |
|------------|------------|----------------|
| **Decision Capsules** | Every scan result is sealed in a content-addressed bundle containing SBOM, vuln feed snapshots, reachability evidence, policy version, derived VEX, and signatures. | Auditors can re-run any capsule bit-for-bit to verify the outcome—audit-grade evidence bundles. |
| **Deterministic ΔSBOM & replay bundles** | Layer-aware cache + replay manifests keep scans reproducible even months later. | Auditors can re-run any verdict with identical inputs, proving integrity without SaaS dependencies. |
| **Pristine advisory mirrors** | OSV, GHSA, NVD, CNVD, CNNVD, ENISA, JVN, BDU, etc. are mirrored as immutable, per-source snapshots—never merged. | Policy (via `scanner.*` / `SCANNER__*`) can trust, down-rank, or ignore sources without rewriting upstream data. |
| **Lattice VEX engine** | OpenVEX, waivers, mitigations, and configs flow through deterministic lattice logic. | Every block/allow decision is explainable, replayable, and environment-specific. |
| **Context fabric** | Static reachability now, optional runtime/eBPF probes at GA so build + runtime signals share one verdict. | Prioritisation spans first-party code, base images, and live telemetry. |
| **Lattice VEX engine (Evidence-Linked)** | OpenVEX, waivers, mitigations, and configs flow through deterministic lattice logic with proof-linked decisions. | Every block/allow decision is explainable, replayable, evidence-linked, and environment-specific. Explicit "Unknown" state handling ensures incomplete data never leads to false safety. |
| **Hybrid Reachability** | Static call-graph analysis + optional runtime/eBPF probes; both edge types can be attested with DSSE. | Build + runtime signals share one verdict; prioritisation spans first-party code, base images, and live telemetry. |
| **Transparency log + trust credits** | Cosign/DSSE bundles push to a Rekor-compatible log; the trust-credit ledger records who accepted a risk. | Compliance teams get provenance plus accountable ownership trails. |
| **Sovereign crypto profiles** | Swap in FIPS, eIDAS, GOST, SM, or PQ-ready providers without code changes. | Meets regional crypto rules while keeping attestations verifiable. |
| **Offline-first operations** | Offline Kit packages the pristine feeds, plug-ins, and configs; import CLI verifies everything locally. | Air-gapped clouds get the same security posture as connected sites. |
| **VEX Propagation** | Generate vulnerability status attestations your downstream consumers can automatically trust and ingest. | Scalable VEX sharing across the supply chain—competitors export VEX formats; Stella provides a unified proof model that can be verified independently. |
| **Enterprise readiness** | Transparent quotas, LDAP/AD SSO, restart-time plug-in SDK, generous free tier. | Large teams keep their workflows without surrendering control to SaaS platforms. |
## Where StellaOps differs from incumbents
## Where Stella Ops differs from incumbents
| Vendor | Where they stop | StellaOps difference |
| Vendor | Where they stop | Stella Ops difference |
|--------|-----------------|-----------------------|
| **Trivy / Syft** | SBOM generation as a CLI add-on; policy left to other products. | SBOM + VEX are the system of record with deterministic replay and signed evidence. |
| **Snyk Container** | Static reachability bounded to first-party code. | Lattice links code, base images, cluster policies, and optional runtime probes so the entire stack shares one score. |
| **JFrog Xray** | Contextual scoring lives behind a closed service. | Policies, DSSE bundles, and transparency logs are open, auditable, and portable. |
| **Docker Scout** | Provenance remains inside Dockers ecosystem. | Any OCI provenance is ingested, signed with your crypto profile, and replayed offline. |
| **Wiz / runtime sensors** | Runtime telemetry is separate from build-time SBOM/VEX evidence. | Optional runtime probes feed the same deterministic lattice so build- and run-time context stay consistent. |
| **Trivy / Syft** | SBOM generation as a CLI add-on; policy left to other products. | SBOM + VEX are the system of record with deterministic replay, Decision Capsules, and signed evidence. |
| **Snyk Container** | Static reachability bounded to first-party code. | Hybrid reachability links code, base images, cluster policies, and optional runtime probes so the entire stack shares one score. |
| **JFrog Xray** | Contextual scoring lives behind a closed service. | Policies, DSSE bundles, Decision Capsules, and transparency logs are open, auditable, and portable. |
| **Docker Scout** | Provenance remains inside Docker's ecosystem. | Any OCI provenance is ingested, signed with your crypto profile, and replayed offline with full evidence. |
| **Wiz / runtime sensors** | Runtime telemetry is separate from build-time SBOM/VEX evidence. | Optional runtime probes feed the same deterministic lattice so build- and run-time context stay consistent; all evidence sealed in Decision Capsules. |
## Dig Deeper (curated reading)
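Review bot: the two `<!-- TODO: Review for separate approval ... -->` comments (before the "four capabilities" paragraph and before the capabilities table) should not be merged into the README; HTML comments are invisible when rendered but ship in the published source, so either resolve the review now or track it in an issue and drop the comments. Separately, the "Decision Capsules" row and the numbered "Deterministic Replay" item both promise bit-for-bit re-runs by auditors, but nothing in this hunk says what the content-addressed bundle pins (analyzer manifest digest, feed snapshot digests, policy version) or where the capsule format is specified; link the spec from the row so the reproducibility claim is verifiable rather than asserted. The "Unknown" state is likewise invoked twice without a pointer to where its semantics are defined, which is the detail a reader evaluating "never leads to false safety" will want.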
@@ -63,4 +70,4 @@ Need more? The full documentation tree ADRs, permodule operations, schema
> **Configuration note:** Feature exposure stays governed by `StellaOps.Scanner.WebService` (`scanner.*` / `SCANNER__*`) settings. See [modules/scanner/architecture.md](modules/scanner/architecture.md) and [modules/scanner/design/surface-env.md](modules/scanner/design/surface-env.md) for the authoritative schema; the docs remain pristine while configuration decides what surfaces for each deployment.
© 2025 StellaOps contributors AGPL3.0orlater
© 2025 Stella Ops contributors AGPL3.0orlater
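Review bot: the replacement copyright line only changes the product name and carries over the mangled license identifier `AGPL3.0orlater` (hyphens lost, as in the `permodule` text of the hunk header); since the line is being rewritten anyway, restore it to the SPDX form `AGPL-3.0-or-later` so the stated license is unambiguous.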