git.stella-ops.org/docs/marketing/decision-capsules.md
master 491e883653 Add tests for SBOM generation determinism across multiple formats
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-24 00:36:14 +02:00


Decision Capsules — Audit-Grade Evidence Bundles

Status: Marketing Bridge Document · December 2025
Audience: Technical buyers, security architects, compliance teams

Executive Summary

Stella Ops isn't just another scanner—it's a different product category: deterministic, evidence-linked vulnerability decisions that survive auditors, regulators, and supply-chain propagation.

Decision Capsules are the mechanism that makes this possible: content-addressed bundles that seal every scan result with all inputs, outputs, and evidence needed to reproduce and verify vulnerability decisions. This is the heart of audit-grade assurance—every decision becomes a provable, replayable fact.

Key message: "Prove every fix, audit every finding."


What is a Decision Capsule?

A Decision Capsule is a signed, immutable bundle containing:

| Component | Description | Purpose |
|---|---|---|
| Exact SBOM | The precise software bill of materials used for the scan | Reproducibility |
| Vuln feed snapshots | Frozen advisory data (NVD, OSV, GHSA, etc.) at scan time | Consistency |
| Reachability evidence | Static call-graph artifacts + runtime traces | Proof of analysis |
| Policy version | Lattice rules and threshold configuration | Explainability |
| Derived VEX | The vulnerability status decision with justification | Outcome |
| DSSE signatures | Cryptographic signatures over all contents | Integrity |

┌─────────────────────────────────────────────────────────────┐
│                    Decision Capsule                          │
├─────────────────────────────────────────────────────────────┤
│  ┌─────────┐  ┌─────────────┐  ┌──────────────────┐        │
│  │  SBOM   │  │ Vuln Feeds  │  │ Reachability     │        │
│  │ (exact) │  │ (snapshots) │  │ Evidence         │        │
│  └─────────┘  └─────────────┘  └──────────────────┘        │
│                                                              │
│  ┌─────────────┐  ┌─────────────┐  ┌──────────────────┐    │
│  │ Policy Ver  │  │ Derived VEX │  │ DSSE Signatures  │    │
│  │ + Lattice   │  │ + Justify.  │  │ (integrity)      │    │
│  └─────────────┘  └─────────────┘  └──────────────────┘    │
└─────────────────────────────────────────────────────────────┘

Why Decision Capsules Matter

For Security Teams

  • Reproduce any finding: Re-run a scan from 6 months ago with identical results
  • Trust the evidence: Every decision has cryptographic proof
  • Explain to stakeholders: Clear justification for every block/allow decision

For Compliance Teams

  • Audit-ready artifacts: Evidence bundles meet regulatory requirements
  • Chain of custody: Full provenance from scan to decision
  • Tamper-evident: Any modification breaks the signature

For Developers

  • No "works on my machine": Reproducible results across environments
  • Fast debugging: Trace exactly why a vulnerability was flagged
  • CI/CD integration: Capsules fit into existing pipelines

Competitive Differentiation

| Capability | Stella Ops | Competitors |
|---|---|---|
| Sealed evidence | Decision Capsules with DSSE signatures | Scan reports (mutable) |
| Reproducibility | Bit-for-bit replay from frozen feeds | "Re-scan" with current data |
| Evidence linking | Every VEX decision has proof pointers | VEX statements without proof |
| Offline verification | Full verification without network | Requires SaaS connection |

Battlecard one-liner: "Prove every fix, audit every finding—Decision Capsules seal evidence so you can replay scans bit-for-bit."


Technical Details

Capsule Format

```yaml
apiVersion: capsule.stellaops.dev/v1
metadata:
  id: "cap-2025-12-11-abc123"
  timestamp: "2025-12-11T14:30:00Z"
  scan_id: "scan-xyz789"
inputs:
  sbom:
    format: "cyclonedx@1.6"
    digest: "sha256:..."
  feeds:
    - name: "nvd"
      snapshot: "2025-12-11"
      digest: "sha256:..."
    - name: "osv"
      snapshot: "2025-12-11"
      digest: "sha256:..."
  policy:
    version: "corp-policy@2025-12-01"
    digest: "sha256:..."
  reachability:
    graph_hash: "blake3:..."
    edge_bundles: ["bundle:001", "bundle:002"]
outputs:
  vex:
    format: "openvex"
    digest: "sha256:..."
  findings:
    digest: "sha256:..."
signatures:
  - scheme: "DSSE"
    profile: "FIPS-140-3"
    signer: "build-ca@corp"
```

CLI Commands

```bash
# Create a capsule during scan
stella scan --image reg/app@sha256:... --capsule-out capsule.yaml

# Replay a capsule
stella replay capsule.yaml --assert-digest sha256:...

# Verify capsule integrity
stella capsule verify capsule.yaml

# Extract evidence for audit
stella capsule export capsule.yaml --format audit-bundle
```
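The capsule format and the verify/replay commands above reduce to three operations: hash every input and output into a content-addressed body, wrap that body in a DSSE envelope, and at replay time re-derive the output from the sealed inputs and compare digests. The Python below is an added example that is not Stella Ops code. Its field names only loosely follow the YAML above; the `apiVersion`, payload type, keyid and the sample SBOM, feed and policy bytes are constructed for the demo, and HMAC-SHA256 stands in for the asymmetric DSSE signature so the script runs with the standard library alone.

```python
"""Toy Decision Capsule: content-addressed body, DSSE envelope, replay check.
Added example, not Stella Ops code. HMAC-SHA256 stands in for the real
asymmetric DSSE signature so this runs with the standard library only."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.capsule+json"  # hypothetical payload type


def canonical(obj) -> bytes:
    """Deterministic JSON: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def b64(data: bytes) -> str:
    return base64.standard_b64encode(data).decode("ascii")


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding: the bytes that are actually signed."""
    pt = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(pt)).encode("ascii"), pt,
                      str(len(payload)).encode("ascii"), payload])


def capsule_id(body: dict) -> str:
    """Content address: hash of the canonical body with the id field removed."""
    stripped = json.loads(canonical(body))  # deep copy via round-trip
    stripped["metadata"].pop("id", None)
    return "cap-" + hashlib.sha256(canonical(stripped)).hexdigest()[:16]


def build_capsule(scan_id: str, sbom: bytes, feeds: dict, policy: bytes, vex: bytes) -> dict:
    """Seal the digest of every input and output; the id is derived from them."""
    body = {
        "apiVersion": "capsule.example/v1",  # hypothetical, not the real schema
        "metadata": {"scan_id": scan_id},
        "inputs": {
            "sbom": {"format": "cyclonedx@1.6", "digest": digest(sbom)},
            "feeds": [{"name": name, "snapshot": snap, "digest": digest(data)}
                      for name, (snap, data) in sorted(feeds.items())],
            "policy": {"digest": digest(policy)},
        },
        "outputs": {"vex": {"format": "openvex", "digest": digest(vex)}},
    }
    body["metadata"]["id"] = capsule_id(body)
    return body


def sign_capsule(body: dict, key: bytes, keyid: str) -> dict:
    """Wrap the canonical body in a DSSE envelope (HMAC stand-in for the signature)."""
    payload = canonical(body)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": b64(payload),
            "signatures": [{"keyid": keyid, "sig": b64(sig)}]}


def verify_capsule(envelope: dict, key: bytes) -> dict:
    """Check every signature over the PAE, then the content address; return the body."""
    payload = base64.standard_b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope["signatures"]:
        if not hmac.compare_digest(base64.standard_b64decode(s["sig"]), expected):
            raise ValueError(f"bad signature for keyid {s['keyid']}")
    body = json.loads(payload)
    if body["metadata"]["id"] != capsule_id(body):
        raise ValueError("capsule id does not match its content")
    return body


def replay(envelope: dict, key: bytes, sbom: bytes, feeds: dict, policy: bytes, engine) -> bool:
    """Verify, confirm the supplied inputs are the sealed ones, re-run the engine,
    and compare the fresh VEX digest with the sealed one (the --assert-digest idea)."""
    body = verify_capsule(envelope, key)
    want = body["inputs"]
    if want["sbom"]["digest"] != digest(sbom) or want["policy"]["digest"] != digest(policy):
        return False
    for f in want["feeds"]:
        snap, data = feeds.get(f["name"], (None, b""))
        if snap != f["snapshot"] or digest(data) != f["digest"]:
            return False
    return digest(engine(sbom, feeds, policy)) == body["outputs"]["vex"]["digest"]


# Constructed sample inputs (not real scan data).
SBOM = b'{"bomFormat":"CycloneDX","components":[{"purl":"pkg:npm/left-pad@1.3.0"}]}'
FEEDS = {"nvd": ("2025-12-11", b"nvd snapshot"), "osv": ("2025-12-11", b"osv snapshot")}
POLICY = b"block_on: critical\n"
KEY = b"demo-hmac-key"  # stand-in for the signer's private key


def toy_engine(sbom: bytes, feeds: dict, policy: bytes) -> bytes:
    """Deterministic stand-in for the scanner: output depends only on the inputs."""
    return canonical({"from": [digest(sbom), digest(policy)] +
                      [digest(feeds[n][1]) for n in sorted(feeds)]})


if __name__ == "__main__":
    vex = toy_engine(SBOM, FEEDS, POLICY)
    env = sign_capsule(build_capsule("scan-001", SBOM, FEEDS, POLICY, vex), KEY, "build-ca@example")
    print(json.dumps(verify_capsule(env, KEY), indent=2))
    print("replay ok:", replay(env, KEY, SBOM, FEEDS, POLICY, toy_engine))
```

Two design points carry over to a real capsule. First, the signature covers the PAE of the canonical payload, so any byte change in the SBOM digest, a feed snapshot date or the VEX digest fails verification, and the content-derived id means the capsule cannot be relabelled either. Second, HMAC is used here only to keep the script dependency-free: a shared MAC key lets every verifier also forge capsules, so a deployed signer must use an asymmetric key whose public half the `keyid` identifies, which is what lets downstream consumers verify offline without trusting the producer's secret.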

Integration with Four Capabilities

Decision Capsules connect all four capabilities:

  1. Signed Reachability → Reachability evidence sealed in capsule
  2. Deterministic Replay → Capsule enables bit-for-bit replay
  3. Explainable Policy → Policy version + derived VEX in capsule
  4. Sovereign Offline → Capsule verifiable without network

Customer Scenarios

Scenario 1: Regulatory Audit

"Show me the evidence for this CVE decision from 6 months ago." → Replay the Decision Capsule, get identical results, provide the signed evidence bundle.

Scenario 2: Incident Response

"This vulnerability was marked not_affected—prove it." → Extract the reachability evidence from the capsule showing the vulnerable code path is not reachable.

Scenario 3: Supply Chain Attestation

"Provide proof that this image was scanned and passed policy." → Share the Decision Capsule; downstream consumers can verify the signature independently.


  • docs/key-features.md — Feature overview
  • docs/03_VISION.md — Product vision and moats
  • docs/reachability/lattice.md — Reachability scoring
  • docs/16_VEX_CONSENSUS_GUIDE.md — VEX consensus and issuer trust