save progress

This commit is contained in:
StellaOps Bot
2026-01-03 12:41:57 +02:00
parent 83c37243e0
commit d486d41a48
48 changed files with 7174 additions and 1086 deletions


@@ -1,14 +1,40 @@
# StellaOps Moat Track — Spec Outline v0.4
# StellaOps Moat Track — Spec Outline v0.5
> Stella Ops isn't just another scanner—it's a different product category: **deterministic, evidence-linked vulnerability decisions** that survive auditors, regulators, and supply-chain propagation.
> **Core Thesis:** Stella Ops isn't a scanner that outputs findings. It's a platform that outputs **attestable decisions that can be replayed**. That difference survives auditors, regulators, and supply-chain propagation.
<!-- TODO: Review for separate approval - updated moat introduction -->
**Four capabilities no competitor offers together:**
---
1. **Signed Reachability** Every reachability graph is sealed with DSSE; optional edge-bundle attestations for runtime/init/contested paths. Both static call-graph edges and runtime-derived edges can be attested—true hybrid reachability.
2. **Deterministic Replay** Scans run bit-for-bit identical from frozen feeds and analyzer manifests. Decision Capsules seal all evidence for audit-grade reproducibility.
3. **Explainable Policy (Lattice VEX)** The lattice engine merges SBOM data, advisories, VEX statements, and waivers into a single verdict with human-readable justifications. Evidence-linked VEX decisions with explicit "Unknown" state handling.
4. **Sovereign + Offline Operation** FIPS, eIDAS, GOST, SM, or PQC profiles are first-class toggles. Offline Kits and regional crypto profiles keep every decision inside your perimeter.
## The Category Difference
Traditional scanners output findings: "CVE-2024-1234 exists in package X."
Stella Ops outputs decisions: "CVE-2024-1234 is reachable via this call path, vendor VEX says not_affected but runtime disagrees (creating a conflict the policy must resolve), and here's the signed proof chain."
This isn't a feature gap—it's a category difference.
---
## Why Competitors Can't Easily Catch Up
| Origin | Representatives | What They Optimized For | Architectural Constraint |
|--------|----------------|------------------------|--------------------------|
| **Package Scanners** | Trivy, Syft/Grype | Fast CLI, broad coverage | No forensic reproducibility; VEX is boolean; no DSSE for reachability |
| **Developer UX** | Snyk | IDE integration, fix PRs | SaaS-only; no attestation infrastructure; offline impossible |
| **Policy/Compliance** | Prisma, Aqua | Runtime protection, CNAPP | No deterministic replay; no cryptographic provenance |
| **SBOM Operations** | Anchore | SBOM storage, lifecycle | No lattice VEX; no signed reachability; no regional crypto |
Retrofitting our capabilities requires fundamental rearchitecture—not just features.
---
## Four Capabilities No Competitor Offers Together
| # | Capability | What It Is | Why It's Hard to Copy |
|---|-----------|-----------|----------------------|
| 1 | **Signed Reachability** | Every reachability graph sealed with DSSE; optional edge-bundle attestations for runtime/init/contested paths. Hybrid static + runtime. | Requires three-layer instrumentation + cryptographic binding to call paths |
| 2 | **Deterministic Replay** | Scans run bit-for-bit identical from frozen feeds and analyzer manifests. Decision Capsules seal all evidence. | Requires content-addressed evidence model + feed snapshotting + deterministic ordering |
| 3 | **Explainable Policy (K4 Lattice VEX)** | Belnap K4 logic (Unknown/True/False/Conflict) merges SBOM, advisories, VEX, waivers into single verdict with proof links. | Requires rethinking VEX from suppression to logical claims |
| 4 | **Sovereign + Offline Operation** | FIPS/eIDAS/GOST/SM/PQC profiles as config toggles. Sealed knowledge snapshots for air-gap parity. | Requires pluggable crypto + offline trust roots + regional compliance |
**Scope of this doc:**
(1) Decision Capsules, (2) Deterministic Replayable Scans (SRM), (3) Policy Engine & Lattice UI, (4) Sovereign Readiness (CryptoProfile + RootPack), (5) Attestation Observability Graph (AOG), (6) ProcurementGrade Trust Statement, (7) ThirdParty Proof Channel, (8) Zastava differential SBOM + AI scheduler.
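Review bot: the `<!-- TODO: Review for separate approval - updated moat introduction -->` comment commits an unresolved review gate into the spec itself, directly under the new "Core Thesis" blockquote; either obtain the approval and drop the marker before merging, or keep the v0.4 intro in place and land the rewritten intro in its own change so the approval can be tracked. Two smaller points in the same hunk: the "Why Competitors Can't Easily Catch Up" table states absolutes about third parties ("SaaS-only; no attestation infrastructure; offline impossible", "VEX is boolean", "no cryptographic provenance") with no per-row pointer to the claims index that the rest of the document relies on, and those rows are exactly the ones an auditor or a competitor will challenge, so each cell should cite where the claim is evidenced. And "Belnap K4 logic (Unknown/True/False/Conflict)" names the four values but never says what "K4" denotes or how the values are ordered (which is the meet, which is the join, and what "Conflict" resolves to under the policy), so define the term on first use or link to the lattice spec; as written, "K4" is also easy to confuse with the modal logic of the same name.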
@@ -443,48 +469,70 @@ stella zastava schedule --query 'env=prod' --interval 6h
---
## Competitive Landscape (Dec 2025)
## Competitive Landscape (Jan 2026)
Based on analysis of Trivy, Syft/Grype, Snyk, Prisma, Aqua, and Anchore:
Based on source-code audit of Trivy v0.55, Grype v0.80, Snyk CLI v1.1292, plus documentation review of Prisma, Aqua, and Anchore.
### Structural Gaps We Exploit
### The Nine Structural Gaps We Exploit
| Capability | Industry Status | Stella Ops Advantage |
|------------|-----------------|---------------------|
| **SBOM Fidelity** | Static artifact, no lineage | Stateful ledger with build provenance |
| **VEX Handling** | Annotation/suppression | Formal lattice reasoning with conflict resolution |
| **Explainability** | UI hints, remediation text | Proof-linked evidence with falsification conditions |
| **Smart-Diff** | File-level/hash comparison | Semantic security meaning diff |
| **Reachability** | "Runtime context" (coarse) | Three-layer call-path proofs |
| **Scoring** | CVSS + proprietary heuristics | Deterministic, attestable, reproducible |
| **Unknowns** | Hidden/suppressed | First-class state with risk implications |
| **Offline** | Operational capability | Epistemic completeness (bound knowledge state) |
| # | Capability | Industry Status | Stella Ops Advantage | Module(s) |
|---|-----------|-----------------|---------------------|-----------|
| 1 | **SBOM Fidelity** | Static artifact, order-dependent, varies per run | Deterministic per-layer digests + Build-ID mapping; binary crosswalk | `Scanner`, `SbomService`, `BinaryIndex` |
| 2 | **VEX Handling** | Boolean suppression or absent | K4 lattice (Unknown/True/False/Conflict) with trust weighting | `VexLens`, `TrustLatticeEngine`, `Excititor` |
| 3 | **Reachability** | "Runtime context" badge (coarse) | Three-layer call-path proofs (static + binary + runtime) with DSSE | `ReachGraph`, `PathWitnessBuilder` |
| 4 | **Backport Detection** | Version string checks | Four-tier: distro feeds changelog patches binary fingerprints | `Feedser`, `SourceIntel`, `BinaryIndex` |
| 5 | **Smart-Diff** | File-level/hash comparison | Semantic risk deltas ("exploitability dropped 41%") | `MaterialRiskChangeDetector` |
| 6 | **Triage UX** | Loud lists, duplicated root causes | Quiet queue + one finding per root cause + evidence panel | UI + canonical finding keys |
| 7 | **Unknowns** | Hidden/suppressed | First-class state with bands, decay, policy budgets | `UnknownStateLedger`, `Policy` |
| 8 | **Attestations** | Cosign-only or absent | in-toto/DSSE chain for scans, VEX, reachability, fixes | `Attestor`, `Signer` |
| 9 | **Offline** | Partial cache, degraded signals | Full parity with sealed snapshots + regional crypto | `AirGap.Controller`, `CryptoProfile` |
### Why Competitors Plateau
### Why Competitors Plateau (Architectural)
1. **Trivy/Syft** grew from package scanners no forensic reproducibility design
2. **Snyk** grew from developer UX no attestation/proof infrastructure
3. **Prisma/Aqua** grew from policy/compliance no deterministic replay
| Competitor Class | Origin | Why They Can't Easily Catch Up |
|-----------------|--------|-------------------------------|
| **Trivy/Syft/Grype** | Package scanners | No forensic reproducibility in architecture; evidence model is row-based, not content-addressed; VEX is filter, not logic |
| **Snyk** | Developer UX | SaaS-only means offline impossible; no attestation infrastructure; reachability is language-limited |
| **Prisma/Aqua** | Policy/compliance | No deterministic replay; no cryptographic provenance; verdicts aren't portable |
| **Anchore** | SBOM operations | No lattice VEX; no signed reachability graphs; no regional crypto profiles |
None were designed around **forensic reproducibility or trust algebra**.
### Capability Gap Matrix
### Where We're Stronger
| Capability | Trivy | Grype | Snyk | Prisma | Aqua | Anchore | **Stella** |
|-----------|-------|-------|------|--------|------|---------|------------|
| Deterministic replay | No | No | No | No | No | No | **Yes** |
| VEX lattice (K4) | Boolean | Boolean | None | None | Limited | Limited | **Full** |
| Signed reachability | No | No | No | No | No | No | **DSSE** |
| Binary backport detection | No | No | No | No | No | No | **Tier 1-4** |
| Semantic risk diff | No | No | No | No | No | No | **Yes** |
| Unknowns as state | Hidden | Hidden | Hidden | Hidden | Hidden | Hidden | **First-class** |
| Regional crypto | No | No | No | No | No | No | **Yes** |
| Offline parity | Medium | Medium | No | Strong | Medium | Good | **Full** |
- Deterministic replayable scans
- Formal VEX reasoning
- Reachability-backed exploitability
- Semantic smart-diff
- Evidence-first explainability
- Unknowns modeling
- Jurisdiction-ready offline trust
### Where We're Ahead (Unique)
### Where Competitors Remain Ahead (for now)
1. **Deterministic replay** Bit-for-bit reproducibility with `stella replay`
2. **K4 lattice VEX** Conflict detection, not suppression
3. **Signed reachability** DSSE graphs + edge bundles
4. **Smart-Diff** Semantic risk deltas
5. **Unknowns modeling** Bands, decay, policy budgets
6. **Regional crypto** FIPS/eIDAS/GOST/SM/PQC as config
- Mass-market UX polish
- SaaS onboarding friction
- Marketplace integrations
### Where Competitors Lead (For Now)
See `docs/benchmarks/competitive-implementation-milestones.md` for implementation roadmap.
| Area | Leader | Our Response |
|------|--------|--------------|
| Mass-market UX | Snyk | Focus on power users who need proofs |
| SaaS onboarding | Snyk, Prisma | Offer both SaaS and self-hosted |
| Ecosystem breadth | Trivy | Depth over breadth; evidence quality over coverage |
| Marketplace integrations | All | Prioritize based on customer demand |
### References
- **Competitive Landscape**: `docs/market/competitive-landscape.md`
- **Claims Index**: `docs/market/claims-citation-index.md`
- **Moat Strategy**: `docs/market/moat-strategy-summary.md`
- **Proof Architecture**: `docs/modules/platform/proof-driven-moats-architecture.md`
---
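Review bot: in the Capability Gap Matrix the "Binary backport detection" row marks every competitor "No", but row 4 of the Nine Structural Gaps table defines the four tiers as "distro feeds changelog patches binary fingerprints", and Trivy and Grype do consume distro security feeds, so under the document's own tiering the honest cell for them is something like "Tier 1 only" rather than "No"; keeping the absolute will undercut the otherwise stronger claim about tiers 2-4. The "Offline parity" row mixes four different scales (No / Medium / Good / Strong / Full) in one row, so pick one ordinal scale and use it across the matrix. The new sentence "Based on source-code audit of Trivy v0.55, Grype v0.80, Snyk CLI v1.1292, plus documentation review of Prisma, Aqua, and Anchore" asserts an audit but the References list only points to the landscape and claims-index docs; add the audit notes (or the commit/tag of each audited tree) to the References so the version pins mean something. The quoted figure in row 5, "exploitability dropped 41%", reads as a measured result inside a capability description; label it as an illustrative delta or cite the run it came from. Finally, the pointer to `docs/benchmarks/competitive-implementation-milestones.md` is dropped in this hunk while the "Where Competitors Lead (For Now)" table gains an "Our Response" column with no roadmap link; confirm the removal is intended, or carry the benchmark path into the References block.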