git.stella-ops.org/docs/key-features.md

Key Features – Capability Cards

Stella Ops isn't just another scanner—it's a different product category: deterministic, evidence-linked vulnerability decisions that survive auditors, regulators, and supply-chain propagation.

Each card below pairs the headline capability with the evidence that backs it and why it matters day to day.

0. Decision Capsules - Audit-Grade Evidence Bundles (2025-12)

• What it is: Every scan result is sealed in a Decision Capsule-a content-addressed bundle containing all inputs, outputs, and evidence needed to reproduce and verify the vulnerability decision.
• Evidence: Each capsule includes: exact SBOM (and source provenance if available), exact vuln feed snapshots (or IDs to frozen snapshots), reachability evidence (static artifacts + runtime traces if any), policy version + lattice rules, derived VEX statements, and signatures over all of the above.
• UX surface: Vulnerability triage is built around VEX-first decisions and one-click immutable audit bundles; reference docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md.
• Why it matters: Auditors can re-run any capsule bit-for-bit to verify the outcome. This is the heart of audit-grade assurance-every decision becomes a provable, replayable fact.

1. Delta SBOM Engine

• What it is: Layer-aware ingestion keeps the SBOM catalog content-addressed; rescans only fetch new layers and update dependency/vulnerability cartographs.
• Evidence: Deterministic Replay Manifest (SRM) captures the exact analyzer inputs/outputs per layer.
• Why it matters: Warm scans drop below one second, so CI/CD pipelines stay fast even under the free-tier quota.

2. Lattice Policy + OpenVEX (Evidence-Linked)

• What it is: Policy engine merges SBOM, advisories, VEX, and waivers through lattice logic that prioritises exploitability. Every VEX assertion includes pointers to an internal evidence graph.
• Evidence: OpenVEX is treated as first-class input; the policy UI renders explain traces with proof-linked decisions. Custom rule packs let teams automate muting, expirations, and non-VEX alert logic.
• Why it matters: Teams can distinguish exploitable risk from noise, tune the experience beyond VEX statements, and prove why a deployment was blocked or allowed. Unlike simplistic yes/no approaches, the lattice model explicitly handles an "Unknown" state, ensuring incomplete data doesn't lead to false safety.

3. Sovereign Crypto Profiles

• What it is: Bring-your-own trust bundles that switch signing algorithms (FIPS, eIDAS, GOST, SM) without code changes.
• Evidence: Crypto profiles travel with Offline Update Kits and post-quantum trust packs, keeping signatures verifiable in regulated sectors.
• Why it matters: You meet regional crypto requirements while keeping provenance attestations consistent across tenants.

4. Deterministic Replay & Evidence Bundles — The Heart of Audit-Grade Assurance

• What it is: Every scan produces a DSSE + SRM bundle that can be replayed with stella replay srm.yaml.
• Evidence: Replay manifests capture analyzer versions, lattice state, and attestations in content-addressed storage for audit trails.
• Why it matters: A CVE found 6 months ago can be re-verified today by running stella replay srm.yaml, yielding an identical result—an audit trail no other scanner provides. This is why Stella decisions survive auditors, regulators, and supply-chain propagation.

5. Transparent Quotas & Offline Operations

• What it is: Redis-backed counters surface {{ quota_token }} scans/day via headers, UI banners, and /quota API; Offline Update Kits mirror feeds.
• Evidence: Quota tokens verify locally using bundled public keys, and Offline Update Kits include mirrored advisories, SBOM feeds, and VEX sources.
• Why it matters: You stay within predictable limits, avoid surprise throttling, and operate entirely offline when needed.

6. Signed Reachability Proofs — Hybrid Static + Runtime Attestations

• What it is: Every reachability graph is sealed with a graph-level DSSE and optional edge-bundle DSSEs for runtime/init/contested edges; Rekor-backed when enabled. Both static call-graph edges and runtime-derived edges can be attested—true hybrid reachability.
• Evidence: CAS layout cas://reachability/graphs/{hash} + {hash}.dsse; edge bundles capped and sorted; quarantine/dispute uses per-edge revocation. See docs/reachability/hybrid-attestation.md.
• Why it matters: You can prove (or contest) exactly why a vuln is reachable, replay results offline, and avoid flooding transparency logs. Hybrid analysis combining static call-graph analysis with runtime process tracing provides confidence across build and runtime contexts.

7. Competitive Moats — Four Capabilities (2025-12 refresh)

• What it is: Four capabilities no competitor offers together: (1) Signed Reachability, (2) Deterministic Replay, (3) Explainable Policy (Lattice VEX), (4) Sovereign + Offline Operation. Plus Decision Capsules for audit-grade evidence bundles.
• Evidence: docs/market/competitive-landscape.md distils a 15-vendor comparison; 03_VISION.md lists moats; docs/reachability/lead.md details the reachability proof moat.
• Why it matters: Clear differentiation guides roadmap and sales; keeps us focused on replayable, sovereign, evidence-linked, and explainable security.

8. Semantic Smart-Diff (2025-12)

• What it is: Diff security meaning, not just artifacts. Compare reachability graphs, policy outcomes, and trust weights between releases.
• Evidence: Drift detection in src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/; DSSE-attested drift results.
• Why it matters: Outputs "This release reduces exploitability by 41% despite +2 CVEs" — no competitor quantifies semantic security deltas.

9. Unknowns as First-Class State (2025-12)

• What it is: Explicit modeling of Unknown-Reachable and Unknown-Unreachable states with risk scoring implications.
• Evidence: Unknowns Registry in Signals; unknowns_pressure factor in scoring; UI chips for unknowns.
• Why it matters: Uncertainty is risk. We don't hide it — we surface and score it. Critical for air-gapped and zero-day scenarios.

10. Call-Path Reachability Proofs (2025-12)

• What it is: Three-layer reachability: static call graph + binary resolution + runtime gating. All three must align for exploitability.
• Evidence: Vulnerability surfaces in src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/; confidence tiers (Confirmed/Likely/Present/Unreachable).
• Why it matters: Makes false positives structurally impossible, not heuristically reduced. Path witnesses are DSSE-signed.

11. Deterministic Task Packs (2025-11)

• What it is: TaskRunner executes declarative Task Packs with plan-hash binding, approvals, sealed-mode enforcement, and DSSE evidence bundles.
• Evidence: Product advisory docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md; architecture contract in docs/modules/taskrunner/architecture.md; runbook/spec in docs/task-packs/*.md.
• Why it matters: Security teams get auditable, air-gap-friendly automation with human approvals and provable provenance, reusing the same workflows online or offline.

Explore Further

• Walk the first deployment in quickstart.md.
• Dive into architectural flows in high-level-architecture.md.
• Need detailed matrices? The legacy feature matrix and vision remain available for deep dives.