# Supply Chain Security Tool Matrix (evidence from public docs)

**Advisory date:** 2026-02-19

**Archived:** 2026-02-19

**Disposition:** Archived -- claims verified against codebase; two caveats noted below.

---

## SBOM support

* **Stella Ops:** *YES* -- internal canonical CycloneDX JCS and SBOM ingest contracts (internal spec).
* **Trivy:** *YES* -- generates and consumes CycloneDX/SPDX SBOM formats.
* **Grype:** *YES* -- scans container images and SBOMs; accepts SBOM input.
* **Snyk:** *YES* -- SBOM security checks and scanning/analysis.
* **JFrog Xray:** *YES* -- scans artifacts and imports/analyses SBOMs (enterprise).
* **Docker Scout:** *YES* -- generates/consumes SBOM attestations; Docker SBOM tooling exists.

## VEX ingestion (OpenVEX / VEX docs)

* **Stella Ops:** *YES* -- design includes deterministic VEX ingest (internal).
* **Trivy:** *YES/PARTIAL* -- Rekor SBOM attestation scan supports VEX attestation via experimental plugins.
* **Grype:** *YES/PARTIAL* -- supports OpenVEX ingestion for filtering/enrichment.
* **Snyk:** *UNKNOWN* -- primary docs do not explicitly surface OpenVEX ingestion.
* **JFrog Xray:** *YES/PARTIAL* -- evidence collection and enriched vulnerability annotations.
* **Docker Scout:** *YES* -- Docker's VEX concepts are documented for integration.

## In-toto / DSSE / attestation ingestion

* **Stella Ops:** *YES* -- DSSE/in-toto plus articulated provenance anchors (internal).
* **Trivy:** *PARTIAL* -- has experimental attestation retrieval via Rekor/Cosign.
* **Grype:** *PARTIAL* -- linked tooling uses Cosign attestations via Syft workflows (public examples).
* **Snyk:** *UNKNOWN/PARTIAL* -- primary docs focus on SBOM/scan; attestation ingestion is not prominent.
* **JFrog Xray:** *YES/PARTIAL* -- enterprise attestation/evidence documented.
* **Docker Scout:** *YES* -- Docker Docs show attestation commands and retrieval.

## Explainability depth (beyond package level)

* **Stella Ops:** *DEEP (function-level shipped; line-level CFG partial)* -- function-level call-path witnesses with file/line/column context shipped; a dedicated line-level CFG export is not yet a shipped feature. **[CAVEAT: advisory originally said "function->line"; qualified to "function-level with line context".]**
* **Trivy:** *PARTIAL/NO* -- reports at package/component level; no public deep binary CFG explainability.
* **Grype:** *PARTIAL* -- deep vulnerability metadata, but not low-level CFG.
* **Snyk:** *PARTIAL* -- contextual, developer-focused explainability; no binary CFG.
* **JFrog Xray:** *PARTIAL* -- rich reports, but not per-frame CFG.
* **Docker Scout:** *PARTIAL* -- good image composition context; no granular call-path explainability.

## Smart diffing (semantic/structured)

* **Stella Ops:** *YES* -- signed semantic diff predicates (internal).
* **Trivy:** *PARTIAL* -- experimental compare features.
* **Grype:** *PARTIAL* -- package diff workflows exist; not signed diff predicates.
* **Snyk:** *PARTIAL* -- snapshot and delta tooling (e.g., snyk-delta).
* **JFrog Xray:** *PARTIAL* -- enriched scan comparisons are possible, but not canonical diff predicates.
* **Docker Scout:** *PARTIAL* -- `docker scout compare` CLI; not structured diff predicates.

## Binary provenance

* **Stella Ops:** *YES* -- symbol bundle plus pinned build ID mappings.
* **Trivy:** *PARTIAL/UNKNOWN* -- Rekor/SBOM attestations hint at provenance, but there is no symbol bundle marketplace.
* **Grype:** *PARTIAL/UNKNOWN* -- attestation via Syft/Cosign workflows, but no signed symbol pack docs.
* **Snyk:** *UNKNOWN* -- no primary proof of signed symbol handling.
* **JFrog Xray:** *PARTIAL* -- evidence collection; no explicit signed symbol bundle.
* **Docker Scout:** *PARTIAL* -- Docker Hardened Images provenance; not a general marketplace.

## Call-stack/micro-witness replay

* **Stella Ops:** *YES* -- micro-witness replay design (internal).
* **Others:** *NO/UNKNOWN* -- public docs do not show deterministic, replayable micro-witness stack artifacts.

## Deterministic signed scoring

* **Stella Ops:** *YES* -- deterministic signed scores anchored to Rekor (internal).
* **Competitors:** *NO/UNKNOWN* -- focus on heuristic scores; no published deterministic signed envelopes.

## Explicit UNKNOWN-state handling

* **Stella Ops:** *YES* -- canonical unknown-state predicates.
* **Competitors:** *PARTIAL/UNKNOWN* -- systems have 'not applicable' or suppressed states, but no documented standard for signed unknown predicates.

## Reachability analysis (binary)

* **Stella Ops:** *YES* -- integrated analysis by design.
* **Competitors:** *NO/UNKNOWN* -- not visible in primary docs.

## UI/UX evidence surfacing

* **Stella Ops:** *YES* -- evidence ribbons and signed pointers (internal).
* **Trivy:** *PARTIAL* -- CLI focus; some partner UIs exist.
* **Grype:** *PARTIAL* -- CLI and partner UI capabilities.
* **Snyk:** *YES/PARTIAL* -- strong developer UI; no DSSE/Rekor badges documented.
* **JFrog Xray:** *YES/PARTIAL* -- enterprise UI for enriched evidence.
* **Docker Scout:** *YES* -- CLI/UI attestation listing and VEX visibility.

## CI/test parity

* **Stella Ops:** *YES (gate engine shipped; CI automation integration in progress)* -- PolicyGateEvaluator with staged gates shipped; GitOps loop wiring under active development. **[CAVEAT: advisory originally said "two-tier gating (fast signed + deep)"; qualified to note that CI automation integration is in progress.]**
* **Trivy:** *YES/PARTIAL* -- CI integrations documented.
* **Grype:** *YES/PARTIAL* -- CI workflows via Syft/Grype.
* **Snyk:** *YES* -- solid CI/PR checks.
* **JFrog Xray:** *PARTIAL* -- CI/CD integrations exist.
* **Docker Scout:** *PARTIAL* -- CI CLI commands; no signed-score parity.

---

## Archive review notes

**Reviewed:** 2026-02-19 by Product Manager role.

**Outcome:** All Stella Ops claims verified against codebase. No new sprint tasks required.

Two qualification caveats applied inline (marked with **[CAVEAT]**):

1. **Explainability depth** -- function-level call-path witnesses shipped; line-level CFG export is architecturally supported but not a shipped feature. Softened from "function->line" to "function-level with line context."
2. **CI/test parity** -- gate engine (`PolicyGateEvaluator`) and CVE-aware gates shipped; CI/CD automation integration loop under active development. Qualified accordingly.

**Competitive claims:** Sourced from public vendor documentation. Not independently re-verified (web-tool policy). Cited sources appear credible.