git.stella-ops.org/docs/FEATURE_MATRIX.md
2026-01-16 23:30:47 +02:00

# Feature Matrix — Stella Ops Suite
*(rev 5.1 · 16 Jan 2026)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
---
## Product Evolution
**Stella Ops Suite** is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.
- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity
- **Evidence packets** — Every release decision is cryptographically signed and stored
---
## Pricing Model
**Principle:** Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes.
| Plan | Price | Environments | New Digests/Day | Deployments | Notes |
|------|-------|--------------|-----------------|-------------|-------|
| **Free** | $0/month | 3 | 333 | Unlimited (fair use) | Full features |
| **Pro** | $699/month | 33 | 3,333 | Unlimited (fair use) | Same features |
| **Enterprise** | $1,999/month | Unlimited | Unlimited | Unlimited | Fair use on mirroring/audit bandwidth |
**Key Principles:**
- All plans include all features (no feature gating)
- The only limits are the number of environments and the number of new digests analyzed per day
- Unlimited deployments with fair use policy
---
## Competitive Moat Features
*These differentiators are available across all plans.*
| Capability | Free | Pro | Enterprise | Notes |
|------------|:----:|:---:|:----------:|-------|
| Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator |
| Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles |
| VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | ✅ | ✅ | ✅ | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection |
| Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets |
| Deterministic Replay | ✅ | ✅ | ✅ | `stella replay srm.yaml` |
| Non-Kubernetes First-Class | ✅ | ✅ | ✅ | Docker/Compose/ECS/Nomad targets |
| Digest-First Release Identity | ✅ | ✅ | ✅ | Immutable releases |
---
## Release Orchestration (Planned)
*Release orchestration capabilities are planned for implementation. All plans will include all features.*
| Capability | Free | Pro | Enterprise | Notes |
|------------|:----:|:---:|:----------:|-------|
| **Environment Management** | | | | |
| Environment CRUD | ⏳ | ⏳ | ⏳ | Dev/Stage/Prod definitions |
| Freeze Windows | ⏳ | ⏳ | ⏳ | Calendar-based blocking |
| Approval Policies | ⏳ | ⏳ | ⏳ | Per-environment rules |
| **Release Management** | | | | |
| Component Registry | ⏳ | ⏳ | ⏳ | Service → repository mapping |
| Release Bundles | ⏳ | ⏳ | ⏳ | Component → digest bundles |
| Semantic Versioning | ⏳ | ⏳ | ⏳ | SemVer release versions |
| Tag → Digest Resolution | ⏳ | ⏳ | ⏳ | Immutable digest pinning |
| **Promotion & Gates** | | | | |
| Promotion Workflows | ⏳ | ⏳ | ⏳ | Environment transitions |
| Security Gate | ⏳ | ⏳ | ⏳ | Scan verdict evaluation |
| Approval Gate | ⏳ | ⏳ | ⏳ | Human sign-off |
| Freeze Window Gate | ⏳ | ⏳ | ⏳ | Calendar enforcement |
| Policy Gate (OPA/Rego) | ⏳ | ⏳ | ⏳ | Custom rules |
| Decision Records | ⏳ | ⏳ | ⏳ | Evidence-linked decisions |
| **Deployment Execution** | | | | |
| Docker Host Agent | ⏳ | ⏳ | ⏳ | Direct container deployment |
| Compose Host Agent | ⏳ | ⏳ | ⏳ | Docker Compose deployment |
| SSH Agentless | ⏳ | ⏳ | ⏳ | Linux remote execution |
| WinRM Agentless | ⏳ | ⏳ | ⏳ | Windows remote execution |
| ECS Agent | ⏳ | ⏳ | ⏳ | AWS ECS deployment |
| Nomad Agent | ⏳ | ⏳ | ⏳ | HashiCorp Nomad deployment |
| Rollback | ⏳ | ⏳ | ⏳ | Previous version restore |
| **Progressive Delivery** | | | | |
| A/B Releases | ⏳ | ⏳ | ⏳ | Traffic splitting |
| Canary Deployments | ⏳ | ⏳ | ⏳ | Gradual rollout |
| Blue-Green | ⏳ | ⏳ | ⏳ | Zero-downtime switch |
| Traffic Routing Plugins | ⏳ | ⏳ | ⏳ | Nginx/HAProxy/Traefik/ALB |
| **Workflow Engine** | | | | |
| DAG Workflow Execution | ⏳ | ⏳ | ⏳ | Directed acyclic graphs |
| Step Registry | ⏳ | ⏳ | ⏳ | Built-in + custom steps |
| Workflow Templates | ⏳ | ⏳ | ⏳ | Reusable workflows |
| Script Steps (Bash/C#) | ⏳ | ⏳ | ⏳ | Custom automation |
| **Evidence & Audit** | | | | |
| Evidence Packets | ⏳ | ⏳ | ⏳ | Sealed decision bundles |
| Version Stickers | ⏳ | ⏳ | ⏳ | On-target deployment records |
| Audit Export | ⏳ | ⏳ | ⏳ | Compliance reporting |
| **Integrations** | | | | |
| GitHub Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| GitLab Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| Harbor Integration | ⏳ | ⏳ | ⏳ | Registry + scanning |
| HashiCorp Vault | ⏳ | ⏳ | ⏳ | Secrets management |
| AWS Secrets Manager | ⏳ | ⏳ | ⏳ | Secrets management |
| **Plugin System** | | | | |
| Plugin Manifest | ⏳ | ⏳ | ⏳ | Static declarations |
| Connector Runtime | ⏳ | ⏳ | ⏳ | Dynamic execution |
| Step Providers | ⏳ | ⏳ | ⏳ | Custom workflow steps |
| Agent Types | ⏳ | ⏳ | ⏳ | Custom deployment targets |
---
## Plan Limits
| Limit | Free | Pro | Enterprise |
|-------|:----:|:---:|:----------:|
| **Environments** | 3 | 33 | Unlimited |
| **New Digests/Day** | 333 | 3,333 | Unlimited |
| **Deployments** | Fair use | Fair use | Fair use |
| **Targets per Environment** | 10 | 100 | Unlimited |
| **Agents** | 3 | 33 | Unlimited |
| **Integrations** | 5 | 50 | Unlimited |
---
## SBOM & Ingestion
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | ✅ | ✅ | ✅ | |
| SPDX-JSON 3.0.1 Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | ✅ | ✅ | ✅ | |
| Auto-format Detection | ✅ | ✅ | ✅ | |
| Delta-SBOM Cache | ✅ | ✅ | ✅ | Warm scans <1s |
| SBOM Generation (all formats) | | | | |
| Semantic SBOM Diff | | | | |
| BYOS (Bring-Your-Own-SBOM) | | | | |
| **SBOM Lineage Ledger** | | | | Full versioned history |
| **SBOM Lineage API** | | | | Traversal queries |
---
## Scanning & Detection
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Automatic Detection (Class A)** | | | | Runs implicitly during scan |
| Secrets Detection | | | | API keys, tokens, passwords; results in findings (see [docs/modules/ui/components/findings-list.md](docs/modules/ui/components/findings-list.md)) |
| OS Package Analyzers | | | | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see [docs/modules/cli/guides/commands/sbom.md](docs/modules/cli/guides/commands/sbom.md)) |
| **Language Analyzers (All 11)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Deno | | | | |
| PHP, Rust, Native binaries | | | | |
| **Progressive Fidelity Modes** | | | | |
| Quick Mode | | | | |
| Standard Mode | | | | |
| Deep Mode | | | | Full analysis |
| Base Image Detection | | | | |
| Layer-Aware Analysis | | | | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |
---
## Reachability Analysis
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | | | | |
| Entrypoint Detection | | | | 9+ framework types |
| BFS Reachability | | | | |
| Reachability Drift Detection | | | | |
| Binary Loader Resolution | | | | ELF/PE/Mach-O |
| Feature Flag/Config Gating | | | | Layer 3 analysis |
| Runtime Signal Correlation | | | | Zastava integration |
| Gate Detection (auth/admin) | | | | Enterprise policies |
| Path Witness Generation | | | | Audit evidence |
| Reachability Mini-Map API | | | | UI visualization |
| Runtime Timeline API | | | | Temporal analysis |
---
## Binary Analysis (BinaryIndex)
*Binary analysis capabilities are CLI-first (Class B). UI integration stays minimal until user demand justifies it.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
| Build-ID Vulnerability Lookup | | | | |
| Debian/Ubuntu Corpus | | | | |
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | CLI: `stella binary fingerprint export` |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **Binary Diff** | | | | CLI: `stella binary diff <base> <candidate>` |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
**CLI Commands (Class B):**
- `stella binary fingerprint export <artifact>` - Export fingerprint data (function hashes, section hashes, symbol table)
- `stella binary diff <base> <candidate>` - Compare binaries with a function/symbol-level diff
- Output formats: `--format json|yaml|table`
- Usage and examples: [docs/modules/cli/guides/commands/binary.md](docs/modules/cli/guides/commands/binary.md)
---
## Advisory Sources (Concelier)
*Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.*
| Source Category | Connectors | Free | Community | Enterprise | Notes |
|-----------------|-----------|:----:|:---------:|:----------:|-------|
| **National CVE Databases** | | | | | |
| NVD (NIST) | | | | | Primary CVE source |
| CVE (MITRE) | | | | | CVE Record format 5.0 |
| **OSS Ecosystems** | | | | | |
| OSV | | | | | Multi-ecosystem |
| GHSA | | | | | GitHub Security Advisories |
| **Linux Distributions** | | | | | |
| Alpine SecDB | | | | | |
| Debian Security Tracker | | | | | |
| Ubuntu USN | | | | | |
| RHEL/CentOS OVAL | | | | | |
| SUSE OVAL | | | | | |
| Astra Linux | | | | | Russian distro |
| **CERTs / National CSIRTs** | | | | | |
| CISA KEV | | | | | Known Exploited Vulns |
| CISA ICS-CERT | | | | | Industrial control systems |
| CERT-CC | | | | | Carnegie Mellon |
| CERT-FR | | | | | France |
| CERT-Bund (BSI) | | | | | Germany |
| CERT-In | | | | | India |
| ACSC | | | | | Australia |
| CCCS | | | | | Canada |
| KISA | | | | | South Korea |
| JVN | | | | | Japan |
| **Russian Federation Sources** | | | | | |
| FSTEC BDU | | | | | Russian vuln database |
| NKCKI | | | | | Critical infrastructure |
| **Vendor PSIRTs** | | | | | |
| Microsoft MSRC | | | | | |
| Cisco PSIRT | | | | | |
| Oracle CPU | | | | | |
| VMware | | | | | |
| Adobe PSIRT | | | | | |
| Apple Security | | | | | |
| Chromium | | | | | |
| **ICS/SCADA** | | | | | |
| Kaspersky ICS-CERT | | | | | Industrial security |
| **Risk Scoring** | | | | | |
| EPSS v4 | | | | | Exploit prediction |
| **Enterprise Features** | | | | | |
| Custom Advisory Connectors | | | | | Private feeds |
| Advisory Merge Engine | | | | | Conflict resolution |
| Connector Health CLI | | | | | `stella db connectors status` |
**Connector Operations Matrix (Status/Auth/Runbooks):**
| Connector | Status | Auth | Ops Runbook |
| --- | --- | --- | --- |
| NVD (NIST) | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| Alpine SecDB | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
| EPSS v4 | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |
---
## VEX Processing (Excititor/VexLens)
*VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| **VEX Consensus Engine (5-state)** | | | | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | | | | |
| **Trust Weight Scoring (9 factors)** | | | | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | 14-day half-life |
| Conflict Detection & Penalty | | | | K4 lattice logic |
| VEX Conflict Studio UI | | | | Visual resolution |
| VEX Hub (Distribution) | | | | Internal VEX network |
| **VEX Webhook Distribution** | | | | Pub/sub notifications |
| **CSAF Provider Connectors (7)** | | | | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| **Issuer Trust Registry** | | | | Key lifecycle, trust overrides |
| **VEX from Drift Generation** | | | | `stella vex gen --from-drift` |
| **Trust Calibration Service** | | | | Org-specific tuning |
| **Consensus Rationale Export** | | | | Audit-grade explainability |
**CLI Commands:**
- `stella vex verify <statement>` - Verify VEX statement signature and content
- `stella vex consensus <digest>` - Show consensus status for a digest
- `stella vex evidence export` - Export VEX evidence for audit
- `stella vex webhooks list/add/remove` - Manage VEX distribution
- `stella issuer keys list/create/rotate/revoke` - Issuer key management
---
## Policy Engine
*Policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| **Belnap K4 Four-Valued Logic** | | | | True/False/Both/Neither |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| **10+ Policy Gate Types** | | | | Severity, reachability, age, etc. |
| **6 Risk Score Providers** | | | | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | | | | |
| **Determinization System** | | | | Signal weights, decay, uncertainty |
| **Policy Simulation** | | | | `stella policy simulate` |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
| **Exception Objects & Workflow** | | | | Approval chains |
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
| **Verdict Attestations** | | | | DSSE/Rekor signed verdicts |
**CLI Commands:**
- `stella policy list/show/create/update/delete` - Policy CRUD
- `stella policy simulate <digest>` - Simulate policy evaluation
- `stella policy validate <file>` - Validate policy YAML
- `stella policy decisions list/show` - View policy decisions
- `stella policy gates list` - List available gate types
---
## Attestation & Signing
*Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| **25+ Predicate Types** | | | | SBOM, VEX, verdict, etc. |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Keyless Signing (Sigstore)** | | | | Fulcio-based OIDC |
| **Delta Attestations (4 types)** | | | | VEX/SBOM/Verdict/Reachability |
| **Attestation Chains** | | | | Linked attestation graphs |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Service** | | | | Automated key lifecycle |
| **Trust Anchor Management** | | | | Root CA management |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
**CLI Commands:**
- `stella attest sign <file>` - Sign an attestation
- `stella attest verify <envelope>` - Verify an attestation signature
- `stella attest predicates list` - List supported predicate types
- `stella attest export <digest>` - Export attestations for a digest
- `stella keys list/create/rotate/revoke` - Key management
---
## Regional Crypto (Sovereign Profiles)
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance. Eight signature profiles are supported.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | | | | |
| FIPS 140-2/3 Mode | | | | US Federal |
| eIDAS Signatures | | | | EU Compliance |
| GOST/CryptoPro | | | | Russia |
| SM National Standard | | | | China |
| Post-Quantum (Dilithium) | | | | Future-proof |
| Crypto Plugin Architecture | | | | Custom HSM |
| **Multi-Profile Signing** | | | | Sign with multiple algorithms |
| **SM Remote Service** | | | | Chinese market HSM integration |
| **HSM/PKCS#11 Integration** | | | | Hardware security modules |
**CLI Commands:**
- `stella crypto profiles list` - List available crypto profiles
- `stella crypto verify --profile <name>` - Verify with a specific profile
- `stella crypto plugins list/status` - Manage crypto plugins
---
## Determinism & Reproducibility
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | | | | |
| Content-Addressed IDs | | | | SHA-256 |
| Replay Manifest (SRM) | | | | |
| `stella replay` CLI | | | | |
| Score Explanation Arrays | | | | |
| Evidence Freshness Multipliers | | | | |
| Proof Coverage Metrics | | | | |
| **Fidelity Metrics (BF/SF/PF)** | | | | Audit dashboards |
| **FN-Drift Rate Tracking** | | | | Quality monitoring |
| **Determinism Gate CI** | | | | Automated checks |
---
## Scoring & Risk Assessment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | | | | |
| EPSS v4 Probability | | | | |
| Priority Band Classification | | | | |
| EPSS-at-Scan Immutability | | | | |
| Unified Confidence Model | | | | 5-factor |
| **Entropy-Based Scoring** | | | | Advanced |
| **Gate Multipliers** | | | | Reachability-aware |
| **Unknowns Pressure Factor** | | | | Risk budgets |
| **Custom Scoring Profiles** | | | | Org-specific |
---
## Evidence & Findings
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | | | | |
| Evidence Graph View | | | | Basic |
| Decision Capsules | | | | |
| **Findings Ledger (Immutable)** | | | | Audit trail |
| **Evidence Locker (Sealed)** | | | | Export/import |
| **Evidence TTL Policies** | | | | Retention rules |
| **Evidence Size Budgets** | | | | Storage governance |
| **Retention Tiers** | | | | Hot/Warm/Cold |
| **Privacy Controls** | | | | Redaction |
| **Audit Pack Export** | | | | Compliance bundles |
---
## CLI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | | | | |
| SBOM Inspect & Diff | | | | |
| Deterministic Replay | | | | |
| Attestation Verify | | | | |
| Unknowns Budget Check | | | | |
| Evidence Export | | | | |
| **Audit Pack Operations** | | | | Full workflow |
| **Binary Match Inspection** | | | | Advanced |
| **Crypto Plugin Commands** | | | | Regional crypto |
| **Admin Utilities** | | | | Ops tooling |
---
## Web UI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | | | | |
| Findings Row Component | | | | |
| Evidence Drawer | | | | |
| Proof Tab | | | | |
| Confidence Meter | | | | |
| Locale Support | | | | Cyrillic, etc. |
| Reproduce Verdict Button | | | | |
| **Audit Trail UI** | | | | Full history |
| **Trust Algebra Panel** | | | | P/C/R visualization |
| **Claim Comparison Table** | | | | Conflict view |
| **Policy Chips Display** | | | | Gate status |
| **Reachability Mini-Map** | | | | Path visualization |
| **Runtime Timeline** | | | | Temporal view |
| **Operator/Auditor Toggle** | | | | Role separation |
| **Knowledge Snapshot UI** | | | | Air-gap prep |
| **Keyboard Shortcuts** | | | | Power users |
---
## Quota & Operations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | | | | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | | | | |
| 429 Backpressure | | | | |
| Retry-After Headers | | | | |
| **Priority Queue** | | | | Guaranteed capacity |
| **Burst Allowance** | | | | 3× daily for 1hr |
| **Custom Quotas** | | | | Per contract |
---
## Offline & Air-Gap
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | | | | |
| One-Command Replay | | | | |
| **Sealed Knowledge Snapshots** | | | | Full feed export |
| **Air-Gap Bundle Manifest** | | | | Transfer packages |
| **No-Egress Enforcement** | | | | Strict isolation |
| **Offline JWT (90d)** | | | | Extended tokens |
---
## Deployment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | | | | Single-node |
| Helm Chart (K8s) | | | | |
| PostgreSQL 16+ | | | | |
| Valkey 8.0+ | | | | |
| RustFS (S3) | | | | |
| **High-Availability** | | | | Multi-replica |
| **Horizontal Scaling** | | | | Auto-scale |
| **Dedicated Capacity** | | | | Reserved resources |
---
## Access Control & Identity (Authority)
*Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | With scopes and expiration |
| SSO/SAML Integration | | | | Okta, Azure AD |
| OIDC Support | | | | |
| Basic RBAC | | | | User/Admin |
| **75+ Authorization Scopes** | | | | Fine-grained permissions |
| **DPoP (Sender Constraints)** | | | | Token binding |
| **mTLS Client Certificates** | | | | Certificate auth |
| **Device Authorization Flow** | | | | CLI/IoT devices |
| **PAR Support** | | | | Pushed Authorization Requests |
| **User Federation (LDAP/SAML)** | | | | Directory integration |
| **Multi-Factor Authentication** | | | | TOTP/WebAuthn |
| **Advanced RBAC** | | | | Team-based scopes |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
**CLI Commands:**
- `stella auth clients list/create/delete` - OAuth client management
- `stella auth roles list/show/assign` - Role management
- `stella auth scopes list` - List available scopes
- `stella auth token introspect <token>` - Token introspection
- `stella auth api-keys list/create/revoke` - API key management
---
## Notifications & Integrations
*Ten notification channel types, with a template engine, routing rules, and escalation policies.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| In-App Notifications | | | | |
| Email Notifications | | | | |
| EPSS Change Alerts | | | | |
| Slack Integration | | | | Basic |
| Teams Integration | | | | Basic |
| **Discord Integration** | | | | Webhook-based |
| **PagerDuty Integration** | | | | Incident management |
| **OpsGenie Integration** | | | | Alert routing |
| Zastava Registry Hooks | | | | Auto-scan on push |
| **Zastava K8s Admission** | | | | Validating/Mutating webhooks |
| **Template Engine** | | | | Customizable templates |
| **Channel Routing Rules** | | | | Severity/team routing |
| **Escalation Policies** | | | | Time-based escalation |
| **Notification Studio UI** | | | | Visual rule builder |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **SCM Integrations** | | | | PR comments, status checks |
| **Issue Tracker Integration** | | | | Jira, GitHub Issues |
| **Enterprise Connectors** | | | | Grid/Premium APIs |
**CLI Commands:**
- `stella notify channels list/test` - Channel management
- `stella notify rules list/create` - Routing rules
- `stella zastava install/configure/status` - K8s webhook management
---
## Scheduling & Automation
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | | | | |
| **Scheduled Scans** | | | | Cron-based |
| **Task Pack Orchestration** | | | | Declarative workflows |
| **EPSS Daily Refresh** | | | | Auto-update |
| **Event-Driven Scanning** | | | | On registry push |
---
## Observability & Telemetry
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | | | | |
| Opt-In Telemetry | | | | |
| **OpenTelemetry Traces** | | | | Full tracing |
| **Prometheus Export** | | | | Custom dashboards |
| **Quality KPIs Dashboard** | | | | Triage metrics |
| **SLA Monitoring** | | | | Uptime tracking |
---
## Support & Services
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | | | | |
| Community Forums | | | | |
| GitHub Issues | | | | |
| **Email Support** | | | | Business hours |
| **Priority Support** | | | | 4hr response |
| **24/7 Critical Support** | | | | Add-on |
| **Dedicated CSM** | | | | Named contact |
| **Professional Services** | | | | Implementation |
| **Training & Certification** | | | | Team enablement |
| **SLA Guarantee** | | | | 99.9% uptime |
---
## Version Comparison
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | | | | |
| Debian (EVR) | | | | |
| Alpine (APK) | | | | |
| SemVer | | | | |
| PURL Resolution | | | | |
---
## Summary by Tier
### Free Tier (33 scans/day)
**Target:** Individual developers, OSS contributors, evaluation
- All language analyzers (11 languages)
- All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
- Full VEX processing + VEX Hub + Conflict Studio
- SSO/SAML/OIDC authentication
- Zastava registry webhooks
- Slack/Teams notifications
- Core determinism + replay
- Docker Compose deployment
- Community support
### Community Tier (333 scans/day)
**Target:** Startups, small teams (<25), active open source projects
Everything in Free, plus:
- 10× scan quota
- Deep analysis mode
- Binary analysis (backport detection)
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications + EPSS alerts
- Monthly Offline Update Kit access
**Registration required, 30-day token renewal**
### Enterprise Tier (2,000+ scans/day)
**Target:** Organizations 25+, compliance-driven, multi-team
Everything in Community, plus:
- **Scale**: HA, horizontal scaling, priority queue, burst allowance
- **Multi-Team**: Advanced RBAC (scopes), multi-tenant, org hierarchy
- **Advanced Detection**: Binary fingerprints, trust calibration
- **Compliance**: SLSA provenance, Rekor transparency, audit pack export
- **Air-Gap**: Sealed snapshots, 90-day offline tokens, no-egress mode
- **Automation**: CI/CD gates, custom webhooks, scheduled scans
- **Observability**: OpenTelemetry, Prometheus, KPI dashboards
- **Support**: SLA (99.9%), priority support (4hr), dedicated CSM
---
> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned
---
*Last updated: 16 Jan 2026 (rev 5.1 - Documentation Sprint 024)*