stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 14 Releases Wiki Activity

add advisories

Browse Source
This commit is contained in:
master
2025-12-09 18:45:57 +02:00
committed by StellaOps Bot
parent 199aaf74d8
commit 96e5646977
23 changed files with 9284 additions and 762 deletions
Download Patch File Download Diff File Expand all files Collapse all files

470
docs/product-advisories/03-Dec-2025 - Comparing Proof‑Linked VEX UX Across Tools.md Normal file
View File

@@ -0,0 +1,470 @@
I thought youd be interested in this — theres real momentum toward exactly what you want for Stella Opss vision: tools now offer VEXbased attestations and more advanced UX around vulnerability context and suppression.
![Image](https://i.ytimg.com/vi/Ibt6o8M2IHw/maxresdefault.jpg)
![Image](https://anchore.com/wp-content/uploads/2019/07/1.webp)
![Image](https://community.cisco.com/t5/image/serverpage/image-id/182531i5AF166716BF84583?v=v2)
## ✅ What others are doing now that matches Stellas roadmap
* **Docker Scout** — already supports creating exceptions using VEX documents, both via CLI and GUI. That means you can attach a VEX (OpenVEX) statement to a container image marking certain CVEs nonapplicable, fixed, or mitigated. Scout then automatically suppresses those CVEs from scan results. ([Docker Documentation][1])
* The CLI now includes a command to fetch a merged VEX document (`docker scout vex get`), which allows retrieving the effective vulnerabilitystatus attestations for a given image. That gives a machinereadable manifest of “what is safe/justified.” ([Docker Documentation][2])
* Exception management via GUI: you can use the dashboard or Docker Desktop to create “Accepted risk” or “False positive” exceptions, with justifications and scopes (single image, repo, org-wide, etc.). That ensures flexibility when a vulnerability exists but is considered safe given context. ([Docker Documentation][3])
* **Anchore Enterprise** — with release 5.23 (Nov 10, 2025), it added support for exporting vulnerability annotations in the format of CycloneDX VEX, plus support for vulnerability disclosure reports (VDR). That means teams can annotate which CVEs are effectively mitigated, nonapplicable, or fixed, and generate standardized VEX/VDR outputs. ([Anchore][4])
* Anchores UI now gives improved UX: rather than just a severity pie chart, there are linear metrics — severity distribution, EPSS score ranges, KEV status, fix availability — and filtering tools to quickly assess risk posture. Annotations are accessible via UI or API, making vulnerability justification part of the workflow. ([Anchore Documentation][5])
Because of these developments, a product like Stella can realistically embed inline “Show Proof” / “Why safe?” panels that link directly to VEX documents or attestation digests — much like what Docker Scout and Anchore now support.
## 🔍 What this suggests for Stellas UX & Feature Moats
* **Inline attestation linkage is viable now.** Since Docker Scout allows exporting/ fetching VEX JSON attestation per image, Stella could similarly pull up a VEX file and link users to it (or embed it) in a “Why safe?” panel.
* **Vendor-agnostic VEX support makes dual-format export (OpenVEX + CycloneDX) a realistic baseline.** Anchores support for both formats shows that supply-chain tools are converging; Stella can adopt the same approach to increase interoperability.
* **Exception annotation + context-aware suppression is feasible.** The “Accepted risk / False positive” model from Docker Scout — including scope, justification, and organizational visibility — gives a blueprint for how Stella might let users record contextual judgments (e.g. “component unused”, “mitigated by runtime configuration”) and persist them in a standardized VEX message.
* **Better UX for risk prioritization and filtering.** Anchores shift from pie-chart severity to multi-dimensional risk summaries (severity, EPSS, fix status) gives a better mental model for users than raw CVE counts. Stellas prioritization UI could adopt a similar holistic scoring approach — perhaps further enriched by runtime context, as you envision.
## ⚠️ What to watch out for
* The field of VEXbased scanning tools is still maturing. A recent academic paper found that different VEXaware scanners often produce inconsistent vulnerabilitystatus results on the same container images — meaning that automated tools still differ substantially in interpretation. ([arXiv][6])
* As reported by some users of Docker Scout, there are occasional issues when attaching VEX attestations to images in practice — e.g. attestations arent always honored in the web dashboard or CLI unless additional steps are taken. ([Docker Community Forums][7])
---
Given all this — your Stella Ops moats around deterministic, auditready SBOM/VEX bundles and inline proof panels are *absolutely* aligned with the current trajectory of industry tooling.
If you like, I can collect **510 recent opensource implementations** (with links) that already use VEX or CycloneDX extents of exactly this kind — could be useful reference code or inspiration for Stella.
[1]: https://docs.docker.com/scout/how-tos/create-exceptions-vex/?utm_source=chatgpt.com "Create an exception using the VEX"
[2]: https://docs.docker.com/scout/release-notes/cli/?utm_source=chatgpt.com "Docker Scout CLI release notes"
[3]: https://docs.docker.com/scout/how-tos/create-exceptions-gui/?utm_source=chatgpt.com "Create an exception using the GUI"
[4]: https://anchore.com/blog/anchore-enterprise-5-23-cyclonedx-vex-and-vdr-support/?utm_source=chatgpt.com "Anchore Enterprise 5.23: CycloneDX VEX and VDR Support"
[5]: https://docs.anchore.com/current/docs/release_notes/enterprise/5230/?utm_source=chatgpt.com "Anchore Enterprise Release Notes - Version 5.23.0"
[6]: https://arxiv.org/abs/2503.14388?utm_source=chatgpt.com "Vexed by VEX tools: Consistency evaluation of container vulnerability scanners"
[7]: https://forums.docker.com/t/struggling-with-adding-vex-attestations-with-docker-scout/143422?utm_source=chatgpt.com "Struggling with adding vex attestations with docker scout"
Good, lets pivot explicitly to DevOps as the primary persona and strip the UX down to what helps them ship and sleep.
Ill frame this as a reusable guideline document you can drop into `docs/ux/ux-devops-guidelines.md`.
---
## 1. DevOps mental model
Design every surface assuming:
* They are under time pressure, context-switching, and on-call.
* They already live in:
* CI logs and pipeline dashboards
* Chat (alerts, incident rooms)
* Kubernetes / Docker / Terraform / Ansible
* They tolerate *some* complexity, but hate ceremony and “wizards”.
**Rule:** Stella UX for DevOps must always answer one of three questions clearly:
1. Can I ship this?
2. If not, what exactly blocks me?
3. Whats the minimum safe change to unblock?
Everything else is secondary.
---
## 2. Global UX principles for DevOps
1. **Pipeline-first, UI-second**
* Every decision surfaced in the UI must be reproducible via:
* CLI
* API
* Pipeline config (YAML)
* UI is the “explainer & debugger”, not the only interface.
2. **Time-to-evidence ≤ 30 seconds**
* From a red flag in the pipeline to concrete, human-readable evidence:
* Max 3 clicks / interactions.
* No abstract “risk scores” without a path to:
* SBOM line
* VEX statement
* Feed / CVE record
* Artifact / image name + digest
3. **Three-step resolution path**
For any finding in the UI:
1. See impact: “What is affected, where, and how bad?”
2. See options: “Fix now / Waive with proof / Defer with conditions”
3. Generate action: patch snippet, ticket, MR template, or policy change.
4. **No dead ends**
* Every screen must offer at least one next action:
* “Open in pipeline run”
* “Open in cluster view”
* “Create exception”
* “Open proof bundle”
* “Export as JSON”
5. **Deterministic, not magical**
* Always show *why* a decision was made:
* Why did the lattice say “not affected”?
* Why is this vulnerability prioritized over others?
* DevOps must be able to say in an incident review:
“Stella said this is safe because X, Y, Z.”
---
## 3. Core views DevOps actually need
### 3.1. Pipeline / run-centric view
**Use:** during CI/CD failures and investigations.
Key elements:
* List of recent runs with status:
* ✅ Passed with notes
* 🟡 Passed with waivers
* 🔴 Failed by policy
* Columns:
* Commit / branch
* Image(s) or artifacts involved
* Policy summary (“Blocked: critical vuln with no VEX coverage”)
* Time-to-evidence: clickable “Details” link
On clicking a failed run:
* Top section:
* “Why this run failed” in one sentence.
* Example:
`Blocked: CVE-2025-12345 (Critical, reachable, no fix, no VEX proof).`
* Immediately below:
* Button: **“Show evidence”** → opens vulnerability detail with:
* SBOM component
* Path in image (e.g. `/usr/lib/libfoo.so`)
* Feed record used
* VEX status (if any)
* Lattice verdict (“reachable because …”)
* Side rail:
* “Possible actions”:
* Propose upgrade (version suggestions)
* Draft exception (with required justification template)
* Open in cluster view (if deployed)
* Export proof bundle (for auditor / security team)
### 3.2. Artifact-centric view (image / component)
**Use:** when DevOps wants a clean risk story per image.
Key elements:
* Title: `<registry>/<repo>:<tag> @ sha256:…`
* Score block:
* Number of vulnerabilities by status:
* Affected
* Not affected (with VEX proof)
* Fixed in newer tag
* Policy verdict: “Allowed / Allowed with waivers / Blocked”
* “Proof Spine” panel:
* SBOM hash
* VEX attestation hashes
* Scan manifest hash
* Link to Rekor / internal ledger entry (if present)
* Table:
* Column set:
* CVE / ID
* Effective status (after VEX & lattice)
* Reachability (reachable / not reachable / unknown)
* Fix available?
* Exceptions applied?
* Filters:
* “Show only blockers”
* “Show only items with VEX”
* “Show only unknown reachability”
From here, DevOps should be able to:
* Promote / block this artifact in specific environments.
* Generate a short “risk summary” text to paste into change records.
### 3.3. Environment / cluster-centric view
**Use:** operational posture and compliance.
Key elements:
* Node: `environment → service → artifact`.
* Color-coded status:
* Green: no blockers / only accepted risk with proof
* Yellow: waivers that are close to expiry or weakly justified
* Red: policy-violating deployments
* For each service:
* Running image(s)
* Last scan age
* VEX coverage ratio:
* “80% of critical vulns have VEX or explicit policy decision”
Critical UX rule:
From a red environment tile, DevOps can drill down in 2 steps to:
1. The exact conflicting artifact.
2. The exact vulnerability + policy rule causing the violation.
---
## 4. Evidence & proof presentation
For DevOps, the key is: **“Can I trust this automated decision during an incident?”**
UX pattern for a single vulnerability:
1. **Summary strip**
* `CVE-2025-12345 · Critical · Reachable · No fix`
* Small chip: `Policy: BLOCK`
2. **Evidence tabs**
* `SBOM`
Exact component, version, and path.
* `Feeds`
Which feed(s) and timestamps were used.
* `VEX`
All VEX statements (source, status, time).
* `Lattice decision`
Human-readable explanation of why the final verdict is what it is.
* `History`
Changes over time: “Previously not affected via vendor VEX; changed to affected on <date>.”
3. **Action panel**
* For DevOps:
* “Suggest upgrade to safe version”
* “Propose temporary exception”
* “Re-run scan with latest feeds” (if allowed)
* Guardrail: exceptions require:
* Scope (image / service / environment / org)
* Duration / expiry
* Justification text
* Optional attachment (ticket link, vendor email)
---
## 5. Exception & waiver UX specifically for DevOps
DevOps needs fast but controlled handling of “we must ship with this risk.”
Guidelines:
1. **Default scope presets**
* “This run only”
* “This branch / service”
* “This environment (e.g. staging only)”
* “Global (requires higher role / Authority approval)”
2. **Strong, structured justification UI**
* Dropdown reason categories:
* “Not reachable in this deployment”
* “Mitigated by config / WAF”
* “Vendor VEX says not affected”
* “Business override / emergency”
* Required free-text field:
* 23 suggested sentence starters to prevent “OK” as justification.
3. **Expiry as first-class attribute**
* Every exception must show:
* End date
* “Time left” indicator
* UI warning when exceptions are about to expire in critical environments.
4. **Audit-friendly timeline**
* For each exception:
* Who created it
* Which run / artifact triggered it
* Policy evaluation before/after
DevOps UX goal:
Create waiver in < 60 seconds, but with enough structure that auditors and security are not furious later.
---
## 6. CLI and automation UX
DevOps often never open the web UI during normal work; they see:
* CLI output
* Pipeline logs
* Alerts in chat
Guidelines:
1. **Stable, simple exit codes**
* `0` = no policy violation
* `1` = policy violation
* `2` = scanner/system error (distinguish clearly from found vulns”)
2. **Dual output**
* Human-readable summary:
* Short, 35 lines by default
* Machine-readable JSON:
* `--output json` or auto-detected in CI
* Includes links to:
* Web UI run page
* Proof bundle ID
* Rekor / ledger reference
3. **Minimal default noise**
* Default CLI mode is concise; verbose details via `-v`/`-vv`.
* One-line per blocking issue, with an ID you can copy into the web UI.
4. **Copy/paste-friendly**
* IDs, hashes, URLs must be selectable and minimally noisy.
* Dont wrap hashes in decorations that make copy hard.
---
## 7. Alerting & incident integration
When DevOps is on-call, Stella UX should behave like a good colleague, not a chatty auditor.
1. **Alert text pattern**
* Subject / title:
* `[Stella] Production blocked: Image X (CVE-YYYY-NNNN)`
* First line:
* Policy blocked deployment of `<service>@<env>` due to: `<summary>`
* Then a single deep link:
* Open in Stella (Run #12345)”
2. **Degraded-mode cues**
* If feeds are stale or air-gapped kit is outdated:
* Clear banner in UI and in CLI output:
* Scanner currently operating with feeds from <date>. Confidence reduced.”
* This is vital for trustworthy DevOps decisions.
---
## 8. Metrics that matter for DevOps UX
To keep DevOps-focused UX honest, track:
* Median **time from pipeline failure to first evidence view**.
* Median **time from evidence view to decision** (fix / exception / revert).
* % of exceptions with:
* Valid justification
* Non-expired status
* % of blocked deployments that were later overruled by humans, by reason.
Use these to iteratively simplify screens and flows that DevOps clearly struggle with.
---
If you want, the next step can be:
* A concrete wireframe spec for **one key flow**, for example:
“Pipeline fails → DevOps opens Stella → applies time-bounded exception for staging, but not production.”
That can be expressed as step-by-step UI states that you hand to your frontend devs.
Stella DevOps UX Implementation Guide
1. DevOps Mental Model
Development Direction: Align the platforms design with a DevOps engineers mental model of the software delivery flow. All key entities (pipelines, builds, artifacts, environments, deployments) should be first-class concepts in both UI and API. The system must allow tracing the path from code commit through CI/CD pipeline to the artifact and finally to the running environment, reflecting how DevOps think about changes moving through stages. This means using consistent identifiers (e.g. commit SHA, artifact version, build number) across views so everything is linked in a coherent flow[1]. For example, an engineer should easily follow a chain from a security control or test result, to the artifact produced, to where that artifact is deployed.
Implementation Plan: Model the domain objects (pipeline runs, artifacts, environments) in the backend with clear relationships. For instance, store each pipeline run with metadata: commit ID, associated artifact IDs, and target environment. Implement linking in the UI: pipeline run pages link to the artifacts they produced; artifact pages link to the deployments or environments where theyre running. Use tags or labels (in a database or artifact repository metadata) to tie artifacts back to source commits or tickets. This could leverage existing CI systems (Jenkins, GitLab CI, etc.) by pulling their data via APIs, or be built on a custom pipeline engine (e.g. Tekton on Kubernetes for native pipeline CRDs). Ensure any integration (with Git or ticketing) populates these references automatically. By tagging and correlating objects, we enable deep linking: e.g. clicking an artifacts version shows which pipeline produced it and which environment it's in[1].
DevOps-facing Outcome: DevOps users will experience a platform that “thinks” the way they do. In practice, they can trace a story of a change across the system: for a given commit, see the CI/CD run that built it, view the artifact (container image, package, etc.) with its SBOM and test results attached, and see exactly which environment or cluster is running that version[1]. This traceability instills confidence its obvious where any given change is and what happened to it. New team members find the UI intuitive because it mirrors real deployment workflows rather than abstract concepts.
2. Global UX Principles for DevOps
Development Direction: Build the user experience with an emphasis on clarity, consistency, and minimal friction for DevOps tasks. The platform should be intuitive enough that common actions require few clicks and little to no documentation. Use familiar conventions from other DevOps tools (icons, terminology, keyboard shortcuts) to leverage existing mental models[2]. Prioritize core functionality over feature bloat to keep the interface straightforward focus on the top tasks DevOps engineers perform daily. Every part of the tool (UI, CLI, API) should follow the same design principles so that switching contexts doesnt confuse the user[3].
Implementation Plan: Adopt a consistent design system and navigation structure across all modules. For example, use standard color coding (green for success, red for failure) and layout similar to popular CI/CD tools for pipeline status to meet user expectations[2]. Implement safe defaults and templates: e.g. provide pipeline configuration templates and environment defaults so users arent overwhelmed with setup (following “convention over configuration” for common scenarios[4]). Ensure immediate, contextual feedback in the UI if a pipeline fails, highlight the failed step with error details right there (no hunting through logs unnecessarily). Incorporate guidance into the product: for instance, tooltips or inline hints for first-time setup, but design the flow so that the “right way” is also the easiest way (leveraging constraints to guide best practices[5]). Integrate authentication and SSO with existing systems (LDAP/OIDC) to avoid extra logins, and integrate with familiar interfaces (ChatOps, Slack, IDE plugins) to reduce context-switching. Maintain parity between the web UI and CLI by making both use the same underlying APIs this ensures consistency and that improvements apply to all interfaces. In development, use UX best practices such as usability testing with actual DevOps users to refine workflows (e.g. ensure creating a new environment or pipeline is a short, logical sequence). Keep pages responsive and lightweight for quick load times, as speed is part of good UX.
DevOps-facing Outcome: DevOps practitioners will find the tool intuitive and efficient. They can accomplish routine tasks (triggering a deployment, approving a change, checking logs) without referring to documentation, because the UI naturally leads them through workflows. The system provides feedback that is specific and actionable for example, error messages clearly state what failed (e.g. “Deployment to QA failed policy check X”) and suggest next steps (with a link to the policy or waiver option), rather than generic errors[6]. Users notice that everything feels familiar: the terminology matches their conventions, and even the CLI commands and outputs align with tools they know. Friction is minimized: they arent wasting time on redundant confirmations or searching for information across different screens. Overall, this leads to improved flow state and productivity the tool “gets out of the way” and lets DevOps focus on delivering software[3].
3. Core Views DevOps Actually Need
Pipeline/Run-Centric View
Development Direction: Provide a pipeline-run dashboard that gives a real-time and historical view of CI/CD pipeline executions. DevOps users need to see each pipeline runs status, stages, and logs at a glance, with the ability to drill down into any step. Key requirements include visual indicators of progress (running, passed, failed), links to related entities (commit, artifacts produced, deployment targets), and controls to re-run or rollback if needed. Essentially, we need to build what is often seen in tools like Jenkins Blue Ocean or GitLab Pipelines: a clear timeline or graph of pipeline stages with results. The view should support filtering (by branch, status, timeframe) and show recent pipeline outcomes to quickly spot failures[7].
Implementation Plan: Leverage the CI systems data to populate this view. If using an existing CI (Jenkins/GitLab/GitHub Actions), integrate through their APIs to fetch pipeline run details (jobs, status, logs). Alternatively, if building a custom pipeline service (e.g. Tekton on Kubernetes), use its pipeline CRDs and results to construct the UI. Implement a real-time update mechanism (WebSocket or long-poll) so users can watch a running pipelines progress live (e.g. seeing stages turn green or red as they complete). The UI could be a linear timeline of stages or a node graph for parallel stages. Each stage node should be clickable to view logs and any artifacts from that stage. Include a sidebar or modal for logs with search and highlight (so DevOps can quickly diagnose failures). Provide controls to download logs or artifacts right from the UI. Integrate links: e.g. the commit hash in the pipeline header links to the SCM, the artifact name links to the artifact repository or artifact-centric view. If a pipeline fails a quality gate or test, highlight it and possibly prompt next actions (create a ticket or issue, or jump to evidence). Use CI webhooks or event listeners to update pipeline status in the platform database, and maintain a history of past runs. This can be backed by a database table (storing run id, pipeline id, status, duration, initiator, etc.) for querying and metrics.
DevOps-facing Outcome: The pipeline-centric view becomes the mission control for builds and releases. A DevOps engineer looking at this dashboard can immediately answer: “Whats the state of our pipelines right now?” Theyll see perhaps a list or grid of recent runs, with status color-codes (e.g. green check for success, red X for failure, yellow for running). They can click a failed pipeline and instantly see which stage failed and the error message, without wading through raw logs. For a running deployment, they might see a live streaming log of tests and a progress bar of stages. This greatly speeds up troubleshooting and situational awareness[7]. Moreover, from this view they can trigger actions e.g. re-run a failed job or approve a manual gate making it a one-stop interface for pipeline operations. Overall, this view ensures that pipeline status and history are highly visible (no more digging through Jenkins job lists or disparate tools), which supports faster feedback and collaboration (e.g. a team board showing these pipeline dashboards to all team members[7]).
Artifact-Centric View
Development Direction: Create an artifact-centric view that tracks the build outputs (artifacts) through their lifecycle. DevOps teams often manage artifacts like container images, binaries, or packages that are built once and then promoted across environments. This view should list artifact versions along with metadata: what build produced it, which tests it passed, security scan results, and where its currently deployed. The guiding principle is “promote artifacts, not code” once an artifact is proven in one environment, it should be the same artifact moving forward[8]. Therefore, the system must support viewing an artifact (say version 1.2.3 of a service) and seeing its chain of custody: built by Pipeline #123 from Commit ABC, signed and stored in registry, deployed to Staging, awaiting promotion to Prod. It should also highlight if an artifact is approved (all checks passed) or if it carries any waivers/exceptions.
Implementation Plan: Integrate with artifact repositories and registries. For example, if using Docker images, connect to a container registry (AWS ECR, Docker Hub, etc.) via API or CLI to list image tags and digests. For JARs or packages, integrate with a binary repository (Artifactory, Nexus, etc.). Store metadata in a database linking artifact IDs (e.g. digest or version) to pipeline run and test results. The implementation could include a dedicated microservice to handle artifact metadata: when a pipeline produces a new artifact, record its details (checksum, storage URL, SBOM, test summary, security scan outcome). Implement the artifact view UI to display a table or list of artifact versions, each expandable to show details like: build timestamp, commit ID, link to pipeline run, list of environments where its deployed, and compliance status (e.g. “Signed ✅, Security scan ✅, Tests ✅”). Provide actions like promoting an artifact to an environment (which could trigger a deployment pipeline or Argo CD sync behind the scenes). Include promotion workflows with approvals e.g. a button to “Promote to Production” that will enforce an approval if required by policy[8]. Ensure the artifact view can filter or search by component/service name and version. Behind the scenes, implement retention policies for artifacts (possibly configurable) and mark artifacts that are no longer deployed so they can be archived or cleaned up[8]. Use signing tools (like Cosign for container images) and display signature verification status in the UI to ensure integrity[8]. This likely means storing signature info and verification results in our metadata DB and updating on artifact fetch.
DevOps-facing Outcome: Users gain a single source of truth for artifacts. Instead of manually cross-referencing CI runs and Docker registries, they can go to “Artifact X version Y” page and get a comprehensive picture: “Built 2 days ago from commit abc123 by pipeline #56[8]. Passed all tests and security checks. Currently in UAT and Prod.” They will see if the artifact was signed and by whom, and they can trust that what went through QA is exactly whats in production (no surprise re-builds). If an artifact has a known vulnerability, they can quickly find everywhere its running. Conversely, if a deployment is failing, they can confirm the artifacts provenance (maybe the issue is that it wasnt the artifact they expected). This view also streamlines promotions: a DevOps engineer can promote a vetted artifact to the next environment with one click, knowing the platform will handle the deployment and update the status. Overall, the artifact-centric view reduces release errors by emphasizing immutability and traceability of builds, and it gives teams confidence that only approved artifacts progress through environments[8].
Environment/Cluster-Centric View
Development Direction: Provide an environment or cluster-centric dashboard focusing on the state of each deployment environment (Dev, QA, Prod, or specific Kubernetes clusters). DevOps need to see what is running where and the health/status of those environments. This view should show each environments active versions of services, configuration, last deployment time, and any pending changes or issues. Essentially, when selecting an environment (or a cluster), the user should see all relevant information: which artifacts/versions are deployed, whether there are any out-of-policy conditions, recent deployment history for that environment, and live metrics or alerts for it. Its about answering “Is everything OK in environment X right now? Whats deployed there?” at a glance. The environment view should also integrate any Infrastructure-as-Code context e.g. show if the environments infrastructure (Terraform, Kubernetes resources) is in sync or drifted from the desired state.
Implementation Plan: Represent environments as entities in the system with attributes and links to resources. For a Kubernetes cluster environment, integrate with the K8s API or Argo CD to fetch the list of deployed applications and their versions. For VM or cloud environments, integrate with deployment scripts or Terraform state: e.g. tag deployments with an environment ID so the system knows whats deployed. Implement an environment overview page showing a grid or list of services in that environment and their current version (pull this from a deployment registry or continuous delivery tool). Include environment-specific status checks: e.g. call Kubernetes for pod statuses or use health check endpoints of services. If using Terraform or another IaC, query its state or run a drift detection (using Terraform plan or Terraform Cloud APIs) to identify differences between desired and actual infrastructure; highlight those if any. Additionally, integrate recent deployment logs: e.g. “Deployed version 1.2.3 of ServiceA 2 hours ago by pipeline #45 (passed ✅)” so that context is visible[7]. Enable quick access to logs or monitoring: e.g. links to Kibana for logs or Prometheus/Grafana for metrics specific to that environment. For environment config, provide a way to manage environment-specific variables or secrets (possibly by integrating with a vault or config management). This view might also expose controls like pausing deployments (maintenance mode) or manually triggering a rollback in that environment. If the organization uses approval gates on environments, show whether the environment is open for deployment or awaiting approvals. Use role-based access control to ensure users only see and act on environments theyre allowed to. In terms of tech, you might integrate with Kubernetes via the Kubernetes API (client libraries) for cluster state, and with cloud providers (AWS, etc.) for resource statuses. If multiple clusters, aggregate them or allow selecting each.
DevOps-facing Outcome: When a DevOps engineer opens the environment view (say for “Production”), they get a comprehensive snapshot of Prod. For example, they see that Service A version 2.3 is running (with a green check indicating all health checks pass), Service B version 1.8 is running but has a warning (perhaps a policy violation or a pod restarting). They can see that the last deployment was yesterday, and maybe an approval is pending for a new version (clearly indicated). They also notice any environment-level alerts (e.g. “Disk space low” or “Compliance drift detected: one config changed outside of pipeline”). This reduces the need to jump between different monitoring and deployment tools key information is aggregated. They can directly access logs or metrics if something looks off. For example, if an incident occurs in production, the on-call can open this view to quickly find what changed recently and on which nodes. The environment-centric view thus bridges operations and release info: its not just what versions are deployed, but also their run-state and any issues. As a result, DevOps teams can more effectively manage environments, verify deployments, and ensure consistency. This high-level visibility aligns with best practices where environments are monitored and audited continuously[9] the UI will show deployment history and status in one place, simplifying compliance and troubleshooting.
4. Evidence & Proof Presentation
Development Direction: The platform must automatically collect and present evidence of compliance and quality for each release, making audits and reviews straightforward. This means every pipeline and deployment should leave an “evidence trail” test results, security scan reports, configuration snapshots, audit logs that is organized and accessible. DevOps users (and auditors or security teams) need a dedicated view or report that proves all required checks were done (for example, that an artifact has an SBOM, passed vulnerability scanning, was signed, and met policy criteria). Essentially, treat evidence as a first-class artifact of the process, not an afterthought[1]. The UX should include dashboards or evidence pages where one can inspect and download these proofs, whether for an individual release or an environments compliance status.
Implementation Plan: Automate evidence generation and storage in the CI/CD pipeline. Incorporate steps in pipelines to generate artifacts like test reports (e.g. JUnit XML, coverage reports), security scan outputs (SAST/DAST results, SBOMs), and policy compliance logs. Use a secure storage (artifact repository or object storage bucket) for these evidence artifacts. For example, after a pipeline run, store the JUnit report and link it to that run record. Implement an “Evidence” section in the UI for each pipeline run or release: this could list the artifacts with download links or visual summaries (like a list of passed tests vs failed tests, vulnerability counts, etc.). Leverage “audit as code” practices encode compliance checks as code so their output can be captured as evidence[10]. For instance, if using Policy as Code (OPA, HashiCorp Sentinel, etc.), have the pipeline produce a policy evaluation report and save it. Use version-controlled snapshots: for a deployment, take a snapshot of environment configuration (container image digests, config values) and store that as a JSON/YAML file as evidence of “what was deployed”. Utilize tagging and retention: mark these evidence files with the build or release ID and keep them immutably (perhaps using an object store with write-once settings[1]). Integrate a compliance dashboard that aggregates evidence status e.g. “100% of builds have test reports, 95% have no critical vulns” etc., for a quick view of compliance posture[10]. We may implement a database of compliance statuses (each control check per pipeline run) to quickly query and display summaries. Also, provide an export or report generation feature: allow users to download an “attestation bundle” (ZIP of SBOMs, test results, etc.) for a release to provide to auditors[1]. Security-wise, ensure this evidence store is append-only to prevent tampering (using object locks or checksums). In terms of tech, tools like SLSA attestations can be integrated to sign and verify evidence (for supply chain security). The UI can show verification status of attestation signatures to prove integrity.
DevOps-facing Outcome: DevOps teams and compliance officers will see a clear, accessible trail of proof for each deployment. For example, when viewing a particular release, they might see: Tests: 120/120 passed (link to detailed results), Security: 0 critical vulns (link to scanner report), Config Audit: 1 minor deviation (waiver granted, link to waiver details). They can click any of those to dive deeper e.g. open the actual security scan report artifact or view the SBOM file. Instead of scrambling to gather evidence from multiple tools at audit time, the platform surfaces it continuously[10][1]. An auditor or DevOps lead could open a compliance dashboard and see in real-time that all production releases have the required documentation and checks attached, and even download a bundle for an audit. This builds trust with stakeholders: when someone asks “How do we know this release is secure and compliant?”, the answer is a few clicks away in the evidence tab, not a week-long hunt. It also helps engineers themselves if a question arises about “Did we run performance tests before this release?”, the evidence view will show if that artifact is present. By making evidence visible and automatic, it encourages teams to incorporate compliance into daily work (no more hidden spreadsheets or missing screenshots), ultimately making audits “boringly” smooth[1].
5. Exception & Waiver UX
Example of an exemption request form (Harness.io) where a user selects scope (pipeline, target, project), duration, and reason for a waiver. Our implementation will provide a similar interface to manage policy exceptions.
Development Direction: Implement a controlled workflow for exceptions/waivers that allows DevOps to override certain failures (policy violations, test failures) only with proper approval and tracking. In real-world pipelines, there are cases where a security vulnerability or policy may be temporarily excepted (waived) to unblock a deployment but this must be done transparently and with accountability. The UX should make it easy to request an exception when needed (with justification) and to see the status of that request, but also make the presence of any waivers very visible to everyone (so theyre not forgotten). Key requirements: ability to request a waiver with specific scope (e.g. just for this pipeline run or environment, vs broader), mandatory reason and expiration for each waiver, an approval step by authorized roles, and an “exception register” in the UI that lists all active waivers and their expiry[11]. Essentially, treat waivers as temporary, auditable objects in the system.
Implementation Plan: Build a feature where pipeline policy checks or scan results that would fail the pipeline can be turned into an exception request. For example, if a pipeline finds a critical vulnerability, provide a “Request Waiver” button next to the failure message in the UI. This triggers a form (like the image example) to capture details: scope of waiver (this specific deployment, this application, or whole project)[12], duration (e.g. 14 days or until a certain date), and a required reason category and description (like “Acceptable risk low impact, fix in next release” or “False positive”[13]). Once submitted, store the request in a database with status “Pending” and notify the appropriate approvers (could integrate with email/Slack or just within the app). Implement an approval interface where a security lead or product owner can review the request and either approve (possibly adjusting scope or duration)[14] or reject it. Use role-based permissions to ensure only certain roles (e.g. Security Officer) can approve. If approved, the pipeline or policy engine should automatically apply that exception: e.g. mark that particular check as waived for the specified scope. This could be implemented by updating a policy store (for instance, adding an entry that “vuln XYZ is waived for app A in staging until date D”). The pipeline then reads these waivers on the next run so it doesnt fail for a known, waived issue. Ensure the waiver is time-bound: perhaps schedule a job to auto-expire it (or the pipeline will treat it as fail after expiration). In the UI, implement an “Active Waivers” dashboard[11] listing all current exceptions, with details: what was waived, why, who approved, and countdown to expiration. Possibly show this on the environment and artifact views too (e.g. a banner “Running with 1 waiver: CVE-1234 in ServiceA (expires in 5 days)”). Also log all waiver actions in the audit trail. Technically, this could integrate with a policy engine like OPA e.g. OPA could have a data map of exceptions which the policies check. Or simpler, our apps database serves as the source of truth and our pipeline code consults it. Finally, enforce in code that any exception must have an owner and expiry set (no indefinite waivers) e.g. do not allow submission without an expiry date, and prevent using expired waivers (pipeline should fail if an expired waiver is encountered). This follows the best practice of “time-boxed exceptions with owners”[11].
DevOps-facing Outcome: Instead of ad-hoc Slack approvals or lingering risk acceptances, DevOps users get a transparent, self-service mechanism to handle necessary exceptions. For example, if a pipeline is blocking a deployment due to a vulnerability that is a false positive, the engineer can click “Request Waiver”, fill in the justification (selecting “False positive” and adding notes) and submit. They will see the request in a pending state and, if authorized, an approver will get notified. Once approved, the pipeline might automatically continue or allow a rerun to succeed. In the UI, a clear label might mark that deployment as “Waiver applied” so its never hidden[15]. The team and auditors can always consult the Waivers dashboard to see, for instance, that “CVE-1234 in ServiceA was waived for 7 days by Jane Doe on Oct 10, reason: Acceptable risk[15].” As waivers near expiration, perhaps the system alerts the team to fix the underlying issue. This prevents “forever exceptions” its obvious if something is continuously waived. By integrating this UX, we maintain velocity without sacrificing governance: teams arent stuck when a known low-risk issue pops up, but any deviation from standards is documented and tracked. Over time, the exception log can even drive improvement (e.g. seeing which policies frequently get waived might indicate they need adjustment). In summary, DevOps engineers experience a workflow where getting an exception is streamlined yet responsible, and they always know which releases are carrying exceptions (no surprises to be caught in audits or incidents)[11].
6. CLI and Automation UX
Development Direction: Offer a powerful CLI tool that mirrors the capabilities of the UI, enabling automation and scripting of all DevOps workflows. DevOps engineers often prefer or need command-line access for integration into CI scripts, Infrastructure as Code pipelines, or simply for speed. The CLI experience should be considered part of the products UX it must be intuitive, consistent with the UI concepts, and provide useful output (including machine-readable formats). Essentially, anything you can do in the web console (view pipeline status, approve a waiver, deploy an artifact, fetch evidence) should be doable via the CLI or API. This empowers advanced users and facilitates integration with other automation (shell scripts, CI jobs, Git hooks, etc.). A good CLI follows standard conventions and provides help, clear errors, and supports environment configuration for non-interactive use.
Implementation Plan: Develop the CLI as a first-class client to the platforms REST/GraphQL API. Likely implement it in a language suited for cross-platform command-line tools (Go is a common choice for CLIs due to easy binary distribution, or Python for rapid development with an installer). Use an existing CLI framework (for Go, something like Cobra or Click for Python) to structure commands and flags. Ensure the commands map closely to the domain: e.g. stella pipeline list, stella pipeline logs <id>, stella artifact promote <artifact> --env prod, stella evidence download --release <id>, stella waiver request ... etc. Follow common UNIX CLI design principles: support --help for every command, use short (-f) and long (--force) flags appropriately, and return proper exit codes (so scripts can detect success/failure). Include output format switches, e.g. --output json for commands to get machine-parseable output (allowing integration with other tools). Integrate authentication in a user-friendly way: perhaps stella auth login to do an OAuth device code flow or accept a token, and store it (maybe in ~/.stella/config). The CLI should respect environment variables for non-interactive use (e.g. STELLA_API_TOKEN, STELLA_TENANT) for easy CI integration[16]. Provide auto-completion scripts for common shells to improve usability. Tie the CLI version to the server API version, and provide a clear upgrade path (maybe stella upgrade to get the latest version). As part of development, create comprehensive docs and examples for the CLI, and possibly a testing harness to ensure it works on all platforms. Consider also that the CLI might be used in pipelines: ensure its efficient (no unnecessary output when not needed, perhaps a quiet mode). For implementing heavy tasks (like streaming logs), use web socket or long polling under the hood to show live logs in the terminal, similar to how kubectl logs -f works. If the CLI will handle potentially sensitive operations (like approvals or secret management), ensure it can prompt for confirmation or use flags to force through in scripts. Also, align CLI error messages and terminology with the UI for consistency.
DevOps-facing Outcome: For DevOps engineers, the CLI becomes a productivity booster and a Swiss army knife in automation. They can script repetitive tasks: for instance, a release engineer might run a script that uses stella artifact list --env staging to verify what's in staging, then stella artifact promote to push to production followed by stella pipeline monitor --wait to watch the rollout complete. All of this can be done without leaving their terminal or clicking in a browser. The CLI output is designed to be readable but also parseable: e.g. stella pipeline status 123 might output a concise summary in human-readable form, or with --json give a JSON that a script can parse to decide next steps. In on-call situations, an engineer could quickly fetch evidence or status: e.g. stella evidence summary --release 2025.10.05 to see if all checks passed for a particular release, right from the terminal. This complements the UI by enabling automation integration the CLI can be used in CI pipelines (maybe even in other systems, e.g. a Jenkins job could call stella ... to trigger something in Stella). Because the CLI uses the same language as the UI, users dont have to learn a completely different syntax or mental model. And by providing robust help and logical command names, even newcomers find it accessible (for example, typing stella --help lists subcommands in a clear way, similar to kubectl or git CLIs they know). Overall, the DevOps-facing outcome is that the tool meets engineers where they are whether they love GUIs or CLIs and supports automation at scale, which is a core DevOps principle.
7. Alerting & Incident Integration
Development Direction: The platform should seamlessly integrate with alerting and incident management workflows so that issues in pipelines or environments automatically notify the right people, and ongoing incidents are visible in the deployment context. DevOps teams rely on fast feedback for failures or abnormal conditions whether a pipeline fails, a deployment causes a service outage, or a security scan finds a critical issue, the system needs to push alerts to the channels where engineers are already looking (chat, email, incident tools). Additionally, when viewing the DevOps dashboards, users should see indicators of active incidents or alerts related to recent changes. This tight integration helps bridge the gap between CI/CD and operations: deployments and incidents should not be separate silos. The UX should support configuring alert rules and connecting to tools like PagerDuty, Opsgenie, Slack/MS Teams, or even Jira for incident tickets, with minimal setup.
Implementation Plan: Introduce an alerting configuration module where certain events trigger notifications. Key events to consider: pipeline failures, pipeline successes (optional), deployment to production, policy violations, security vulnerabilities found, and performance regressions in metrics. Allow users to configure where these go e.g. a Slack webhook, an email list, or an incident management systems API. For pipeline failures or critical security findings, integration with PagerDuty/On-call rotation can create an incident automatically. Use webhooks and APIs: for Slack or Teams, send a formatted message (e.g. “:red_circle: Deployment Failed Pipeline #123 failed at step 'Integration Tests'. Click here to view details.” with a link to the UI). For PagerDuty, use their Events API to trigger an incident with details including the pipeline or service impacted. On the incoming side, integrate with monitoring tools to reflect incidents: e.g. use status from an incident management system or monitoring alerts to display in the platform. If the organization uses something like ServiceNow or Jira for incidents, consider a plugin or link: for instance, tag deployments with change IDs and then auto-update those tickets if a deployment triggers an alert. In the environment view, include a widget that shows current alerts for that environment (by pulling from Prometheus Alertmanager or cloud monitoring alerts relevant to that cluster). Implement ChatOps commands as well: possibly allow acknowledging or redeploying via Slack bot commands. This can be achieved by having a small service listening to chat commands (Slack slash commands or similar) that call the same internal APIs (for example, a “/deploy rollback serviceA” command in Slack triggers the rollback pipeline). For UI implementation, ensure that when an alert is active, its clearly indicated: e.g. a red badge on the environment or pipeline view, and maybe a top-level “Incidents” section that lists all unresolved incidents (with links to their external system if applicable). Use the information radiators approach maybe a large screen mode or summary panel showing system health and any ongoing incidents[7]. Technically, setting up these integrations means building outbound webhook capabilities and possibly small integration plugins for each target (Slack, PagerDuty, etc.). Also include the ability to throttle or filter alerts (to avoid spamming on every minor issue). Logging and auditing: record what alerts were sent and when (so one can later review incident timelines).
DevOps-facing Outcome: DevOps engineers will be immediately aware of problems without having to constantly watch the dashboards. For example, if a nightly build fails or a critical vulnerability is found in a new build, the on-call engineer might get a PagerDuty alert or a Slack message in the team channel within seconds. The message will contain enough context (pipeline name, failure reason snippet, a link to view details) so they can quickly respond. During a live incident, when they open the Stella environment view, they might see an incident banner or an “Active Alerts” list indicating which services are affected, aligning with what their monitoring is showing. This context speeds up remediation: if a production incident is ongoing, the team can see which recent deployment might have caused it (since the platform correlates deployment events with incident alerts). Conversely, when doing a deployment, if an alert fires (e.g. error rate spiked), the system could even pause further stages and notify the team. By integrating ChatOps, some users might even resolve things without leaving their chat: e.g. the Slack bot reports “Deployment failed” and the engineer types a command to rollback right in Slack, which the platform executes[17]. Overall, the outcome is a highly responsive DevOps process: issues are caught and communicated in real-time, and the platform becomes part of the incident handling loop, not isolated. Management can also see in retrospective reports that alerts were linked to changes (useful for blameless postmortems, since you can trace alert -> deployment). The tight coupling of alerting with the DevOps UX ensures nothing falls through the cracks, and teams can react swiftly, embodying the DevOps ideal of continuous feedback[7].
8. Metrics That Matter
Development Direction: Define and display the key metrics that truly measure DevOps success and software delivery performance, rather than vanity metrics. This likely includes industry-standard DORA metrics (Deployment Frequency, Lead Time for Changes, Change Failure Rate, Time to Restore) to gauge velocity and stability[18], as well as any domain-specific metrics (like compliance metrics or efficiency metrics relevant to the team). The UX should provide a metrics dashboard that is easy to interpret with trends over time, targets or benchmarks, and the ability to drill down into whats influencing those metrics. By focusing on “metrics that matter,” the platform steers teams toward continuous improvement on important outcomes (like faster deployments with high reliability) and avoids information overload. Each metric should be backed by data collected from the pipelines, incidents, and other parts of the system.
Implementation Plan: Instrument the CI/CD pipeline and operations data to collect these metrics automatically. For example, every successful deployment should log an event with a timestamp and environment, which can feed Deployment Frequency calculations (e.g. how many deploys to prod per day/week)[19]. Track lead time by measuring time from code commit (or merge) to deployment completion this might involve integrating with the version control system to get commit timestamps and comparing to deployment events[20]. Change Failure Rate can be inferred by flagging deployments that resulted in a failure or rollback integrate with incident tracking or post-deployment health checks to mark a deployment as “failed” if it had to be reverted or caused an alert. Time to Restore is measured from incident start to resolution integrate with incident management timestamps or pipeline rollback completion times. Additionally, incorporate compliance/quality metrics highlighted earlier: e.g. “% of builds with all tests passing”, “average time to remediate critical vulnerabilities” many of these can be derived from the evidence and waiver data we track[21]. Use a time-series database (Prometheus, InfluxDB) or even just a relational DB with time-series tables to store metric data points. Implement a Metrics Dashboard UI with charts for each key metric, ideally with the ability to view by different scopes (maybe per service or team or environment). For instance, a line chart for Deployment Frequency (deploys per week) with annotations when big changes happened, or a bar chart for Change Failure Rate per month. Provide comparison to industry benchmarks if available (e.g. highlighting if the team is elite per DORA benchmarks). Also, crucially, implement drill-down links: if a metric spike or drop is observed, the user should be able to click it and see underlying data e.g. clicking a high Change Failure Rate in April shows which deployments failed in April and links to those pipeline runs[22]. Use color-coding to flag concerning trends (like increasing failure rate). Allow export of metrics for reporting purposes. Possibly integrate with existing analytics (if using Datadog or other BI, allow data export or API access to metrics). Ensure that metrics are updated in near real-time (maybe after each pipeline run or incident closure, recalc relevant metrics) so the dashboard is always current. We should also secure the metrics view (maybe management only for some, but ideally DevOps leads have it openly to promote transparency). In development, validate that these metrics indeed correlate with what teams care about (work with users to refine).
DevOps-facing Outcome: The team gets a focused insight into how they are performing and where to improve. On the metrics dashboard, they might see for example: Deployment Frequency 20 deploys/week (trending upward), Lead Time 1 day median, Change Failure Rate 5%, Time to Restore 1 hour median. These will be shown perhaps as simple cards or charts. They can quickly glean, say, “Were deploying more often, but our change failure rate spiked last month,” prompting investigation. By clicking that spike, they see a list of incidents or failed deployments that contributed, allowing them to identify common causes and address them[22]. The dashboard might also show compliance metrics if relevant: e.g. “100% of builds had SBOMs attached this quarter” (the team could celebrate this boring but important win)[23], or “Median time to patch critical vulns: 2 days” these could be in a separate section for security/compliance. Importantly, all metrics shown are ones that drive behavior the organization cares about no pointless graphs that dont lead to action. This ensures that when leadership asks “How are we doing in DevOps?”, the answer is readily available with evidence[18]. It also gamifies improvement: teams can see the needle move when they streamline a pipeline or improve testing. For example, after investing in parallel tests, Lead Time drops the dashboard confirms such improvements. Furthermore, the presence of drill-down and context means metrics are trusted by engineers: if someone questions a number, they can click in and see the raw data behind it (making it hard to ignore or dispute the findings)[22]. Overall, this focus on meaningful metrics helps align everyone (Dev, Ops, and management) on common goals and provides continuous feedback at a high level on the effectiveness of DevOps practices. Its not just data for managers its a working tool for teams to guide decisions (like where to invest automation efforts next). By keeping the metrics visible and up-to-date, we encourage a culture of data-driven improvement in the DevOps process, as opposed to anecdotal or vanity measures[21].
________________________________________
[1] [11] [21] [22] [23] Bake Ruthless Compliance Into CI/CD Without Slowing Releases - DevOps Oasis
https://devopsoasis.blog/bake-ruthless-compliance-into-cicd-without-slowing-releases/
[2] [3] [4] [5] [6] 7 UX principles everyone needs to understand to adopt better tools that improve developer experience (DevEx)
https://www.opslevel.com/resources/devex-series-part-2-how-tooling-affects-developer-experience-devex
[7] [8] [10] [17] DevOps for Classified Environments
https://www.getambush.com/article/devops-for-classified-environments/
[9] Understanding Azure DevOps Pipelines: Environment and variables | BrowserStack
https://www.browserstack.com/guide/azure-devops-environment
[12] [13] [14] [15] Request Issue Exemption | Harness Developer Hub
https://developer.harness.io/docs/security-testing-orchestration/exemptions/exemption-workflows/
[16] git.stella-ops.org/11_AUTHORITY.md at 48702191bed7d66b8e29929a8fad4ecdb40b9490 - git.stella-ops.org - Gitea: Git with a cup of tea
https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/48702191bed7d66b8e29929a8fad4ecdb40b9490/docs/11_AUTHORITY.md
[18] [19] [20] DevOps Research and Assessment (DORA) metrics | GitLab Docs
https://docs.gitlab.com/user/analytics/dora_metrics/