49 KiB
49 KiB
Stella Ops - Complete Features Catalog
Comprehensive table of every capability in the platform.
For competitive differentiation highlights, see
key-features.md. For tier-based pricing details, seeFEATURE_MATRIX.md.
Legend
| Symbol | Meaning |
|---|---|
| Y | Available |
| - | Not available |
| Limited | Partial functionality |
| Coming | Planned feature |
Tiers: Free (F), Community (C), Enterprise (E)
Table of Contents
- Container & Image Scanning
- Package Detection - Operating Systems
- Package Detection - Language Ecosystems
- Vulnerability Data Sources
- Vulnerability Enrichment
- SBOM Capabilities
- Output Formats
- Filtering & Thresholds
- VEX Processing
- Reachability Analysis
- Secrets Detection
- Policy Engine
- Policy Gates
- Risk Scoring
- Comparison & Diff
- Deterministic Replay
- Attestation & Signing
- Cryptography Profiles
- Offline & Air-Gap
- Verification
- Authentication
- Authorization & Access Control
- Evidence Management
- Observability
- Notifications
- CI/CD Integration
- Registry Integration
- Deployment Options
- Storage & Infrastructure
- Web UI Features
1. Container & Image Scanning
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Scan image by tag | Scan container image using registry tag | stella scan --image registry/app:tag |
Y | Y | Y |
| Scan image by digest | Scan container image using content-addressable digest | stella scan --image registry/app@sha256:... |
Y | Y | Y |
| Scan local Docker image | Scan image from local Docker daemon | stella scan --image myapp:local |
Y | Y | Y |
| Scan filesystem | Scan extracted container rootfs directory | stella scan --rootfs /path/to/rootfs |
Y | Y | Y |
| Scan tar archive | Scan container image from .tar.gz archive | stella scan --archive image.tar.gz |
Y | Y | Y |
| Layer-by-layer analysis | Analyze each container layer separately | Automatic during scan | Y | Y | Y |
| Base image detection | Identify the base image used | Automatic during scan | Y | Y | Y |
| Base image separation | Separate base image vulns from app vulns | --show-layers flag |
Y | Y | Y |
| Delta-SBOM caching | Cache layer SBOMs for faster warm scans | Configure in scanner.yaml |
- | Y | Y |
| Sub-second warm scans | Achieve <1s scan times for cached images | Automatic with caching | - | Y | Y |
| Concurrent scan workers | Run multiple scans in parallel | Configure scanner.workers |
1 | 3 | Unlimited |
| Scan queue management | Queue and prioritize scan jobs | Configure in scheduler.yaml |
- | Y | Y |
| Scan timeout control | Set maximum scan duration | --timeout 300 |
Y | Y | Y |
| Scan retry on failure | Automatically retry failed scans | Configure in scanner.yaml |
- | Y | Y |
2. Package Detection - Operating Systems
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Alpine APK packages | Detect packages from Alpine Linux | Automatic | Y | Y | Y |
| Debian dpkg packages | Detect packages from Debian/Ubuntu | Automatic | Y | Y | Y |
| Ubuntu packages | Detect packages from Ubuntu | Automatic | Y | Y | Y |
| RHEL RPM packages | Detect packages from Red Hat Enterprise Linux | Automatic | Y | Y | Y |
| CentOS RPM packages | Detect packages from CentOS | Automatic | Y | Y | Y |
| Fedora RPM packages | Detect packages from Fedora | Automatic | Y | Y | Y |
| Rocky Linux packages | Detect packages from Rocky Linux | Automatic | Y | Y | Y |
| AlmaLinux packages | Detect packages from AlmaLinux | Automatic | Y | Y | Y |
| Oracle Linux packages | Detect packages from Oracle Linux | Automatic | Y | Y | Y |
| Amazon Linux packages | Detect packages from Amazon Linux | Automatic | Y | Y | Y |
| SUSE zypper packages | Detect packages from SUSE/openSUSE | Automatic | Y | Y | Y |
| Arch Linux pacman | Detect packages from Arch Linux | Automatic | Y | Y | Y |
| Photon OS packages | Detect packages from VMware Photon OS | Automatic | Y | Y | Y |
| CBL-Mariner packages | Detect packages from Microsoft CBL-Mariner | Automatic | Y | Y | Y |
| Wolfi packages | Detect packages from Wolfi | Automatic | Y | Y | Y |
| Chainguard packages | Detect packages from Chainguard images | Automatic | Y | Y | Y |
3. Package Detection - Language Ecosystems
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| npm packages | Detect Node.js npm packages | Automatic from package-lock.json | Y | Y | Y |
| yarn packages | Detect Node.js yarn packages | Automatic from yarn.lock | Y | Y | Y |
| pnpm packages | Detect Node.js pnpm packages | Automatic from pnpm-lock.yaml | Y | Y | Y |
| Python pip packages | Detect pip packages | Automatic from requirements.txt | Y | Y | Y |
| Python poetry packages | Detect poetry packages | Automatic from poetry.lock | Y | Y | Y |
| Python pipenv packages | Detect pipenv packages | Automatic from Pipfile.lock | Y | Y | Y |
| Python conda packages | Detect conda packages | Automatic from conda-lock.yml | Y | Y | Y |
| Java Maven dependencies | Detect Maven dependencies | Automatic from pom.xml | Y | Y | Y |
| Java Gradle dependencies | Detect Gradle dependencies | Automatic from build.gradle | Y | Y | Y |
| Java JAR analysis | Analyze embedded JARs for dependencies | Automatic | Y | Y | Y |
| Java WAR/EAR analysis | Analyze web archives for dependencies | Automatic | Y | Y | Y |
| Go modules | Detect Go module dependencies | Automatic from go.mod, go.sum | Y | Y | Y |
| .NET NuGet packages | Detect NuGet packages | Automatic from *.csproj, packages.config | Y | Y | Y |
| .NET deps.json analysis | Analyze .NET deps.json files | Automatic | Y | Y | Y |
| Ruby Bundler gems | Detect Ruby gems | Automatic from Gemfile.lock | Y | Y | Y |
| Rust Cargo crates | Detect Rust crates | Automatic from Cargo.lock | Y | Y | Y |
| PHP Composer packages | Detect Composer packages | Automatic from composer.lock | Y | Y | Y |
| Bun packages | Detect Bun packages | Automatic from bun.lockb | Y | Y | Y |
| Deno imports | Detect Deno imports | Automatic from deno.json, import_map.json | Y | Y | Y |
| Swift packages | Detect Swift Package Manager packages | Automatic from Package.resolved | Y | Y | Y |
| Conan packages | Detect C/C++ Conan packages | Automatic from conanfile.txt | Y | Y | Y |
| vcpkg packages | Detect C/C++ vcpkg packages | Automatic from vcpkg.json | Y | Y | Y |
| Hex packages | Detect Elixir Hex packages | Automatic from mix.lock | Y | Y | Y |
| Pub packages | Detect Dart/Flutter packages | Automatic from pubspec.lock | Y | Y | Y |
| Transitive dependencies | Map complete dependency tree | Automatic | Y | Y | Y |
| Dependency path tracking | Show how each dependency was introduced | In scan output | Y | Y | Y |
| License detection | Identify package licenses | Automatic, show with --licenses |
Y | Y | Y |
| Binary fingerprinting | Identify packages from compiled binaries | --binary-analysis |
- | Y | Y |
| Symbol extraction | Extract symbol tables from binaries | Automatic with binary analysis | - | Y | Y |
4. Vulnerability Data Sources
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| NVD (NIST) | National Vulnerability Database | Configure in concelier.yaml |
Y | Y | Y |
| GitHub Security Advisories | GHSA ecosystem advisories | Configure with GITHUB_PAT |
Y | Y | Y |
| OSV database | Open Source Vulnerabilities | Automatic | Y | Y | Y |
| Alpine SecDB | Alpine Linux security database | Automatic | Y | Y | Y |
| Debian Security Tracker | Debian vulnerability tracker | Automatic | Y | Y | Y |
| Ubuntu USN | Ubuntu Security Notices | Automatic | Y | Y | Y |
| Red Hat OVAL | Red Hat security data | Automatic | Y | Y | Y |
| Red Hat Security Errata | RHEL security errata | Automatic | Y | Y | Y |
| SUSE OVAL | SUSE security data | Automatic | Y | Y | Y |
| Amazon Linux Security | Amazon Linux advisories | Automatic | Y | Y | Y |
| Oracle Linux OVAL | Oracle Linux security data | Automatic | Y | Y | Y |
| Photon Security Advisories | VMware Photon advisories | Automatic | Y | Y | Y |
| Wolfi Security Advisories | Wolfi security data | Automatic | Y | Y | Y |
| CISA KEV | Known Exploited Vulnerabilities catalog | Automatic | Y | Y | Y |
| Custom advisory feeds | Import custom advisory sources | Configure in concelier.yaml |
- | Y | Y |
| Advisory feed scheduling | Configure update frequency | Configure in concelier.yaml |
- | Y | Y |
| Advisory feed mirroring | Mirror feeds locally | Configure Mirror service | - | - | Y |
5. Vulnerability Enrichment
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| CVSS v2.0 scores | Include CVSS 2.0 base scores | Automatic | Y | Y | Y |
| CVSS v3.0 scores | Include CVSS 3.0 base scores | Automatic | Y | Y | Y |
| CVSS v3.1 scores | Include CVSS 3.1 base scores | Automatic | Y | Y | Y |
| CVSS v4.0 scores | Include CVSS 4.0 base scores | Automatic | Y | Y | Y |
| CVSS environmental metrics | Apply environmental context | Configure CVSS policy | - | Y | Y |
| CVSS temporal metrics | Apply temporal context | Automatic from feed data | Y | Y | Y |
| KEV flagging | Flag Known Exploited Vulnerabilities | Automatic | Y | Y | Y |
| EPSS scores | Exploit Prediction Scoring System | Automatic | Y | Y | Y |
| EPSS percentile | Show EPSS percentile ranking | Automatic | Y | Y | Y |
| Exploit maturity | Show exploit availability status | Automatic | Y | Y | Y |
| Proof of concept available | Flag when PoC exists | Automatic | Y | Y | Y |
| Weaponized exploit | Flag weaponized exploits | Automatic | Y | Y | Y |
| In-the-wild exploitation | Flag active exploitation | Automatic from KEV + feeds | Y | Y | Y |
| Fix available | Show if fix version exists | Automatic | Y | Y | Y |
| Fix version | Show the version that fixes the vuln | Automatic | Y | Y | Y |
| Vendor advisory links | Link to vendor advisories | Automatic | Y | Y | Y |
| CWE mapping | Map to CWE weakness types | Automatic | Y | Y | Y |
| CAPEC mapping | Map to CAPEC attack patterns | Automatic | - | Y | Y |
6. SBOM Capabilities
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| CycloneDX 1.7 generation | Generate CycloneDX 1.7 SBOMs | --sbom-out sbom.json --sbom-format cyclonedx |
Y | Y | Y |
| CycloneDX 1.6 generation | Generate CycloneDX 1.6 SBOMs | --sbom-format cyclonedx-1.6 |
Y | Y | Y |
| CycloneDX 1.5 generation | Generate CycloneDX 1.5 SBOMs | --sbom-format cyclonedx-1.5 |
Y | Y | Y |
| SPDX 3.0.1 generation | Generate SPDX 3.0.1 SBOMs | --sbom-format spdx |
Y | Y | Y |
| SPDX 2.3 generation | Generate SPDX 2.3 SBOMs | --sbom-format spdx-2.3 |
Y | Y | Y |
| SPDX-JSON generation | Generate SPDX JSON format | --sbom-format spdx-json |
Y | Y | Y |
| SBOM auto-format detection | Detect format of imported SBOMs | Automatic | Y | Y | Y |
| SBOM import (CycloneDX) | Import CycloneDX SBOMs | stella scan --sbom file.json |
Y | Y | Y |
| SBOM import (SPDX) | Import SPDX SBOMs | stella scan --sbom file.spdx |
Y | Y | Y |
| SBOM import (Trivy JSON) | Import Trivy JSON format | stella scan --sbom trivy.json |
Y | Y | Y |
| SBOM validation | Validate SBOM structure | Automatic on import | Y | Y | Y |
| SBOM normalization | Normalize imported SBOMs | Automatic | Y | Y | Y |
| SBOM deduplication | Deduplicate SBOM components | Automatic | Y | Y | Y |
| SBOM storage | Store SBOMs in central repository | Automatic via SbomService | - | Y | Y |
| SBOM versioning | Track SBOM versions over time | Via SbomService API | - | Y | Y |
| SBOM lineage tracking | Track SBOM lineage across builds | Via Lineage API | - | - | Y |
| SBOM traversal queries | Query SBOM history and relationships | Via Lineage API | - | - | Y |
| SBOM retention policies | Configure SBOM retention periods | Configure in sbom-service.yaml |
- | Y | Y |
7. Output Formats
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Table output | Human-readable table format | --output table (default) |
Y | Y | Y |
| JSON output | Machine-readable JSON | --output json |
Y | Y | Y |
| SARIF output | Static Analysis Results Format | --output sarif |
Y | Y | Y |
| CycloneDX VEX output | CycloneDX VEX format | --output cdx-vex |
Y | Y | Y |
| OpenVEX output | OpenVEX format | --output openvex |
Y | Y | Y |
| CSV output | Comma-separated values | --output csv |
Y | Y | Y |
| Markdown output | Markdown formatted report | --output markdown |
Y | Y | Y |
| HTML output | HTML formatted report | --output html |
- | Y | Y |
| PDF output | PDF formatted report | Via Export Center | - | - | Y |
| Excel output | Excel spreadsheet format | Via Export Center | - | - | Y |
| Template-based output | Custom output templates | Configure templates | - | - | Y |
| Output to file | Write output to file | --output-file results.json |
Y | Y | Y |
| Output to stdout | Write output to stdout | Default behavior | Y | Y | Y |
| Quiet mode | Suppress non-essential output | --quiet |
Y | Y | Y |
| Verbose mode | Show detailed output | --verbose |
Y | Y | Y |
8. Filtering & Thresholds
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Filter by severity | Show only specific severity levels | --severity CRITICAL,HIGH |
Y | Y | Y |
| Minimum severity | Set minimum severity threshold | --min-severity HIGH |
Y | Y | Y |
| Fixable only | Show only vulns with available fixes | --fixable |
Y | Y | Y |
| Unfixed only | Show only vulns without fixes | --unfixed |
Y | Y | Y |
| Filter by package | Filter by package name pattern | --package "log4j*" |
Y | Y | Y |
| Filter by CVE | Filter by CVE ID pattern | --cve "CVE-2024-*" |
Y | Y | Y |
| Filter by CWE | Filter by CWE category | --cwe CWE-79 |
Y | Y | Y |
| Filter by ecosystem | Filter by package ecosystem | --ecosystem npm,maven |
Y | Y | Y |
| Ignore file support | Suppress findings via .stellaignore | Create .stellaignore file |
Y | Y | Y |
| Ignore by CVE | Ignore specific CVEs | Add to .stellaignore |
Y | Y | Y |
| Ignore by package | Ignore specific packages | Add to .stellaignore |
Y | Y | Y |
| Ignore with expiration | Time-limited ignores | Add expiry in .stellaignore |
- | Y | Y |
| Ignore with justification | Document ignore reasons | Add reason in .stellaignore |
Y | Y | Y |
| Exit code on vulns | Return non-zero exit code | --exit-code-if-vuln 1 |
Y | Y | Y |
| Exit code thresholds | Exit code based on severity count | --exit-code-if-critical 2 |
Y | Y | Y |
| Fail on unknowns | Fail when unknowns exceed threshold | --fail-on-unknowns 5% |
- | Y | Y |
9. VEX Processing
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| OpenVEX ingestion | Import OpenVEX documents | stella vex import --file vex.json |
Y | Y | Y |
| CycloneDX VEX ingestion | Import CycloneDX VEX documents | stella vex import --file cdx-vex.json |
Y | Y | Y |
| CSAF ingestion | Import CSAF advisories | stella vex import --file csaf.json |
Y | Y | Y |
| VEX auto-detection | Detect VEX format automatically | Automatic on import | Y | Y | Y |
| VEX validation | Validate VEX document structure | Automatic on import | Y | Y | Y |
| VEX status: not_affected | Apply not_affected status | Suppresses finding | Y | Y | Y |
| VEX status: affected | Apply affected status | Surfaces finding | Y | Y | Y |
| VEX status: fixed | Apply fixed status | Adds fix context | Y | Y | Y |
| VEX status: under_investigation | Apply investigation status | Marks as Unknown | Y | Y | Y |
| VEX justification tracking | Track VEX justifications | Automatic | Y | Y | Y |
| VEX impact statement | Include impact statements | Automatic | Y | Y | Y |
| VEX action statement | Include action statements | Automatic | Y | Y | Y |
| Multi-issuer VEX | Ingest VEX from multiple issuers | Multiple imports | - | Y | Y |
| VEX issuer trust levels | Assign trust weights to issuers | Configure Issuer Directory | - | Y | Y |
| VEX consensus engine | Compute consensus from multiple VEX | Automatic via VexLens | - | - | Y |
| K4 lattice logic | Use four-valued logic for consensus | Automatic | - | - | Y |
| VEX conflict detection | Detect conflicting VEX statements | Automatic | - | - | Y |
| VEX conflict surfacing | Surface conflicts in output | Automatic | - | - | Y |
| Issuer Directory | Manage trusted VEX issuers | Configure in issuer-directory.yaml |
- | Y | Y |
| CSAF publisher discovery | Discover CSAF publishers | Configure discovery | - | - | Y |
| VEX export | Export VEX from scan results | stella vex export --scan <id> |
Y | Y | Y |
| VEX generation | Generate VEX for findings | stella vex generate |
- | Y | Y |
10. Reachability Analysis
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Static reachability | Determine code reachability via static analysis | stella scan --reachability |
- | Y | Y |
| Call graph building | Build call graph from entry points | Automatic with reachability | - | Y | Y |
| Entry point detection | Detect application entry points | Automatic | - | Y | Y |
| Reachable classification | Mark vulns as REACHABLE | In scan output | - | Y | Y |
| Unreachable classification | Mark vulns as UNREACHABLE | In scan output | - | Y | Y |
| Unknown reachability | Mark vulns with unknown reachability | In scan output | - | Y | Y |
| Call path visualization | View call paths to vulnerable code | stella graph show --cve <id> |
- | Y | Y |
| Call path export | Export call paths | stella graph export |
- | Y | Y |
| Binary layer analysis | Analyze compiled binaries for symbols | Automatic | - | - | Y |
| Symbol presence verification | Verify vulnerable symbols exist | Automatic | - | - | Y |
| Runtime layer analysis | Confirm execution via eBPF probes | Configure runtime signals | - | - | Y |
| Three-layer proofs | Combine static + binary + runtime | Automatic when all available | - | - | Y |
| Confidence tier: Confirmed | All three layers agree | Automatic | - | - | Y |
| Confidence tier: Likely | Static + binary agree | Automatic | - | - | Y |
| Confidence tier: Present | Package present, no path evidence | Automatic | - | Y | Y |
| Signed reachability graphs | Sign reachability graphs with DSSE | Configure in attestor.yaml |
- | - | Y |
| Edge-bundle attestation | Sign individual path edges | Configure in attestor.yaml |
- | - | Y |
| Reachability proof export | Export reachability proofs | stella graph export --proof |
- | - | Y |
11. Secrets Detection
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Credential leak detection | Scan for accidentally committed secrets | stella scan --secrets |
Coming | Coming | Coming |
| AWS access key detection | Detect AWS access keys | Automatic with secrets scan | Coming | Coming | Coming |
| AWS secret key detection | Detect AWS secret access keys | Automatic | Coming | Coming | Coming |
| GitHub token detection | Detect GitHub personal access tokens | Automatic | Coming | Coming | Coming |
| GitLab token detection | Detect GitLab tokens | Automatic | Coming | Coming | Coming |
| Private key detection | Detect private keys (RSA, EC, etc.) | Automatic | Coming | Coming | Coming |
| Database credential detection | Detect database connection strings | Automatic | Coming | Coming | Coming |
| API key detection | Detect common API keys | Automatic | Coming | Coming | Coming |
| JWT secret detection | Detect JWT signing secrets | Automatic | Coming | Coming | Coming |
| Generic high-entropy strings | Detect high-entropy secrets | Automatic | Coming | Coming | Coming |
| Rule bundle management | Manage detection rule bundles | stella secrets bundle |
Coming | Coming | Coming |
| Built-in rule bundles | Use shipped rule bundles | Automatic | Coming | Coming | Coming |
| Custom rule bundles | Create custom rule bundles | stella secrets bundle create |
Coming | - | Coming |
| Rule bundle signing | Sign rule bundles | stella secrets bundle create --sign |
Coming | - | Coming |
| Rule bundle verification | Verify rule bundle integrity | stella secrets bundle verify |
Coming | Coming | Coming |
| Masked output | Mask detected secrets in output | Automatic | Coming | Coming | Coming |
| Secret location reporting | Report file and line of secrets | In scan output | Coming | Coming | Coming |
| Secrets in policy | Use secrets findings in policy rules | secret.hasFinding() predicate |
Coming | - | Coming |
| Secrets severity levels | Assign severity to secret types | In rule definitions | Coming | Coming | Coming |
| Secrets confidence levels | Assign confidence to detections | In rule definitions | Coming | Coming | Coming |
12. Policy Engine
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Policy pack support | Define policies as reusable packs | Create policy YAML files | Y | Y | Y |
| Starter-day1 pack | Production-ready starter policy | stella policy install starter-day1 |
Y | Y | Y |
| Custom policy creation | Create custom policy packs | Write policy YAML | Y | Y | Y |
| Policy validation | Validate policy syntax | stella policy validate --path policy.yaml |
Y | Y | Y |
| Severity-based rules | Block/warn based on severity | Define severity rules | Y | Y | Y |
| Reachability-based rules | Block/warn based on reachability | Define reachability rules | - | Y | Y |
| VEX-based rules | Allow VEX-suppressed findings | Define VEX bypass rules | Y | Y | Y |
| CVSS-based rules | Rules based on CVSS scores | Define CVSS threshold rules | Y | Y | Y |
| EPSS-based rules | Rules based on EPSS scores | Define EPSS threshold rules | - | Y | Y |
| KEV-based rules | Block KEV vulnerabilities | Define KEV rules | Y | Y | Y |
| Package-based rules | Rules for specific packages | Define package rules | Y | Y | Y |
| Ecosystem-based rules | Rules for specific ecosystems | Define ecosystem rules | Y | Y | Y |
| Age-based rules | Rules based on CVE age | Define age threshold rules | - | Y | Y |
| Fix-available rules | Rules requiring fixes to exist | Define fix-required rules | Y | Y | Y |
| Unknowns budget | Fail when unknowns exceed threshold | unknownsBudget: 5% |
- | Y | Y |
| Policy simulation | Test policy against historical scans | stella policy simulate |
- | Y | Y |
| Policy diff | Compare two policy outcomes | stella policy simulate --diff |
- | Y | Y |
| Policy dry-run | Preview policy effects | --dry-run flag |
- | Y | Y |
| Policy push to OCI | Push policies to OCI registry | stella policy push --to registry/policy:v1 |
- | Y | Y |
| Policy pull from OCI | Pull policies from OCI registry | stella policy pull --from registry/policy:v1 |
- | Y | Y |
| Policy list packs | List available policy packs | stella policy list-packs |
Y | Y | Y |
| Policy export bundle | Export policy for offline use | stella policy export-bundle |
- | - | Y |
| Policy import bundle | Import offline policy bundle | stella policy import-bundle |
- | - | Y |
| Policy inheritance | Inherit from base policies | Define extends in policy |
- | Y | Y |
| Policy overrides | Override inherited rules | Define overrides | - | Y | Y |
| Environment-specific policies | Different policies per environment | Define env-specific rules | - | Y | Y |
13. Policy Gates
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Quality gate | Block/warn based on thresholds | Configure quality gate rules | Y | Y | Y |
| Approval gate | Require human approval | Configure approval workflows | - | - | Y |
| Exception gate | Manage temporary exceptions | Request exceptions via UI/API | - | - | Y |
| Exception expiration | Auto-expire exceptions | Set expiration in exception | - | - | Y |
| Exception justification | Require justification for exceptions | Mandatory field | - | - | Y |
| Exception approval routing | Route to appropriate approvers | Configure routing templates | - | - | Y |
| Stability damping | Prevent gate flickering | Configure StabilityDampingGate |
- | - | Y |
| Progressive rollout | Gradual policy enforcement | Configure rollout percentage | - | - | Y |
| Gate bypass for emergencies | Emergency bypass mechanism | Requires elevated permissions | - | - | Y |
| Gate audit trail | Log all gate decisions | Automatic | - | Y | Y |
14. Risk Scoring
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| CVSS 4.0 base scoring | Calculate CVSS 4.0 base scores | Automatic | Y | Y | Y |
| CVSS environmental scoring | Apply environmental metrics | Configure CVSS policy | - | Y | Y |
| Custom risk scoring | Define custom scoring formulas | Configure in policy | - | - | Y |
| Risk budget definition | Define acceptable risk levels | Configure risk budgets | - | - | Y |
| Risk budget tracking | Track budget consumption | View in UI/API | - | - | Y |
| Risk budget alerts | Alert on budget thresholds | Configure alert thresholds | - | - | Y |
| Unknowns tracking | Track unidentified components | stella unknowns list |
- | Y | Y |
| Unknowns classification | Classify as Hot/Warm/Cold/Resolved | Automatic | - | - | Y |
| Unknowns decay tracking | Track uncertainty over time | Automatic | - | - | Y |
| Unknowns blast radius | Estimate impact of unknowns | In analysis output | - | - | Y |
| Portfolio risk view | Aggregate risk across images | Via UI dashboard | - | - | Y |
| Risk trends | View risk trends over time | Via UI dashboard | - | - | Y |
15. Comparison & Diff
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| SBOM comparison | Compare two SBOMs | stella compare sbom --a v1.json --b v2.json |
Y | Y | Y |
| Package diff | Show added/removed packages | In comparison output | Y | Y | Y |
| Version diff | Show version changes | In comparison output | Y | Y | Y |
| License diff | Show license changes | In comparison output | Y | Y | Y |
| Vulnerability diff | Show vuln changes between scans | stella compare scan --a <id1> --b <id2> |
Y | Y | Y |
| New vulnerabilities | Show newly introduced vulns | In comparison output | Y | Y | Y |
| Fixed vulnerabilities | Show fixed/removed vulns | In comparison output | Y | Y | Y |
| Semantic risk delta | Compare security meaning, not counts | stella compare risk |
- | - | Y |
| Reachability drift | Detect reachability changes | stella drift reachability |
- | - | Y |
| Policy outcome diff | Compare policy decisions | stella policy simulate --diff |
- | Y | Y |
| Smart-Diff summary | "Exploitability dropped 40%" style | In comparison output | - | - | Y |
16. Deterministic Replay
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Scan Replay Manifest (SRM) | Generate manifest for replay | stella scan --srm-out manifest.yaml |
- | - | Y |
| Replay scan from manifest | Replay using SRM | stella replay --manifest manifest.yaml |
- | - | Y |
| Replay digest assertion | Verify replay matches original | stella replay --assert-digest sha256:... |
- | - | Y |
| Knowledge snapshot export | Export frozen knowledge state | stella airgap export --output snapshot.tar.gz |
- | - | Y |
| Knowledge snapshot import | Import knowledge snapshot | stella airgap import snapshot.tar.gz |
- | - | Y |
| Knowledge snapshot diff | Compare two snapshots | stella airgap diff --base a.tar.gz --target b.tar.gz |
- | - | Y |
| Staleness tracking | Track snapshot age | stella airgap status |
- | - | Y |
| Staleness warnings | Warn when snapshot is aging | Automatic | - | - | Y |
| Staleness blocking | Block when snapshot too old | Configure staleAction: block |
- | - | Y |
| Verdict replay | Replay policy decisions | stella replay snapshot --verdict <id> |
- | - | Y |
| Replay verification | Verify replay produces same result | Automatic with assertion | - | - | Y |
| Feed snapshot inclusion | Include feed snapshots in replay | Automatic | - | - | Y |
| Analyzer version pinning | Pin analyzer versions for replay | In SRM | - | - | Y |
| Policy version pinning | Pin policy version for replay | In SRM | - | - | Y |
17. Attestation & Signing
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| DSSE attestation format | Use DSSE envelope format | Automatic | - | Y | Y |
| in-toto attestation | Generate in-toto attestations | Configure Attestor | - | Y | Y |
| SBOM attestation | Sign SBOMs with attestation | stella attest sbom |
- | Y | Y |
| Scan result attestation | Sign scan results | stella attest scan |
- | Y | Y |
| Verdict attestation | Sign policy verdicts | stella attest verdict |
- | - | Y |
| Evidence bundle creation | Create signed evidence bundles | stella evidence bundle |
- | - | Y |
| Keyless signing | Sign using OIDC identity (Sigstore) | stella sign keyless --input file |
- | Y | Y |
| Rekor transparency log | Upload to Rekor | stella sign keyless --rekor |
- | Y | Y |
| Keyless verification | Verify keyless signatures | stella sign verify-keyless |
- | Y | Y |
| Self-hosted Fulcio | Use self-hosted Fulcio | Configure --fulcio-url |
- | - | Y |
| Self-hosted Rekor | Use self-hosted Rekor | Configure --rekor-url |
- | - | Y |
| Traditional key signing | Sign with managed keys | stella sign --key-id <id> |
- | Y | Y |
| Key rotation support | Rotate signing keys | Via key management | - | - | Y |
| Multi-signature support | Sign with multiple keys | Configure multiple signers | - | - | Y |
| Signature verification | Verify signatures | stella verify signature |
- | Y | Y |
| Attestation verification | Verify attestations | stella verify attestation |
- | Y | Y |
18. Cryptography Profiles
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Default crypto profile | Standard cryptographic algorithms | Default | Y | Y | Y |
| FIPS-140-3 profile | US federal crypto requirements | Configure profile: fips-140-3 |
- | - | Y |
| eIDAS profile | EU qualified signatures | Configure profile: eidas |
- | - | Y |
| GOST-2012 profile | Russian Federation requirements | Configure profile: gost-2012 |
- | - | Y |
| SM2 profile | PRC cryptographic requirements | Configure profile: sm2 |
- | - | Y |
| Post-quantum profile | Dilithium, Falcon algorithms | Configure profile: pqc |
- | - | Y |
| Algorithm selection | Choose specific algorithms | Configure algorithms section |
- | - | Y |
| Multi-profile signing | Sign with multiple profiles | Configure multiple profiles | - | - | Y |
| Profile validation | Validate crypto configuration | Automatic on startup | - | - | Y |
| Hardware security module | HSM integration | Configure HSM provider | - | - | Y |
19. Offline & Air-Gap
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Offline Update Kit export | Export complete offline bundle | stella airgap export --output kit.tar.gz |
- | - | Y |
| Offline Update Kit import | Import offline bundle | stella airgap import kit.tar.gz |
- | - | Y |
| Kit signature verification | Verify kit signatures on import | Automatic or --verify-only |
- | - | Y |
| Kit Merkle root verification | Verify kit integrity via Merkle root | Automatic | - | - | Y |
| Advisory feed inclusion | Include advisory feeds in kit | --include-advisories |
- | - | Y |
| VEX document inclusion | Include VEX statements in kit | --include-vex |
- | - | Y |
| Policy bundle inclusion | Include policy bundles in kit | --include-policies |
- | - | Y |
| Trust root inclusion | Include trust roots in kit | Automatic | - | - | Y |
| Staleness policy configuration | Configure max bundle age | Configure in airgap.yaml |
- | - | Y |
| Staleness warning threshold | Warn when bundle ages | Configure warnAgeHours |
- | - | Y |
| Staleness block threshold | Block when bundle too old | Configure maxAgeHours |
- | - | Y |
| Version monotonicity | Prevent rollback attacks | enforceMonotonicity: true |
- | - | Y |
| Feed mirror service | Mirror advisory feeds locally | Deploy Mirror service | - | - | Y |
| Registry mirror support | Use registry mirrors | Configure mirrors in scanner.yaml |
- | Y | Y |
| Transparency log mirror | Mirror Rekor transparency log | Deploy Rekor mirror | - | - | Y |
| Egress allowlist mode | Only allow specified hosts | Configure egressPolicy.mode: allowlist |
- | - | Y |
| Egress denylist mode | Block specified hosts | Configure egressPolicy.mode: denylist |
- | - | Y |
| Sealed mode | Block all network access | Configure sealed mode | - | - | Y |
| Localhost-only mode | Allow only localhost traffic | Configure allowLocalhost: true |
- | - | Y |
| Time anchor (Roughtime) | Secure time from Roughtime servers | Configure Roughtime servers | - | - | Y |
| Time anchor (RFC 3161) | Secure time from TSA servers | Configure TSA servers | - | - | Y |
20. Verification
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Offline evidence verification | Verify evidence without network | stella verify offline --evidence-dir ./evidence |
- | - | Y |
| Image attestation verification | Verify image has required attestations | stella verify image registry/app@sha256:... |
- | Y | Y |
| Require SBOM attestation | Require SBOM attestation | --require sbom |
- | Y | Y |
| Require VEX attestation | Require VEX attestation | --require vex |
- | Y | Y |
| Require decision attestation | Require policy decision attestation | --require decision |
- | - | Y |
| Require approval attestation | Require approval attestation | --require approval |
- | - | Y |
| Strict mode | Fail if any attestation missing | --strict |
- | Y | Y |
| Evidence bundle verification | Verify complete evidence bundle | stella verify bundle --bundle ./bundle |
- | - | Y |
| Skip replay verification | Verify only input hashes | --skip-replay |
- | - | Y |
| Trust policy application | Apply trust policy during verification | --trust-policy policy.yaml |
- | - | Y |
| Certificate verification | Verify signing certificates | Automatic | - | Y | Y |
| Certificate chain validation | Validate full certificate chain | Automatic | - | Y | Y |
| OCSP checking | Check certificate revocation | Automatic when online | - | Y | Y |
| CRL checking | Check certificate revocation lists | Automatic | - | Y | Y |
| Offline revocation checking | Check revocation without network | Using embedded CRLs | - | - | Y |
21. Authentication
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| OAuth 2.0 authorization code | Authorization code flow for users | Configure Authority | - | Y | Y |
| OAuth 2.0 client credentials | Client credentials for services | Configure Authority | - | Y | Y |
| OAuth 2.0 refresh tokens | Refresh token support | Configure Authority | - | Y | Y |
| OpenID Connect | OIDC authentication | Configure Authority | - | Y | Y |
| DPoP (Proof of Possession) | Bind tokens to client keys | Configure senderConstraint: dpop |
- | - | Y |
| mTLS authentication | Mutual TLS for service auth | Configure mTLS | - | - | Y |
| API key authentication | Simple API key auth | Configure API keys | Y | Y | Y |
| Token lifetime configuration | Configure token expiration | Configure in authority.yaml |
- | Y | Y |
| Token refresh configuration | Configure refresh token lifetime | Configure in authority.yaml |
- | Y | Y |
| LDAP integration | Authenticate via LDAP | Deploy LDAP plugin | - | - | Y |
| SAML integration | Authenticate via SAML | Deploy SAML plugin | - | - | Y |
| External IdP integration | Use external identity provider | Configure OIDC provider | - | Y | Y |
| MFA requirement | Require multi-factor auth | Configure in Authority | - | - | Y |
| Session management | Manage user sessions | Via Authority | - | Y | Y |
| Token revocation | Revoke access tokens | Via Authority API | - | Y | Y |
22. Authorization & Access Control
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Role-based access control | Assign roles to users | Configure in Authority | - | Y | Y |
| policy-author role | Create and edit policies | Assign role | - | Y | Y |
| policy-reviewer role | Review policy changes | Assign role | - | Y | Y |
| policy-approver role | Approve policies for production | Assign role | - | - | Y |
| policy-operator role | Run and activate policies | Assign role | - | Y | Y |
| policy-auditor role | Audit policy decisions | Assign role | - | - | Y |
| airgap-viewer role | View offline kit status | Assign role | - | - | Y |
| airgap-operator role | Import/export offline kits | Assign role | - | - | Y |
| airgap-admin role | Full air-gap administration | Assign role | - | - | Y |
| vuln-viewer role | View vulnerability findings | Assign role | - | Y | Y |
| vuln-investigator role | Investigate and triage findings | Assign role | - | Y | Y |
| vuln-operator role | Take action on findings | Assign role | - | Y | Y |
| vuln-auditor role | Audit vulnerability decisions | Assign role | - | - | Y |
| export-viewer role | View export results | Assign role | - | Y | Y |
| export-operator role | Trigger exports | Assign role | - | Y | Y |
| export-admin role | Manage export configuration | Assign role | - | - | Y |
| notify-viewer role | View notifications | Assign role | - | Y | Y |
| notify-operator role | Manage notifications | Assign role | - | Y | Y |
| notify-admin role | Full notification admin | Assign role | - | - | Y |
| Custom roles | Define custom roles | Configure in Authority | - | - | Y |
| Attribute-based access | Fine-grained ABAC | Configure attributes | - | - | Y |
| Environment restrictions | Restrict access by environment | Configure env attributes | - | - | Y |
| Business tier restrictions | Restrict by business tier | Configure tier attributes | - | - | Y |
| Service accounts | Create service identities | Configure in Authority | - | Y | Y |
| Delegated tokens | Issue delegated access tokens | Via Authority API | - | - | Y |
| Scope-based permissions | Permission scopes on tokens | Configure scopes | - | Y | Y |
23. Evidence Management
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Evidence Locker | Store tamper-evident evidence | Via EvidenceLocker API | - | - | Y |
| Evidence sealing | Seal evidence with hashes | Automatic | - | - | Y |
| Evidence retrieval | Retrieve stored evidence | Via EvidenceLocker API | - | - | Y |
| Legal hold | Apply legal hold to evidence | Via UI/API | - | - | Y |
| Legal hold override | Prevent deletion during hold | Automatic | - | - | Y |
| Retention policies | Configure retention periods | Configure policies | - | - | Y |
| Per-type retention | Different retention by type | Configure policies | - | - | Y |
| Evidence export | Export evidence bundles | Via ExportCenter | - | - | Y |
| Evidence chain verification | Verify evidence chain integrity | Via verification APIs | - | - | Y |
24. Observability
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Structured JSON logging | JSON formatted log output | Configure logging | Y | Y | Y |
| Log level configuration | Set minimum log level | Configure minimumLogLevel |
Y | Y | Y |
| Console log output | Log to console | exportConsole: true |
Y | Y | Y |
| OpenTelemetry tracing | Distributed tracing | Configure enableTracing: true |
- | Y | Y |
| OpenTelemetry metrics | Prometheus-compatible metrics | Configure enableMetrics: true |
- | Y | Y |
| OTLP export | Export to OTLP collector | Configure otlpEndpoint |
- | Y | Y |
| Custom resource attributes | Add custom trace attributes | Configure resourceAttributes |
- | Y | Y |
| Service name configuration | Set service name for traces | Configure serviceName |
- | Y | Y |
| Timeline event indexing | Index security events | Automatic via TimelineIndexer | - | - | Y |
| Timeline queries | Query event history | Via Timeline API | - | - | Y |
| Audit trail | Complete action audit log | Automatic | - | Y | Y |
| Audit log export | Export audit logs | Via API | - | - | Y |
| Incident bridge | Bridge to incident management | Configure Incident Bridge | - | - | Y |
| Health checks | Service health endpoints | /health endpoint |
Y | Y | Y |
| Readiness probes | Kubernetes readiness | /ready endpoint |
Y | Y | Y |
| Liveness probes | Kubernetes liveness | /live endpoint |
Y | Y | Y |
25. Notifications
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Slack notifications | Send to Slack webhooks | Configure Slack webhook | - | Y | Y |
| Microsoft Teams notifications | Send to Teams webhooks | Configure Teams webhook | - | Y | Y |
| Email notifications | Send via SMTP | Configure SMTP settings | - | Y | Y |
| PagerDuty integration | Create PagerDuty incidents | Configure PagerDuty | - | - | Y |
| Generic webhooks | Send to custom webhooks | Configure webhook URL | - | Y | Y |
| Notification templates | Customize notification content | Configure templates | - | Y | Y |
| Severity-based routing | Route by severity level | Configure routing rules | - | Y | Y |
| Notification escalation | Escalate unacknowledged alerts | Configure escalation | - | - | Y |
| Notification acknowledgment | Acknowledge notifications | Via Notify API | - | Y | Y |
| Notification muting | Temporarily mute notifications | Configure mute windows | - | Y | Y |
| Notification rate limiting | Limit notification frequency | Configure rate limits | - | Y | Y |
26. CI/CD Integration
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Exit code control | Return codes for CI/CD | --exit-code-if-vuln 1 |
Y | Y | Y |
| GitHub Actions template | Generate GitHub Actions workflow | stella ci generate --platform github |
Y | Y | Y |
| GitLab CI template | Generate GitLab CI pipeline | stella ci generate --platform gitlab |
Y | Y | Y |
| Azure Pipelines template | Generate Azure Pipelines | stella ci generate --platform azure |
Y | Y | Y |
| Jenkins template | Generate Jenkinsfile | stella ci generate --platform jenkins |
Y | Y | Y |
| SARIF for GitHub | Upload SARIF to GitHub Security | --output sarif |
Y | Y | Y |
| SARIF for GitLab | Upload SARIF to GitLab Security | --output sarif |
Y | Y | Y |
| PR comments | Comment scan results on PRs | Configure CI integration | - | Y | Y |
| MR comments | Comment scan results on GitLab MRs | Configure CI integration | - | Y | Y |
| PR evidence annotations | Include attestation digest, policy verdict, and verify command in PR comments | --pr-comment --evidence-link |
- | Y | Y |
| ASCII-only annotation output | Deterministic PR/MR comments without Unicode glyphs | Default behavior | - | Y | Y |
| Status checks | Update PR status checks | Configure CI integration | - | Y | Y |
| Merge blocking | Block merge on policy failure | Configure CI integration | - | Y | Y |
27. Registry Integration
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Docker Hub | Pull from Docker Hub | Default | Y | Y | Y |
| GitHub Container Registry | Pull from GHCR | Authenticate with token | Y | Y | Y |
| AWS ECR | Pull from Amazon ECR | Configure ECR credentials | Y | Y | Y |
| Google GCR | Pull from Google Container Registry | Configure GCP credentials | Y | Y | Y |
| Azure ACR | Pull from Azure Container Registry | Configure Azure credentials | Y | Y | Y |
| Harbor | Pull from Harbor registry | Configure credentials | Y | Y | Y |
| JFrog Artifactory | Pull from Artifactory | Configure credentials | Y | Y | Y |
| Quay.io | Pull from Quay | Configure credentials | Y | Y | Y |
| Private registries | Pull from any private registry | Configure credentials | Y | Y | Y |
| Registry webhook (push) | Scan on image push | Configure Zastava webhook | - | Y | Y |
| Admission controller | Block deployment on failure | Deploy admission webhook | - | - | Y |
| Image signing verification | Verify image signatures | Configure signature policy | - | - | Y |
28. Deployment Options
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Docker Compose | Single-node deployment | docker compose up |
Y | Y | Y |
| Kubernetes deployment | Deploy on Kubernetes | Use Helm charts | - | Y | Y |
| Helm charts | Helm-based deployment | helm install stellaops |
- | Y | Y |
| Air-gapped deployment | Fully offline deployment | Use Offline Kit | - | - | Y |
| Multi-tenant deployment | Isolated tenants | Configure multi-tenancy | - | - | Y |
| High availability | HA deployment patterns | Configure replication | - | - | Y |
| Horizontal scaling | Scale workers horizontally | Configure replicas | - | - | Y |
| Auto-scaling | Kubernetes HPA integration | Configure HPA | - | - | Y |
29. Storage & Infrastructure
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| PostgreSQL 16+ | Primary data storage | Configure connection string | Y | Y | Y |
| PostgreSQL connection pooling | Connection pool management | Configure pool settings | Y | Y | Y |
| PostgreSQL read replicas | Scale read operations | Configure replicas | - | - | Y |
| Valkey/Redis caching | Cache layer | Configure Valkey/Redis | - | Y | Y |
| Rate limiting | API rate limiting | Configure rate limits | - | Y | Y |
| Queue management | Job queue management | Via Scheduler | - | Y | Y |
| Queue sharding | Distribute queue load | Configure sharding | - | - | Y |
| Blob storage | Store large artifacts | Configure blob storage | - | Y | Y |
| S3-compatible storage | Use S3-compatible storage | Configure S3 endpoint | - | Y | Y |
30. Web UI Features
| Feature | Description | How to Use | F | C | E |
|---|---|---|---|---|---|
| Dashboard | Overview dashboard | Access via browser | - | Y | Y |
| Scan results view | View scan findings | Navigate to scans | - | Y | Y |
| Vulnerability details | Detailed vuln information | Click on vulnerability | - | Y | Y |
| SBOM viewer | View SBOM contents | Navigate to SBOMs | - | Y | Y |
| Policy editor | Edit policies in UI | Navigate to policies | - | Y | Y |
| Policy simulation UI | Simulate policies in UI | Use simulation panel | - | Y | Y |
| Exception management UI | Manage exceptions | Navigate to exceptions | - | - | Y |
| Approval workflows UI | Approve in UI | Navigate to approvals | - | - | Y |
| Timeline view | View event timeline | Navigate to timeline | - | - | Y |
| Triage canvas | Visual triage interface | Navigate to triage | - | - | Y |
| Noise gating UI | Manage noise gating | Navigate to noise gating | - | - | Y |
| Risk dashboard | Portfolio risk view | Navigate to risk | - | - | Y |
| Export center UI | Configure exports | Navigate to exports | - | Y | Y |
| Notification settings | Configure notifications | Navigate to settings | - | Y | Y |
| User management | Manage users | Navigate to admin | - | - | Y |
| Tenant management | Manage tenants | Navigate to admin | - | - | Y |
| Audit log viewer | View audit logs | Navigate to audit | - | - | Y |
Feature Count Summary
| Category | Total Features | Free | Community | Enterprise |
|---|---|---|---|---|
| Container Scanning | 14 | 10 | 13 | 14 |
| OS Package Detection | 16 | 16 | 16 | 16 |
| Language Ecosystems | 29 | 27 | 29 | 29 |
| Vulnerability Sources | 17 | 14 | 16 | 17 |
| Vulnerability Enrichment | 18 | 15 | 17 | 18 |
| SBOM Capabilities | 17 | 12 | 15 | 17 |
| Output Formats | 16 | 12 | 14 | 16 |
| Filtering | 16 | 14 | 16 | 16 |
| VEX Processing | 22 | 12 | 17 | 22 |
| Reachability | 17 | 0 | 9 | 17 |
| Secrets Detection | 20 | 0 | 0 | 20 (Coming) |
| Policy Engine | 23 | 11 | 19 | 23 |
| Policy Gates | 10 | 2 | 3 | 10 |
| Risk Scoring | 12 | 2 | 5 | 12 |
| Comparison & Diff | 11 | 6 | 8 | 11 |
| Deterministic Replay | 14 | 0 | 0 | 14 |
| Attestation & Signing | 17 | 0 | 10 | 17 |
| Cryptography Profiles | 10 | 1 | 1 | 10 |
| Offline & Air-Gap | 20 | 0 | 2 | 20 |
| Verification | 15 | 0 | 8 | 15 |
| Authentication | 15 | 2 | 10 | 15 |
| Authorization | 26 | 0 | 13 | 26 |
| Evidence Management | 9 | 0 | 0 | 9 |
| Observability | 16 | 6 | 12 | 16 |
| Notifications | 11 | 0 | 8 | 11 |
| CI/CD Integration | 10 | 8 | 10 | 10 |
| Registry Integration | 12 | 10 | 11 | 12 |
| Deployment | 8 | 2 | 4 | 8 |
| Storage & Infrastructure | 9 | 3 | 6 | 9 |
| Web UI | 17 | 0 | 10 | 17 |
| TOTAL | 483 | 181 | 292 | 483 |
Last updated: 2026-01-04