stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

docs re-org, audit fixes, build fixes

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-05 09:35:33 +02:00
parent eca4e964d3
commit dfab8a29c3
173 changed files with 1276 additions and 560 deletions
Download Patch File Download Diff File Expand all files Collapse all files

471
docs/FEATURE_MATRIX.md Executable file
View File

@@ -0,0 +1,471 @@
# 4 · Feature Matrix — **Stella Ops**
*(rev 4.0 · 24 Dec 2025)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
---
## Pricing Tiers Overview
| Tier | Scans/Day | Registration | Token Refresh | Target User | Price |
|------|-----------|--------------|---------------|-------------|-------|
| **Free** | 33 | None | 12h auto | Individual developer | $0 |
| **Community** | 333 | Required | 30d manual | Startups, small teams (<25) | $0 |
| **Enterprise** | 2,000+ | SSO/Contract | Annual | Organizations (25+), regulated | Contact Sales |
**Key Differences:**
- **Free Community**: 10× quota, deep analysis, Helm/K8s, email alerts, requires registration
- **Community Enterprise**: Scale (HA), multi-team (RBAC scopes), automation (CI/CD), support (SLA)
---
## Competitive Moat Features
*These differentiators are available across all tiers to build brand and adoption.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Signed Replayable Risk Verdicts | | | | Core differentiator |
| Decision Capsules | | | | Audit-grade evidence bundles |
| VEX Decisioning Engine | | | | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | | | | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | | | | Material change detection |
| Unknowns as First-Class State | | | | Uncertainty budgets |
| Deterministic Replay | | | | `stella replay srm.yaml` |
---
## SBOM & Ingestion
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | | | | |
| SPDX-JSON 3.0.1 Ingestion | | | | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | | | | |
| Auto-format Detection | | | | |
| Delta-SBOM Cache | | | | Warm scans <1s |
| SBOM Generation (all formats) | | | | |
| Semantic SBOM Diff | | | | |
| BYOS (Bring-Your-Own-SBOM) | | | | |
| **SBOM Lineage Ledger** | | | | Full versioned history |
| **SBOM Lineage API** | | | | Traversal queries |
---
## Scanning & Detection
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Language Analyzers (All 11)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Deno | | | | |
| PHP, Rust, Native binaries | | | | |
| **Progressive Fidelity Modes** | | | | |
| Quick Mode | | | | |
| Standard Mode | | | | |
| Deep Mode | | | | Full analysis |
| Base Image Detection | | | | |
| Layer-Aware Analysis | | | | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |
---
## Reachability Analysis
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | | | | |
| Entrypoint Detection | | | | 9+ framework types |
| BFS Reachability | | | | |
| Reachability Drift Detection | | | | |
| Binary Loader Resolution | | | | ELF/PE/Mach-O |
| Feature Flag/Config Gating | | | | Layer 3 analysis |
| Runtime Signal Correlation | | | | Zastava integration |
| Gate Detection (auth/admin) | | | | Enterprise policies |
| Path Witness Generation | | | | Audit evidence |
| Reachability Mini-Map API | | | | UI visualization |
| Runtime Timeline API | | | | Temporal analysis |
---
## Binary Analysis (BinaryIndex)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
| Build-ID Vulnerability Lookup | | | | |
| Debian/Ubuntu Corpus | | | | |
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
---
## Advisory Sources (Concelier)
| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |
---
## VEX Processing (Excititor)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| Trust Vector Scoring (P/C/R) | | | | |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| Conflict Detection & Penalty | | | | K4 lattice logic |
| VEX Conflict Studio UI | | | | Visual resolution |
| VEX Hub (Distribution) | | | | Internal VEX network |
| **Trust Calibration Service** | | | | Org-specific tuning |
---
## Policy Engine
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| Unknowns Budget Gate | | | | |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
| **Exception Objects & Workflow** | | | | Approval chains |
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
---
## Attestation & Signing
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
---
## Regional Crypto (Sovereign Profiles)
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | | | | |
| FIPS 140-2/3 Mode | | | | US Federal |
| eIDAS Signatures | | | | EU Compliance |
| GOST/CryptoPro | | | | Russia |
| SM National Standard | | | | China |
| Post-Quantum (Dilithium) | | | | Future-proof |
| Crypto Plugin Architecture | | | | Custom HSM |
---
## Determinism & Reproducibility
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | | | | |
| Content-Addressed IDs | | | | SHA-256 |
| Replay Manifest (SRM) | | | | |
| `stella replay` CLI | | | | |
| Score Explanation Arrays | | | | |
| Evidence Freshness Multipliers | | | | |
| Proof Coverage Metrics | | | | |
| **Fidelity Metrics (BF/SF/PF)** | | | | Audit dashboards |
| **FN-Drift Rate Tracking** | | | | Quality monitoring |
| **Determinism Gate CI** | | | | Automated checks |
---
## Scoring & Risk Assessment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | | | | |
| EPSS v4 Probability | | | | |
| Priority Band Classification | | | | |
| EPSS-at-Scan Immutability | | | | |
| Unified Confidence Model | | | | 5-factor |
| **Entropy-Based Scoring** | | | | Advanced |
| **Gate Multipliers** | | | | Reachability-aware |
| **Unknowns Pressure Factor** | | | | Risk budgets |
| **Custom Scoring Profiles** | | | | Org-specific |
---
## Evidence & Findings
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | | | | |
| Evidence Graph View | | | | Basic |
| Decision Capsules | | | | |
| **Findings Ledger (Immutable)** | | | | Audit trail |
| **Evidence Locker (Sealed)** | | | | Export/import |
| **Evidence TTL Policies** | | | | Retention rules |
| **Evidence Size Budgets** | | | | Storage governance |
| **Retention Tiers** | | | | Hot/Warm/Cold |
| **Privacy Controls** | | | | Redaction |
| **Audit Pack Export** | | | | Compliance bundles |
---
## CLI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | | | | |
| SBOM Inspect & Diff | | | | |
| Deterministic Replay | | | | |
| Attestation Verify | | | | |
| Unknowns Budget Check | | | | |
| Evidence Export | | | | |
| **Audit Pack Operations** | | | | Full workflow |
| **Binary Match Inspection** | | | | Advanced |
| **Crypto Plugin Commands** | | | | Regional crypto |
| **Admin Utilities** | | | | Ops tooling |
---
## Web UI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | | | | |
| Findings Row Component | | | | |
| Evidence Drawer | | | | |
| Proof Tab | | | | |
| Confidence Meter | | | | |
| Locale Support | | | | Cyrillic, etc. |
| Reproduce Verdict Button | | | | |
| **Audit Trail UI** | | | | Full history |
| **Trust Algebra Panel** | | | | P/C/R visualization |
| **Claim Comparison Table** | | | | Conflict view |
| **Policy Chips Display** | | | | Gate status |
| **Reachability Mini-Map** | | | | Path visualization |
| **Runtime Timeline** | | | | Temporal view |
| **Operator/Auditor Toggle** | | | | Role separation |
| **Knowledge Snapshot UI** | | | | Air-gap prep |
| **Keyboard Shortcuts** | | | | Power users |
---
## Quota & Operations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | | | | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | | | | |
| 429 Backpressure | | | | |
| Retry-After Headers | | | | |
| **Priority Queue** | | | | Guaranteed capacity |
| **Burst Allowance** | | | | 3× daily for 1hr |
| **Custom Quotas** | | | | Per contract |
---
## Offline & Air-Gap
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | | | | |
| One-Command Replay | | | | |
| **Sealed Knowledge Snapshots** | | | | Full feed export |
| **Air-Gap Bundle Manifest** | | | | Transfer packages |
| **No-Egress Enforcement** | | | | Strict isolation |
| **Offline JWT (90d)** | | | | Extended tokens |
---
## Deployment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | | | | Single-node |
| Helm Chart (K8s) | | | | |
| PostgreSQL 16+ | | | | |
| Valkey 8.0+ | | | | |
| RustFS (S3) | | | | |
| **High-Availability** | | | | Multi-replica |
| **Horizontal Scaling** | | | | Auto-scale |
| **Dedicated Capacity** | | | | Reserved resources |
---
## Access Control & Identity
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| SSO/SAML Integration | | | | Okta, Azure AD |
| OIDC Support | | | | |
| Basic RBAC | | | | User/Admin |
| **Advanced RBAC** | | | | Team-based scopes |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
---
## Notifications & Integrations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| EPSS Change Alerts | | | | |
| Slack Integration | | | | Basic |
| Teams Integration | | | | Basic |
| Zastava Registry Hooks | | | | Auto-scan on push |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **Enterprise Connectors** | | | | Grid/Premium APIs |
---
## Scheduling & Automation
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | | | | |
| **Scheduled Scans** | | | | Cron-based |
| **Task Pack Orchestration** | | | | Declarative workflows |
| **EPSS Daily Refresh** | | | | Auto-update |
| **Event-Driven Scanning** | | | | On registry push |
---
## Observability & Telemetry
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | | | | |
| Opt-In Telemetry | | | | |
| **OpenTelemetry Traces** | | | | Full tracing |
| **Prometheus Export** | | | | Custom dashboards |
| **Quality KPIs Dashboard** | | | | Triage metrics |
| **SLA Monitoring** | | | | Uptime tracking |
---
## Support & Services
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | | | | |
| Community Forums | | | | |
| GitHub Issues | | | | |
| **Email Support** | | | | Business hours |
| **Priority Support** | | | | 4hr response |
| **24/7 Critical Support** | | | | Add-on |
| **Dedicated CSM** | | | | Named contact |
| **Professional Services** | | | | Implementation |
| **Training & Certification** | | | | Team enablement |
| **SLA Guarantee** | | | | 99.9% uptime |
---
## Version Comparison
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | | | | |
| Debian (EVR) | | | | |
| Alpine (APK) | | | | |
| SemVer | | | | |
| PURL Resolution | | | | |
---
## Summary by Tier
### Free Tier (33 scans/day)
**Target:** Individual developers, OSS contributors, evaluation
- All language analyzers (11 languages)
- All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
- Full VEX processing + VEX Hub + Conflict Studio
- SSO/SAML/OIDC authentication
- Zastava registry webhooks
- Slack/Teams notifications
- Core determinism + replay
- Docker Compose deployment
- Community support
### Community Tier (333 scans/day)
**Target:** Startups, small teams (<25), active open source projects
Everything in Free, plus:
- 10× scan quota
- Deep analysis mode
- Binary analysis (backport detection)
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications + EPSS alerts
- Monthly Offline Update Kit access
**Registration required, 30-day token renewal**
### Enterprise Tier (2,000+ scans/day)
**Target:** Organizations 25+, compliance-driven, multi-team
Everything in Community, plus:
- **Scale**: HA, horizontal scaling, priority queue, burst allowance
- **Multi-Team**: Advanced RBAC (scopes), multi-tenant, org hierarchy
- **Advanced Detection**: Binary fingerprints, trust calibration
- **Compliance**: SLSA provenance, Rekor transparency, audit pack export
- **Air-Gap**: Sealed snapshots, 90-day offline tokens, no-egress mode
- **Automation**: CI/CD gates, custom webhooks, scheduled scans
- **Observability**: OpenTelemetry, Prometheus, KPI dashboards
- **Support**: SLA (99.9%), priority support (4hr), dedicated CSM
---
---
> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned
---
*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*