# Full Features List - Stella Ops

> **Comprehensive catalog of every capability in the Stella Ops platform.**
>
> For quick capability cards with competitive differentiation, see [`key-features.md`](key-features.md).
> For tier-based availability (Free/Community/Enterprise), see [`04_FEATURE_MATRIX.md`](04_FEATURE_MATRIX.md).

---

## How to Read This Document

- **Base Features**: Core functionality available to all users
- **Enhanced Features**: Advanced capabilities building on base features
- **Specialized Features**: Domain-specific or enterprise-grade capabilities
- **Control Method**: Indicates how each feature is accessed
  - `CLI` - Command-line interface
  - `Config` - YAML/JSON configuration files
  - `UI` - Web user interface
  - `API` - REST/gRPC API endpoints

---

## Table of Contents

### Part I: Foundational Capabilities
1. [Container Scanning](#1-container-scanning)
2. [Package Detection](#2-package-detection)
3. [Vulnerability Detection](#3-vulnerability-detection)
4. [Output & Reporting](#4-output--reporting)

### Part II: Enhanced Analysis
5. [SBOM Management](#5-sbom-management)
6. [VEX Processing](#6-vex-processing)
7. [Reachability Analysis](#7-reachability-analysis)
8. [Policy Engine](#8-policy-engine)

### Part III: Specialized Capabilities
9. [Determinism & Reproducibility](#9-determinism--reproducibility)
10. [Attestation & Signing](#10-attestation--signing)
11. [Offline Operations](#11-offline-operations)
12. [Risk Scoring](#12-risk-scoring)

### Part IV: Platform Features
13. [Authentication & Authorization](#13-authentication--authorization)
14. [Deployment & Operations](#14-deployment--operations)
15. [Integrations](#15-integrations)
16. [Observability](#16-observability)

### Appendices
- [A. CLI Command Reference](#appendix-a-cli-command-reference)
- [B. Configuration Reference](#appendix-b-configuration-reference)
- [C. API Reference](#appendix-c-api-reference)

---

# Part I: Foundational Capabilities

## 1. Container Scanning

Container scanning is the core capability of Stella Ops. All other features build upon this foundation.

### 1.1 Image Scanning (Base)

Scan container images for vulnerabilities and generate SBOMs.

| Feature | Description | Control |
|---------|-------------|---------|
| OCI image scanning | Scan OCI-compliant container images | `CLI` `API` |
| Docker image scanning | Scan Docker images from local daemon or registry | `CLI` `API` |
| Filesystem scanning | Scan extracted rootfs directories | `CLI` |
| Archive scanning | Scan .tar.gz container archives | `CLI` |
| Digest-based pull | Pull images by content-addressable digest | `CLI` |

**CLI Usage:**

```bash
stella scan --image <image>
stella scan --image <registry>/<image>:<tag>
stella scan --rootfs /path/to/extracted
```

### 1.2 Registry Integration (Base)

Connect to container registries for scanning.

| Feature | Description | Control |
|---------|-------------|---------|
| Public registry | Scan images from public registries (Docker Hub, GHCR, etc.) | `CLI` |
| Private registry | Authenticate to private registries | `CLI` `Config` |
| Registry auth | Username/password, token, and keychain authentication | `Config` |
| Mirror support | Use registry mirrors for offline environments | `Config` |

**Configuration:**

```yaml
# etc/scanner.yaml
registry:
  mirrors:
    docker.io: "mirror.internal:5000"
  credentials:
    - registry: "private.registry.io"
      username: "${REGISTRY_USER}"
      password: "${REGISTRY_PASSWORD}"
```

### 1.3 Layer Analysis (Enhanced)

Analyze container layers for package changes.

| Feature | Description | Control |
|---------|-------------|---------|
| Per-layer detection | Identify which packages came from which layer | `CLI` |
| Base image detection | Automatically identify the base image | `CLI` |
| Layer change tracking | Track package additions/removals per layer | `CLI` |
| Inherited vs added | Distinguish base image packages from application packages | `CLI` |

**CLI Usage:**

```bash
stella scan --image myapp:latest --show-layers
```

### 1.4 Scan Performance (Enhanced)

Performance optimizations for scanning at scale.

| Feature | Description | Control |
|---------|-------------|---------|
| Delta-SBOM cache | Cache layer SBOMs for sub-second warm scans | `Config` |
| Concurrent workers | Run multiple scan workers in parallel | `Config` |
| Content-addressed caching | Deduplicate layers by content hash | Automatic |
| Incremental analysis | Only analyze changed layers | Automatic |

**Performance Tiers:**

- **Free**: 1 concurrent scan worker
- **Community**: 3 concurrent scan workers
- **Enterprise**: Unlimited concurrent workers

---

## 2. Package Detection

### 2.1 OS Packages (Base)

Detect operating system packages and their vulnerabilities.

| Feature | Description | Control |
|---------|-------------|---------|
| Alpine APK | Detect Alpine Linux packages | Automatic |
| Debian/Ubuntu APT | Detect apt packages from the dpkg database | Automatic |
| RHEL/CentOS/Fedora RPM | Detect RPM packages | Automatic |
| Arch Linux Pacman | Detect Arch packages | Automatic |
| SUSE Zypper | Detect SUSE packages | Automatic |

### 2.2 Language Ecosystems (Base)

Detect packages from application language ecosystems.

| Ecosystem | Package Manager | Manifest Files | Control |
|-----------|-----------------|----------------|---------|
| **JavaScript/Node.js** | npm, yarn, pnpm | package.json, package-lock.json, yarn.lock | Automatic |
| **Python** | pip, poetry, pipenv | requirements.txt, Pipfile.lock, pyproject.toml | Automatic |
| **Java** | Maven, Gradle | pom.xml, build.gradle, *.jar | Automatic |
| **Go** | Go Modules | go.mod, go.sum | Automatic |
| **.NET** | NuGet | *.csproj, packages.config, *.deps.json | Automatic |
| **Ruby** | Bundler | Gemfile, Gemfile.lock | Automatic |
| **Rust** | Cargo | Cargo.toml, Cargo.lock | Automatic |
| **PHP** | Composer | composer.json, composer.lock | Automatic |
| **Bun** | Bun | bun.lockb, package.json | Automatic |
| **Deno** | Deno | deno.json, import_map.json | Automatic |
| **Native/C/C++** | conan, vcpkg | conanfile.txt, vcpkg.json | Automatic |

### 2.3 Advanced Detection (Enhanced)

Enhanced package detection capabilities.

| Feature | Description | Control |
|---------|-------------|---------|
| Transitive dependency mapping | Map the full dependency tree | Automatic |
| License detection | Detect package licenses | `CLI` |
| Binary fingerprinting | Identify packages from compiled binaries | `CLI` |
| Symbol extraction | Extract symbol tables for reachability | `CLI` |

---

## 3. Vulnerability Detection

### 3.1 Advisory Sources (Base)

Vulnerability data sources used for detection.

| Source | Description | Update Frequency | Control |
|--------|-------------|------------------|---------|
| NVD (NIST) | National Vulnerability Database | Hourly | `Config` |
| GitHub Security Advisories (GHSA) | GitHub ecosystem advisories | Real-time | `Config` |
| OSV | Open Source Vulnerabilities | Real-time | `Config` |
| Alpine SecDB | Alpine-specific advisories | Hourly | `Config` |
| Debian Tracker | Debian-specific advisories | Hourly | `Config` |
| RHEL/CentOS Errata | Red Hat security errata | Daily | `Config` |
| Ubuntu USN | Ubuntu Security Notices | Hourly | `Config` |

**Configuration:**

```yaml
# etc/concelier.yaml
concelier:
  sources:
    ghsa:
      apiToken: "${GITHUB_PAT}"
      pageSize: 50
    nvd:
      enabled: true
      apiKey: "${NVD_API_KEY}"
```

### 3.2 Vulnerability Enrichment (Enhanced)

Additional metadata added to detected vulnerabilities.

| Feature | Description | Control |
|---------|-------------|---------|
| KEV (Known Exploited) | CISA Known Exploited Vulnerabilities flag | Automatic |
| EPSS | Exploit Prediction Scoring System percentile | Automatic |
| CVSS v4.0 | CVSS 4.0 scoring with environmental metrics | Automatic |
| Exploit maturity | Proof of concept, weaponized, in-the-wild | Automatic |

### 3.3 Backport Detection (Specialized)

Detect security patches backported by vendors.

| Feature | Description | Control |
|---------|-------------|---------|
| Binary backport detection | Identify backported patches in binaries | `CLI` |
| Changelog evidence | Match changelogs to security fixes | Automatic |
| Vendor VEX integration | Apply vendor-provided VEX statements | `Config` |

---

## 4. Output & Reporting

### 4.1 Output Formats (Base)

Standard output formats for scan results.

| Format | Description | Control |
|--------|-------------|---------|
| Table (human-readable) | Formatted table output for the terminal | `CLI --output table` |
| JSON | Machine-readable JSON output | `CLI --output json` |
| SARIF | Static Analysis Results Interchange Format | `CLI --output sarif` |
| CycloneDX VEX | CycloneDX VEX format | `CLI --output cdx-vex` |
| OpenVEX | OpenVEX format | `CLI --output openvex` |

**CLI Usage:**

```bash
stella scan --image myapp:latest --output json > results.json
stella scan --image myapp:latest --output sarif > results.sarif
```

### 4.2 Filtering & Thresholds (Base)

Filter and threshold controls for scan results.

| Feature | Description | Control |
|---------|-------------|---------|
| Severity filter | Filter by CRITICAL, HIGH, MEDIUM, LOW | `CLI --severity` |
| Fix available | Show only vulnerabilities with fixes | `CLI --fixable` |
| Exit codes | Configurable exit codes for CI/CD | `CLI` |
| Ignore file | .stellaignore for suppression | `Config` |

**CLI Usage:**

```bash
stella scan --image myapp --severity HIGH,CRITICAL --fixable
stella scan --image myapp --exit-code-if-vuln 1
```

### 4.3 Export Center (Enhanced)

Batch export and report generation.

| Feature | Description | Control |
|---------|-------------|---------|
| Scheduled exports | Export scan results on a schedule | `Config` `UI` |
| Multiple formats | Export to JSON, CSV, PDF, Excel | `API` |
| Template-based reports | Customizable report templates | `Config` |
| Compliance reports | Pre-built compliance report templates | `UI` |

---

# Part II: Enhanced Analysis

## 5. SBOM Management

### 5.1 SBOM Generation (Base)

Generate a Software Bill of Materials.

| Format | Version | Description | Control |
|--------|---------|-------------|---------|
| CycloneDX | 1.7 | Primary output format | `CLI --sbom-format cyclonedx` |
| CycloneDX | 1.6 | Backward compatible | `CLI --sbom-format cyclonedx-1.6` |
| SPDX | 3.0.1 | SPDX 3.0.1 format | `CLI --sbom-format spdx` |
| SPDX-JSON | 2.3 | SPDX JSON format | `CLI --sbom-format spdx-json` |

**CLI Usage:**

```bash
stella scan --image myapp --sbom-out sbom.json --sbom-format cyclonedx
```

### 5.2 SBOM Ingestion (Base)

Import existing SBOMs.

| Feature | Description | Control |
|---------|-------------|---------|
| Auto-format detection | Automatically detect the SBOM format | Automatic |
| BYOS (Bring Your Own SBOM) | Scan using a provided SBOM | `CLI --sbom` |
| Third-party SBOM | Import SBOMs from external sources | `API` |
| Validation | Validate SBOM structure and content | `CLI` |

**CLI Usage:**

```bash
stella scan --sbom existing-sbom.json
```

### 5.3 SBOM Diff (Enhanced)

Compare SBOMs between versions.

| Feature | Description | Control |
|---------|-------------|---------|
| Package diff | Show added/removed packages | `CLI` |
| Version diff | Show version changes | `CLI` |
| License diff | Show license changes | `CLI` |
| Semantic diff | Understand the meaning of changes | `CLI` |

**CLI Usage:**

```bash
stella compare sbom --a v1.0-sbom.json --b v2.0-sbom.json
```

### 5.4 SBOM Lineage Ledger (Enterprise)

Full version history and lineage tracking.

| Feature | Description | Control |
|---------|-------------|---------|
| Version history | Full SBOM version history | `API` `UI` |
| Lineage tracking | Track an SBOM across builds | `API` |
| Traversal queries | Query SBOM lineage | `API` |
| Audit trail | Complete audit trail | `UI` |

---

## 6. VEX Processing

### 6.1 VEX Ingestion (Base)

Import VEX statements from multiple sources.

| Format | Description | Control |
|--------|-------------|---------|
| OpenVEX | OpenVEX JSON format | `CLI` `API` |
| CycloneDX VEX | CycloneDX VEX format | `CLI` `API` |
| CSAF | Common Security Advisory Framework | `CLI` `API` |

**CLI Usage:**

```bash
stella vex import --file vendor-vex.json
```

### 6.2 VEX Statuses (Base)

Standard VEX status types.

| Status | Description | Policy Effect |
|--------|-------------|---------------|
| `not_affected` | Component not affected by the vulnerability | Suppresses finding |
| `affected` | Component is affected | Surfaces finding |
| `fixed` | Vulnerability has been fixed | Contextual |
| `under_investigation` | Investigation in progress | Marks as Unknown |

### 6.3 VEX Consensus Engine (Enhanced)

K4 lattice logic for VEX consensus.

| Feature | Description | Control |
|---------|-------------|---------|
| Multi-issuer consensus | Merge VEX from multiple issuers | `Config` |
| Trust weighting | Weight VEX by issuer trust level | `Config` |
| Conflict detection | Detect conflicting VEX statements | Automatic |
| K4 lattice logic | Belnap four-valued logic (Unknown, True, False, Conflict) | Automatic |

**K4 Lattice Values:**

- `Unknown` - No information available
- `True` - Positive assertion (affected)
- `False` - Negative assertion (not affected)
- `Conflict` - Contradictory assertions

### 6.4 Issuer Directory (Enhanced)

Manage trusted VEX issuers.

| Feature | Description | Control |
|---------|-------------|---------|
| Issuer registry | Register trusted VEX issuers | `Config` `UI` |
| Trust levels | Assign trust weights to issuers | `Config` |
| CSAF publisher discovery | Discover CSAF publishers | `Config` |

---

## 7. Reachability Analysis

### 7.1 Static Reachability (Enhanced)

Determine whether vulnerable code is reachable.

| Feature | Description | Control |
|---------|-------------|---------|
| Call graph analysis | Build a call graph from the entrypoint | `CLI` |
| Reachable/Unreachable classification | Mark vulnerabilities by reachability | `CLI` |
| Path visualization | Show call paths to vulnerable code | `CLI` |

**CLI Usage:**

```bash
stella scan --image myapp --reachability
stella graph show --cve CVE-2024-1234 --artifact sha256:abc...
```

### 7.2 Three-Layer Proofs (Specialized)

Multi-layer reachability validation.

| Layer | What It Proves | Confidence |
|-------|----------------|------------|
| Static | Call graph shows a path exists | Likely |
| Binary | Compiled binary contains the symbol | Higher |
| Runtime | eBPF probe confirms execution | Confirmed |

**Confidence Tiers:**

- **Confirmed** - All three layers agree
- **Likely** - Static + binary agree; no runtime evidence
- **Present** - Package present; no reachability evidence
- **Unreachable** - Static analysis proves no path

### 7.3 Signed Reachability (Specialized)

Cryptographic binding for reachability proofs.

| Feature | Description | Control |
|---------|-------------|---------|
| Graph-level DSSE | Sign the entire reachability graph | `Config` |
| Edge-bundle attestation | Sign individual path edges | `Config` |
| Proof export | Export reachability proofs | `CLI` |

---

## 8. Policy Engine

### 8.1 Policy Packs (Base)

Pre-built and custom policy configurations.

| Feature | Description | Control |
|---------|-------------|---------|
| Built-in starter pack | Production-ready Day 1 policy | `CLI policy install starter-day1` |
| Custom policies | Define custom policy rules | `Config` |
| Policy validation | Validate policy YAML syntax | `CLI policy validate` |

**CLI Usage:**

```bash
stella policy install starter-day1
stella policy validate --path ./my-policy.yaml
stella policy list-packs
```

### 8.2 Policy Rules (Base)

Define rules for vulnerability handling.

| Rule Type | Description | Example |
|-----------|-------------|---------|
| Severity block | Block by severity level | Block CRITICAL reachable |
| Reachability gate | Gate based on reachability | Allow unreachable HIGH |
| VEX bypass | Allow VEX-suppressed findings | Allow with VEX:not_affected |
| Unknowns budget | Set unknowns threshold | Fail if unknowns > 5% |

**Policy Example:**

```yaml
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
  name: production-gates
spec:
  rules:
    - name: block-reachable-critical
      action: block
      severity: [CRITICAL]
      reachability: reachable
      message: "Reachable critical vulnerabilities must be fixed"
    - name: allow-unreachable
      action: allow
      reachability: unreachable
```

### 8.3 Policy Simulation (Enhanced)

Test policies before deployment.

| Feature | Description | Control |
|---------|-------------|---------|
| Simulate against scan | Test a policy against a historical scan | `CLI policy simulate` |
| Diff policies | Compare two policy outcomes | `CLI policy simulate --diff` |
| Dry-run | Preview policy effects | `CLI` |

**CLI Usage:**

```bash
stella policy simulate --policy ./new-policy.yaml --scan scan-id-123
stella policy simulate --policy ./new-policy.yaml --scan scan-id --diff ./old-policy.yaml
```

### 8.4 Policy Gates (Specialized)

Advanced policy evaluation gates.

| Gate | Description | Control |
|------|-------------|---------|
| Quality Gate | Block deploy based on thresholds | `Config` |
| Approval Gate | Require human approval | `Config` `UI` |
| Exception Gate | Manage temporary exceptions | `Config` `UI` |
| Stability Damping | Prevent gate flickering | `Config` |

### 8.5 Policy Distribution (Enhanced)

Distribute policies across environments.

| Feature | Description | Control |
|---------|-------------|---------|
| OCI registry push | Push policies to an OCI registry | `CLI policy push` |
| OCI registry pull | Pull policies from a registry | `CLI policy pull` |
| Offline bundle export | Export for air-gapped environments | `CLI policy export-bundle` |
| Environment overrides | Apply environment-specific overrides | `Config` |

**CLI Usage:**

```bash
stella policy push --policy ./policy.yaml --to registry.io/policies/prod:1.0
stella policy pull --from registry.io/policies/prod:1.0 --output ./
stella policy export-bundle --policy ./policy.yaml --output bundle.tar.gz
```

---

# Part III: Specialized Capabilities

## 9. Determinism & Reproducibility

### 9.1 Replay Manifests (Specialized)

Capture everything needed to reproduce a scan.

| Feature | Description | Control |
|---------|-------------|---------|
| SRM generation | Generate a Scan Replay Manifest | `CLI --srm-out` |
| Replay execution | Replay a scan from a manifest | `CLI replay` |
| Determinism verification | Verify the replay matches the original | `CLI replay verify` |

**CLI Usage:**

```bash
# Generate replay manifest
stella scan --image myapp --srm-out manifest.yaml

# Replay later
stella replay --manifest manifest.yaml --assert-digest sha256:abc...
```

### 9.2 Knowledge Snapshots (Specialized)

Frozen point-in-time vulnerability knowledge.

| Feature | Description | Control |
|---------|-------------|---------|
| Snapshot export | Export frozen knowledge state | `CLI airgap export` |
| Snapshot import | Import a knowledge snapshot | `CLI airgap import` |
| Snapshot diff | Compare two snapshots | `CLI airgap diff` |
| Staleness tracking | Track snapshot age | `CLI airgap status` |

**CLI Usage:**

```bash
stella airgap export --output knowledge-2024-01.tar.gz --sign
stella airgap import knowledge-2024-01.tar.gz --verify-only
stella airgap diff --base old.tar.gz --target new.tar.gz
stella airgap status
```

### 9.3 Verdict Replay (Specialized)

Replay policy decisions for audit.

| Feature | Description | Control |
|---------|-------------|---------|
| Snapshot replay | Replay using a knowledge snapshot | `CLI replay snapshot` |
| Verdict comparison | Compare replayed vs original verdict | `CLI` |
| Drift detection | Detect verdict drift | `CLI` |

**CLI Usage:**

```bash
stella replay snapshot --verdict <verdict-id>
stella replay snapshot --artifact sha256:... --snapshot <snapshot-id>
```

---

## 10. Attestation & Signing

### 10.1 DSSE Attestation (Specialized)

in-toto DSSE attestations for evidence.

| Feature | Description | Control |
|---------|-------------|---------|
| SBOM attestation | Sign SBOMs with DSSE | `CLI attest` |
| Verdict attestation | Sign policy verdicts | `CLI` |
| Evidence bundles | Create signed evidence bundles | `CLI` |

### 10.2 Keyless Signing (Specialized)

Sigstore-compatible keyless signing.

| Feature | Description | Control |
|---------|-------------|---------|
| Keyless sign | Sign using an OIDC identity | `CLI sign keyless` |
| Rekor upload | Upload to the transparency log | `CLI sign keyless --rekor` |
| Verify keyless | Verify keyless signatures | `CLI sign verify-keyless` |
| Self-hosted Sigstore | Use self-hosted Fulcio/Rekor | `Config` |

**CLI Usage:**

```bash
stella sign keyless --input artifact.json --rekor
stella sign verify-keyless --input artifact.json --bundle artifact.sigstore
```

### 10.3 Regional Cryptography (Specialized)

Sovereign cryptography profiles.

| Profile | Algorithms | Use Case | Control |
|---------|------------|----------|---------|
| FIPS-140-3 | ECDSA P-256, RSA-PSS | US federal | `Config` |
| eIDAS | ETSI TS 119 312 | EU qualified | `Config` |
| GOST-2012 | GOST R 34.10-2012 | Russian Federation | `Config` |
| SM2 | GM/T 0003.2-2012 | PRC | `Config` |
| PQC | Dilithium, Falcon | Post-quantum | `Config` |

**Configuration:**

```yaml
# etc/appsettings.crypto.yaml
cryptography:
  profile: "fips-140-3"
  algorithms:
    signing: "ES256"
    hashing: "SHA256"
```

---

## 11. Offline Operations

### 11.1 Offline Update Kits (Specialized)

Bundle everything for air-gapped environments.

| Feature | Description | Control |
|---------|-------------|---------|
| Kit export | Export a complete offline bundle | `CLI offline export` |
| Kit import | Import an offline bundle | `CLI offline import` |
| Kit verification | Verify bundle integrity | `CLI` |
| Staleness policy | Configure maximum bundle age | `Config` |

**Configuration:**

```yaml
# etc/airgap.yaml
staleness:
  maxAgeHours: 168    # 7 days
  warnAgeHours: 72    # 3 days
  staleAction: block  # block or warn
import:
  verifySignature: true
  verifyMerkleRoot: true
  enforceMonotonicity: true
```

### 11.2 Mirror Services (Specialized)

Local mirrors for vulnerability feeds.

| Feature | Description | Control |
|---------|-------------|---------|
| Feed mirror | Mirror advisory feeds locally | `Config` |
| Registry mirror | Mirror a container registry | `Config` |
| Transparency mirror | Mirror the Rekor transparency log | `Config` |

### 11.3 Egress Control (Specialized)

Network access control for sealed mode.

| Feature | Description | Control |
|---------|-------------|---------|
| Allowlist mode | Only allow specified hosts | `Config` |
| Denylist mode | Block specified hosts | `Config` |
| Localhost only | Fully sealed operation | `Config` |

**Configuration:**

```yaml
# etc/airgap.yaml
egressPolicy:
  mode: allowlist
  allowedHosts: []
  allowLocalhost: true
```

---

## 12. Risk Scoring

### 12.1 CVSS Scoring (Enhanced)

CVSS-based risk assessment.

| Feature | Description | Control |
|---------|-------------|---------|
| CVSS v4.0 | Full CVSS 4.0 support | Automatic |
| Environmental metrics | Apply environmental context | `Config` |
| Temporal metrics | Apply temporal context | Automatic |
| CVSS receipts | Signed CVSS calculations | `CLI` |

**CLI Usage:**

```bash
stella cvss score --vuln CVE-2024-1234 --policy cvss-policy.json --vector "CVSS:4.0/..."
stella cvss show --receipt <receipt-id>
```

### 12.2 Risk Budgets (Enhanced)

Track risk across portfolios.

| Feature | Description | Control |
|---------|-------------|---------|
| Risk budget definition | Define acceptable risk levels | `Config` |
| Budget tracking | Track consumption over time | `UI` |
| Budget alerts | Alert when a budget is exceeded | `Config` |

### 12.3 Unknowns Tracking (Specialized)

Track and manage unknown components.

| Feature | Description | Control |
|---------|-------------|---------|
| Unknown detection | Detect unidentified components | Automatic |
| Unknown classification | Hot/Warm/Cold/Resolved bands | Automatic |
| Decay tracking | Track uncertainty over time | Automatic |
| Budget enforcement | Fail if unknowns exceed the threshold | `Config` |

**CLI Usage:**

```bash
stella unknowns list
stella unknowns show --id <unknown-id>
```

---

# Part IV: Platform Features

## 13. Authentication & Authorization

### 13.1 Authentication Methods (Base)

User and service authentication.

| Method | Description | Control |
|--------|-------------|---------|
| OAuth 2.0 | Authorization code flow | `Config` |
| Client credentials | Service-to-service auth | `Config` |
| DPoP | Demonstrating Proof of Possession | `Config` |
| mTLS | Mutual TLS authentication | `Config` |

**Configuration:**

```yaml
# etc/authority.yaml
clients:
  - clientId: "scanner-service"
    grantTypes: ["client_credentials"]
    scopes: ["scan:read", "scan:write"]
    senderConstraint: "dpop"
```

### 13.2 Role-Based Access (Base)

Predefined roles and permissions.

| Role | Permissions |
|------|-------------|
| policy-author | Create and edit policies |
| policy-reviewer | Review policy changes |
| policy-approver | Approve policy promotion |
| export-viewer | View export results |
| export-operator | Trigger exports |
| airgap-operator | Import/export offline kits |

### 13.3 Service Accounts (Enhanced)

Automated service identities.

| Feature | Description | Control |
|---------|-------------|---------|
| Service accounts | Define service identities | `Config` |
| Delegated tokens | Issue delegated access tokens | `Config` |
| ABAC attributes | Attribute-based access control | `Config` |

---

## 14. Deployment & Operations

### 14.1 Deployment Options (Base)

Platform deployment configurations.

| Option | Description |
|--------|-------------|
| Docker Compose | Single-node development/test |
| Kubernetes/Helm | Production Kubernetes deployment |
| Air-gapped | Fully offline deployment |
| Multi-tenant | Isolated tenant deployments |

### 14.2 Storage (Base)

Data storage options.

| Backend | Use Case | Control |
|---------|----------|---------|
| PostgreSQL | Primary data store (16+) | `Config` |
| Valkey/Redis | Caching and rate limiting | `Config` |

**Configuration:**

```yaml
# etc/concelier.yaml
storage:
  driver: postgres
  connectionString: "Host=postgres;Database=stellaops..."
  maxPoolSize: 100
  autoMigrate: false
```

### 14.3 Scaling (Enterprise)

Horizontal scaling options.

| Feature | Description | Control |
|---------|-------------|---------|
| Worker pools | Scale scan workers | `Config` |
| Queue sharding | Distribute work across queues | `Config` |
| Read replicas | Scale read operations | `Config` |

---

## 15. Integrations

### 15.1 CI/CD Integration (Base)

Integrate with CI/CD pipelines.

| Feature | Description | Control |
|---------|-------------|---------|
| Exit codes | Configurable exit codes | `CLI` |
| SARIF output | GitHub/GitLab SARIF integration | `CLI --output sarif` |
| CI templates | GitHub Actions, GitLab CI templates | `CLI ci generate` |

**CLI Usage:**

```bash
stella ci generate --platform github > .github/workflows/scan.yml
stella ci generate --platform gitlab > .gitlab-ci.yml
```

### 15.2 Registry Webhooks (Enhanced)

React to registry events.

| Feature | Description | Control |
|---------|-------------|---------|
| Push webhook | Trigger a scan on image push | `Config` |
| Admission control | Block deployment on failure | `Config` |

### 15.3 Notifications (Enhanced)

Alert and notification channels.

| Channel | Description | Control |
|---------|-------------|---------|
| Slack | Slack webhook integration | `Config` |
| Microsoft Teams | Teams webhook integration | `Config` |
| Email | SMTP email notifications | `Config` |
| Webhooks | Generic webhook integration | `Config` |
| PagerDuty | PagerDuty incident integration | `Config` |

---

## 16. Observability

### 16.1 Telemetry (Base)

OpenTelemetry-based observability.

| Feature | Description | Control |
|---------|-------------|---------|
| Structured logging | JSON structured logs | `Config` |
| Tracing | Distributed tracing via OTLP | `Config` |
| Metrics | Prometheus-compatible metrics | `Config` |

**Configuration:**

```yaml
# etc/concelier.yaml
telemetry:
  enabled: true
  enableTracing: true
  enableMetrics: true
  otlpEndpoint: "http://otel-collector:4317"
  serviceName: "stellaops-scanner"
```

### 16.2 Timeline Indexer (Enhanced)

Historical event tracking.

| Feature | Description | Control |
|---------|-------------|---------|
| Event indexing | Index security events | Automatic |
| Timeline queries | Query event history | `API` `UI` |
| Audit trail | Complete audit log | `UI` |

### 16.3 Evidence Locker (Specialized)

Sealed evidence storage.

| Feature | Description | Control |
|---------|-------------|---------|
| Evidence sealing | Create tamper-evident evidence | `API` |
| Legal hold | Apply legal holds to evidence | `API` `UI` |
| Retention policies | Configure retention periods | `Config` |

---

# Appendices

## Appendix A: CLI Command Reference

### Top-Level Commands

| Command | Description |
|---------|-------------|
| `stella scan` | Scan container images for vulnerabilities |
| `stella replay` | Replay scans from manifests |
| `stella policy` | Policy management commands |
| `stella airgap` | Air-gap operations |
| `stella sign` | Signing operations |
| `stella verify` | Verification operations |
| `stella vex` | VEX management |
| `stella graph` | Reachability graph operations |
| `stella compare` | Comparison operations |
| `stella ci` | CI/CD integration |
| `stella unknowns` | Unknown component tracking |
| `stella cvss` | CVSS scoring operations |

### Scan Command Options

```bash
stella scan [options]
  --image <image>               Container image to scan
  --sbom <file>                 Use existing SBOM instead of image
  --rootfs <path>               Scan extracted filesystem
  --output <format>             Output format: table, json, sarif, cyclonedx
  --severity <levels>           Filter by severity: CRITICAL,HIGH,MEDIUM,LOW
  --fixable                     Show only vulnerabilities with fixes
  --reachability                Enable reachability analysis
  --sbom-out <file>             Export SBOM to file
  --srm-out <file>              Export replay manifest
  --exit-code-if-vuln <code>    Exit code when vulnerabilities found
```

### Policy Command Options

```bash
stella policy [options]
  validate --path <file>                    Validate policy YAML
  install <pack>                            Install policy pack
  list-packs                                List available policy packs
  simulate --policy <file> --scan <id>      Simulate policy
  push --policy <file> --to <ref>           Push to OCI registry
  pull --from <ref>                         Pull from OCI registry
  export-bundle --policy <file> --output <file>   Export offline policy bundle
  import-bundle --bundle <file>             Import policy bundle
```

### Air-Gap Command Options

```bash
stella airgap [options]
  export --output <file>                 Export knowledge snapshot
    --include-advisories                 Include advisory feeds
    --include-vex                        Include VEX statements
    --include-policies                   Include policy bundles
    --sign                               Sign the manifest
  import <file>                          Import knowledge snapshot
    --verify-only                        Verify without applying
    --force                              Force import despite staleness
  diff --base <file> --target <file>     Compare snapshots
  status                                 Show staleness status
```

---

## Appendix B: Configuration Reference

### Configuration Files

| File | Purpose |
|------|---------|
| `etc/concelier.yaml` | Advisory ingestion configuration |
| `etc/authority.yaml` | Authentication and authorization |
| `etc/airgap.yaml` | Air-gap operations |
| `etc/scanner.yaml` | Scanner configuration |
| `etc/appsettings.crypto.*.yaml` | Cryptography profiles |

### Environment Variables

| Variable | Description |
|----------|-------------|
| `STELLAOPS_BACKEND_URL` | Backend API URL |
| `GITHUB_PAT` | GitHub Personal Access Token for GHSA |
| `NVD_API_KEY` | NVD API key for enhanced rate limits |
| `STELLAOPS_KMS_PASSPHRASE` | KMS key passphrase |

---

## Appendix C: API Reference

### REST API Endpoints

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/v1/scans` | POST | Trigger a new scan |
| `/api/v1/scans/{id}` | GET | Get scan results |
| `/api/v1/sboms` | POST | Import SBOM |
| `/api/v1/sboms/{id}` | GET | Get SBOM |
| `/api/v1/vex` | POST | Import VEX statement |
| `/api/v1/policies` | POST | Create policy |
| `/api/v1/policies/{id}/evaluate` | POST | Evaluate policy |
| `/api/v1/evidence` | POST | Create evidence bundle |

### API Authentication

All API requests require authentication via:

- Bearer token (OAuth 2.0 access token)
- DPoP proof header for high-security operations
- mTLS client certificate for service-to-service calls

---

## Version Information

| Component | Version |
|-----------|---------|
| Document Version | 2.0.0 |
| Last Updated | 2026-01-04 |
| Platform Version | 2026.01 |

---

*For the latest information, see the online documentation at https://docs.stella-ops.org*