Files

StellaOps Bot a872da765d refactor: inject TimeProvider/IGuidProvider across multiple modules - DET-006 to DET-010

DET-006 Provenance module: Skipped - already uses TimeProvider in production code

DET-007 ReachGraph module:
- PostgresReachGraphRepository: Added TimeProvider for fallback timestamp in StoreAsync

DET-008 Registry module:
- RegistryTokenIssuer: Added IGuidProvider for JWT ID (jti) generation
- Added StellaOps.Determinism.Abstractions project reference

DET-009 Replay module:
- ReplayEngine: Added TimeProvider for ExecutedAt timestamp
- ReplayResult.Failed: Added optional executedAt parameter for determinism
- ReplayManifestExporter: Added TimeProvider constructor, replaced DateTimeOffset.UtcNow
- FeedSnapshotCoordinatorService: Updated GenerateSnapshotId to use injected TimeProvider
- ExportMetadataInfo: Made ExportedAt required (callers must provide explicitly)
- PolicySimulationInputLock: Made GeneratedAt required (callers must provide explicitly)

DET-010 RiskEngine module: Skipped - no determinism issues found

All changes maintain backward compatibility through optional parameters with system defaults.

2026-01-04 15:08:48 +02:00

32 KiB

Raw Blame History

Full Features List - Stella Ops

Comprehensive catalog of every capability in the Stella Ops platform.

For quick capability cards with competitive differentiation, see key-features.md. For tier-based availability (Free/Community/Enterprise), see 04_FEATURE_MATRIX.md.

How to Read This Document

Base Features: Core functionality available to all users
Enhanced Features: Advanced capabilities building on base features
Specialized Features: Domain-specific or enterprise-grade capabilities
Control Method: Indicates how each feature is accessed
- CLI - Command-line interface
- Config - YAML/JSON configuration files
- UI - Web user interface
- API - REST/gRPC API endpoints

Part I: Foundational Capabilities

1. Container Scanning

Container scanning is the core capability of Stella Ops. All other features build upon this foundation.

1.1 Image Scanning (Base)

Scan container images for vulnerabilities and generate SBOMs.

Feature	Description	Control
OCI image scanning	Scan OCI-compliant container images	`CLI` `API`
Docker image scanning	Scan Docker images from local daemon or registry	`CLI` `API`
Filesystem scanning	Scan extracted rootfs directories	`CLI`
Archive scanning	Scan .tar.gz container archives	`CLI`
Digest-based pull	Pull images by content-addressable digest	`CLI`

CLI Usage:

stella scan --image <registry/image:tag>
stella scan --image <registry/image@sha256:...>
stella scan --rootfs /path/to/extracted

1.2 Registry Integration (Base)

Connect to container registries for scanning.

Feature	Description	Control
Public registry	Scan images from public registries (Docker Hub, GHCR, etc.)	`CLI`
Private registry	Authenticate to private registries	`CLI` `Config`
Registry auth	Username/password, token, and keychain authentication	`Config`
Mirror support	Use registry mirrors for offline environments	`Config`

Configuration:

# etc/scanner.yaml
registry:
  mirrors:
    docker.io: "mirror.internal:5000"
  credentials:
    - registry: "private.registry.io"
      username: "${REGISTRY_USER}"
      password: "${REGISTRY_PASSWORD}"

1.3 Layer Analysis (Enhanced)

Analyze container layers for package changes.

Feature	Description	Control
Per-layer detection	Identify which packages came from which layer	`CLI`
Base image detection	Automatically identify base image	`CLI`
Layer change tracking	Track package additions/removals per layer	`CLI`
Inherited vs added	Distinguish base image packages from application packages	`CLI`

CLI Usage:

stella scan --image myapp:latest --show-layers

1.4 Scan Performance (Enhanced)

Performance optimizations for scanning at scale.

Feature	Description	Control
Delta-SBOM cache	Cache layer SBOMs for sub-second warm scans	`Config`
Concurrent workers	Run multiple scan workers in parallel	`Config`
Content-addressed caching	Deduplicate layers by content hash	Automatic
Incremental analysis	Only analyze changed layers	Automatic

Performance Tiers:

Free: 1 concurrent scan worker
Community: 3 concurrent scan workers
Enterprise: Unlimited concurrent workers

2. Package Detection

2.1 OS Packages (Base)

Detect operating system packages and their vulnerabilities.

Feature	Description	Control
Alpine APK	Detect Alpine Linux packages	Automatic
Debian/Ubuntu APT	Detect apt packages from dpkg database	Automatic
RHEL/CentOS/Fedora RPM	Detect RPM packages	Automatic
Arch Linux Pacman	Detect Arch packages	Automatic
SUSE Zypper	Detect SUSE packages	Automatic

2.2 Language Ecosystems (Base)

Detect packages from application language ecosystems.

Ecosystem	Package Manager	Manifest Files	Control
JavaScript/Node.js	npm, yarn, pnpm	package.json, package-lock.json, yarn.lock	Automatic
Python	pip, poetry, pipenv	requirements.txt, Pipfile.lock, pyproject.toml	Automatic
Java	Maven, Gradle	pom.xml, build.gradle, *.jar	Automatic
Go	Go Modules	go.mod, go.sum	Automatic
.NET	NuGet	.csproj, packages.config, .deps.json	Automatic
Ruby	Bundler	Gemfile, Gemfile.lock	Automatic
Rust	Cargo	Cargo.toml, Cargo.lock	Automatic
PHP	Composer	composer.json, composer.lock	Automatic
Bun	Bun	bun.lockb, package.json	Automatic
Deno	Deno	deno.json, import_map.json	Automatic
Native/C/C++	conan, vcpkg	conanfile.txt, vcpkg.json	Automatic

2.3 Advanced Detection (Enhanced)

Enhanced package detection capabilities.

Feature	Description	Control
Transitive dependency mapping	Map full dependency tree	Automatic
License detection	Detect package licenses	`CLI`
Binary fingerprinting	Identify packages from compiled binaries	`CLI`
Symbol extraction	Extract symbol tables for reachability	`CLI`

3. Vulnerability Detection

3.1 Advisory Sources (Base)

Vulnerability data sources used for detection.

Source	Description	Update Frequency	Control
NVD (NIST)	National Vulnerability Database	Hourly	`Config`
GitHub Security Advisories (GHSA)	GitHub ecosystem advisories	Real-time	`Config`
OSV	Open Source Vulnerabilities	Real-time	`Config`
Alpine SecDB	Alpine-specific advisories	Hourly	`Config`
Debian Tracker	Debian-specific advisories	Hourly	`Config`
RHEL/CentOS Errata	Red Hat security errata	Daily	`Config`
Ubuntu USN	Ubuntu Security Notices	Hourly	`Config`

Configuration:

# etc/concelier.yaml
concelier:
  sources:
    ghsa:
      apiToken: "${GITHUB_PAT}"
      pageSize: 50
    nvd:
      enabled: true
      apiKey: "${NVD_API_KEY}"

3.2 Vulnerability Enrichment (Enhanced)

Additional metadata added to detected vulnerabilities.

Feature	Description	Control
KEV (Known Exploited)	CISA Known Exploited Vulnerabilities flag	Automatic
EPSS	Exploit Prediction Scoring System percentile	Automatic
CVSS v4.0	CVSS 4.0 scoring with environmental metrics	Automatic
Exploit maturity	Proof of concept, weaponized, in-the-wild	Automatic

3.3 Backport Detection (Specialized)

Detect security patches backported by vendors.

Feature	Description	Control
Binary backport detection	Identify backported patches in binaries	`CLI`
Changelog evidence	Match changelogs to security fixes	Automatic
Vendor VEX integration	Apply vendor-provided VEX statements	`Config`

4. Output & Reporting

4.1 Output Formats (Base)

Standard output formats for scan results.

Format	Description	Control
Table (human-readable)	Formatted table output for terminal	`CLI --output table`
JSON	Machine-readable JSON output	`CLI --output json`
SARIF	Static Analysis Results Interchange Format	`CLI --output sarif`
CycloneDX VEX	CycloneDX VEX format	`CLI --output cdx-vex`
OpenVEX	OpenVEX format	`CLI --output openvex`

CLI Usage:

stella scan --image myapp:latest --output json > results.json
stella scan --image myapp:latest --output sarif > results.sarif

4.2 Filtering & Thresholds (Base)

Filter and threshold controls for scan results.

Feature	Description	Control
Severity filter	Filter by CRITICAL, HIGH, MEDIUM, LOW	`CLI --severity`
Fix available	Show only vulnerabilities with fixes	`CLI --fixable`
Exit codes	Configurable exit codes for CI/CD	`CLI`
Ignore file	.stellaignore for suppression	`Config`

CLI Usage:

stella scan --image myapp --severity HIGH,CRITICAL --fixable
stella scan --image myapp --exit-code-if-vuln 1

4.3 Export Center (Enhanced)

Batch export and report generation.

Feature	Description	Control
Scheduled exports	Export scan results on schedule	`Config` `UI`
Multiple formats	Export to JSON, CSV, PDF, Excel	`API`
Template-based reports	Customizable report templates	`Config`
Compliance reports	Pre-built compliance report templates	`UI`

Part II: Enhanced Analysis

5. SBOM Management

5.1 SBOM Generation (Base)

Generate Software Bill of Materials.

Format	Version	Description	Control
CycloneDX	1.7	Primary output format	`CLI --sbom-format cyclonedx`
CycloneDX	1.6	Backward compatible	`CLI --sbom-format cyclonedx-1.6`
SPDX	3.0.1	SPDX 3.0.1 format	`CLI --sbom-format spdx`
SPDX-JSON	2.3	SPDX JSON format	`CLI --sbom-format spdx-json`

CLI Usage:

stella scan --image myapp --sbom-out sbom.json --sbom-format cyclonedx

5.2 SBOM Ingestion (Base)

Import existing SBOMs.

Feature	Description	Control
Auto-format detection	Automatically detect SBOM format	Automatic
BYOS (Bring Your Own SBOM)	Scan using provided SBOM	`CLI --sbom`
Third-party SBOM	Import SBOMs from external sources	`API`
Validation	Validate SBOM structure and content	`CLI`

CLI Usage:

stella scan --sbom existing-sbom.json

5.3 SBOM Diff (Enhanced)

Compare SBOMs between versions.

Feature	Description	Control
Package diff	Show added/removed packages	`CLI`
Version diff	Show version changes	`CLI`
License diff	Show license changes	`CLI`
Semantic diff	Understand meaning of changes	`CLI`

CLI Usage:

stella compare sbom --a v1.0-sbom.json --b v2.0-sbom.json

5.4 SBOM Lineage Ledger (Enterprise)

Full version history and lineage tracking.

Feature	Description	Control
Version history	Full SBOM version history	`API` `UI`
Lineage tracking	Track SBOM across builds	`API`
Traversal queries	Query SBOM lineage	`API`
Audit trail	Complete audit trail	`UI`

6. VEX Processing

6.1 VEX Ingestion (Base)

Import VEX statements from multiple sources.

Format	Description	Control
OpenVEX	OpenVEX JSON format	`CLI` `API`
CycloneDX VEX	CycloneDX VEX format	`CLI` `API`
CSAF	Common Security Advisory Framework	`CLI` `API`

CLI Usage:

stella vex import --file vendor-vex.json

6.2 VEX Statuses (Base)

Standard VEX status types.

Status	Description	Policy Effect
`not_affected`	Component not affected by vulnerability	Suppresses finding
`affected`	Component is affected	Surfaces finding
`fixed`	Vulnerability has been fixed	Contextual
`under_investigation`	Investigation in progress	Marks as Unknown

6.3 VEX Consensus Engine (Enhanced)

K4 lattice logic for VEX consensus.

Feature	Description	Control
Multi-issuer consensus	Merge VEX from multiple issuers	`Config`
Trust weighting	Weight VEX by issuer trust level	`Config`
Conflict detection	Detect conflicting VEX statements	Automatic
K4 lattice logic	Belnap four-valued logic (Unknown, True, False, Conflict)	Automatic

K4 Lattice Values:

Unknown - No information available
True - Positive assertion (affected)
False - Negative assertion (not affected)
Conflict - Contradictory assertions

6.4 Issuer Directory (Enhanced)

Manage trusted VEX issuers.

Feature	Description	Control
Issuer registry	Register trusted VEX issuers	`Config` `UI`
Trust levels	Assign trust weights to issuers	`Config`
CSAF publisher discovery	Discover CSAF publishers	`Config`

7. Reachability Analysis

7.1 Static Reachability (Enhanced)

Determine if vulnerable code is reachable.

Feature	Description	Control
Call graph analysis	Build call graph from entrypoint	`CLI`
Reachable/Unreachable classification	Mark vulnerabilities by reachability	`CLI`
Path visualization	Show call paths to vulnerable code	`CLI`

CLI Usage:

stella scan --image myapp --reachability
stella graph show --cve CVE-2024-1234 --artifact sha256:abc...

7.2 Three-Layer Proofs (Specialized)

Multi-layer reachability validation.

Layer	What It Proves	Confidence
Static	Call graph shows path exists	Likely
Binary	Compiled binary contains symbol	Higher
Runtime	eBPF probe confirms execution	Confirmed

Confidence Tiers:

Confirmed - All three layers agree
Likely - Static + binary agree; no runtime
Present - Package present; no reachability evidence
Unreachable - Static analysis proves no path

7.3 Signed Reachability (Specialized)

Cryptographic binding for reachability proofs.

Feature	Description	Control
Graph-level DSSE	Sign entire reachability graph	`Config`
Edge-bundle attestation	Sign individual path edges	`Config`
Proof export	Export reachability proofs	`CLI`

8. Policy Engine

8.1 Policy Packs (Base)

Pre-built and custom policy configurations.

Feature	Description	Control
Built-in starter pack	Production-ready Day 1 policy	`CLI policy install starter-day1`
Custom policies	Define custom policy rules	`Config`
Policy validation	Validate policy YAML syntax	`CLI policy validate`

CLI Usage:

stella policy install starter-day1
stella policy validate --path ./my-policy.yaml
stella policy list-packs

8.2 Policy Rules (Base)

Define rules for vulnerability handling.

Rule Type	Description	Example
Severity block	Block by severity level	Block CRITICAL reachable
Reachability gate	Gate based on reachability	Allow unreachable HIGH
VEX bypass	Allow VEX-suppressed findings	Allow with VEX:not_affected
Unknowns budget	Set unknowns threshold	Fail if unknowns > 5%

Policy Example:

apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
  name: production-gates
spec:
  rules:
    - name: block-reachable-critical
      action: block
      severity: [CRITICAL]
      reachability: reachable
      message: "Reachable critical vulnerabilities must be fixed"
    - name: allow-unreachable
      action: allow
      reachability: unreachable

8.3 Policy Simulation (Enhanced)

Test policies before deployment.

Feature	Description	Control
Simulate against scan	Test policy against historical scan	`CLI policy simulate`
Diff policies	Compare two policy outcomes	`CLI policy simulate --diff`
Dry-run	Preview policy effects	`CLI`

CLI Usage:

stella policy simulate --policy ./new-policy.yaml --scan scan-id-123
stella policy simulate --policy ./new-policy.yaml --scan scan-id --diff ./old-policy.yaml

8.4 Policy Gates (Specialized)

Advanced policy evaluation gates.

Gate	Description	Control
Quality Gate	Block deploy based on thresholds	`Config`
Approval Gate	Require human approval	`Config` `UI`
Exception Gate	Manage temporary exceptions	`Config` `UI`
Stability Damping	Prevent gate flickering	`Config`

8.5 Policy Distribution (Enhanced)

Distribute policies across environments.

Feature	Description	Control
OCI registry push	Push policies to OCI registry	`CLI policy push`
OCI registry pull	Pull policies from registry	`CLI policy pull`
Offline bundle export	Export for air-gapped environments	`CLI policy export-bundle`
Environment overrides	Apply environment-specific overrides	`Config`

CLI Usage:

stella policy push --policy ./policy.yaml --to registry.io/policies/prod:1.0
stella policy pull --from registry.io/policies/prod:1.0 --output ./
stella policy export-bundle --policy ./policy.yaml --output bundle.tar.gz

Part III: Specialized Capabilities

9. Determinism & Reproducibility

9.1 Replay Manifests (Specialized)

Capture everything needed to reproduce a scan.

Feature	Description	Control
SRM generation	Generate Scan Replay Manifest	`CLI --srm-out`
Replay execution	Replay scan from manifest	`CLI replay`
Determinism verification	Verify replay matches original	`CLI replay verify`

CLI Usage:

# Generate replay manifest
stella scan --image myapp --srm-out manifest.yaml

# Replay later
stella replay --manifest manifest.yaml --assert-digest sha256:abc...

9.2 Knowledge Snapshots (Specialized)

Frozen point-in-time vulnerability knowledge.

Feature	Description	Control
Snapshot export	Export frozen knowledge state	`CLI airgap export`
Snapshot import	Import knowledge snapshot	`CLI airgap import`
Snapshot diff	Compare two snapshots	`CLI airgap diff`
Staleness tracking	Track snapshot age	`CLI airgap status`

CLI Usage:

stella airgap export --output knowledge-2024-01.tar.gz --sign
stella airgap import knowledge-2024-01.tar.gz --verify-only
stella airgap diff --base old.tar.gz --target new.tar.gz
stella airgap status

9.3 Verdict Replay (Specialized)

Replay policy decisions for audit.

Feature	Description	Control
Snapshot replay	Replay using knowledge snapshot	`CLI replay snapshot`
Verdict comparison	Compare replayed vs original verdict	`CLI`
Drift detection	Detect verdict drift	`CLI`

CLI Usage:

stella replay snapshot --verdict <id>
stella replay snapshot --artifact sha256:... --snapshot <snapshot-id>

10. Attestation & Signing

10.1 DSSE Attestation (Specialized)

in-toto DSSE attestations for evidence.

Feature	Description	Control
SBOM attestation	Sign SBOMs with DSSE	`CLI attest`
Verdict attestation	Sign policy verdicts	`CLI`
Evidence bundles	Create signed evidence bundles	`CLI`

10.2 Keyless Signing (Specialized)

Sigstore-compatible keyless signing.

Feature	Description	Control
Keyless sign	Sign using OIDC identity	`CLI sign keyless`
Rekor upload	Upload to transparency log	`CLI sign keyless --rekor`
Verify keyless	Verify keyless signatures	`CLI sign verify-keyless`
Self-hosted Sigstore	Use self-hosted Fulcio/Rekor	`Config`

CLI Usage:

stella sign keyless --input artifact.json --rekor
stella sign verify-keyless --input artifact.json --bundle artifact.sigstore

10.3 Regional Cryptography (Specialized)

Sovereign cryptography profiles.

Profile	Algorithms	Use Case	Control
FIPS-140-3	ECDSA P-256, RSA-PSS	US federal	`Config`
eIDAS	ETSI TS 119 312	EU qualified	`Config`
GOST-2012	GOST R 34.10-2012	Russian Federation	`Config`
SM2	GM/T 0003.2-2012	PRC	`Config`
PQC	Dilithium, Falcon	Post-quantum	`Config`

Configuration:

# etc/appsettings.crypto.yaml
cryptography:
  profile: "fips-140-3"
  algorithms:
    signing: "ES256"
    hashing: "SHA256"

11. Offline Operations

11.1 Offline Update Kits (Specialized)

Bundle everything for air-gapped environments.

Feature	Description	Control
Kit export	Export complete offline bundle	`CLI offline export`
Kit import	Import offline bundle	`CLI offline import`
Kit verification	Verify bundle integrity	`CLI`
Staleness policy	Configure max bundle age	`Config`

Configuration:

# etc/airgap.yaml
staleness:
  maxAgeHours: 168        # 7 days
  warnAgeHours: 72        # 3 days
  staleAction: block      # block or warn

import:
  verifySignature: true
  verifyMerkleRoot: true
  enforceMonotonicity: true

11.2 Mirror Services (Specialized)

Local mirrors for vulnerability feeds.

Feature	Description	Control
Feed mirror	Mirror advisory feeds locally	`Config`
Registry mirror	Mirror container registry	`Config`
Transparency mirror	Mirror Rekor transparency log	`Config`

11.3 Egress Control (Specialized)

Network access control for sealed mode.

Feature	Description	Control
Allowlist mode	Only allow specified hosts	`Config`
Denylist mode	Block specified hosts	`Config`
Localhost only	Fully sealed operation	`Config`

Configuration:

# etc/airgap.yaml
egressPolicy:
  mode: allowlist
  allowedHosts: []
  allowLocalhost: true

12. Risk Scoring

12.1 CVSS Scoring (Enhanced)

CVSS-based risk assessment.

Feature	Description	Control
CVSS v4.0	Full CVSS 4.0 support	Automatic
Environmental metrics	Apply environmental context	`Config`
Temporal metrics	Apply temporal context	Automatic
CVSS receipts	Signed CVSS calculations	`CLI`

CLI Usage:

stella cvss score --vuln CVE-2024-1234 --policy cvss-policy.json --vector "CVSS:4.0/..."
stella cvss show --receipt <receipt-id>

12.2 Risk Budgets (Enhanced)

Track risk across portfolios.

Feature	Description	Control
Risk budget definition	Define acceptable risk levels	`Config`
Budget tracking	Track consumption over time	`UI`
Budget alerts	Alert when budget exceeded	`Config`

12.3 Unknowns Tracking (Specialized)

Track and manage unknown components.

Feature	Description	Control
Unknown detection	Detect unidentified components	Automatic
Unknown classification	Hot/Warm/Cold/Resolved bands	Automatic
Decay tracking	Track uncertainty over time	Automatic
Budget enforcement	Fail if unknowns exceed threshold	`Config`

CLI Usage:

stella unknowns list
stella unknowns show --id <unknown-id>

Part IV: Platform Features

13. Authentication & Authorization

13.1 Authentication Methods (Base)

User and service authentication.

Method	Description	Control
OAuth 2.0	Authorization code flow	`Config`
Client credentials	Service-to-service auth	`Config`
DPoP	Demonstrating Proof of Possession	`Config`
mTLS	Mutual TLS authentication	`Config`

Configuration:

# etc/authority.yaml
clients:
  - clientId: "scanner-service"
    grantTypes: ["client_credentials"]
    scopes: ["scan:read", "scan:write"]
    senderConstraint: "dpop"

13.2 Role-Based Access (Base)

Predefined roles and permissions.

Role	Permissions
policy-author	Create and edit policies
policy-reviewer	Review policy changes
policy-approver	Approve policy promotion
export-viewer	View export results
export-operator	Trigger exports
airgap-operator	Import/export offline kits

13.3 Service Accounts (Enhanced)

Automated service identities.

Feature	Description	Control
Service accounts	Define service identities	`Config`
Delegated tokens	Issue delegated access tokens	`Config`
ABAC attributes	Attribute-based access control	`Config`

14. Deployment & Operations

14.1 Deployment Options (Base)

Platform deployment configurations.

Option	Description
Docker Compose	Single-node development/test
Kubernetes/Helm	Production Kubernetes deployment
Air-gapped	Fully offline deployment
Multi-tenant	Isolated tenant deployments

14.2 Storage (Base)

Data storage options.

Backend	Use Case	Control
PostgreSQL	Primary data store (16+)	`Config`
Valkey/Redis	Caching and rate limiting	`Config`

Configuration:

# etc/concelier.yaml
storage:
  driver: postgres
  connectionString: "Host=postgres;Database=stellaops..."
  maxPoolSize: 100
  autoMigrate: false

14.3 Scaling (Enterprise)

Horizontal scaling options.

Feature	Description	Control
Worker pools	Scale scan workers	`Config`
Queue sharding	Distribute work across queues	`Config`
Read replicas	Scale read operations	`Config`

15. Integrations

15.1 CI/CD Integration (Base)

Integrate with CI/CD pipelines.

Feature	Description	Control
Exit codes	Configurable exit codes	`CLI`
SARIF output	GitHub/GitLab SARIF integration	`CLI --output sarif`
CI templates	GitHub Actions, GitLab CI templates	`CLI ci generate`

CLI Usage:

stella ci generate --platform github > .github/workflows/scan.yml
stella ci generate --platform gitlab > .gitlab-ci.yml

15.2 Registry Webhooks (Enhanced)

React to registry events.

Feature	Description	Control
Push webhook	Trigger scan on image push	`Config`
Admission control	Block deployment on failure	`Config`

15.3 Notifications (Enhanced)

Alert and notification channels.

Channel	Description	Control
Slack	Slack webhook integration	`Config`
Microsoft Teams	Teams webhook integration	`Config`
Email	SMTP email notifications	`Config`
Webhooks	Generic webhook integration	`Config`
PagerDuty	PagerDuty incident integration	`Config`

16. Observability

16.1 Telemetry (Base)

OpenTelemetry-based observability.

Feature	Description	Control
Structured logging	JSON structured logs	`Config`
Tracing	Distributed tracing via OTLP	`Config`
Metrics	Prometheus-compatible metrics	`Config`

Configuration:

# etc/concelier.yaml
telemetry:
  enabled: true
  enableTracing: true
  enableMetrics: true
  otlpEndpoint: "http://otel-collector:4317"
  serviceName: "stellaops-scanner"

16.2 Timeline Indexer (Enhanced)

Historical event tracking.

Feature	Description	Control
Event indexing	Index security events	Automatic
Timeline queries	Query event history	`API` `UI`
Audit trail	Complete audit log	`UI`

16.3 Evidence Locker (Specialized)

Sealed evidence storage.

Feature	Description	Control
Evidence sealing	Create tamper-evident evidence	`API`
Legal hold	Apply legal holds to evidence	`API` `UI`
Retention policies	Configure retention periods	`Config`

Appendices

Appendix A: CLI Command Reference

Top-Level Commands

Command	Description
`stella scan`	Scan container images for vulnerabilities
`stella replay`	Replay scans from manifests
`stella policy`	Policy management commands
`stella airgap`	Air-gap operations
`stella sign`	Signing operations
`stella verify`	Verification operations
`stella vex`	VEX management
`stella graph`	Reachability graph operations
`stella compare`	Comparison operations
`stella ci`	CI/CD integration
`stella unknowns`	Unknown component tracking
`stella cvss`	CVSS scoring operations

Scan Command Options

stella scan [options]
  --image <reference>      Container image to scan
  --sbom <path>            Use existing SBOM instead of image
  --rootfs <path>          Scan extracted filesystem
  --output <format>        Output format: table, json, sarif, cyclonedx
  --severity <levels>      Filter by severity: CRITICAL,HIGH,MEDIUM,LOW
  --fixable                Show only vulnerabilities with fixes
  --reachability           Enable reachability analysis
  --sbom-out <path>        Export SBOM to file
  --srm-out <path>         Export replay manifest
  --exit-code-if-vuln <n>  Exit code when vulnerabilities found

Policy Command Options

stella policy <subcommand> [options]
  validate --path <file>   Validate policy YAML
  install <pack>           Install policy pack
  list-packs              List available policy packs
  simulate --policy <path> --scan <id>  Simulate policy
  push --policy <path> --to <ref>       Push to OCI registry
  pull --from <ref>        Pull from OCI registry
  export-bundle --policy <path> --output <file>
  import-bundle --bundle <file>

Air-Gap Command Options

stella airgap <subcommand> [options]
  export --output <path>   Export knowledge snapshot
    --include-advisories   Include advisory feeds
    --include-vex          Include VEX statements
    --include-policies     Include policy bundles
    --sign                 Sign the manifest
  import <bundle>          Import knowledge snapshot
    --verify-only          Verify without applying
    --force                Force import despite staleness
  diff --base <a> --target <b>  Compare snapshots
  status                   Show staleness status

Appendix B: Configuration Reference

Configuration Files

File	Purpose
`etc/concelier.yaml`	Advisory ingestion configuration
`etc/authority.yaml`	Authentication and authorization
`etc/airgap.yaml`	Air-gap operations
`etc/scanner.yaml`	Scanner configuration
`etc/appsettings.crypto.*.yaml`	Cryptography profiles

Environment Variables

Variable	Description
`STELLAOPS_BACKEND_URL`	Backend API URL
`GITHUB_PAT`	GitHub Personal Access Token for GHSA
`NVD_API_KEY`	NVD API key for enhanced rate limits
`STELLAOPS_KMS_PASSPHRASE`	KMS key passphrase

Appendix C: API Reference

REST API Endpoints

Endpoint	Method	Description
`/api/v1/scans`	POST	Trigger new scan
`/api/v1/scans/{id}`	GET	Get scan results
`/api/v1/sboms`	POST	Import SBOM
`/api/v1/sboms/{id}`	GET	Get SBOM
`/api/v1/vex`	POST	Import VEX statement
`/api/v1/policies`	POST	Create policy
`/api/v1/policies/{id}/evaluate`	POST	Evaluate policy
`/api/v1/evidence`	POST	Create evidence bundle

API Authentication

All API requests require authentication via:

Bearer token (OAuth 2.0 access token)
DPoP proof header for high-security operations
mTLS client certificate for service-to-service

Version Information

Component	Version
Document Version	2.0.0
Last Updated	2026-01-04
Platform Version	2026.01

For the latest information, see the online documentation at https://docs.stella-ops.org

32 KiB Raw Blame History

Full Features List - Stella Ops

How to Read This Document

Table of Contents

Part I: Foundational Capabilities

Part II: Enhanced Analysis

Part III: Specialized Capabilities

Part IV: Platform Features

Appendices

Part I: Foundational Capabilities

1. Container Scanning

1.1 Image Scanning (Base)

1.2 Registry Integration (Base)

1.3 Layer Analysis (Enhanced)

1.4 Scan Performance (Enhanced)

2. Package Detection

2.1 OS Packages (Base)

2.2 Language Ecosystems (Base)

2.3 Advanced Detection (Enhanced)

3. Vulnerability Detection

3.1 Advisory Sources (Base)

3.2 Vulnerability Enrichment (Enhanced)

3.3 Backport Detection (Specialized)

4. Output & Reporting

4.1 Output Formats (Base)

4.2 Filtering & Thresholds (Base)

4.3 Export Center (Enhanced)

Part II: Enhanced Analysis

5. SBOM Management

5.1 SBOM Generation (Base)

5.2 SBOM Ingestion (Base)

5.3 SBOM Diff (Enhanced)

5.4 SBOM Lineage Ledger (Enterprise)

6. VEX Processing

6.1 VEX Ingestion (Base)

6.2 VEX Statuses (Base)

6.3 VEX Consensus Engine (Enhanced)

6.4 Issuer Directory (Enhanced)

7. Reachability Analysis

7.1 Static Reachability (Enhanced)

7.2 Three-Layer Proofs (Specialized)

7.3 Signed Reachability (Specialized)

8. Policy Engine

8.1 Policy Packs (Base)

8.2 Policy Rules (Base)

8.3 Policy Simulation (Enhanced)

8.4 Policy Gates (Specialized)

8.5 Policy Distribution (Enhanced)

Part III: Specialized Capabilities

9. Determinism & Reproducibility

9.1 Replay Manifests (Specialized)

9.2 Knowledge Snapshots (Specialized)

9.3 Verdict Replay (Specialized)

10. Attestation & Signing

10.1 DSSE Attestation (Specialized)

10.2 Keyless Signing (Specialized)

10.3 Regional Cryptography (Specialized)

11. Offline Operations

11.1 Offline Update Kits (Specialized)

11.2 Mirror Services (Specialized)

11.3 Egress Control (Specialized)

12. Risk Scoring

12.1 CVSS Scoring (Enhanced)

12.2 Risk Budgets (Enhanced)

12.3 Unknowns Tracking (Specialized)

Part IV: Platform Features

13. Authentication & Authorization

13.1 Authentication Methods (Base)

13.2 Role-Based Access (Base)

13.3 Service Accounts (Enhanced)

14. Deployment & Operations

14.1 Deployment Options (Base)

14.2 Storage (Base)

14.3 Scaling (Enterprise)

15. Integrations

15.1 CI/CD Integration (Base)

15.2 Registry Webhooks (Enhanced)

15.3 Notifications (Enhanced)

16. Observability

16.1 Telemetry (Base)

32 KiB

Raw Blame History