git.stella-ops.org/docs/product-advisories/26-Dec-2026 - Diff‑Aware Releases and Auditable Exceptions.md

Here's a tight, practical pattern you can lift for StellaOps: make exceptions first-class, auditable objects and gate releases on risk deltas (diff-aware checks), mirroring what top scanners do but with stronger evidence and auto-revalidation.

1) Exceptions as auditable objects

Competitor cues

  • Snyk lets users ignore issues with a required reason and optional expiry (UI/CLI; .snyk policy). Ignored items can auto-resurface when a fix exists. (Snyk User Docs)
  • Anchore models policy allowlists (named sets of exceptions) applied during evaluation/mapping. (Anchore Documentation)
  • Prisma Cloud supports vulnerability rules/CVE exceptions to soften or block findings. (Prisma Cloud)

What to ship (StellaOps)

  • Exception entity: {scope, subject(CVE/pkg/path), reason(text), evidenceRefs[], createdBy, createdAt, expiresAt?, policyBinding, signature}
  • Signed rationale + evidence: require a justification plus linked proofs (attestation IDs, VEX note, reachability subgraph slice). Store as an OCI-attached attestation to the SBOM/VEX artifact.
  • Auto-expiry & revalidation gates: scheduler re-tests on expiry or when feeds mark “fix available / EPSS ↑ / reachability ↑”; on failure, flip gate to “needs re-review” and notify.
  • Audit view: timeline of exception lifecycle; show who/why, evidence, and rechecks; exportable as an “audit pack.”
  • Policy hooks: “allow only if: reason ∧ evidence present ∧ max TTL ≤ X ∧ owner = teamY.”
  • Inheritance: repo→image→env scoping with explicit shadowing (surface conflicts).
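Pulling the entity, the policy hook, the revalidation gate and the audit view together, here is an added example in Python. It is not StellaOps code: the HMAC signature stands in for whatever the Attestor would really do (e.g. a DSSE envelope), and the policy limits, team name, evidence reference and feed event names are assumptions made for illustration.

```python
"""Exceptions as auditable objects: required reason + evidence, TTL bound,
a policy hook, scheduler revalidation, and an exportable audit timeline.

Added example, not StellaOps code. The HMAC signature is a stand-in for the
Attestor's real signing (e.g. DSSE); the policy limits, team name, evidence
refs and feed event names are invented for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

SIGNING_KEY = b"demo-key-replace-with-attestor-signing"  # assumption: stand-in key
REVALIDATION_TRIGGERS = {"fix_available", "epss_increase", "reachability_increase"}


def canonical(obj) -> bytes:
    """Deterministic encoding: the same content always signs/hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class RiskException:
    scope: str                    # e.g. "image:repo/app:tag"
    subject: str                  # CVE / package / path
    reason: str
    evidence_refs: list           # attestation IDs, VEX note IDs, reachability slices
    created_by: str               # "team/user"
    created_at: datetime
    expires_at: Optional[datetime]
    policy_binding: str           # policy the exception was granted under
    status: str = "active"
    timeline: list = field(default_factory=list)
    signature: str = ""

    def body(self) -> dict:
        """The signed part: everything except mutable lifecycle state."""
        d = {k: v for k, v in asdict(self).items() if k not in ("status", "timeline", "signature")}
        d["created_at"] = self.created_at.isoformat()
        d["expires_at"] = self.expires_at.isoformat() if self.expires_at else None
        return d

    def log(self, event: str, actor: str, detail: str) -> None:
        self.timeline.append({"event": event, "actor": actor, "detail": detail})

    def sign(self) -> None:
        self.signature = hmac.new(SIGNING_KEY, canonical(self.body()), hashlib.sha256).hexdigest()
        self.log("created", self.created_by, "rationale and evidence signed")

    def verify(self) -> bool:
        expected = hmac.new(SIGNING_KEY, canonical(self.body()), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.signature)


def policy_violations(exc: RiskException, max_ttl: timedelta, owner_team: str) -> list:
    """Policy hook: allow only if reason, evidence, TTL <= max, owner = team and a valid
    signature are all present. Returns the violations; empty list means admitted."""
    problems = []
    if not exc.reason.strip():
        problems.append("reason missing")
    if not exc.evidence_refs:
        problems.append("evidence missing")
    if exc.expires_at is None:
        problems.append("TTL missing")
    elif exc.expires_at - exc.created_at > max_ttl:
        problems.append("TTL exceeds policy maximum")
    if not exc.created_by.startswith(owner_team + "/"):
        problems.append("owner outside " + owner_team)
    if not exc.verify():
        problems.append("signature invalid")
    return problems


def revalidate(exc: RiskException, now: datetime, feed_events: set) -> str:
    """Scheduler pass: expire on TTL, or flip to needs-rereview when a feed
    reports a fix, an EPSS rise or a reachability rise for the subject."""
    if exc.status != "active":
        return exc.status
    if exc.expires_at is not None and now >= exc.expires_at:
        exc.status = "expired"
        exc.log("expired", "scheduler", "TTL ended " + exc.expires_at.isoformat())
    else:
        hits = sorted(REVALIDATION_TRIGGERS & feed_events)
        if hits:
            exc.status = "needs_rereview"
            exc.log("needs_rereview", "scheduler", "feed events: " + ", ".join(hits))
    return exc.status


def audit_pack(exc: RiskException) -> dict:
    """Exportable record: signed body, signature, current state and full timeline."""
    return {"exception": exc.body(), "signature": exc.signature,
            "status": exc.status, "timeline": list(exc.timeline)}


def demo() -> RiskException:
    """Constructed sample exception (values are placeholders, not real scan data)."""
    created = datetime(2026, 1, 5, tzinfo=timezone.utc)
    exc = RiskException(scope="image:repo/app:tag", subject="CVE-2025-1234",
                        reason="Feature disabled in this image",
                        evidence_refs=["att:sha256:0123abcd"], created_by="teamY/alice",
                        created_at=created, expires_at=created + timedelta(days=30),
                        policy_binding="prod.json")
    exc.sign()
    return exc
```

The signed body deliberately excludes `status` and `timeline`: the rationale and evidence are what a reviewer attested to, while lifecycle state changes under the scheduler's hand without re-signing. Any edit to the signed fields after the fact (reason, evidence, TTL) invalidates the signature and therefore fails the policy hook, which is the property that makes the exception auditable rather than merely recorded.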

2) Diff-aware release gates (“delta verdicts”)

Competitor cues

  • Snyk PR Checks scan changes and gate merges with a severity threshold; results show issue diffs per PR. (Snyk User Docs)

What to ship (StellaOps)

  • Graph deltas: on each commit/image, compute Δ(SBOM graph, reachability graph, VEX claims).
  • Delta verdict (signed, replayable): PASS | WARN | FAIL + proof links to:
    • attestation bundle (in-toto/DSSE),
    • reachability subgraph showing new execution paths to vulnerable symbols,
    • policy evaluation trace.
  • Side-by-side UI: “before vs after” risks; highlight newly reachable vulns and fixed/mitigated ones; one-click Create Exception (enforces reason+evidence+TTL).
  • Enforcement knobs: per-branch/env risk budgets; fail if unknowns > N or if any exception lacks evidence/TTL.
  • Supply chain scope: run the same gate on base-image bumps and dependency updates.
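As an added example in Python (not StellaOps code) of the delta computation and the enforcement knobs above: two constructed scan snapshots are diffed across reachability and VEX status, a per-severity risk budget and an unknowns limit are applied, any exception lacking evidence or a TTL fails the gate, and the verdict id is the digest of the verdict's own content, so re-running on the same inputs reproduces the same verdict. The snapshot shape, policy keys, refs, package names, CVE placeholders and proof URIs are all assumptions made for illustration.

```python
"""Diff-aware release gate: compute the delta between two scan snapshots and
emit a replayable PASS | WARN | FAIL verdict with proof links.

Added example, not StellaOps code. The snapshot shape, policy keys, refs,
package names, CVE placeholders and proof URIs are invented for illustration;
a real gate would read SBOM/VEX/reachability attestations and sign the verdict.
"""
import hashlib
import json

RESOLVED_VEX = {"not_affected", "fixed"}          # VEX statuses that close a finding
OUTCOME_RANK = {"PASS": 0, "WARN": 1, "FAIL": 2}


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()


def escalate(current: str, new: str) -> str:
    return new if OUTCOME_RANK[new] > OUTCOME_RANK[current] else current


def live(f: dict) -> bool:
    """A finding counts as risk when it is reachable and VEX does not resolve it."""
    return f["reachable"] is True and f["vex"] not in RESOLVED_VEX


def compute_delta(base: list, head: list) -> dict:
    """Delta over (SBOM x reachability x VEX): what became reachable, what got
    resolved, and what is still unknown (no reachability result, VEX not resolving)."""
    b = {(f["pkg"], f["cve"]): f for f in base}
    h = {(f["pkg"], f["cve"]): f for f in head}
    return {
        "newly_reachable": [h[k] for k in h if live(h[k]) and not (k in b and live(b[k]))],
        "resolved": [b[k] for k in b if live(b[k]) and not (k in h and live(h[k]))],
        "unknown": [h[k] for k in h if h[k]["reachable"] is None and h[k]["vex"] not in RESOLVED_VEX],
    }


def valid_exception(e: dict) -> bool:
    return bool(e.get("evidence_refs")) and bool(e.get("expires_at"))


def evaluate(base_ref, head_ref, base, head, exceptions, policy) -> dict:
    """Return a DeltaVerdict; its id is the digest of its own content, so the same
    inputs always reproduce the same verdict (replayable)."""
    delta = compute_delta(base, head)
    outcome, trace, proofs, changes, used = "PASS", [], [], [], {}
    for e in exceptions:                      # knob: fail if any exception lacks evidence/TTL
        if not valid_exception(e):
            outcome = escalate(outcome, "FAIL")
            trace.append(f"exception {e['id']} for {e['subject']} lacks evidence or TTL")
    for f in delta["newly_reachable"]:
        changes.append({"pkg": f["pkg"], "cve": f["cve"], "change": "newly_reachable"})
        proofs.append({"type": "reachability", "uri": f"reach:{head_ref}:{f['pkg']}:{f['cve']}",
                       "hash": digest(f.get("path", []))})
        exc = next((e for e in exceptions if e["subject"] == f["cve"] and valid_exception(e)), None)
        if exc:                               # covered by an admitted exception: surface, do not hide
            outcome = escalate(outcome, "WARN")
            trace.append(f"{f['cve']} newly reachable, covered by exception {exc['id']}")
            proofs.append({"type": "attestation", "uri": exc["evidence_refs"][0], "hash": digest(exc)})
            continue
        sev = f["severity"]                   # knob: per-severity risk budget
        used[sev] = used.get(sev, 0) + 1
        allowed = policy["risk_budget"].get(sev, 0)
        if used[sev] > allowed:
            outcome = escalate(outcome, "FAIL")
            trace.append(f"{f['cve']} ({sev}) newly reachable, exceeds risk budget of {allowed}")
        else:
            outcome = escalate(outcome, "WARN")
            trace.append(f"{f['cve']} ({sev}) newly reachable, within risk budget of {allowed}")
    for f in delta["resolved"]:
        changes.append({"pkg": f["pkg"], "cve": f["cve"], "change": "resolved"})
        trace.append(f"{f['cve']} no longer reachable or resolved by VEX")
    if len(delta["unknown"]) > policy["max_unknowns"]:   # knob: fail if unknowns > N
        outcome = escalate(outcome, "FAIL")
        trace.append(f"{len(delta['unknown'])} unknowns exceed limit {policy['max_unknowns']}")
    proofs.append({"type": "attestation", "uri": f"att:{head_ref}", "hash": digest(head)})
    proofs.append({"type": "log", "uri": f"trace:{base_ref}..{head_ref}", "hash": digest(trace)})
    verdict = {"baseRef": base_ref, "headRef": head_ref, "changes": changes,
               "policyOutcome": outcome, "proofs": proofs, "trace": trace}
    verdict["id"] = digest(verdict)
    return verdict


# Constructed sample snapshots; CVE ids are placeholders, not real advisories.
BASE_FINDINGS = [
    {"pkg": "openssl@3.0.1", "cve": "CVE-2025-1235", "severity": "high", "reachable": True,
     "vex": "affected", "path": ["main", "tls_handshake", "ssl3_read_bytes"]},
    {"pkg": "libxml2@2.9.10", "cve": "CVE-2025-1236", "severity": "medium", "reachable": False, "vex": "affected"},
    {"pkg": "zlib@1.2.11", "cve": "CVE-2025-1237", "severity": "high", "reachable": None, "vex": "under_investigation"},
]
HEAD_FINDINGS = [
    {"pkg": "openssl@3.0.1", "cve": "CVE-2025-1235", "severity": "high", "reachable": False, "vex": "not_affected"},
    {"pkg": "libxml2@2.9.10", "cve": "CVE-2025-1236", "severity": "medium", "reachable": True,
     "vex": "affected", "path": ["main", "import_config", "xmlParseDoc"]},
    {"pkg": "zlib@1.2.11", "cve": "CVE-2025-1237", "severity": "high", "reachable": None, "vex": "under_investigation"},
    {"pkg": "curl@7.80.0", "cve": "CVE-2025-1234", "severity": "critical", "reachable": True,
     "vex": "affected", "path": ["main", "fetch_update", "curl_easy_perform"]},
]
EXCEPTIONS = [{"id": "exc-42", "subject": "CVE-2025-1234", "scope": "image:repo/app:tag",
               "evidence_refs": ["att:sha256:0123abcd"], "expires_at": "2026-02-04T00:00:00Z"}]
POLICY = {"risk_budget": {"critical": 0, "high": 0, "medium": 1}, "max_unknowns": 1}


def demo() -> dict:
    return evaluate("abc123", "def456", BASE_FINDINGS, HEAD_FINDINGS, EXCEPTIONS, POLICY)
```

On the sample data the verdict is WARN: the libxml2 finding became reachable but sits inside the medium budget, the critical curl finding is covered by an exception that carries evidence and a TTL (it still appears in the trace and changes, never disappears), the openssl finding is reported as resolved, and one unknown is within the limit. Tightening `max_unknowns` to 0 or stripping the evidence from the exception flips the same inputs to FAIL, and because the id is a digest of the verdict body, an auditor who replays the gate on the same refs gets the same id.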

Minimal data model (sketch)

  • Exception: id, scope, subject, reason, evidenceRefs[], ttl, status, sig.
  • DeltaVerdict: id, baseRef, headRef, changes[], policyOutcome, proofs[], sig.
  • Proof: type(attestation|reachability|vex|log), uri, hash.

CLI / API ergonomics (examples)

  • stella exception create --cve CVE-2025-1234 --scope image:repo/app:tag --reason "Feature disabled" --evidence att:sha256:… --ttl 30d
  • stella verify delta --from abc123 --to def456 --policy prod.json --print-proofs

Guardrails out of the box

  • No silent ignores: exceptions are visible in results (action changes, not deletion)—same spirit as Anchore. (Anchore Documentation)
  • Resurface on fix: if a fix exists, force re-review (parity with Snyk behavior). (Snyk User Docs)
  • Rule-based blocking: allow “hard/soft fail” like Prisma enforcement. (Prisma Cloud)

If you want, I can turn this into a short product spec (API + UI wireframe + policy snippets) tailored to your StellaOps modules (Policy Engine, Vexer, Attestor).