# Stella Ops - Complete Features Catalog > **Comprehensive table of every capability in the platform.** > > For competitive differentiation highlights, see [`key-features.md`](key-features.md). > For tier-based pricing details, see [`FEATURE_MATRIX.md`](FEATURE_MATRIX.md). --- ## Legend | Symbol | Meaning | |--------|---------| | Y | Available | | - | Not available | | Limited | Partial functionality | | Coming | Planned feature | **Tiers:** Free (F), Community (C), Enterprise (E) --- ## Table of Contents 1. [Container & Image Scanning](#1-container--image-scanning) 2. [Package Detection - Operating Systems](#2-package-detection---operating-systems) 3. [Package Detection - Language Ecosystems](#3-package-detection---language-ecosystems) 4. [Vulnerability Data Sources](#4-vulnerability-data-sources) 5. [Vulnerability Enrichment](#5-vulnerability-enrichment) 6. [SBOM Capabilities](#6-sbom-capabilities) 7. [Output Formats](#7-output-formats) 8. [Filtering & Thresholds](#8-filtering--thresholds) 9. [VEX Processing](#9-vex-processing) 10. [Reachability Analysis](#10-reachability-analysis) 11. [Secrets Detection](#11-secrets-detection) 12. [Policy Engine](#12-policy-engine) 13. [Policy Gates](#13-policy-gates) 14. [Risk Scoring](#14-risk-scoring) 15. [Comparison & Diff](#15-comparison--diff) 16. [Deterministic Replay](#16-deterministic-replay) 17. [Attestation & Signing](#17-attestation--signing) 18. [Cryptography Profiles](#18-cryptography-profiles) 19. [Offline & Air-Gap](#19-offline--air-gap) 20. [Verification](#20-verification) 21. [Authentication](#21-authentication) 22. [Authorization & Access Control](#22-authorization--access-control) 23. [Evidence Management](#23-evidence-management) 24. [Observability](#24-observability) 25. [Notifications](#25-notifications) 26. [CI/CD Integration](#26-cicd-integration) 27. [Registry Integration](#27-registry-integration) 28. [Deployment Options](#28-deployment-options) 29. 
[Storage & Infrastructure](#29-storage--infrastructure) 30. [Web UI Features](#30-web-ui-features) --- ## 1. Container & Image Scanning | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Scan image by tag | Scan container image using registry tag | `stella scan --image registry/app:tag` | Y | Y | Y | | Scan image by digest | Scan container image using content-addressable digest | `stella scan --image registry/app@sha256:...` | Y | Y | Y | | Scan local Docker image | Scan image from local Docker daemon | `stella scan --image myapp:local` | Y | Y | Y | | Scan filesystem | Scan extracted container rootfs directory | `stella scan --rootfs /path/to/rootfs` | Y | Y | Y | | Scan tar archive | Scan container image from .tar.gz archive | `stella scan --archive image.tar.gz` | Y | Y | Y | | Layer-by-layer analysis | Analyze each container layer separately | Automatic during scan | Y | Y | Y | | Base image detection | Identify the base image used | Automatic during scan | Y | Y | Y | | Base image separation | Separate base image vulns from app vulns | `--show-layers` flag | Y | Y | Y | | Delta-SBOM caching | Cache layer SBOMs for faster warm scans | Configure in `scanner.yaml` | - | Y | Y | | Sub-second warm scans | Achieve <1s scan times for cached images | Automatic with caching | - | Y | Y | | Concurrent scan workers | Run multiple scans in parallel | Configure `scanner.workers` | 1 | 3 | Unlimited | | Scan queue management | Queue and prioritize scan jobs | Configure in `scheduler.yaml` | - | Y | Y | | Scan timeout control | Set maximum scan duration | `--timeout 300` | Y | Y | Y | | Scan retry on failure | Automatically retry failed scans | Configure in `scanner.yaml` | - | Y | Y | --- ## 2. 
Package Detection - Operating Systems | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Alpine APK packages | Detect packages from Alpine Linux | Automatic | Y | Y | Y | | Debian dpkg packages | Detect packages from Debian/Ubuntu | Automatic | Y | Y | Y | | Ubuntu packages | Detect packages from Ubuntu | Automatic | Y | Y | Y | | RHEL RPM packages | Detect packages from Red Hat Enterprise Linux | Automatic | Y | Y | Y | | CentOS RPM packages | Detect packages from CentOS | Automatic | Y | Y | Y | | Fedora RPM packages | Detect packages from Fedora | Automatic | Y | Y | Y | | Rocky Linux packages | Detect packages from Rocky Linux | Automatic | Y | Y | Y | | AlmaLinux packages | Detect packages from AlmaLinux | Automatic | Y | Y | Y | | Oracle Linux packages | Detect packages from Oracle Linux | Automatic | Y | Y | Y | | Amazon Linux packages | Detect packages from Amazon Linux | Automatic | Y | Y | Y | | SUSE zypper packages | Detect packages from SUSE/openSUSE | Automatic | Y | Y | Y | | Arch Linux pacman | Detect packages from Arch Linux | Automatic | Y | Y | Y | | Photon OS packages | Detect packages from VMware Photon OS | Automatic | Y | Y | Y | | CBL-Mariner packages | Detect packages from Microsoft CBL-Mariner | Automatic | Y | Y | Y | | Wolfi packages | Detect packages from Wolfi | Automatic | Y | Y | Y | | Chainguard packages | Detect packages from Chainguard images | Automatic | Y | Y | Y | --- ## 3. 
Package Detection - Language Ecosystems | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | npm packages | Detect Node.js npm packages | Automatic from package-lock.json | Y | Y | Y | | yarn packages | Detect Node.js yarn packages | Automatic from yarn.lock | Y | Y | Y | | pnpm packages | Detect Node.js pnpm packages | Automatic from pnpm-lock.yaml | Y | Y | Y | | Python pip packages | Detect pip packages | Automatic from requirements.txt | Y | Y | Y | | Python poetry packages | Detect poetry packages | Automatic from poetry.lock | Y | Y | Y | | Python pipenv packages | Detect pipenv packages | Automatic from Pipfile.lock | Y | Y | Y | | Python conda packages | Detect conda packages | Automatic from conda-lock.yml | Y | Y | Y | | Java Maven dependencies | Detect Maven dependencies | Automatic from pom.xml | Y | Y | Y | | Java Gradle dependencies | Detect Gradle dependencies | Automatic from build.gradle | Y | Y | Y | | Java JAR analysis | Analyze embedded JARs for dependencies | Automatic | Y | Y | Y | | Java WAR/EAR analysis | Analyze web archives for dependencies | Automatic | Y | Y | Y | | Go modules | Detect Go module dependencies | Automatic from go.mod, go.sum | Y | Y | Y | | .NET NuGet packages | Detect NuGet packages | Automatic from *.csproj, packages.config | Y | Y | Y | | .NET deps.json analysis | Analyze .NET deps.json files | Automatic | Y | Y | Y | | Ruby Bundler gems | Detect Ruby gems | Automatic from Gemfile.lock | Y | Y | Y | | Rust Cargo crates | Detect Rust crates | Automatic from Cargo.lock | Y | Y | Y | | PHP Composer packages | Detect Composer packages | Automatic from composer.lock | Y | Y | Y | | Bun packages | Detect Bun packages | Automatic from bun.lockb | Y | Y | Y | | Deno imports | Detect Deno imports | Automatic from deno.json, import_map.json | Y | Y | Y | | Swift packages | Detect Swift Package Manager packages | Automatic from Package.resolved | Y | Y | Y | | Conan packages | 
Detect C/C++ Conan packages | Automatic from conanfile.txt | Y | Y | Y | | vcpkg packages | Detect C/C++ vcpkg packages | Automatic from vcpkg.json | Y | Y | Y | | Hex packages | Detect Elixir Hex packages | Automatic from mix.lock | Y | Y | Y | | Pub packages | Detect Dart/Flutter packages | Automatic from pubspec.lock | Y | Y | Y | | Transitive dependencies | Map complete dependency tree | Automatic | Y | Y | Y | | Dependency path tracking | Show how each dependency was introduced | In scan output | Y | Y | Y | | License detection | Identify package licenses | Automatic, show with `--licenses` | Y | Y | Y | | Binary fingerprinting | Identify packages from compiled binaries | `--binary-analysis` | - | Y | Y | | Symbol extraction | Extract symbol tables from binaries | Automatic with binary analysis | - | Y | Y | --- ## 4. Vulnerability Data Sources | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | NVD (NIST) | National Vulnerability Database | Configure in `concelier.yaml` | Y | Y | Y | | GitHub Security Advisories | GHSA ecosystem advisories | Configure with `GITHUB_PAT` | Y | Y | Y | | OSV database | Open Source Vulnerabilities | Automatic | Y | Y | Y | | Alpine SecDB | Alpine Linux security database | Automatic | Y | Y | Y | | Debian Security Tracker | Debian vulnerability tracker | Automatic | Y | Y | Y | | Ubuntu USN | Ubuntu Security Notices | Automatic | Y | Y | Y | | Red Hat OVAL | Red Hat security data | Automatic | Y | Y | Y | | Red Hat Security Errata | RHEL security errata | Automatic | Y | Y | Y | | SUSE OVAL | SUSE security data | Automatic | Y | Y | Y | | Amazon Linux Security | Amazon Linux advisories | Automatic | Y | Y | Y | | Oracle Linux OVAL | Oracle Linux security data | Automatic | Y | Y | Y | | Photon Security Advisories | VMware Photon advisories | Automatic | Y | Y | Y | | Wolfi Security Advisories | Wolfi security data | Automatic | Y | Y | Y | | CISA KEV | Known Exploited 
Vulnerabilities catalog | Automatic | Y | Y | Y | | Custom advisory feeds | Import custom advisory sources | Configure in `concelier.yaml` | - | Y | Y | | Advisory feed scheduling | Configure update frequency | Configure in `concelier.yaml` | - | Y | Y | | Advisory feed mirroring | Mirror feeds locally | Configure Mirror service | - | - | Y | --- ## 5. Vulnerability Enrichment | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | CVSS v2.0 scores | Include CVSS 2.0 base scores | Automatic | Y | Y | Y | | CVSS v3.0 scores | Include CVSS 3.0 base scores | Automatic | Y | Y | Y | | CVSS v3.1 scores | Include CVSS 3.1 base scores | Automatic | Y | Y | Y | | CVSS v4.0 scores | Include CVSS 4.0 base scores | Automatic | Y | Y | Y | | CVSS environmental metrics | Apply environmental context | Configure CVSS policy | - | Y | Y | | CVSS temporal metrics | Apply temporal context | Automatic from feed data | Y | Y | Y | | KEV flagging | Flag Known Exploited Vulnerabilities | Automatic | Y | Y | Y | | EPSS scores | Exploit Prediction Scoring System | Automatic | Y | Y | Y | | EPSS percentile | Show EPSS percentile ranking | Automatic | Y | Y | Y | | Exploit maturity | Show exploit availability status | Automatic | Y | Y | Y | | Proof of concept available | Flag when PoC exists | Automatic | Y | Y | Y | | Weaponized exploit | Flag weaponized exploits | Automatic | Y | Y | Y | | In-the-wild exploitation | Flag active exploitation | Automatic from KEV + feeds | Y | Y | Y | | Fix available | Show if fix version exists | Automatic | Y | Y | Y | | Fix version | Show the version that fixes the vuln | Automatic | Y | Y | Y | | Vendor advisory links | Link to vendor advisories | Automatic | Y | Y | Y | | CWE mapping | Map to CWE weakness types | Automatic | Y | Y | Y | | CAPEC mapping | Map to CAPEC attack patterns | Automatic | - | Y | Y | --- ## 6. 
SBOM Capabilities | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | CycloneDX 1.7 generation | Generate CycloneDX 1.7 SBOMs | `--sbom-out sbom.json --sbom-format cyclonedx` | Y | Y | Y | | CycloneDX 1.6 generation | Generate CycloneDX 1.6 SBOMs | `--sbom-format cyclonedx-1.6` | Y | Y | Y | | CycloneDX 1.5 generation | Generate CycloneDX 1.5 SBOMs | `--sbom-format cyclonedx-1.5` | Y | Y | Y | | SPDX 3.0.1 generation | Generate SPDX 3.0.1 SBOMs | `--sbom-format spdx` | Y | Y | Y | | SPDX 2.3 generation | Generate SPDX 2.3 SBOMs | `--sbom-format spdx-2.3` | Y | Y | Y | | SPDX-JSON generation | Generate SPDX JSON format | `--sbom-format spdx-json` | Y | Y | Y | | SBOM auto-format detection | Detect format of imported SBOMs | Automatic | Y | Y | Y | | SBOM import (CycloneDX) | Import CycloneDX SBOMs | `stella scan --sbom file.json` | Y | Y | Y | | SBOM import (SPDX) | Import SPDX SBOMs | `stella scan --sbom file.spdx` | Y | Y | Y | | SBOM import (Trivy JSON) | Import Trivy JSON format | `stella scan --sbom trivy.json` | Y | Y | Y | | SBOM validation | Validate SBOM structure | Automatic on import | Y | Y | Y | | SBOM normalization | Normalize imported SBOMs | Automatic | Y | Y | Y | | SBOM deduplication | Deduplicate SBOM components | Automatic | Y | Y | Y | | SBOM storage | Store SBOMs in central repository | Automatic via SbomService | - | Y | Y | | SBOM versioning | Track SBOM versions over time | Via SbomService API | - | Y | Y | | SBOM lineage tracking | Track SBOM lineage across builds | Via Lineage API | - | - | Y | | SBOM traversal queries | Query SBOM history and relationships | Via Lineage API | - | - | Y | | SBOM retention policies | Configure SBOM retention periods | Configure in `sbom-service.yaml` | - | Y | Y | --- ## 7. 
Output Formats | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Table output | Human-readable table format | `--output table` (default) | Y | Y | Y | | JSON output | Machine-readable JSON | `--output json` | Y | Y | Y | | SARIF output | Static Analysis Results Format | `--output sarif` | Y | Y | Y | | CycloneDX VEX output | CycloneDX VEX format | `--output cdx-vex` | Y | Y | Y | | OpenVEX output | OpenVEX format | `--output openvex` | Y | Y | Y | | CSV output | Comma-separated values | `--output csv` | Y | Y | Y | | Markdown output | Markdown formatted report | `--output markdown` | Y | Y | Y | | HTML output | HTML formatted report | `--output html` | - | Y | Y | | PDF output | PDF formatted report | Via Export Center | - | - | Y | | Excel output | Excel spreadsheet format | Via Export Center | - | - | Y | | Template-based output | Custom output templates | Configure templates | - | - | Y | | Output to file | Write output to file | `--output-file results.json` | Y | Y | Y | | Output to stdout | Write output to stdout | Default behavior | Y | Y | Y | | Quiet mode | Suppress non-essential output | `--quiet` | Y | Y | Y | | Verbose mode | Show detailed output | `--verbose` | Y | Y | Y | --- ## 8. 
Filtering & Thresholds | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Filter by severity | Show only specific severity levels | `--severity CRITICAL,HIGH` | Y | Y | Y | | Minimum severity | Set minimum severity threshold | `--min-severity HIGH` | Y | Y | Y | | Fixable only | Show only vulns with available fixes | `--fixable` | Y | Y | Y | | Unfixed only | Show only vulns without fixes | `--unfixed` | Y | Y | Y | | Filter by package | Filter by package name pattern | `--package "log4j*"` | Y | Y | Y | | Filter by CVE | Filter by CVE ID pattern | `--cve "CVE-2024-*"` | Y | Y | Y | | Filter by CWE | Filter by CWE category | `--cwe CWE-79` | Y | Y | Y | | Filter by ecosystem | Filter by package ecosystem | `--ecosystem npm,maven` | Y | Y | Y | | Ignore file support | Suppress findings via .stellaignore | Create `.stellaignore` file | Y | Y | Y | | Ignore by CVE | Ignore specific CVEs | Add to `.stellaignore` | Y | Y | Y | | Ignore by package | Ignore specific packages | Add to `.stellaignore` | Y | Y | Y | | Ignore with expiration | Time-limited ignores | Add expiry in `.stellaignore` | - | Y | Y | | Ignore with justification | Document ignore reasons | Add reason in `.stellaignore` | Y | Y | Y | | Exit code on vulns | Return non-zero exit code | `--exit-code-if-vuln 1` | Y | Y | Y | | Exit code thresholds | Exit code based on severity count | `--exit-code-if-critical 2` | Y | Y | Y | | Fail on unknowns | Fail when unknowns exceed threshold | `--fail-on-unknowns 5%` | - | Y | Y | --- ## 9. 
VEX Processing | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | OpenVEX ingestion | Import OpenVEX documents | `stella vex import --file vex.json` | Y | Y | Y | | CycloneDX VEX ingestion | Import CycloneDX VEX documents | `stella vex import --file cdx-vex.json` | Y | Y | Y | | CSAF ingestion | Import CSAF advisories | `stella vex import --file csaf.json` | Y | Y | Y | | VEX auto-detection | Detect VEX format automatically | Automatic on import | Y | Y | Y | | VEX validation | Validate VEX document structure | Automatic on import | Y | Y | Y | | VEX status: not_affected | Apply not_affected status | Suppresses finding | Y | Y | Y | | VEX status: affected | Apply affected status | Surfaces finding | Y | Y | Y | | VEX status: fixed | Apply fixed status | Adds fix context | Y | Y | Y | | VEX status: under_investigation | Apply investigation status | Marks as Unknown | Y | Y | Y | | VEX justification tracking | Track VEX justifications | Automatic | Y | Y | Y | | VEX impact statement | Include impact statements | Automatic | Y | Y | Y | | VEX action statement | Include action statements | Automatic | Y | Y | Y | | Multi-issuer VEX | Ingest VEX from multiple issuers | Multiple imports | - | Y | Y | | VEX issuer trust levels | Assign trust weights to issuers | Configure Issuer Directory | - | Y | Y | | VEX consensus engine | Compute consensus from multiple VEX | Automatic via VexLens | - | - | Y | | K4 lattice logic | Use four-valued logic for consensus | Automatic | - | - | Y | | VEX conflict detection | Detect conflicting VEX statements | Automatic | - | - | Y | | VEX conflict surfacing | Surface conflicts in output | Automatic | - | - | Y | | Issuer Directory | Manage trusted VEX issuers | Configure in `issuer-directory.yaml` | - | Y | Y | | CSAF publisher discovery | Discover CSAF publishers | Configure discovery | - | - | Y | | VEX export | Export VEX from scan results | `stella vex export --scan ` | Y | Y | Y | 
| VEX generation | Generate VEX for findings | `stella vex generate` | - | Y | Y | --- ## 10. Reachability Analysis | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Static reachability | Determine code reachability via static analysis | `stella scan --reachability` | - | Y | Y | | Call graph building | Build call graph from entry points | Automatic with reachability | - | Y | Y | | Entry point detection | Detect application entry points | Automatic | - | Y | Y | | Reachable classification | Mark vulns as REACHABLE | In scan output | - | Y | Y | | Unreachable classification | Mark vulns as UNREACHABLE | In scan output | - | Y | Y | | Unknown reachability | Mark vulns with unknown reachability | In scan output | - | Y | Y | | Call path visualization | View call paths to vulnerable code | `stella graph show --cve ` | - | Y | Y | | Call path export | Export call paths | `stella graph export` | - | Y | Y | | Binary layer analysis | Analyze compiled binaries for symbols | Automatic | - | - | Y | | Symbol presence verification | Verify vulnerable symbols exist | Automatic | - | - | Y | | Runtime layer analysis | Confirm execution via eBPF probes | Configure runtime signals | - | - | Y | | Three-layer proofs | Combine static + binary + runtime | Automatic when all available | - | - | Y | | Confidence tier: Confirmed | All three layers agree | Automatic | - | - | Y | | Confidence tier: Likely | Static + binary agree | Automatic | - | - | Y | | Confidence tier: Present | Package present, no path evidence | Automatic | - | Y | Y | | Signed reachability graphs | Sign reachability graphs with DSSE | Configure in `attestor.yaml` | - | - | Y | | Edge-bundle attestation | Sign individual path edges | Configure in `attestor.yaml` | - | - | Y | | Reachability proof export | Export reachability proofs | `stella graph export --proof` | - | - | Y | --- ## 11. 
Secrets Detection | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Credential leak detection | Scan for accidentally committed secrets | `stella scan --secrets` | Coming | Coming | Coming | | AWS access key detection | Detect AWS access keys | Automatic with secrets scan | Coming | Coming | Coming | | AWS secret key detection | Detect AWS secret access keys | Automatic | Coming | Coming | Coming | | GitHub token detection | Detect GitHub personal access tokens | Automatic | Coming | Coming | Coming | | GitLab token detection | Detect GitLab tokens | Automatic | Coming | Coming | Coming | | Private key detection | Detect private keys (RSA, EC, etc.) | Automatic | Coming | Coming | Coming | | Database credential detection | Detect database connection strings | Automatic | Coming | Coming | Coming | | API key detection | Detect common API keys | Automatic | Coming | Coming | Coming | | JWT secret detection | Detect JWT signing secrets | Automatic | Coming | Coming | Coming | | Generic high-entropy strings | Detect high-entropy secrets | Automatic | Coming | Coming | Coming | | Rule bundle management | Manage detection rule bundles | `stella secrets bundle` | Coming | Coming | Coming | | Built-in rule bundles | Use shipped rule bundles | Automatic | Coming | Coming | Coming | | Custom rule bundles | Create custom rule bundles | `stella secrets bundle create` | Coming | - | Coming | | Rule bundle signing | Sign rule bundles | `stella secrets bundle create --sign` | Coming | - | Coming | | Rule bundle verification | Verify rule bundle integrity | `stella secrets bundle verify` | Coming | Coming | Coming | | Masked output | Mask detected secrets in output | Automatic | Coming | Coming | Coming | | Secret location reporting | Report file and line of secrets | In scan output | Coming | Coming | Coming | | Secrets in policy | Use secrets findings in policy rules | `secret.hasFinding()` predicate | Coming | - | Coming | | 
Secrets severity levels | Assign severity to secret types | In rule definitions | Coming | Coming | Coming | | Secrets confidence levels | Assign confidence to detections | In rule definitions | Coming | Coming | Coming | --- ## 12. Policy Engine | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Policy pack support | Define policies as reusable packs | Create policy YAML files | Y | Y | Y | | Starter-day1 pack | Production-ready starter policy | `stella policy install starter-day1` | Y | Y | Y | | Custom policy creation | Create custom policy packs | Write policy YAML | Y | Y | Y | | Policy validation | Validate policy syntax | `stella policy validate --path policy.yaml` | Y | Y | Y | | Severity-based rules | Block/warn based on severity | Define severity rules | Y | Y | Y | | Reachability-based rules | Block/warn based on reachability | Define reachability rules | - | Y | Y | | VEX-based rules | Allow VEX-suppressed findings | Define VEX bypass rules | Y | Y | Y | | CVSS-based rules | Rules based on CVSS scores | Define CVSS threshold rules | Y | Y | Y | | EPSS-based rules | Rules based on EPSS scores | Define EPSS threshold rules | - | Y | Y | | KEV-based rules | Block KEV vulnerabilities | Define KEV rules | Y | Y | Y | | Package-based rules | Rules for specific packages | Define package rules | Y | Y | Y | | Ecosystem-based rules | Rules for specific ecosystems | Define ecosystem rules | Y | Y | Y | | Age-based rules | Rules based on CVE age | Define age threshold rules | - | Y | Y | | Fix-available rules | Rules requiring fixes to exist | Define fix-required rules | Y | Y | Y | | Unknowns budget | Fail when unknowns exceed threshold | `unknownsBudget: 5%` | - | Y | Y | | Policy simulation | Test policy against historical scans | `stella policy simulate` | - | Y | Y | | Policy diff | Compare two policy outcomes | `stella policy simulate --diff` | - | Y | Y | | Policy dry-run | Preview policy effects | 
`--dry-run` flag | - | Y | Y | | Policy push to OCI | Push policies to OCI registry | `stella policy push --to registry/policy:v1` | - | Y | Y | | Policy pull from OCI | Pull policies from OCI registry | `stella policy pull --from registry/policy:v1` | - | Y | Y | | Policy list packs | List available policy packs | `stella policy list-packs` | Y | Y | Y | | Policy export bundle | Export policy for offline use | `stella policy export-bundle` | - | - | Y | | Policy import bundle | Import offline policy bundle | `stella policy import-bundle` | - | - | Y | | Policy inheritance | Inherit from base policies | Define `extends` in policy | - | Y | Y | | Policy overrides | Override inherited rules | Define overrides | - | Y | Y | | Environment-specific policies | Different policies per environment | Define env-specific rules | - | Y | Y | --- ## 13. Policy Gates | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Quality gate | Block/warn based on thresholds | Configure quality gate rules | Y | Y | Y | | Approval gate | Require human approval | Configure approval workflows | - | - | Y | | Exception gate | Manage temporary exceptions | Request exceptions via UI/API | - | - | Y | | Exception expiration | Auto-expire exceptions | Set expiration in exception | - | - | Y | | Exception justification | Require justification for exceptions | Mandatory field | - | - | Y | | Exception approval routing | Route to appropriate approvers | Configure routing templates | - | - | Y | | Stability damping | Prevent gate flickering | Configure `StabilityDampingGate` | - | - | Y | | Progressive rollout | Gradual policy enforcement | Configure rollout percentage | - | - | Y | | Gate bypass for emergencies | Emergency bypass mechanism | Requires elevated permissions | - | - | Y | | Gate audit trail | Log all gate decisions | Automatic | - | Y | Y | --- ## 14. 
Risk Scoring | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | CVSS 4.0 base scoring | Calculate CVSS 4.0 base scores | Automatic | Y | Y | Y | | CVSS environmental scoring | Apply environmental metrics | Configure CVSS policy | - | Y | Y | | Custom risk scoring | Define custom scoring formulas | Configure in policy | - | - | Y | | Risk budget definition | Define acceptable risk levels | Configure risk budgets | - | - | Y | | Risk budget tracking | Track budget consumption | View in UI/API | - | - | Y | | Risk budget alerts | Alert on budget thresholds | Configure alert thresholds | - | - | Y | | Unknowns tracking | Track unidentified components | `stella unknowns list` | - | Y | Y | | Unknowns classification | Classify as Hot/Warm/Cold/Resolved | Automatic | - | - | Y | | Unknowns decay tracking | Track uncertainty over time | Automatic | - | - | Y | | Unknowns blast radius | Estimate impact of unknowns | In analysis output | - | - | Y | | Portfolio risk view | Aggregate risk across images | Via UI dashboard | - | - | Y | | Risk trends | View risk trends over time | Via UI dashboard | - | - | Y | --- ## 15. 
Comparison & Diff | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | SBOM comparison | Compare two SBOMs | `stella compare sbom --a v1.json --b v2.json` | Y | Y | Y | | Package diff | Show added/removed packages | In comparison output | Y | Y | Y | | Version diff | Show version changes | In comparison output | Y | Y | Y | | License diff | Show license changes | In comparison output | Y | Y | Y | | Vulnerability diff | Show vuln changes between scans | `stella compare scan --a --b ` | Y | Y | Y | | New vulnerabilities | Show newly introduced vulns | In comparison output | Y | Y | Y | | Fixed vulnerabilities | Show fixed/removed vulns | In comparison output | Y | Y | Y | | Semantic risk delta | Compare security meaning, not counts | `stella compare risk` | - | - | Y | | Reachability drift | Detect reachability changes | `stella drift reachability` | - | - | Y | | Policy outcome diff | Compare policy decisions | `stella policy simulate --diff` | - | Y | Y | | Smart-Diff summary | "Exploitability dropped 40%" style | In comparison output | - | - | Y | --- ## 16. 
Deterministic Replay | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Scan Replay Manifest (SRM) | Generate manifest for replay | `stella scan --srm-out manifest.yaml` | - | - | Y | | Replay scan from manifest | Replay using SRM | `stella replay --manifest manifest.yaml` | - | - | Y | | Replay digest assertion | Verify replay matches original | `stella replay --assert-digest sha256:...` | - | - | Y | | Knowledge snapshot export | Export frozen knowledge state | `stella airgap export --output snapshot.tar.gz` | - | - | Y | | Knowledge snapshot import | Import knowledge snapshot | `stella airgap import snapshot.tar.gz` | - | - | Y | | Knowledge snapshot diff | Compare two snapshots | `stella airgap diff --base a.tar.gz --target b.tar.gz` | - | - | Y | | Staleness tracking | Track snapshot age | `stella airgap status` | - | - | Y | | Staleness warnings | Warn when snapshot is aging | Automatic | - | - | Y | | Staleness blocking | Block when snapshot too old | Configure `staleAction: block` | - | - | Y | | Verdict replay | Replay policy decisions | `stella replay snapshot --verdict ` | - | - | Y | | Replay verification | Verify replay produces same result | Automatic with assertion | - | - | Y | | Feed snapshot inclusion | Include feed snapshots in replay | Automatic | - | - | Y | | Analyzer version pinning | Pin analyzer versions for replay | In SRM | - | - | Y | | Policy version pinning | Pin policy version for replay | In SRM | - | - | Y | --- ## 17. 
Attestation & Signing | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | DSSE attestation format | Use DSSE envelope format | Automatic | - | Y | Y | | in-toto attestation | Generate in-toto attestations | Configure Attestor | - | Y | Y | | SBOM attestation | Sign SBOMs with attestation | `stella attest sbom` | - | Y | Y | | Scan result attestation | Sign scan results | `stella attest scan` | - | Y | Y | | Verdict attestation | Sign policy verdicts | `stella attest verdict` | - | - | Y | | Evidence bundle creation | Create signed evidence bundles | `stella evidence bundle` | - | - | Y | | Keyless signing | Sign using OIDC identity (Sigstore) | `stella sign keyless --input file` | - | Y | Y | | Rekor transparency log | Upload to Rekor | `stella sign keyless --rekor` | - | Y | Y | | Keyless verification | Verify keyless signatures | `stella sign verify-keyless` | - | Y | Y | | Self-hosted Fulcio | Use self-hosted Fulcio | Configure `--fulcio-url` | - | - | Y | | Self-hosted Rekor | Use self-hosted Rekor | Configure `--rekor-url` | - | - | Y | | Traditional key signing | Sign with managed keys | `stella sign --key-id ` | - | Y | Y | | Key rotation support | Rotate signing keys | Via key management | - | - | Y | | Multi-signature support | Sign with multiple keys | Configure multiple signers | - | - | Y | | Signature verification | Verify signatures | `stella verify signature` | - | Y | Y | | Attestation verification | Verify attestations | `stella verify attestation` | - | Y | Y | --- ## 18. 
Cryptography Profiles | Feature | Description | How to Use | F | C | E | |---------|-------------|------------|:-:|:-:|:-:| | Default crypto profile | Standard cryptographic algorithms | Default | Y | Y | Y | | FIPS-140-3 profile | US federal crypto requirements | Configure `profile: fips-140-3` | - | - | Y | | eIDAS profile | EU qualified signatures | Configure `profile: eidas` | - | - | Y | | GOST-2012 profile | Russian Federation requirements | Configure `profile: gost-2012` | - | - | Y | | SM2 profile | PRC cryptographic requirements | Configure `profile: sm2` | - | - | Y | | Post-quantum profile | Dilithium, Falcon algorithms | Configure `profile: pqc` | - | - | Y | | Algorithm selection | Choose specific algorithms | Configure `algorithms` section | - | - | Y | | Multi-profile signing | Sign with multiple profiles | Configure multiple profiles | - | - | Y | | Profile validation | Validate crypto configuration | Automatic on startup | - | - | Y | | Hardware security module | HSM integration | Configure HSM provider | - | - | Y | --- ## 19. 
## 19. Offline & Air-Gap

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Offline Update Kit export | Export complete offline bundle | `stella airgap export --output kit.tar.gz` | - | - | Y |
| Offline Update Kit import | Import offline bundle | `stella airgap import kit.tar.gz` | - | - | Y |
| Kit signature verification | Verify kit signatures on import | Automatic or `--verify-only` | - | - | Y |
| Kit Merkle root verification | Verify kit integrity via Merkle root | Automatic | - | - | Y |
| Advisory feed inclusion | Include advisory feeds in kit | `--include-advisories` | - | - | Y |
| VEX document inclusion | Include VEX statements in kit | `--include-vex` | - | - | Y |
| Policy bundle inclusion | Include policy bundles in kit | `--include-policies` | - | - | Y |
| Trust root inclusion | Include trust roots in kit | Automatic | - | - | Y |
| Staleness policy configuration | Configure maximum bundle age | Configure in `airgap.yaml` | - | - | Y |
| Staleness warning threshold | Warn when a bundle passes a given age | Configure `warnAgeHours` | - | - | Y |
| Staleness block threshold | Block import when a bundle is too old | Configure `maxAgeHours` | - | - | Y |
| Version monotonicity | Reject kits not newer than the installed one (rollback protection) | `enforceMonotonicity: true` | - | - | Y |
| Feed mirror service | Mirror advisory feeds locally | Deploy Mirror service | - | - | Y |
| Registry mirror support | Use registry mirrors | Configure mirrors in `scanner.yaml` | - | Y | Y |
| Transparency log mirror | Mirror Rekor transparency log | Deploy Rekor mirror | - | - | Y |
| Egress allowlist mode | Allow only specified hosts | Configure `egressPolicy.mode: allowlist` | - | - | Y |
| Egress denylist mode | Block specified hosts | Configure `egressPolicy.mode: denylist` | - | - | Y |
| Sealed mode | Block all network access | Configure sealed mode | - | - | Y |
| Localhost-only mode | Allow only localhost traffic | Configure `allowLocalhost: true` | - | - | Y |
| Time anchor (Roughtime) | Trusted time from Roughtime servers | Configure Roughtime servers | - | - | Y |
| Time anchor (RFC 3161) | Trusted time from TSA servers | Configure TSA servers | - | - | Y |

---

## 20. Verification

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Offline evidence verification | Verify evidence without network | `stella verify offline --evidence-dir ./evidence` | - | - | Y |
| Image attestation verification | Verify image has required attestations | `stella verify image registry/app@sha256:...` | - | Y | Y |
| Require SBOM attestation | Require SBOM attestation | `--require sbom` | - | Y | Y |
| Require VEX attestation | Require VEX attestation | `--require vex` | - | Y | Y |
| Require decision attestation | Require policy decision attestation | `--require decision` | - | - | Y |
| Require approval attestation | Require approval attestation | `--require approval` | - | - | Y |
| Strict mode | Fail if any required attestation is missing | `--strict` | - | Y | Y |
| Evidence bundle verification | Verify complete evidence bundle | `stella verify bundle --bundle ./bundle` | - | - | Y |
| Skip replay verification | Verify only input hashes | `--skip-replay` | - | - | Y |
| Trust policy application | Apply trust policy during verification | `--trust-policy policy.yaml` | - | - | Y |
| Certificate verification | Verify signing certificates | Automatic | - | Y | Y |
| Certificate chain validation | Validate full certificate chain | Automatic | - | Y | Y |
| OCSP checking | Check certificate revocation | Automatic when online | - | Y | Y |
| CRL checking | Check certificate revocation lists | Automatic | - | Y | Y |
| Offline revocation checking | Check revocation without network | Using embedded CRLs | - | - | Y |

---
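The staleness, rollback and egress rules listed under Offline & Air-Gap above, as an added Go example of the checks an importer has to make; it is not the platform's implementation. The `AirgapPolicy` struct, the `KitManifest` shape, the five-minute tolerance for kits dated after the time anchor, and the rule that `allowLocalhost` alone governs loopback traffic are assumptions of this example; only the option names mirror the catalog.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
	"time"
)

// AirgapPolicy holds the staleness and egress settings the catalog names
// (warnAgeHours, maxAgeHours, enforceMonotonicity, egressPolicy.mode,
// allowLocalhost); the struct layout itself is an assumption of this example.
type AirgapPolicy struct {
	WarnAgeHours        int
	MaxAgeHours         int
	EnforceMonotonicity bool
	EgressMode          string   // "allowlist", "denylist" or "sealed"
	EgressHosts         []string // hosts named by the allowlist or denylist
	AllowLocalhost      bool
}

// KitManifest is the subset of an Offline Update Kit manifest these checks need.
type KitManifest struct {
	Version   int       // must increase with every kit the connected side produces
	CreatedAt time.Time // when the kit was built
}

type Verdict struct {
	Accept   bool
	Warnings []string
}

// EvaluateKit decides whether a kit may be imported. Age is measured against a
// trusted time anchor supplied by the caller (Roughtime or RFC 3161), not the
// local wall clock, so a rolled-back clock cannot make a stale kit look fresh.
// installedVersion is the version currently imported (0 if none).
func EvaluateKit(kit KitManifest, installedVersion int, anchor time.Time, p AirgapPolicy) (Verdict, error) {
	if p.EnforceMonotonicity && kit.Version <= installedVersion {
		return Verdict{}, fmt.Errorf("rollback rejected: kit version %d is not newer than installed %d", kit.Version, installedVersion)
	}
	if kit.CreatedAt.After(anchor.Add(5 * time.Minute)) {
		return Verdict{}, fmt.Errorf("kit build time %s is after the trusted time anchor %s", kit.CreatedAt.UTC(), anchor.UTC())
	}
	age := anchor.Sub(kit.CreatedAt)
	if p.MaxAgeHours > 0 && age > time.Duration(p.MaxAgeHours)*time.Hour {
		return Verdict{}, fmt.Errorf("kit is %.0fh old, above maxAgeHours=%d", age.Hours(), p.MaxAgeHours)
	}
	v := Verdict{Accept: true}
	if p.WarnAgeHours > 0 && age > time.Duration(p.WarnAgeHours)*time.Hour {
		v.Warnings = append(v.Warnings, fmt.Sprintf("kit is %.0fh old, above warnAgeHours=%d", age.Hours(), p.WarnAgeHours))
	}
	return v, nil
}

// EgressAllowed applies the egress policy to one outbound URL. Loopback targets
// are governed only by allowLocalhost; sealed mode blocks everything else;
// allowlist mode permits only listed hosts; denylist mode blocks listed hosts.
// Hosts are compared as whole lowercase names, so "mirror.example.internal.evil.test"
// never matches "mirror.example.internal".
func EgressAllowed(rawURL string, p AirgapPolicy) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return false, fmt.Errorf("unparseable egress target %q", rawURL)
	}
	host := strings.ToLower(u.Hostname())
	if isLoopback(host) {
		return p.AllowLocalhost, nil
	}
	listed := false
	for _, h := range p.EgressHosts {
		if strings.ToLower(h) == host {
			listed = true
		}
	}
	switch p.EgressMode {
	case "sealed":
		return false, nil
	case "allowlist":
		return listed, nil
	case "denylist":
		return !listed, nil
	}
	return false, fmt.Errorf("unknown egressPolicy.mode %q", p.EgressMode)
}

func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

func main() {
	fmt.Println(EgressAllowed("https://mirror.example.internal/feeds", AirgapPolicy{EgressMode: "sealed"}))
}
```

Note the order of the checks: the version comparison and the time-anchor comparison come before any age arithmetic, so a kit that is newer than the anchor (a forged `CreatedAt`) is rejected rather than treated as zero hours old.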
## 21. Authentication

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| OAuth 2.0 authorization code | Authorization code flow for users | Configure Authority | - | Y | Y |
| OAuth 2.0 client credentials | Client credentials for services | Configure Authority | - | Y | Y |
| OAuth 2.0 refresh tokens | Refresh token support | Configure Authority | - | Y | Y |
| OpenID Connect | OIDC authentication | Configure Authority | - | Y | Y |
| DPoP (Proof of Possession) | Bind access tokens to a client-held key (RFC 9449) | Configure `senderConstraint: dpop` | - | - | Y |
| mTLS authentication | Mutual TLS for service auth | Configure mTLS | - | - | Y |
| API key authentication | Simple API key auth | Configure API keys | Y | Y | Y |
| Token lifetime configuration | Configure access token expiration | Configure in `authority.yaml` | - | Y | Y |
| Token refresh configuration | Configure refresh token lifetime | Configure in `authority.yaml` | - | Y | Y |
| LDAP integration | Authenticate via LDAP | Deploy LDAP plugin | - | - | Y |
| SAML integration | Authenticate via SAML | Deploy SAML plugin | - | - | Y |
| External IdP integration | Use an external identity provider | Configure OIDC provider | - | Y | Y |
| MFA requirement | Require multi-factor auth | Configure in Authority | - | - | Y |
| Session management | Manage user sessions | Via Authority | - | Y | Y |
| Token revocation | Revoke access tokens | Via Authority API | - | Y | Y |

---
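The `senderConstraint: dpop` row binds an access token to a client key. As an added Go example, not Stella Ops code and not the Authority service's implementation, this is the RFC 9449 proof a client builds for one request and the check a resource server runs against the token's `cnf.jkt` claim (an RFC 7638 JWK thumbprint). It assumes ES256 (P-256) keys, a five-minute `iat` window and an in-memory `jti` replay cache; none of these reflect the Authority's actual settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the public P-256 key a DPoP proof carries in its header.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func publicJWK(pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required members in
// lexicographic order with no whitespace. The authority puts it in the token's cnf.jkt.
func Thumbprint(k jwk) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y)))
	return b64.EncodeToString(sum[:])
}

// NewProof builds the DPoP proof JWT a client sends with one HTTP request.
func NewProof(priv *ecdsa.PrivateKey, method, uri, jti string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)})
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": method, "htu": uri, "iat": iat.Unix()})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyProof is the resource-server check for a request whose access token carries
// cnf.jkt == tokenJKT: the proof must verify under the key it embeds, that key's
// thumbprint must equal cnf.jkt, htm/htu must match the request, iat must be recent,
// and jti must be unseen (seenJTI is the replay cache, updated only on success).
func VerifyProof(proof, method, uri, tokenJKT string, now time.Time, seenJTI map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	bodyJSON, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return fmt.Errorf("malformed proof encoding")
	}
	var hdr struct{ Typ, Alg string; Jwk jwk }
	var body struct{ Jti, Htm, Htu string; Iat int64 }
	if json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(bodyJSON, &body) != nil {
		return fmt.Errorf("malformed proof JSON")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return fmt.Errorf("unexpected proof header") // also blocks alg confusion
	}
	x, ex := b64.DecodeString(hdr.Jwk.X)
	y, ey := b64.DecodeString(hdr.Jwk.Y)
	if ex != nil || ey != nil || len(x) != 32 || len(y) != 32 {
		return fmt.Errorf("bad jwk coordinates")
	}
	// ecdsa.Verify rejects points that are not on the curve, so no separate check is needed.
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("proof signature invalid")
	}
	if Thumbprint(hdr.Jwk) != tokenJKT {
		return fmt.Errorf("proof key does not match the token's cnf.jkt")
	}
	if body.Htm != method || body.Htu != uri {
		return fmt.Errorf("proof is bound to %s %s, not this request", body.Htm, body.Htu)
	}
	if d := now.Sub(time.Unix(body.Iat, 0)); d > 5*time.Minute || d < -time.Minute {
		return fmt.Errorf("proof iat outside the acceptance window")
	}
	if seenJTI[body.Jti] {
		return fmt.Errorf("proof jti %q already used", body.Jti)
	}
	seenJTI[body.Jti] = true
	return nil
}
```

The thumbprint comparison is the step that makes the token sender-constrained: a stolen bearer token presented with a proof from a different key verifies as a signature but fails the `cnf.jkt` match, and a captured proof fails the `jti` and `htm`/`htu` checks when replayed.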
## 22. Authorization & Access Control

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Role-based access control | Assign roles to users | Configure in Authority | - | Y | Y |
| policy-author role | Create and edit policies | Assign role | - | Y | Y |
| policy-reviewer role | Review policy changes | Assign role | - | Y | Y |
| policy-approver role | Approve policies for production | Assign role | - | - | Y |
| policy-operator role | Run and activate policies | Assign role | - | Y | Y |
| policy-auditor role | Audit policy decisions | Assign role | - | - | Y |
| airgap-viewer role | View offline kit status | Assign role | - | - | Y |
| airgap-operator role | Import/export offline kits | Assign role | - | - | Y |
| airgap-admin role | Full air-gap administration | Assign role | - | - | Y |
| vuln-viewer role | View vulnerability findings | Assign role | - | Y | Y |
| vuln-investigator role | Investigate and triage findings | Assign role | - | Y | Y |
| vuln-operator role | Take action on findings | Assign role | - | Y | Y |
| vuln-auditor role | Audit vulnerability decisions | Assign role | - | - | Y |
| export-viewer role | View export results | Assign role | - | Y | Y |
| export-operator role | Trigger exports | Assign role | - | Y | Y |
| export-admin role | Manage export configuration | Assign role | - | - | Y |
| notify-viewer role | View notifications | Assign role | - | Y | Y |
| notify-operator role | Manage notifications | Assign role | - | Y | Y |
| notify-admin role | Full notification admin | Assign role | - | - | Y |
| Custom roles | Define custom roles | Configure in Authority | - | - | Y |
| Attribute-based access | Fine-grained ABAC | Configure attributes | - | - | Y |
| Environment restrictions | Restrict access by environment | Configure env attributes | - | - | Y |
| Business tier restrictions | Restrict by business tier | Configure tier attributes | - | - | Y |
| Service accounts | Create service identities | Configure in Authority | - | Y | Y |
| Delegated tokens | Issue delegated access tokens | Via Authority API | - | - | Y |
| Scope-based permissions | Permission scopes on tok<br>ens | Configure scopes | - | Y | Y |

---

## 23. Evidence Management

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Evidence Locker | Store tamper-evident evidence | Via EvidenceLocker API | - | - | Y |
| Evidence sealing | Seal evidence with hashes | Automatic | - | - | Y |
| Evidence retrieval | Retrieve stored evidence | Via EvidenceLocker API | - | - | Y |
| Legal hold | Apply legal hold to evidence | Via UI/API | - | - | Y |
| Legal hold override | Prevent deletion during hold | Automatic | - | - | Y |
| Retention policies | Configure retention periods | Configure policies | - | - | Y |
| Per-type retention | Different retention by type | Configure policies | - | - | Y |
| Evidence export | Export evidence bundles | Via ExportCenter | - | - | Y |
| Evidence chain verification | Verify evidence chain integrity | Via verification APIs | - | - | Y |

---
## 24. Observability

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Structured JSON logging | JSON formatted log output | Configure logging | Y | Y | Y |
| Log level configuration | Set minimum log level | Configure `minimumLogLevel` | Y | Y | Y |
| Console log output | Log to console | `exportConsole: true` | Y | Y | Y |
| OpenTelemetry tracing | Distributed tracing | Configure `enableTracing: true` | - | Y | Y |
| OpenTelemetry metrics | Prometheus-compatible metrics | Configure `enableMetrics: true` | - | Y | Y |
| OTLP export | Export to OTLP collector | Configure `otlpEndpoint` | - | Y | Y |
| Custom resource attributes | Add custom trace attributes | Configure `resourceAttributes` | - | Y | Y |
| Service name configuration | Set service name for traces | Configure `serviceName` | - | Y | Y |
| Timeline event indexing | Index security events | Automatic via TimelineIndexer | - | - | Y |
| Timeline queries | Query event history | Via Timeline API | - | - | Y |
| Audit trail | Complete action audit log | Automatic | - | Y | Y |
| Audit log export | Export audit logs | Via API | - | - | Y |
| Incident bridge | Bridge to incident management | Configure Incident Bridge | - | - | Y |
| Health checks | Service health endpoints | `/health` endpoint | Y | Y | Y |
| Readiness probes | Kubernetes readiness | `/ready` endpoint | Y | Y | Y |
| Liveness probes | Kubernetes liveness | `/live` endpoint | Y | Y | Y |

---
## 25. Notifications

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Slack notifications | Send to Slack webhooks | Configure Slack webhook | - | Y | Y |
| Microsoft Teams notifications | Send to Teams webhooks | Configure Teams webhook | - | Y | Y |
| Email notifications | Send via SMTP | Configure SMTP settings | - | Y | Y |
| PagerDuty integration | Create PagerDuty incidents | Configure PagerDuty | - | - | Y |
| Generic webhooks | Send to custom webhooks | Configure webhook URL | - | Y | Y |
| Notification templates | Customize notification content | Configure templates | - | Y | Y |
| Severity-based routing | Route by severity level | Configure routing rules | - | Y | Y |
| Notification escalation | Escalate unacknowledged alerts | Configure escalation | - | - | Y |
| Notification acknowledgment | Acknowledge notifications | Via Notify API | - | Y | Y |
| Notification muting | Temporarily mute notifications | Configure mute windows | - | Y | Y |
| Notification rate limiting | Limit notification frequency | Configure rate limits | - | Y | Y |

---
## 26. CI/CD Integration

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Exit code control | Return a chosen exit code when vulnerabilities are found | `--exit-code-if-vuln 1` | Y | Y | Y |
| GitHub Actions template | Generate GitHub Actions workflow | `stella ci generate --platform github` | Y | Y | Y |
| GitLab CI template | Generate GitLab CI pipeline | `stella ci generate --platform gitlab` | Y | Y | Y |
| Azure Pipelines template | Generate Azure Pipelines definition | `stella ci generate --platform azure` | Y | Y | Y |
| Jenkins template | Generate Jenkinsfile | `stella ci generate --platform jenkins` | Y | Y | Y |
| SARIF for GitHub | Emit SARIF for upload to GitHub code scanning | `--output sarif` | Y | Y | Y |
| SARIF for GitLab | Emit SARIF for upload to GitLab security reports | `--output sarif` | Y | Y | Y |
| PR comments | Comment scan results on PRs | Configure CI integration | - | Y | Y |
| Status checks | Update PR status checks | Configure CI integration | - | Y | Y |
| Merge blocking | Block merge on policy failure | Configure CI integration | - | Y | Y |

---
## 27. Registry Integration

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Docker Hub | Pull from Docker Hub | Default | Y | Y | Y |
| GitHub Container Registry | Pull from GHCR | Authenticate with token | Y | Y | Y |
| AWS ECR | Pull from Amazon ECR | Configure ECR credentials | Y | Y | Y |
| Google GCR | Pull from Google Container Registry | Configure GCP credentials | Y | Y | Y |
| Azure ACR | Pull from Azure Container Registry | Configure Azure credentials | Y | Y | Y |
| Harbor | Pull from Harbor registry | Configure credentials | Y | Y | Y |
| JFrog Artifactory | Pull from Artifactory | Configure credentials | Y | Y | Y |
| Quay.io | Pull from Quay | Configure credentials | Y | Y | Y |
| Private registries | Pull from any private registry | Configure credentials | Y | Y | Y |
| Registry webhook (push) | Scan on image push | Configure Zastava webhook | - | Y | Y |
| Admission controller | Block deployment on failure | Deploy admission webhook | - | - | Y |
| Image signing verification | Verify image signatures | Configure signature policy | - | - | Y |

---

## 28. Deployment Options

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Docker Compose | Single-node deployment | `docker compose up` | Y | Y | Y |
| Kubernetes deployment | Deploy on Kubernetes | Use Helm charts | - | Y | Y |
| Helm charts | Helm-based deployment | `helm install stellaops` | - | Y | Y |
| Air-gapped deployment | Fully offline deployment | Use Offline Kit | - | - | Y |
| Multi-tenant deployment | Isolated tenants | Configure multi-tenancy | - | - | Y |
| High availability | HA deployment patterns | Configure replication | - | - | Y |
| Horizontal scaling | Scale workers horizontally | Configure replicas | - | - | Y |
| Auto-scaling | Kubernetes HPA integration | Configure HPA | - | - | Y |

---
## 29. Storage & Infrastructure

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| PostgreSQL 16+ | Primary data storage | Configure connection string | Y | Y | Y |
| PostgreSQL connection pooling | Connection pool management | Configure pool settings | Y | Y | Y |
| PostgreSQL read replicas | Scale read operations | Configure replicas | - | - | Y |
| Valkey/Redis caching | Cache layer | Configure Valkey/Redis | - | Y | Y |
| Rate limiting | API rate limiting | Configure rate limits | - | Y | Y |
| Queue management | Job queue management | Via Scheduler | - | Y | Y |
| Queue sharding | Distribute queue load | Configure sharding | - | - | Y |
| Blob storage | Store large artifacts | Configure blob storage | - | Y | Y |
| S3-compatible storage | Use S3-compatible storage | Configure S3 endpoint | - | Y | Y |

---

## 30. Web UI Features

| Feature | Description | How to Use | F | C | E |
|---------|-------------|------------|:-:|:-:|:-:|
| Dashboard | Overview dashboard | Access via browser | - | Y | Y |
| Scan results view | View scan findings | Navigate to scans | - | Y | Y |
| Vulnerability details | Detailed vuln information | Click on vulnerability | - | Y | Y |
| SBOM viewer | View SBOM contents | Navigate to SBOMs | - | Y | Y |
| Policy editor | Edit policies in UI | Navigate to policies | - | Y | Y |
| Policy simulation UI | Simulate policies in UI | Use simulation panel | - | Y | Y |
| Exception management UI | Manage exceptions | Navigate to exceptions | - | - | Y |
| Approval workflows UI | Approve in UI | Navigate to approvals | - | - | Y |
| Timeline view | View event timeline | Navigate to timeline | - | - | Y |
| Triage canvas | Visual triage interface | Navigate to triage | - | - | Y |
| Noise gating UI | Manage noise gating | Navigate to noise gating | - | - | Y |
| Risk dashboard | Portfolio risk view | Navigate to risk | - | - | Y |
| Export center UI | Configure exports | Navigate to exports | - | Y | Y |
| Notification settings | Configure notifications | Navigate to settings | - | Y | Y |
| User management | Manage users | Navigate to admin | - | - | Y |
| Tenant management | Manage tenants | Navigate to admin | - | - | Y |
| Audit log viewer | View audit logs | Navigate to audit | - | - | Y |

---

## Feature Count Summary

Per-tier counts are the number of rows in each section's table marked available (`Y`, or a numeric limit) for that tier; the totals are the column sums.

| Category | Total Features | Free | Community | Enterprise |
|----------|----------------|------|-----------|------------|
| Container Scanning | 14 | 10 | 14 | 14 |
| OS Package Detection | 16 | 16 | 16 | 16 |
| Language Ecosystems | 29 | 27 | 29 | 29 |
| Vulnerability Sources | 17 | 14 | 16 | 17 |
| Vulnerability Enrichment | 18 | 15 | 17 | 18 |
| SBOM Capabilities | 17 | 12 | 15 | 17 |
| Output Formats | 16 | 12 | 14 | 16 |
| Filtering | 16 | 14 | 16 | 16 |
| VEX Processing | 22 | 12 | 17 | 22 |
| Reachability | 17 | 0 | 9 | 17 |
| Secrets Detection | 20 | 0 | 0 | 20 (Coming) |
| Policy Engine | 23 | 11 | 19 | 23 |
| Policy Gates | 10 | 2 | 3 | 10 |
| Risk Scoring | 12 | 2 | 5 | 12 |
| Comparison & Diff | 11 | 6 | 8 | 11 |
| Deterministic Replay | 14 | 0 | 0 | 14 |
| Attestation & Signing | 16 | 0 | 10 | 16 |
| Cryptography Profiles | 10 | 1 | 1 | 10 |
| Offline & Air-Gap | 21 | 0 | 1 | 21 |
| Verification | 15 | 0 | 8 | 15 |
| Authentication | 15 | 1 | 10 | 15 |
| Authorization | 26 | 0 | 13 | 26 |
| Evidence Management | 9 | 0 | 0 | 9 |
| Observability | 16 | 6 | 12 | 16 |
| Notifications | 11 | 0 | 9 | 11 |
| CI/CD Integration | 10 | 7 | 10 | 10 |
| Registry Integration | 12 | 9 | 10 | 12 |
| Deployment | 8 | 1 | 3 | 8 |
| Storage & Infrastructure | 9 | 2 | 7 | 9 |
| Web UI | 17 | 0 | 8 | 17 |
| **TOTAL** | **467** | **180** | **300** | **467** |

---

*Last updated: 2026-01-04*