git.stella-ops.org/docs/full-features-list.md
StellaOps Bot 3098e84de4 save progress
2026-01-04 14:54:52 +02:00

Full Features List - Stella Ops

Comprehensive catalog of every capability in the Stella Ops platform.

For quick capability cards with competitive differentiation, see key-features.md. For tier-based availability (Free/Community/Enterprise), see 04_FEATURE_MATRIX.md.


Table of Contents

  1. Core Platform Differentiators
  2. Container Image Scanning
  3. SBOM Capabilities
  4. Language Analyzers
  5. Vulnerability Detection
  6. Advisory Sources
  7. VEX Processing
  8. Reachability Analysis
  9. Binary Analysis
  10. Policy Engine
  11. Attestation & Signing
  12. Regional Cryptography
  13. Risk Scoring & Assessment
  14. Evidence Management
  15. Determinism & Reproducibility
  16. CLI Features
  17. Web UI Features
  18. Offline & Air-Gap Operations
  19. Deployment Options
  20. Authentication & Authorization
  21. Integrations & Notifications
  22. Observability & Telemetry
  23. Scheduling & Automation
  24. Version Comparison
  25. Database & Storage
  26. API Capabilities
  27. Support & Services

1. Core Platform Differentiators

These are the fundamental capabilities that distinguish Stella Ops from other vulnerability scanners.

1.1 Decision Capsules

  • Audit-grade evidence bundles containing everything needed to reproduce and verify vulnerability decisions
  • Content-addressed bundles with exact SBOM, frozen feed snapshots (with Merkle roots), policy version, lattice rules
  • Evidence includes reachability proofs (static + runtime), VEX statements, binary fingerprints
  • Outputs include verdicts, risk scores, remediation paths
  • DSSE signatures over all components
  • Six-month-later replay: stella replay srm.yaml --assert-digest <sha> produces identical results

1.2 Deterministic Replay

  • Bit-for-bit reproducible scans from frozen feeds and analyzer manifests
  • Replay Manifest (SRM) captures exact analyzer inputs/outputs per layer
  • Feed snapshots (NVD, KEV, EPSS, distro advisories) with content hashes
  • Frozen analyzer versions and configurations
  • Frozen policy rules and lattice state
  • Random seeds for deterministic ordering

1.3 VEX-First Decisioning (K4 Lattice Logic)

  • Belnap K4 four-valued logic (Unknown, True, False, Conflict)
  • VEX as logical claims with trust weighting, not suppression files
  • Conflicts are explicit state, not hidden
  • Vendor + runtime + reachability merged with conflicts surfaced
  • Unknown treated as first-class state with risk implications

1.4 Signed Reachability Proofs

  • Three-layer validation with cryptographic binding
  • Every reachability graph sealed with DSSE
  • Optional edge-bundle attestations for contested paths
  • Proves exploitability with exact call paths from entrypoint to vulnerable function

1.5 Sovereign Offline Operation

  • Full functionality without network
  • Air-gapped environments produce results identical to connected deployments
  • Offline Update Kits bundle everything needed
  • Epistemic parity (sealed, reproducible knowledge state)

1.6 Smart-Diff (Semantic Risk Delta)

  • Diff security meaning, not CVE counts
  • Compare reachability graphs, policy outcomes, and trust weights between releases
  • Output like "Exploitability DECREASED by 67% despite +2 CVEs"
  • Material change detection for informed decision-making

1.7 Unknowns as First-Class State

  • Explicit modeling of uncertainty
  • Hot/Warm/Cold/Resolved bands for uncertainty tracking
  • Decay algorithms for uncertainty resolution
  • Blast-radius containment
  • Policy budgets ("fail if unknowns > N")

2. Container Image Scanning

2.1 Image Formats

  • OCI container images
  • Docker images
  • Container filesystem archives
  • Rootfs directories
  • Layer-by-layer analysis

2.2 Scanning Modes

  • Quick Mode: Fast scan for basic vulnerabilities
  • Standard Mode: Balanced scan with full vulnerability detection
  • Deep Mode: Comprehensive analysis with reachability and binary analysis

2.3 Base Image Detection

  • Automatic base image identification
  • Base image layer separation
  • Inherited vs. application-added package differentiation

2.4 Layer-Aware Analysis

  • Per-layer package detection
  • Layer change tracking
  • Delta analysis between layers
  • Content-addressed layer caching

2.5 Registry Integration

  • Pull images by digest (content-addressed)
  • Registry authentication support
  • Private registry support
  • Registry mirror support for offline operation

2.6 Scan Performance

  • Delta-SBOM cache for warm scans < 1 second
  • Concurrent scan workers (1/3/unlimited by tier)
  • Content-addressed layer caching
  • Incremental analysis for unchanged layers

3. SBOM Capabilities

3.1 SBOM Formats Supported

  • CycloneDX 1.7 (primary output format)
  • CycloneDX 1.6 (backward compatible ingest)
  • SPDX 3.0.1 (full support)
  • SPDX-JSON (ingest)
  • Trivy-JSON (ingest)

3.2 SBOM Generation

  • Automatic SBOM generation from container images
  • Package extraction from all supported ecosystems
  • Dependency relationship mapping
  • Component metadata extraction
  • License detection

3.3 SBOM Ingestion

  • Auto-format detection
  • Bring-Your-Own-SBOM (BYOS) support
  • Third-party SBOM import
  • Validation and normalization

3.4 Delta-SBOM Engine

  • Content-addressed catalog
  • Layer-aware ingestion
  • Rescans only fetch new layers
  • Warm scans < 1 second

3.5 SBOM Diff

  • Semantic SBOM comparison
  • Package addition/removal detection
  • Version change tracking
  • License change detection

3.6 SBOM Lineage Ledger (Enterprise)

  • Full versioned SBOM history
  • Lineage tracking across builds
  • Traversal queries via Lineage API
  • Audit trail for SBOM changes

3.7 SBOM Service

  • Central SBOM storage and versioning
  • Content-addressed storage
  • SBOM deduplication
  • Retention policies

4. Language Analyzers

4.1 .NET/C# Analyzer

  • NuGet package detection
  • packages.config parsing
  • .csproj/Directory.Build.props parsing
  • .NET SDK version detection
  • Framework dependency mapping
  • Assembly metadata extraction

4.2 Java Analyzer

  • Maven dependency resolution (pom.xml)
  • Gradle build file parsing (build.gradle, build.gradle.kts)
  • JAR/WAR/EAR analysis
  • MANIFEST.MF parsing
  • Java version detection
  • Spring Boot dependency detection

4.3 Go Analyzer

  • go.mod/go.sum parsing
  • Go module dependency resolution
  • Go version detection
  • Vendor directory analysis
  • Binary build info extraction

4.4 Python Analyzer

  • requirements.txt parsing
  • Pipfile/Pipfile.lock parsing
  • pyproject.toml parsing
  • setup.py analysis
  • Poetry lockfile support
  • Conda environment parsing
  • pip freeze output parsing

4.5 Node.js Analyzer

  • package.json/package-lock.json parsing
  • yarn.lock parsing
  • pnpm-lock.yaml parsing
  • npm shrinkwrap support
  • Node.js version detection
  • Workspace/monorepo support

4.6 Ruby Analyzer

  • Gemfile/Gemfile.lock parsing
  • Ruby version detection
  • Bundler version detection
  • Gem specification parsing

4.7 Bun Analyzer

  • bun.lockb parsing
  • package.json processing
  • Bun-specific dependency resolution

4.8 Deno Analyzer

  • deno.json parsing
  • Import map resolution
  • URL-based dependency tracking
  • deno.lock parsing

4.9 PHP Analyzer

  • composer.json/composer.lock parsing
  • PHP version detection
  • Packagist dependency resolution

4.10 Rust Analyzer

  • Cargo.toml/Cargo.lock parsing
  • Rust edition detection
  • Crates.io dependency resolution
  • Build target analysis

4.11 Native Binary Analyzer

  • ELF binary analysis (Linux)
  • PE binary analysis (Windows)
  • Mach-O binary analysis (macOS)
  • Build-ID extraction
  • Symbol table parsing
  • Dynamic library dependency detection

5. Vulnerability Detection

5.1 CVE Matching

  • CVE lookup via local database
  • Package-to-CVE mapping
  • Version range matching
  • PURL-based matching

5.2 Vulnerability Scoring

  • CVSS v4.0 display
  • CVSS v3.1 support
  • CVSS v2.0 legacy support
  • EPSS v4 probability scoring
  • Priority band classification

5.3 Exploitability Assessment

  • KEV (Known Exploited Vulnerabilities) flagging
  • EPSS probability integration
  • Reachability-aware prioritization
  • VEX status consideration

5.4 License Risk Detection (Planned)

  • License identification
  • License compatibility analysis
  • License risk scoring
  • Copyleft detection

6. Advisory Sources

6.1 Primary Sources

  • NVD (National Vulnerability Database)
  • GHSA (GitHub Security Advisories)
  • OSV (Open Source Vulnerabilities)
  • KEV (Known Exploited Vulnerabilities)
  • EPSS v4 (Exploit Prediction Scoring System)

6.2 Distribution-Specific Sources

  • Alpine SecDB
  • Debian Security Tracker
  • Ubuntu USN (Ubuntu Security Notices)
  • RHEL/CentOS OVAL (Community/Enterprise)

6.3 Advisory Processing (Concelier)

  • Multi-source advisory ingestion
  • Advisory normalization
  • Duplicate detection
  • Conflict resolution
  • Advisory merge engine (Enterprise)
  • Custom advisory connectors (Enterprise)

6.4 Feed Management

  • Automated feed updates
  • Feed mirroring for offline operation
  • Feed snapshot versioning
  • Content-addressed feed storage

7. VEX Processing

7.1 VEX Formats Supported

  • OpenVEX (primary format)
  • CycloneDX VEX
  • CSAF VEX (Community/Enterprise)

7.2 VEX Ingestion (Excititor)

  • Multi-format VEX import
  • VEX validation
  • VEX normalization
  • Statement extraction

7.3 VEX Consensus Engine (VexLens)

  • Trust vector scoring (Precision/Coverage/Recency)
  • Claim strength multipliers
  • Freshness decay algorithms
  • Conflict detection and penalty (K4 lattice logic)
  • Multi-issuer statement aggregation

7.4 Trust Weighting

  • Issuer trust scoring
  • Statement freshness weighting
  • Claim strength assessment
  • Conflict penalty calculation

7.5 VEX Conflict Resolution

  • K4 four-valued logic (Unknown/True/False/Conflict)
  • Conflict surfacing (not hiding)
  • Visual conflict resolution (VEX Conflict Studio UI)
  • Deterministic outcome selection

7.6 VEX Hub

  • VEX distribution and exchange
  • Internal VEX network
  • VEX statement sharing
  • VEX propagation across supply chain

7.7 Issuer Directory

  • Issuer trust registry
  • CSAF publisher management
  • Trust root configuration
  • Issuer metadata storage

7.8 Trust Calibration Service (Enterprise)

  • Organization-specific trust tuning
  • Custom trust weightings
  • Historical trust analysis

8. Reachability Analysis

8.1 Static Call Graph

  • Function-level call graph construction
  • Cross-module call tracking
  • Entry point identification
  • Path enumeration

8.2 Entrypoint Detection

  • 9+ framework types supported
  • HTTP endpoints
  • CLI entry points
  • Event handlers
  • Message consumers
  • Scheduled tasks

8.3 BFS Reachability

  • Breadth-first path search
  • Shortest path calculation
  • All paths enumeration
  • Path filtering

8.4 Three-Layer Reachability Proofs

  • Layer 1 (Static): Call graph path from entrypoint to vulnerable function
  • Layer 2 (Binary): Compiled binary contains symbol with matching offset
  • Layer 3 (Runtime): eBPF probe confirms function execution

8.5 Confidence Tiers

  • Confirmed: All three layers agree
  • Likely: Static + binary agree; no runtime data
  • Present: Package present; no reachability evidence
  • Unreachable: Static analysis proves no path exists

8.6 Binary Loader Resolution (Community/Enterprise)

  • ELF dynamic linking resolution
  • PE import table analysis
  • Mach-O load command parsing

8.7 Feature Flag/Config Gating (Community/Enterprise)

  • Configuration-based path analysis
  • Feature flag detection
  • Conditional path evaluation

8.8 Runtime Signal Correlation (Enterprise)

  • Zastava integration for runtime signals
  • eBPF-based function tracing
  • Actual execution path verification

8.9 Gate Detection (Enterprise)

  • Authentication gate detection
  • Authorization check identification
  • Admin-only path detection

8.10 Path Witness Generation (Enterprise)

  • Audit evidence for reachability claims
  • Detailed path documentation
  • Witness verification

8.11 Reachability Drift Detection

  • Cross-version reachability comparison
  • Path change detection
  • Risk delta calculation

8.12 Reachability Mini-Map API (Enterprise)

  • UI visualization data
  • Compact graph representation
  • Interactive exploration support

8.13 Runtime Timeline API (Enterprise)

  • Temporal execution analysis
  • Time-based function tracking
  • Historical runtime data

9. Binary Analysis

9.1 Binary Identity Extraction

  • Build-ID extraction
  • SHA-256 hash computation
  • Content-addressed identification
  • Metadata extraction

9.2 Binary Format Parsers (Community/Enterprise)

  • ELF (Linux) parser
  • PE (Windows) parser
  • Mach-O (macOS) parser

9.3 Build-ID Vulnerability Lookup

  • Direct build-ID to CVE mapping
  • Pre-computed vulnerability databases

9.4 Binary Corpus Support

  • Debian/Ubuntu Corpus (all tiers)
  • RPM/RHEL Corpus (Community/Enterprise)

9.5 Patch-Aware Backport Detection (Community/Enterprise)

  • Distribution patch tracking
  • Backported fix detection
  • False positive reduction

9.6 Binary Fingerprint Generation (Enterprise)

  • Function-level fingerprints
  • Code similarity hashing
  • Version-independent matching

9.7 Fingerprint Matching Engine (Enterprise)

  • Similarity search across binaries
  • Fuzzy matching for modified code
  • Large-scale fingerprint database

9.8 DWARF/Symbol Analysis (Enterprise)

  • Debug symbol parsing
  • Source location mapping
  • Type information extraction

9.9 Symbol Resolution (Symbols Module)

  • Symbol table parsing
  • Name demangling
  • Cross-reference building
  • Symbol repository

10. Policy Engine

10.1 Policy Rule Formats

  • YAML Policy Rules (all tiers)
  • OPA/Rego Integration (Enterprise)
  • Score Policy YAML (Enterprise)

10.2 Belnap K4 Four-Valued Logic

  • Unknown (no information)
  • True (positive assertion)
  • False (negative assertion)
  • Conflict (contradictory assertions)

10.3 Security Atoms (6 Types)

  • PRESENT: Package is present in artifact
  • APPLIES: CVE applies to package version
  • REACHABLE: Vulnerable code is reachable
  • MITIGATED: Compensating controls exist
  • FIXED: Vulnerability is fixed
  • MISATTRIBUTED: CVE incorrectly assigned

10.4 Policy Gates

  • Minimum Confidence Gate: Enforce minimum confidence threshold
  • Unknowns Budget Gate (Community/Enterprise): Limit acceptable unknowns
  • Source Quota Gate (Enterprise): 60% source cap enforcement
  • Reachability Requirement Gate (Enterprise): Require reachability proof for criticals
  • Evidence Freshness Gate: Enforce evidence age limits
  • VEX Trust Gate: VEX-based policy decisions
  • Drift Gate: Reachability drift enforcement
  • Stability Damping Gate: Noise reduction

10.5 Disposition Selection

  • ECMA-424 compliant disposition mapping
  • Deterministic outcome selection
  • Traceable decision paths

10.6 Exception Objects & Workflow (Enterprise)

  • Time-bound exceptions
  • Approval chain management
  • Exception tracking

10.7 Policy Version History (Enterprise)

  • Full policy change audit trail
  • Policy rollback capability
  • Version comparison

10.8 Configurable Scoring Profiles (Enterprise)

  • Simple profile (basic scoring)
  • Advanced profile (multi-factor scoring)
  • Custom profile creation

11. Attestation & Signing

11.1 DSSE Envelope Signing

  • Detached signature envelopes
  • Canonical JSON payloads
  • Multi-signature support

11.2 in-toto Statement Structure

  • Statement v1 format
  • Subject binding to artifacts
  • Predicate flexibility

11.3 Attestation Predicates

  • SBOM Predicate: SBOM content attestation
  • VEX Predicate: VEX statement attestation
  • Reachability Predicate (Community/Enterprise): Reachability proof attestation
  • Policy Decision Predicate (Community/Enterprise): Policy outcome attestation
  • Human Approval Predicate (Enterprise): Manual approval attestation
  • Boundary Predicate (Enterprise): Network exposure attestation

11.4 Verdict Manifest

  • Signed verdict bundles (Community/Enterprise)
  • Complete decision documentation
  • Replay verification support

11.5 Key Management

  • Ephemeral OIDC/keyless signing
  • Short-lived key support
  • HSM/KMS integration
  • Key rotation management (Enterprise)

11.6 SLSA Provenance (Enterprise)

  • SLSA v1.0 provenance attestations
  • Build provenance capture
  • Supply chain attestation

11.7 Transparency Logging

  • Rekor Transparency Log (Enterprise): Public attestation logging
  • Cosign Integration (Enterprise): Sigstore ecosystem compatibility
  • Inclusion proof storage
  • Local transparency mirror for offline

12. Regional Cryptography

12.1 Default Cryptography

  • Ed25519 signing (default)
  • Modern elliptic curve cryptography
  • High performance signing/verification

12.2 FIPS 140-2/3 Mode

  • ECDSA P-256 signing
  • RSA-PSS signing
  • US Federal compliance
  • FIPS-validated modules

12.3 eIDAS Signatures

  • ETSI TS 119 312 compliance
  • EU qualified electronic signatures
  • European compliance

12.4 GOST/CryptoPro

  • GOST R 34.10-2012 signing
  • Russian Federation compliance
  • CryptoPro integration

12.5 SM National Standard

  • GM/T 0003.2-2012 compliance
  • SM2 signing algorithm
  • China compliance

12.6 Post-Quantum Cryptography

  • Dilithium signing (NIST PQC)
  • Falcon signing support
  • Future-proof security

12.7 Crypto Plugin Architecture

  • Custom HSM integration
  • Pluggable crypto providers
  • Multi-signature DSSE envelopes (sign with multiple profiles)

12.8 RootPack Bundles

  • Pre-configured trust root packages
  • Regional trust root distribution
  • Offline trust root updates

13. Risk Scoring & Assessment

13.1 Score Display

  • CVSS v4.0/v3.1/v2.0 display
  • EPSS v4 probability display
  • Composite risk scores

13.2 Priority Band Classification

  • Critical/High/Medium/Low/Informational bands
  • Configurable band thresholds
  • Multi-factor classification

13.3 EPSS-at-Scan Immutability (Community/Enterprise)

  • EPSS score captured at scan time
  • Historical score preservation
  • Score drift tracking

13.4 Unified Confidence Model (Community/Enterprise)

  • 5-factor confidence scoring
  • Source confidence weighting
  • Evidence strength assessment

13.5 Entropy-Based Scoring (Enterprise)

  • Information-theoretic risk assessment
  • Uncertainty quantification

13.6 Gate Multipliers (Enterprise)

  • Reachability-aware score adjustment
  • Gate-based risk modification

13.7 Unknowns Pressure Factor (Enterprise)

  • Uncertainty budget enforcement
  • Unknown count impact on risk

13.8 Custom Scoring Profiles (Enterprise)

  • Organization-specific scoring
  • Factor weight customization
  • Profile versioning

13.9 Score Explanation Arrays

  • Per-finding score breakdown
  • Factor contribution transparency
  • Decision audit support

14. Evidence Management

14.1 Findings List

  • Comprehensive finding catalog
  • Filtering and sorting
  • Export capabilities

14.2 Evidence Graph View

  • Visual evidence relationships
  • Interactive exploration
  • Dependency visualization

14.3 Findings Ledger (Enterprise)

  • Immutable finding history
  • Audit trail for all findings
  • Finding lifecycle tracking

14.4 Evidence Locker (Enterprise)

  • Sealed evidence storage
  • Tamper-evident packaging
  • Import/export capabilities

14.5 Evidence TTL Policies (Enterprise)

  • Configurable retention rules
  • Automatic expiration
  • Compliance-driven retention

14.6 Evidence Size Budgets (Enterprise)

  • Storage governance
  • Quota enforcement
  • Capacity planning

14.7 Retention Tiers (Enterprise)

  • Hot tier (immediate access)
  • Warm tier (near-line storage)
  • Cold tier (archive storage)

14.8 Privacy Controls (Enterprise)

  • Sensitive data redaction
  • PII handling
  • Anonymization support

14.9 Audit Pack Export (Enterprise)

  • Compliance bundle generation
  • Regulatory export formats
  • Complete evidence packaging

15. Determinism & Reproducibility

15.1 Canonical JSON Serialization

  • RFC 8785 compliant serialization
  • Sorted keys
  • Minimal escaping
  • Consistent number formatting

15.2 Content-Addressed IDs

  • SHA-256 based identification
  • Immutable references
  • Deduplication support

15.3 Replay Manifest (SRM)

  • Complete scan input capture
  • Version pinning
  • Configuration recording

15.4 Replay Verification

  • stella replay CLI command
  • Digest assertion
  • Bit-for-bit comparison

15.5 Evidence Freshness Multipliers (Community/Enterprise)

  • Age-based confidence adjustment
  • Decay algorithms
  • Freshness enforcement

15.6 Proof Coverage Metrics (Community/Enterprise)

  • Evidence completeness measurement
  • Gap identification
  • Coverage reporting

15.7 Fidelity Metrics (Enterprise)

  • BF (Base Fidelity): Input quality
  • SF (Scan Fidelity): Detection quality
  • PF (Proof Fidelity): Evidence quality
  • Audit dashboard integration

15.8 FN-Drift Rate Tracking (Enterprise)

  • False negative monitoring
  • Quality trend analysis
  • Alert thresholds

15.9 Determinism Gate CI (Enterprise)

  • Automated determinism testing
  • CI/CD integration
  • Drift prevention

16. CLI Features

16.1 Core Commands

  • stella scan - Container image scanning
  • stella sbom - SBOM generation and inspection
  • stella vex - VEX evaluation and generation
  • stella advisory - Advisory management
  • stella policy - Policy evaluation
  • stella replay - Deterministic replay

16.2 SBOM Commands

  • stella sbom generate - Generate SBOM from image
  • stella sbom inspect - View SBOM contents
  • stella sbom diff - Compare SBOMs
  • stella sbom validate - Validate SBOM format
  • stella sbom convert - Convert between formats

16.3 VEX Commands

  • stella vex evaluate - Evaluate VEX statements
  • stella vex generate - Generate VEX documents
  • stella vex import - Import VEX from file
  • stella vex export - Export VEX statements

16.4 Attestation Commands

  • stella attest sign - Sign attestations
  • stella attest verify (Community/Enterprise) - Verify attestations
  • stella attest export - Export attestations

16.5 Reachability Commands

  • stella reachability analyze - Run reachability analysis
  • stella graph show - Display reachability graph
  • stella reachability export - Export reachability data

16.6 Risk Commands

  • stella risk evaluate - Calculate risk scores
  • stella risk report - Generate risk reports

16.7 Policy Commands

  • stella policy evaluate - Run policy evaluation
  • stella policy validate - Validate policy files
  • stella policy export - Export policy decisions

16.8 Offline Commands

  • stella rootpack import - Import trust root bundles
  • stella offline sync - Sync offline data
  • stella offline verify - Verify offline package

16.9 Database Commands

  • stella db update - Update vulnerability database
  • stella db status - Check database status
  • stella db export - Export database snapshot

16.10 Export Commands

  • stella export sarif - Export SARIF format
  • stella export json - Export JSON format
  • stella export csv - Export CSV format
  • stella export audit-pack (Enterprise) - Export audit bundle

16.11 Administrative Commands (Enterprise)

  • stella admin - Administrative utilities
  • stella symbols - Symbol resolution commands
  • stella notify - Notification management
  • stella orchestrator - Workflow control

16.12 CLI Technical Features

  • Native AOT compilation
  • Cross-platform support (linux-x64, linux-arm64, osx-x64, osx-arm64, win-x64)
  • Machine-readable output (JSON, NDJSON)
  • Exit codes for CI/CD integration
  • Environment variable configuration

17. Web UI Features

17.1 Core Interface

  • Dark/Light mode toggle
  • Responsive design
  • Locale support (Cyrillic, etc.) (Community/Enterprise)
  • Keyboard shortcuts (Enterprise)

17.2 Findings View

  • Findings Row Component
  • Filtering and sorting
  • Bulk actions
  • Export capabilities

17.3 Evidence Visualization

  • Evidence Drawer panel
  • Proof Tab for attestations
  • Evidence Graph View
  • Confidence Meter

17.4 VEX Interface

  • VEX Conflict Studio UI
  • Claim Comparison Table (Enterprise)
  • Trust Algebra Panel (Enterprise)

17.5 Reachability Visualization

  • Reachability Mini-Map (Enterprise)
  • Path visualization
  • Call graph explorer

17.6 Policy Interface

  • Policy Chips Display (Enterprise)
  • Gate status visualization
  • Policy decision trace

17.7 Triage Features

  • Triage Canvas component
  • Vulnerability triage workflow
  • Status management
  • Assignment capabilities

17.8 Timeline Features (Enterprise)

  • Runtime Timeline view
  • Historical execution data
  • Temporal analysis

17.9 Administrative Features (Enterprise)

  • Audit Trail UI
  • Knowledge Snapshot UI (air-gap prep)
  • Operator/Auditor Toggle (role separation)
  • Reproduce Verdict Button

17.10 Noise Gating UI

  • Delta visualization
  • Gating statistics
  • Noise reduction controls

18. Offline & Air-Gap Operations

18.1 Offline Update Kits (OUK)

  • Complete feed bundles
  • Monthly (Community) / Weekly (Enterprise) updates
  • Signed packages

18.2 Knowledge Snapshots (Enterprise)

  • Sealed feed exports
  • Complete knowledge state capture
  • Merkle root verification

18.3 Offline Signature Verification (Community/Enterprise)

  • Local verification without network
  • Embedded revocation lists
  • Cached trust roots

18.4 Offline JWT Tokens (Enterprise)

  • 90-day offline tokens
  • Local token validation
  • Extended offline operation

18.5 Air-Gap Bundle Manifest (Enterprise)

  • Transfer package specification
  • Integrity verification
  • Import/export workflows

18.6 No-Egress Enforcement (Enterprise)

  • Strict network isolation
  • Egress policy enforcement
  • Connectivity validation

18.7 Offline Components

  • Mirrored vulnerability feeds
  • Local transparency log mirror
  • RootPack trust bundles
  • Embedded revocation lists

18.8 One-Command Replay (Community/Enterprise)

  • stella replay srm.yaml for offline verification
  • No network required for replay
  • Complete evidence bundle

19. Deployment Options

19.1 Docker Compose

  • Single-node deployment (all tiers)
  • Development environment setup
  • Quick start configuration

19.2 Helm Chart (Community/Enterprise)

  • Kubernetes deployment
  • Configurable replicas
  • Resource management
  • Secret management

19.3 High Availability (Enterprise)

  • Multi-replica deployment
  • Load balancing
  • Failover support
  • Disaster recovery

19.4 Horizontal Scaling (Enterprise)

  • Auto-scaling support
  • Workload distribution
  • Resource optimization

19.5 Dedicated Capacity (Enterprise)

  • Reserved resources
  • Guaranteed performance
  • Isolation options

19.6 Infrastructure Requirements

  • PostgreSQL 16+: Primary database
  • Valkey 8.0+: Caching and queuing
  • RustFS (S3) (Community/Enterprise): Object storage

19.7 Container Images

  • Multi-architecture support (amd64, arm64)
  • Minimal base images
  • Regular security updates

20. Authentication & Authorization

20.1 Authentication Methods

  • Basic Auth: Username/password (all tiers)
  • API Keys: Token-based access (all tiers)
  • SSO/SAML: Okta, Azure AD integration (all tiers)
  • OIDC Support: OpenID Connect with discovery (all tiers)

20.2 OAuth 2.0 Grant Types

  • Client Credentials: Service-to-service authentication
  • Resource Owner Password Credentials: User login
  • Authorization Code + PKCE: Browser-based UI flows
  • Device Code: CLI login on headless agents
  • Refresh Token Grant: DPoP-bound or mTLS constrained

20.3 Sender-Constraint Technologies

DPoP (Demonstration of Proof-of-Possession)

  • Proof JWT on every HTTP request
  • Token bound via cnf.jkt (JWK thumbprint)
  • Replay prevention with JTI cache
  • Nonce support for high-value services

mTLS (Mutual TLS Binding)

  • Client certificate-bound tokens
  • Token carries cnf.x5t#S256 (cert thumbprint)
  • Enforced for high-value audiences (Signer, Attestor)
  • Certificate chain validation

20.4 Token Management

  • Access Token (OpTok): 120-300 second TTL
  • Refresh Tokens: Optional, short-lived (≤ 8h), rotating
  • Token refresh (12h Free / 30d Community / Annual Enterprise)
  • Short-lived key support
  • JWT format with custom claims

20.5 Identity Provider Plugins

  • Standard Plugin: Local username/password, MFA support
  • LDAP Plugin: Active Directory / OpenLDAP integration
  • OIDC Plugin: External OIDC provider federation
  • SAML Plugin: SAML 2.0 assertion processing

20.6 RBAC (Role-Based Access Control)

  • Basic RBAC: User/Admin roles (all tiers)
  • Advanced RBAC (Enterprise): Team-based scopes, custom roles
  • 70+ granular permission scopes
  • Scope-based authorization enforcement

20.7 Scope Categories

  • Authority Admin: authority:tenants.*, authority:users.*, authority:roles.*
  • Scanner: scanner:read, scanner:scan, scanner:export
  • Signer: signer:read, signer:sign, signer:rotate
  • Policy: policy:write, policy:review, policy:approve, policy:publish
  • VulnExplorer: vuln:view, vuln:investigate, vuln:operate
  • VEX: vex:read, vex:ingest
  • Graph: graph:read, graph:write, graph:export
  • Evidence: evidence:create, evidence:read, evidence:hold
  • Attestation: attest:read, attest:create, attest:admin
  • Observability: obs:read, obs:incident, timeline:read

20.8 ABAC (Attribute-Based Access Control)

  • Environment attribute filtering (stellaops:attr:env)
  • Ownership visibility (stellaops:attr:owner)
  • Business tier filtering (stellaops:attr:business_tier)

20.9 Multi-Tenant Management (Enterprise)

  • Organization hierarchy
  • Tenant isolation via tid claim
  • Installation isolation via inst claim
  • Cross-tenant policy enforcement

20.10 Specialized Tokens

  • Incident Mode Tokens: 5-minute freshness, requires human reason
  • Vulnerability Workflow Tokens: Anti-forgery for mutations
  • Attachment Access Tokens: Evidence bundle downloads
  • Acknowledgment Tokens: Notification workflows

20.11 Security Features

  • Password lockout with configurable attempts
  • Key rotation (30-90 day cadence, zero-downtime)
  • KMS/HSM support (private keys never leave the KMS/HSM)
  • Rate limiting (per-client, per-IP, per-endpoint)
  • PKCE required for Authorization Code flow

20.12 Audit Logging (Enterprise)

  • Token issuance audit (sub, aud, scopes, tid, jti)
  • Revocation events
  • Admin changes (client/user/role)
  • Credential attempt tracking with failure codes
  • DPoP/mTLS validation events
  • SIEM integration
  • User activity tracking

21. Integrations & Notifications

21.1 Notification Channels

  • In-App Notifications (all tiers)
  • Email Notifications (Community/Enterprise)
  • Slack Integration (all tiers)
  • Microsoft Teams Integration (all tiers)

21.2 Alert Types

  • New vulnerability alerts
  • EPSS change alerts (Community/Enterprise)
  • Policy violation alerts
  • Scan completion notifications

21.3 Registry Integration

  • Zastava Registry Hooks: Auto-scan on container push (all tiers)
  • Registry webhook observer
  • Event-driven scanning

21.4 CI/CD Integration (Enterprise)

  • GitLab CI/CD gates
  • GitHub Actions integration
  • Jenkins plugin
  • Custom webhook endpoints

21.5 Custom Webhooks (Enterprise)

  • Configurable endpoints
  • Event filtering
  • Payload customization

21.6 Enterprise Connectors (Enterprise)

  • Grid/Premium API access
  • Custom connector development
  • Third-party integration support

21.7 Gateway & Router

  • API gateway with routing
  • Transport abstraction (TCP/TLS/UDP/RabbitMQ/Valkey)
  • Rate limiting
  • Request routing

22. Observability & Telemetry

22.1 Metrics

  • Basic metrics (all tiers)
  • Scan performance metrics
  • Resource utilization metrics
  • Error rate tracking

22.2 OpenTelemetry (Enterprise)

  • Full distributed tracing
  • Trace context propagation
  • Custom span attributes

22.3 Prometheus Export (Enterprise)

  • Prometheus metric format
  • Custom metrics endpoints
  • Grafana dashboard support

22.4 Telemetry Options

  • Opt-in telemetry (all tiers)
  • Telemetry configuration
  • Privacy controls

22.5 Quality KPIs Dashboard (Enterprise)

  • Triage metrics
  • Detection accuracy
  • Coverage statistics

22.6 SLA Monitoring (Enterprise)

  • Uptime tracking
  • Performance monitoring
  • SLA compliance reporting

22.7 Logging

  • Structured logging
  • Log levels configuration
  • Log aggregation support

23. Scheduling & Automation

23.1 Manual Scans

  • On-demand scanning (all tiers)
  • CLI-triggered scans
  • UI-initiated scans

23.2 Scheduled Scans (Enterprise)

  • Cron-based scheduling
  • Recurring scan configuration
  • Schedule management

23.3 Event-Driven Scanning (Enterprise)

  • Registry push triggers
  • Webhook-initiated scans
  • Pipeline integration

23.4 Task Pack Orchestration (Enterprise)

  • Declarative workflow definition
  • Task pack execution
  • Plan-hash binding
  • Approval gates
  • Sealed mode for air-gap

23.5 EPSS Daily Refresh (Enterprise)

  • Automatic EPSS updates
  • Score recalculation
  • Delta notifications

23.6 Scheduler Features

  • Job queue management
  • Priority scheduling
  • Resource allocation
  • Failure retry policies

23.7 Orchestrator Features

  • Workflow coordination
  • Task dependency management
  • Parallel execution
  • Status tracking

24. Version Comparison

24.1 Package Version Formats

  • RPM (NEVRA): Name-Epoch-Version-Release-Architecture
  • Debian (EVR): Epoch-Version-Release
  • Alpine (APK): Alpine package versioning
  • SemVer: Semantic versioning (major.minor.patch)

24.2 PURL Resolution

  • Package URL parsing
  • Ecosystem-aware resolution
  • Version normalization

24.3 Version Range Matching

  • Affected version range detection
  • Fixed version identification
  • Upgrade path calculation

25. Database & Storage

25.1 PostgreSQL Features

  • PostgreSQL 16+ support
  • Per-module schema isolation
  • Row-Level Security (RLS) for multi-tenancy
  • Connection pooling

25.2 Valkey/Redis Features

  • Valkey 8.0+ support
  • Caching layer
  • Job queue backend
  • Session storage

25.3 Object Storage (RustFS/S3)

  • S3-compatible storage (Community/Enterprise)
  • Content-addressed blob storage
  • SBOM/evidence storage
  • Artifact storage

25.4 Storage Features

  • Content deduplication
  • Compression support
  • Encryption at rest
  • Retention policies

26. API Capabilities

26.1 REST API

  • RESTful endpoints
  • OpenAPI 3.0 specification
  • JSON request/response
  • Pagination support

26.2 API Features

  • Rate limiting (all tiers)
  • 429 Backpressure handling
  • Retry-After headers
  • Priority queue (Enterprise)
  • Burst allowance (Enterprise)

26.3 Quota Management

  • Usage API (/quota)
  • Scan quota tracking
  • Quota enforcement
  • Custom quotas (Enterprise)

26.4 API Authentication

  • API key authentication
  • JWT bearer tokens
  • OAuth 2.0 support
  • DPoP support

27. Support & Services

27.1 Documentation

  • Comprehensive documentation (all tiers)
  • API reference
  • Architecture guides
  • Tutorials and guides

27.2 Community Support

  • Community forums (all tiers)
  • GitHub Issues (all tiers)
  • Documentation wiki

27.3 Email Support (Enterprise)

  • Business hours support
  • Ticket-based support

27.4 Priority Support (Enterprise)

  • 4-hour response time
  • Priority ticket handling

27.5 24/7 Critical Support (Enterprise)

  • Round-the-clock support (add-on)
  • Emergency response

27.6 Dedicated CSM (Enterprise)

  • Named customer success manager
  • Regular check-ins
  • Account management

27.7 Professional Services (Enterprise)

  • Implementation assistance
  • Custom development
  • Architecture review

27.8 Training & Certification (Enterprise)

  • Team enablement
  • Certification programs
  • Custom training

27.9 SLA Guarantee (Enterprise)

  • 99.9% uptime guarantee
  • SLA credits
  • Performance guarantees

Appendix A: Module Reference

| Module | Description |
| --- | --- |
| Authority | Authentication, authorization, OAuth/OIDC, DPoP |
| Gateway | API gateway with routing and transport abstraction |
| Router | Transport-agnostic messaging |
| Concelier | Vulnerability advisory ingestion and merge engine |
| Excititor | VEX document ingestion and export |
| VexLens | VEX consensus computation across issuers |
| VexHub | VEX distribution and exchange hub |
| IssuerDirectory | Issuer trust registry |
| Feedser | Evidence collection for backport detection |
| Mirror | Vulnerability feed mirror and distribution |
| Scanner | Container scanning with SBOM generation |
| BinaryIndex | Binary identity extraction and fingerprinting |
| AdvisoryAI | AI-assisted advisory analysis |
| ReachGraph | Reachability graph service |
| Symbols | Symbol resolution and debug information |
| Attestor | in-toto/DSSE attestation generation |
| Signer | Cryptographic signing operations |
| SbomService | SBOM storage, versioning, and lineage ledger |
| EvidenceLocker | Sealed evidence storage and export |
| ExportCenter | Batch export and report generation |
| Provenance | SLSA/DSSE attestation tooling |
| Policy | Policy engine with K4 lattice logic |
| RiskEngine | Risk scoring runtime |
| VulnExplorer | Vulnerability exploration and triage UI backend |
| Unknowns | Unknown component and symbol tracking |
| Scheduler | Job scheduling and queue management |
| Orchestrator | Workflow orchestration and task coordination |
| TaskRunner | Task pack execution engine |
| Notify | Notification toolkit |
| Notifier | Notifications Studio host |
| PacksRegistry | Task packs registry and distribution |
| TimelineIndexer | Timeline event indexing |
| Replay | Deterministic replay engine |
| CLI | Command-line interface |
| Zastava | Container registry webhook observer |
| Web | Angular frontend SPA |
| Cryptography | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) |
| Telemetry | OpenTelemetry traces, metrics, logging |
| Graph | Call graph and reachability data structures |
| Signals | Runtime signal collection and correlation |
| AirGap | Air-gapped deployment support |
| AOC | Append-Only Contract enforcement |

Appendix B: Supported Standards

| Standard | Version | Usage |
| --- | --- | --- |
| CycloneDX | 1.7 | Primary SBOM format |
| SPDX | 3.0.1 | SBOM format |
| in-toto Statement | v1 | Attestation format |
| DSSE | v1 | Envelope signing |
| OpenVEX | Current spec | VEX format |
| SARIF | 2.1.0 | Findings interchange |
| Sigstore Rekor | API stable | Transparency logging |
| SLSA | v1.0 | Provenance attestation |

Appendix C: Glossary

| Term | Definition |
| --- | --- |
| SBOM | Software Bill of Materials - component inventory |
| VEX | Vulnerability Exploitability eXchange - exploitability status |
| DSSE | Dead Simple Signing Envelope - detached signatures |
| in-toto | Software supply chain attestation framework |
| K4 Lattice | Belnap four-valued logic (Unknown, True, False, Conflict) |
| SRM | Scan Replay Manifest - deterministic replay bundle |
| PURL | Package URL - universal package identifier |
| NEVRA | Name-Epoch-Version-Release-Architecture (RPM) |
| EVR | Epoch-Version-Release (Debian) |
| KEV | Known Exploited Vulnerabilities |
| EPSS | Exploit Prediction Scoring System |
| OVAL | Open Vulnerability and Assessment Language |

Last updated: 4 Jan 2026. For tier availability, see 04_FEATURE_MATRIX.md.