audit notes work completed, test fixes work (95% done), new sprints, new data sources setup and configuration

This commit is contained in:
master
2026-01-14 10:48:00 +02:00
parent d7be6ba34b
commit 95d5898650
379 changed files with 40695 additions and 19041 deletions


@@ -0,0 +1,29 @@
Im sharing this because its a crisp snapshot of how some modern AppSec and supplychain tools *feel* in real workflows—where they fit, and what tradeoffs teams bump into as they try to shift left without losing signal or evidence.
![Image](https://res.cloudinary.com/snyk/image/upload/v1749147041/Snyk_Analytics_Demo_Clip_1.mov_w1xkbd.gif)
![Image](https://speedmedia2.jfrog.com/08612fe1-9391-4cf3-ac1a-6dd49c36b276/media.jfrog.com/wp-content/uploads/2024/11/07153912/Graphic-6.png)
![Image](https://us1.discourse-cdn.com/gitlab/original/3X/6/b/6b5e371792ffaa492ed5a41aaf3c67f3b3db02f2.png)
![Image](https://docs.gitlab.com/user/application_security/policies/img/scan_result_policy_example_bot_message_artifacts_v17_0.png)
![Image](https://us1.discourse-cdn.com/gitlab/original/3X/c/1/c1f1803adab9df1c2fba7d10aab9533b301580e4.jpeg)
**Snyk** leans hard into developerfirst onboarding and inline feedback early in IDE/CI flows, with rich docs and inproduct training that help catch issues before builds, though its still mostly about surfacing textual context and guidance rather than anchored cryptographic evidence about what changed. ([Snyk][1])
**JFrog Xray** brings deep SCA into the artifactcentric world of Artifactory, with detailed binary and vulnerability context tied to your repos; its strong for repocentric enforcement and policy gating, but typical remediation flows are policy or ticketoriented rather than built around machineverifiable proofs. ([JFrog][2])
**GitLabs security scanners** are embedded into its CI/CD and MR experience, showing vulnerability data right in merge requests and making triage visible where devs work; panels tend to prioritize traditional metadata like CVSS and advisory info rather than deterministic proofs or binary diff traces. ([JFrog][3])
**Aqua Security** scans containers and runtimes across lifecycle stages with rich integrations and AIguided remediation suggestions that help push fixes into ticketing/workflows, but such guidance often feels generic without machineverifiable evidence of safety. ([strongdm.com][4])
**Anchores open tools (Syft & Grype)** are SBOMfirst: Syft generates detailed bills of materials, Grype scans them for vulnerabilities; they excel at inventory and actionable plans but their UIs and workflows dont inherently include cryptographic attestations or tight evidenceanchored remediation flows. ([Anchore][5])
Each of these tools is useful in its niche, but the subtle differences in how they onboard devs, present context, and *anchor evidence* matter a lot when youre aiming for deterministic, supplychainproof workflows.
[1]: https://snyk.io/articles/developer-first-security/?utm_source=chatgpt.com "Developer-First Security"
[2]: https://jfrog.com/help/r/jfrog-security-user-guide/products/xray?utm_source=chatgpt.com "Xray"
[3]: https://jfrog.com/jfrog-vs-gitlab/?utm_source=chatgpt.com "JFrog vs GitLab Comparison"
[4]: https://www.strongdm.com/blog/devsecops-tools?utm_source=chatgpt.com "8 DevSecOps Tools for Modern Security-First Teams in 2026"
[5]: https://anchore.com/opensource/?utm_source=chatgpt.com "Open Source Container Security with Syft & Grype"
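Review bot: the sourcing in this hunk does not support its claims about what each tool can and cannot do. The GitLab paragraph (the line beginning **GitLabs security scanners**) is cited to a JFrog marketing page ([JFrog][3], "JFrog vs GitLab Comparison"), i.e. a competitor's comparison, and the Aqua paragraph is cited to a third-party listicle ([strongdm.com][4]) rather than Aqua documentation; neither is a source for the claim that these products lack "machine-verifiable proofs" or "deterministic proofs or binary diff traces". Every reference also carries `?utm_source=chatgpt.com`, which suggests the links were lifted from a chatbot answer without being checked; strip the tracking parameter and replace [3] and [4] with vendor documentation (the GitLab screenshot on the `docs.gitlab.com` line already points at the right place). The five image embeds hotlink assets from cloudinary, jfrog media and discourse-cdn; vendoring them into the repo would keep the note readable when those URLs rot and avoid leaking referrers to third parties. Finally, the closing line asserts that "anchor evidence" differences matter "when youre aiming for deterministic, supplychainproof workflows" but never states what evidence format the audit expects (SBOM attestation, provenance, signed diff); one sentence defining that bar would make the per-tool verdicts checkable. Note the file path is not shown on this commit page, so reviewers cannot tell where in the audit notes this lands.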