# Feature Matrix — Stella Ops Suite
*(rev 5.1 · 16 Jan 2026)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
---
## Product Evolution
**Stella Ops Suite** is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.
- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity
- **Evidence packets** — Every release decision is cryptographically signed and stored
---
## Competitive Moat Features
*These differentiators are available across all plans.*
| Capability | Notes |
|------------|-------|
| Signed Replayable Risk Verdicts | Core differentiator |
| Decision Capsules | Audit-grade evidence bundles |
| VEX Decisioning Engine | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | Material change detection |
| Unknowns as First-Class State | Uncertainty budgets |
| Deterministic Replay | `stella replay srm.yaml` |
| Non-Kubernetes First-Class | Docker/Compose/ECS/Nomad targets |
| Digest-First Release Identity | Immutable releases |
---
## Release Orchestration (Planned)
*Release orchestration capabilities are planned for implementation.*
| Capability | Notes |
| **Environment Management** | |
| Environment CRUD | ⏳ Dev/Stage/Prod definitions |
| Freeze Windows | ⏳ Calendar-based blocking |
| Approval Policies | ⏳ Per-environment rules |
| **Release Management** | |
| Component Registry | ⏳ Service → repository mapping |
| Release Bundles | ⏳ Component → digest bundles |
| Semantic Versioning | ⏳ SemVer release versions |
| Tag → Digest Resolution | ⏳ Immutable digest pinning |
| **Promotion & Gates** | |
| Promotion Workflows | ⏳ Environment transitions |
| Security Gate | ⏳ Scan verdict evaluation |
| Approval Gate | ⏳ Human sign-off |
| Freeze Window Gate | ⏳ Calendar enforcement |
| Policy Gate (OPA/Rego) | ⏳ Custom rules |
| Decision Records | ⏳ Evidence-linked decisions |
| **Deployment Execution** | |
| Docker Host Agent | ⏳ Direct container deployment |
| Compose Host Agent | ⏳ Docker Compose deployment |
| SSH Agentless | ⏳ Linux remote execution |
| WinRM Agentless | ⏳ Windows remote execution |
| ECS Agent | ⏳ AWS ECS deployment |
| Nomad Agent | ⏳ HashiCorp Nomad deployment |
| Rollback | ⏳ Previous version restore |
| **Progressive Delivery** | |
| A/B Releases | ⏳ Traffic splitting |
| Canary Deployments | ⏳ Gradual rollout |
| Blue-Green | ⏳ Zero-downtime switch |
| Traffic Routing Plugins | ⏳ Nginx/HAProxy/Traefik/ALB |
| **Workflow Engine** | |
| DAG Workflow Execution | ⏳ Directed acyclic graphs |
| Step Registry | ⏳ Built-in + custom steps |
| Workflow Templates | ⏳ Reusable workflows |
| Script Steps (Bash/C#) | ⏳ Custom automation |
| **Evidence & Audit** | |
| Evidence Packets | ⏳ Sealed decision bundles |
| Version Stickers | ⏳ On-target deployment records |
| Audit Export | ⏳ Compliance reporting |
| **Integrations** | |
| GitHub Integration | ⏳ SCM + webhooks |
| GitLab Integration | ⏳ SCM + webhooks |
| Harbor Integration | ⏳ Registry + scanning |
| HashiCorp Vault | ⏳ Secrets management |
| AWS Secrets Manager | ⏳ Secrets management |
| **Plugin System** | |
| Plugin Manifest | ⏳ Static declarations |
| Connector Runtime | ⏳ Dynamic execution |
| Step Providers | ⏳ Custom workflow steps |
| Agent Types | ⏳ Custom deployment targets |
---
## Plan Limits
| Limit | Free | Pro | Enterprise |
|-------|:----:|:---:|:----------:|
| **Environments** | 3 | 33 | Unlimited |
| **New Digests/Day** | 333 | 3,333 | Unlimited |
---
## SBOM & Ingestion
| Capability | Notes |
|------------|-------|
| Trivy-JSON Ingestion | |
| SPDX-JSON 3.0.1 Ingestion | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | |
| Auto-format Detection | |
| Delta-SBOM Cache | Warm scans <1s |
| SBOM Generation (all formats) | |
| Semantic SBOM Diff | |
| BYOS (Bring-Your-Own-SBOM) | |
| SBOM Lineage Ledger | Full versioned history |
| SBOM Lineage API | Traversal queries |
---
## Scanning & Detection
| Capability | Notes |
|------------|-------|
| CVE Lookup via Local DB | |
| Licence-Risk Detection | ⏳ Q4-2025 |
| **Automatic Detection (Class A)** | Runs implicitly during scan |
| — Secrets Detection | API keys, tokens, passwords; results in findings (see [docs/modules/ui/components/findings-list.md](docs/modules/ui/components/findings-list.md)) |
| — OS Package Analyzers | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see [docs/modules/cli/guides/commands/sbom.md](docs/modules/cli/guides/commands/sbom.md)) |
| **Language Analyzers (All 11)** | |
| — .NET/C#, Java, Go, Python | |
| — Node.js, Ruby, Bun, Deno | |
| — PHP, Rust, Native binaries | |
| **Progressive Fidelity Modes** | |
| — Quick Mode | |
| — Standard Mode | |
| — Deep Mode | Full analysis |
| Base Image Detection | |
| Layer-Aware Analysis | |
| **Concurrent Scan Workers** | Configurable |
---
## Reachability Analysis
| Capability | Notes |
|------------|-------|
| Static Call Graph | |
| Entrypoint Detection | 9+ framework types |
| BFS Reachability | |
| Reachability Drift Detection | |
| Binary Loader Resolution | ELF/PE/Mach-O |
| Feature Flag/Config Gating | Layer 3 analysis |
| Runtime Signal Correlation | Zastava integration |
| Gate Detection (auth/admin) | Enterprise policies |
| Path Witness Generation | Audit evidence |
| Reachability Mini-Map API | UI visualization |
| Runtime Timeline API | Temporal analysis |
---
## Binary Analysis (BinaryIndex)
*Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates.*
| Capability | Notes |
|------------|-------|
| Binary Identity Extraction | Build-ID, hashes |
| Build-ID Vulnerability Lookup | |
| Debian/Ubuntu Corpus | |
| RPM/RHEL Corpus | |
| Patch-Aware Backport Detection | |
| PE/Mach-O/ELF Parsers | |
| Binary Fingerprint Generation | CLI: `stella binary fingerprint export` |
| Fingerprint Matching Engine | Similarity search |
| Binary Diff | CLI: `stella binary diff ` |
| DWARF/Symbol Analysis | Debug symbols |
**CLI Commands (Class B):**
- `stella binary fingerprint export ` — Export fingerprint data (function hashes, section hashes, symbol table)
- `stella binary diff ` — Compare binaries with function/symbol-level diff
- Output formats: `--format json|yaml|table`
- Usage and examples: [docs/modules/cli/guides/commands/binary.md](docs/modules/cli/guides/commands/binary.md)
---
## Advisory Sources (Concelier)
*Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.*
| Connector | Notes |
|-----------|-------|
| **National CVE Databases** | |
| — NVD (NIST) | Primary CVE source |
| — CVE (MITRE) | CVE Record format 5.0 |
| **OSS Ecosystems** | |
| — OSV | Multi-ecosystem |
| — GHSA | GitHub Security Advisories |
| **Linux Distributions** | |
| — Alpine SecDB | |
| — Debian Security Tracker | |
| — Ubuntu USN | |
| — RHEL/CentOS OVAL | |
| — SUSE OVAL | |
| — Astra Linux | Russian distro |
| **CERTs / National CSIRTs** | |
| — CISA KEV | Known Exploited Vulns |
| — CISA ICS-CERT | Industrial control systems |
| — CERT-CC | Carnegie Mellon |
| — CERT-FR | France |
| — CERT-Bund (BSI) | Germany |
| — CERT-In | India |
| — ACSC | Australia |
| — CCCS | Canada |
| — KISA | South Korea |
| — JVN | Japan |
| **Russian Federation Sources** | |
| — FSTEC BDU | Russian vuln database |
| — NKCKI | Critical infrastructure |
| **Vendor PSIRTs** | |
| — Microsoft MSRC | |
| — Cisco PSIRT | |
| — Oracle CPU | |
| — VMware | |
| — Adobe PSIRT | |
| — Apple Security | |
| — Chromium | |
| **ICS/SCADA** | |
| — Kaspersky ICS-CERT | Industrial security |
| **Risk Scoring** | |
| — EPSS v4 | Exploit prediction |
| **Additional Features** | |
| Custom Advisory Connectors | Private feeds |
| Advisory Merge Engine | Conflict resolution |
| Connector Health CLI | `stella db connectors status` |
**Connector Operations Matrix (Status/Auth/Runbooks):**
| Connector | Status | Auth | Ops Runbook |
| --- | --- | --- | --- |
| NVD (NIST) | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| Alpine SecDB | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
| EPSS v4 | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
---
## VEX Processing (Excititor/VexLens)
*VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.*
| Capability | Notes |
|------------|-------|
| OpenVEX Ingestion | |
| CycloneDX VEX Ingestion | |
| CSAF VEX Ingestion | |
| **VEX Consensus Engine (5-state)** | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | |
| **Trust Weight Scoring (9 factors)** | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | |
| Freshness Decay | 14-day half-life |
| Conflict Detection & Penalty | K4 lattice logic |
| VEX Conflict Studio UI | Visual resolution |
| VEX Hub (Distribution) | Internal VEX network |
| VEX Webhook Distribution | Pub/sub notifications |
| CSAF Provider Connectors (7) | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| Issuer Trust Registry | Key lifecycle, trust overrides |
| VEX from Drift Generation | `stella vex gen --from-drift` |
| Trust Calibration Service | Org-specific tuning |
| Consensus Rationale Export | Audit-grade explainability |
**CLI Commands:**
- `stella vex verify ` — Verify VEX statement signature and content
- `stella vex consensus ` — Show consensus status for digest
- `stella vex evidence export` — Export VEX evidence for audit
- `stella vex webhooks list/add/remove` — Manage VEX distribution
- `stella issuer keys list/create/rotate/revoke` — Issuer key management
---
## Policy Engine
*Policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.*
| Capability | Notes |
|------------|-------|
| YAML Policy Rules | Basic rules |
| **Belnap K4 Four-Valued Logic** | True/False/Both/Neither |
| Security Atoms (6 types) | |
| Disposition Selection (ECMA-424) | |
| Minimum Confidence Gate | |
| **10+ Policy Gate Types** | Severity, reachability, age, etc. |
| **6 Risk Score Providers** | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | |
| Determinization System | Signal weights, decay, uncertainty |
| Policy Simulation | `stella policy simulate` |
| Source Quota Gate | 60% cap enforcement |
| Reachability Requirement Gate | For criticals |
| OPA/Rego Integration | Custom policies |
| Exception Objects & Workflow | Approval chains |
| Score Policy YAML | Full customization |
| Configurable Scoring Profiles | Simple/Advanced |
| Policy Version History | Audit trail |
| Verdict Attestations | DSSE/Rekor signed verdicts |
**CLI Commands:**
- `stella policy list/show/create/update/delete` — Policy CRUD
- `stella policy simulate ` — Simulate policy evaluation
- `stella policy validate ` — Validate policy YAML
- `stella policy decisions list/show` — View policy decisions
- `stella policy gates list` — List available gate types
---
## Attestation & Signing
*Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.*
| Capability | Notes |
|------------|-------|
| DSSE Envelope Signing | |
| in-toto Statement Structure | |
| **25+ Predicate Types** | SBOM, VEX, verdict, etc. |
| SBOM Predicate | |
| VEX Predicate | |
| Reachability Predicate | |
| Policy Decision Predicate | |
| Verdict Manifest (signed) | |
| Verdict Replay Verification | |
| Keyless Signing (Sigstore) | Fulcio-based OIDC |
| Delta Attestations (4 types) | VEX/SBOM/Verdict/Reachability |
| Attestation Chains | Linked attestation graphs |
| Human Approval Predicate | Workflow attestation |
| Boundary Predicate | Network exposure |
| Key Rotation Service | Automated key lifecycle |
| Trust Anchor Management | Root CA management |
| SLSA Provenance v1.0 | Supply chain |
| Rekor Transparency Log | Public attestation |
| Cosign Integration | Sigstore ecosystem |
**CLI Commands:**
- `stella attest sign ` — Sign attestation
- `stella attest verify ` — Verify attestation signature
- `stella attest predicates list` — List supported predicate types
- `stella attest export ` — Export attestations for digest
- `stella keys list/create/rotate/revoke` — Key management
---
## Regional Crypto (Sovereign Profiles)
*Sovereign crypto is core to the open-source promise - no vendor lock-in on compliance. 8 signature profiles supported.*
| Capability | Notes |
|------------|-------|
| Default Crypto (Ed25519) | |
| FIPS 140-2/3 Mode | US Federal |
| eIDAS Signatures | EU Compliance |
| GOST/CryptoPro | Russia |
| SM National Standard | China |
| Post-Quantum (Dilithium) | Future-proof |
| Crypto Plugin Architecture | Custom HSM |
| Multi-Profile Signing | Sign with multiple algorithms |
| SM Remote Service | Chinese market HSM integration |
| HSM/PKCS#11 Integration | Hardware security modules |
**CLI Commands:**
- `stella crypto profiles list` — List available crypto profiles
- `stella crypto verify --profile ` — Verify with specific profile
- `stella crypto plugins list/status` — Manage crypto plugins
---
## Determinism & Reproducibility
| Capability | Notes |
|------------|-------|
| Canonical JSON Serialization | |
| Content-Addressed IDs | SHA-256 |
| Replay Manifest (SRM) | |
| `stella replay` CLI | |
| Score Explanation Arrays | |
| Evidence Freshness Multipliers | |
| Proof Coverage Metrics | |
| Fidelity Metrics (BF/SF/PF) | Audit dashboards |
| FN-Drift Rate Tracking | Quality monitoring |
| Determinism Gate CI | Automated checks |
---
## Scoring & Risk Assessment
| Capability | Notes |
|------------|-------|
| CVSS v4.0 Display | |
| EPSS v4 Probability | |
| Priority Band Classification | |
| EPSS-at-Scan Immutability | |
| Unified Confidence Model | 5-factor |
| Entropy-Based Scoring | Advanced |
| Gate Multipliers | Reachability-aware |
| Unknowns Pressure Factor | Risk budgets |
| Custom Scoring Profiles | Org-specific |
---
## Evidence & Findings
| Capability | Notes |
|------------|-------|
| Findings List | |
| Evidence Graph View | Basic |
| Decision Capsules | |
| Findings Ledger (Immutable) | Audit trail |
| Evidence Locker (Sealed) | Export/import |
| Evidence TTL Policies | Retention rules |
| Evidence Size Budgets | Storage governance |
| Retention Tiers | Hot/Warm/Cold |
| Privacy Controls | Redaction |
| Audit Pack Export | Compliance bundles |
---
## CLI Capabilities
| Capability | Notes |
|------------|-------|
| Scanner Commands | |
| SBOM Inspect & Diff | |
| Deterministic Replay | |
| Attestation Verify | |
| Unknowns Budget Check | |
| Evidence Export | |
| Audit Pack Operations | Full workflow |
| Binary Match Inspection | Advanced |
| Crypto Plugin Commands | Regional crypto |
| Admin Utilities | Ops tooling |
---
## Web UI Capabilities
| Capability | Notes |
|------------|-------|
| Dark/Light Mode | |
| Findings Row Component | |
| Evidence Drawer | |
| Proof Tab | |
| Confidence Meter | |
| Locale Support | Cyrillic, etc. |
| Reproduce Verdict Button | |
| Audit Trail UI | Full history |
| Trust Algebra Panel | P/C/R visualization |
| Claim Comparison Table | Conflict view |
| Policy Chips Display | Gate status |
| Reachability Mini-Map | Path visualization |
| Runtime Timeline | Temporal view |
| Operator/Auditor Toggle | Role separation |
| Knowledge Snapshot UI | Air-gap prep |
| Keyboard Shortcuts | Power users |
---
## Quota & Operations
| Plan | Scans per Day |
|------|:-------------:|
| **Free** | **333** |
| **Pro** | **3,333** |
| **Enterprise** | **Unlimited** |
**All other operational capabilities are available across all plans:**
- Usage API (`/quota`)
- Client-JWT authentication
- Rate Limiting & 429 Backpressure
- Retry-After Headers
- Priority Queue
- Burst Allowance (configurable)
- Custom Quotas (configurable)
---
## Offline & Air-Gap
| Capability | Notes |
|------------|-------|
| Offline Update Kits (OUK) | Available |
| Offline Signature Verify | |
| One-Command Replay | |
| Sealed Knowledge Snapshots | Full feed export |
| Air-Gap Bundle Manifest | Transfer packages |
| No-Egress Enforcement | Strict isolation |
| Offline JWT | Extended tokens |
---
## Deployment
| Capability | Notes |
|------------|-------|
| Docker Compose | Single-node |
| Helm Chart (K8s) | |
| PostgreSQL 16+ | |
| Valkey 8.0+ | |
| RustFS (S3) | |
| High-Availability | Multi-replica |
| Horizontal Scaling | Auto-scale |
| Dedicated Capacity | Reserved resources |
---
## Access Control & Identity (Authority)
*Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.*
| Capability | Notes |
|------------|-------|
| Basic Auth | |
| API Keys | With scopes and expiration |
| SSO/SAML Integration | Okta, Azure AD |
| OIDC Support | |
| Basic RBAC | User/Admin |
| 75+ Authorization Scopes | Fine-grained permissions |
| DPoP (Sender Constraints) | Token binding |
| mTLS Client Certificates | Certificate auth |
| Device Authorization Flow | CLI/IoT devices |
| PAR Support | Pushed Authorization Requests |
| User Federation (LDAP/SAML) | Directory integration |
| Multi-Factor Authentication | TOTP/WebAuthn |
| Advanced RBAC | Team-based scopes |
| Multi-Tenant Management | Org hierarchy |
| Audit Log Export | SIEM integration |
**CLI Commands:**
- `stella auth clients list/create/delete` — OAuth client management
- `stella auth roles list/show/assign` — Role management
- `stella auth scopes list` — List available scopes
- `stella auth token introspect ` — Token introspection
- `stella auth api-keys list/create/revoke` — API key management
---
## Notifications & Integrations
*10 notification channel types with template engine, routing rules, and escalation.*
| Capability | Notes |
|------------|-------|
| In-App Notifications | |
| Email Notifications | |
| EPSS Change Alerts | |
| Slack Integration | |
| Teams Integration | |
| Discord Integration | Webhook-based |
| PagerDuty Integration | Incident management |
| OpsGenie Integration | Alert routing |
| Zastava Registry Hooks | Auto-scan on push |
| Zastava K8s Admission | Validating/Mutating webhooks |
| Template Engine | Customizable templates |
| Channel Routing Rules | Severity/team routing |
| Escalation Policies | Time-based escalation |
| Notification Studio UI | Visual rule builder |
| Custom Webhooks | Any endpoint |
| CI/CD Gates | GitLab/GitHub/Jenkins |
| SCM Integrations | PR comments, status checks |
| Issue Tracker Integration | Jira, GitHub Issues |
| Enterprise Connectors | Grid/Premium APIs |
**CLI Commands:**
- `stella notify channels list/test` — Channel management
- `stella notify rules list/create` — Routing rules
- `stella zastava install/configure/status` — K8s webhook management
---
## Scheduling & Automation
| Capability | Notes |
|------------|-------|
| Manual Scans | |
| Scheduled Scans | Cron-based |
| Task Pack Orchestration | Declarative workflows |
| EPSS Daily Refresh | Auto-update |
| Event-Driven Scanning | On registry push |
---
## Observability & Telemetry
| Capability | Notes |
|------------|-------|
| Basic Metrics | |
| Opt-In Telemetry | |
| OpenTelemetry Traces | Full tracing |
| Prometheus Export | Custom dashboards |
| Quality KPIs Dashboard | Triage metrics |
| SLA Monitoring | Uptime tracking |
---
## Support & Services
| Capability | Notes |
|------------|-------|
| Documentation | |
| Community Forums | |
| GitHub Issues | |
| Email Support | Business hours |
| Priority Support | 4hr response |
| 24/7 Critical Support | Add-on |
| Dedicated CSM | Named contact |
| Professional Services | Implementation |
| Training & Certification | Team enablement |
| SLA Guarantee | 99.9% uptime |
---
## Version Comparison
| Capability | Notes |
|------------|-------|
| RPM (NEVRA) | |
| Debian (EVR) | |
| Alpine (APK) | |
| SemVer | |
| PURL Resolution | |
---
> **Legend:** ⏳ = Planned
---
*Last updated: 17 Jan 2026 (rev 6.0 - All features available across all tiers)*