stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9a08d10b89184ad2181fa33ec8244e34c22329f8
git.stella-ops.org/docs/04_FEATURE_MATRIX.md
StellaOps Bot 7503c19b8f Add determinism tests for verdict artifact generation and update SHA256 sums script 
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
2025-12-24 02:17:34 +02:00

471 lines
18 KiB
Markdown
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 4 · Feature Matrix — **Stella Ops**
*(rev 4.0 · 24 Dec 2025)*
> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
---
## Pricing Tiers Overview
| Tier | Scans/Day | Registration | Token Refresh | Target User | Price |
|------|-----------|--------------|---------------|-------------|-------|
| **Free** | 33 | None | 12h auto | Individual developer | $0 |
| **Community** | 333 | Required | 30d manual | Startups, small teams (<25) | $0 |
| **Enterprise** | 2,000+ | SSO/Contract | Annual | Organizations (25+), regulated | Contact Sales |
**Key Differences:**
- **Free Community**: 10× quota, deep analysis, Helm/K8s, email alerts, requires registration
- **Community Enterprise**: Scale (HA), multi-team (RBAC scopes), automation (CI/CD), support (SLA)
---
## Competitive Moat Features
*These differentiators are available across all tiers to build brand and adoption.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Signed Replayable Risk Verdicts | | | | Core differentiator |
| Decision Capsules | | | | Audit-grade evidence bundles |
| VEX Decisioning Engine | | | | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | | | | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | | | | Material change detection |
| Unknowns as First-Class State | | | | Uncertainty budgets |
| Deterministic Replay | | | | `stella replay srm.yaml` |
---
## SBOM & Ingestion
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | | | | |
| SPDX-JSON 3.0.1 Ingestion | | | | |
| CycloneDX 1.6/1.7 Ingestion | | | | |
| Auto-format Detection | | | | |
| Delta-SBOM Cache | | | | Warm scans <1s |
| SBOM Generation (all formats) | | | | |
| Semantic SBOM Diff | | | | |
| BYOS (Bring-Your-Own-SBOM) | | | | |
| **SBOM Lineage Ledger** | | | | Full versioned history |
| **SBOM Lineage API** | | | | Traversal queries |
---
## Scanning & Detection
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Language Analyzers (All 8)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Native | | | | |
| **Progressive Fidelity Modes** | | | | |
| Quick Mode | | | | |
| Standard Mode | | | | |
| Deep Mode | | | | Full analysis |
| Base Image Detection | | | | |
| Layer-Aware Analysis | | | | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |
---
## Reachability Analysis
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | | | | |
| Entrypoint Detection | | | | 9+ framework types |
| BFS Reachability | | | | |
| Reachability Drift Detection | | | | |
| Binary Loader Resolution | | | | ELF/PE/Mach-O |
| Feature Flag/Config Gating | | | | Layer 3 analysis |
| Runtime Signal Correlation | | | | Zastava integration |
| Gate Detection (auth/admin) | | | | Enterprise policies |
| Path Witness Generation | | | | Audit evidence |
| Reachability Mini-Map API | | | | UI visualization |
| Runtime Timeline API | | | | Temporal analysis |
---
## Binary Analysis (BinaryIndex)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
| Build-ID Vulnerability Lookup | | | | |
| Debian/Ubuntu Corpus | | | | |
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **DWARF/Symbol Analysis** | | | | Debug symbols |
---
## Advisory Sources (Concelier)
| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |
---
## VEX Processing (Excititor)
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| Trust Vector Scoring (P/C/R) | | | | |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| Conflict Detection & Penalty | | | | K4 lattice logic |
| VEX Conflict Studio UI | | | | Visual resolution |
| VEX Hub (Distribution) | | | | Internal VEX network |
| **Trust Calibration Service** | | | | Org-specific tuning |
---
## Policy Engine
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| Unknowns Budget Gate | | | | |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
| **Exception Objects & Workflow** | | | | Approval chains |
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |
---
## Attestation & Signing
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |
---
## Regional Crypto (Sovereign Profiles)
*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.*
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | | | | |
| FIPS 140-2/3 Mode | | | | US Federal |
| eIDAS Signatures | | | | EU Compliance |
| GOST/CryptoPro | | | | Russia |
| SM National Standard | | | | China |
| Post-Quantum (Dilithium) | | | | Future-proof |
| Crypto Plugin Architecture | | | | Custom HSM |
---
## Determinism & Reproducibility
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | | | | |
| Content-Addressed IDs | | | | SHA-256 |
| Replay Manifest (SRM) | | | | |
| `stella replay` CLI | | | | |
| Score Explanation Arrays | | | | |
| Evidence Freshness Multipliers | | | | |
| Proof Coverage Metrics | | | | |
| **Fidelity Metrics (BF/SF/PF)** | | | | Audit dashboards |
| **FN-Drift Rate Tracking** | | | | Quality monitoring |
| **Determinism Gate CI** | | | | Automated checks |
---
## Scoring & Risk Assessment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | | | | |
| EPSS v4 Probability | | | | |
| Priority Band Classification | | | | |
| EPSS-at-Scan Immutability | | | | |
| Unified Confidence Model | | | | 5-factor |
| **Entropy-Based Scoring** | | | | Advanced |
| **Gate Multipliers** | | | | Reachability-aware |
| **Unknowns Pressure Factor** | | | | Risk budgets |
| **Custom Scoring Profiles** | | | | Org-specific |
---
## Evidence & Findings
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | | | | |
| Evidence Graph View | | | | Basic |
| Decision Capsules | | | | |
| **Findings Ledger (Immutable)** | | | | Audit trail |
| **Evidence Locker (Sealed)** | | | | Export/import |
| **Evidence TTL Policies** | | | | Retention rules |
| **Evidence Size Budgets** | | | | Storage governance |
| **Retention Tiers** | | | | Hot/Warm/Cold |
| **Privacy Controls** | | | | Redaction |
| **Audit Pack Export** | | | | Compliance bundles |
---
## CLI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | | | | |
| SBOM Inspect & Diff | | | | |
| Deterministic Replay | | | | |
| Attestation Verify | | | | |
| Unknowns Budget Check | | | | |
| Evidence Export | | | | |
| **Audit Pack Operations** | | | | Full workflow |
| **Binary Match Inspection** | | | | Advanced |
| **Crypto Plugin Commands** | | | | Regional crypto |
| **Admin Utilities** | | | | Ops tooling |
---
## Web UI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | | | | |
| Findings Row Component | | | | |
| Evidence Drawer | | | | |
| Proof Tab | | | | |
| Confidence Meter | | | | |
| Locale Support | | | | Cyrillic, etc. |
| Reproduce Verdict Button | | | | |
| **Audit Trail UI** | | | | Full history |
| **Trust Algebra Panel** | | | | P/C/R visualization |
| **Claim Comparison Table** | | | | Conflict view |
| **Policy Chips Display** | | | | Gate status |
| **Reachability Mini-Map** | | | | Path visualization |
| **Runtime Timeline** | | | | Temporal view |
| **Operator/Auditor Toggle** | | | | Role separation |
| **Knowledge Snapshot UI** | | | | Air-gap prep |
| **Keyboard Shortcuts** | | | | Power users |
---
## Quota & Operations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | | | | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | | | | |
| 429 Backpressure | | | | |
| Retry-After Headers | | | | |
| **Priority Queue** | | | | Guaranteed capacity |
| **Burst Allowance** | | | | 3× daily for 1hr |
| **Custom Quotas** | | | | Per contract |
---
## Offline & Air-Gap
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | | | | |
| One-Command Replay | | | | |
| **Sealed Knowledge Snapshots** | | | | Full feed export |
| **Air-Gap Bundle Manifest** | | | | Transfer packages |
| **No-Egress Enforcement** | | | | Strict isolation |
| **Offline JWT (90d)** | | | | Extended tokens |
---
## Deployment
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | | | | Single-node |
| Helm Chart (K8s) | | | | |
| PostgreSQL 16+ | | | | |
| Valkey 8.0+ | | | | |
| RustFS (S3) | | | | |
| **High-Availability** | | | | Multi-replica |
| **Horizontal Scaling** | | | | Auto-scale |
| **Dedicated Capacity** | | | | Reserved resources |
---
## Access Control & Identity
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| SSO/SAML Integration | | | | Okta, Azure AD |
| OIDC Support | | | | |
| Basic RBAC | | | | User/Admin |
| **Advanced RBAC** | | | | Team-based scopes |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |
---
## Notifications & Integrations
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| EPSS Change Alerts | | | | |
| Slack Integration | | | | Basic |
| Teams Integration | | | | Basic |
| Zastava Registry Hooks | | | | Auto-scan on push |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **Enterprise Connectors** | | | | Grid/Premium APIs |
---
## Scheduling & Automation
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | | | | |
| **Scheduled Scans** | | | | Cron-based |
| **Task Pack Orchestration** | | | | Declarative workflows |
| **EPSS Daily Refresh** | | | | Auto-update |
| **Event-Driven Scanning** | | | | On registry push |
---
## Observability & Telemetry
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | | | | |
| Opt-In Telemetry | | | | |
| **OpenTelemetry Traces** | | | | Full tracing |
| **Prometheus Export** | | | | Custom dashboards |
| **Quality KPIs Dashboard** | | | | Triage metrics |
| **SLA Monitoring** | | | | Uptime tracking |
---
## Support & Services
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | | | | |
| Community Forums | | | | |
| GitHub Issues | | | | |
| **Email Support** | | | | Business hours |
| **Priority Support** | | | | 4hr response |
| **24/7 Critical Support** | | | | Add-on |
| **Dedicated CSM** | | | | Named contact |
| **Professional Services** | | | | Implementation |
| **Training & Certification** | | | | Team enablement |
| **SLA Guarantee** | | | | 99.9% uptime |
---
## Version Comparison
| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | | | | |
| Debian (EVR) | | | | |
| Alpine (APK) | | | | |
| SemVer | | | | |
| PURL Resolution | | | | |
---
## Summary by Tier
### Free Tier (33 scans/day)
**Target:** Individual developers, OSS contributors, evaluation
- All language analyzers (8 languages)
- All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
- Full VEX processing + VEX Hub + Conflict Studio
- SSO/SAML/OIDC authentication
- Zastava registry webhooks
- Slack/Teams notifications
- Core determinism + replay
- Docker Compose deployment
- Community support
### Community Tier (333 scans/day)
**Target:** Startups, small teams (<25), active open source projects
Everything in Free, plus:
- 10× scan quota
- Deep analysis mode
- Binary analysis (backport detection)
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications + EPSS alerts
- Monthly Offline Update Kit access
**Registration required, 30-day token renewal**
### Enterprise Tier (2,000+ scans/day)
**Target:** Organizations 25+, compliance-driven, multi-team
Everything in Community, plus:
- **Scale**: HA, horizontal scaling, priority queue, burst allowance
- **Multi-Team**: Advanced RBAC (scopes), multi-tenant, org hierarchy
- **Advanced Detection**: Binary fingerprints, trust calibration
- **Compliance**: SLSA provenance, Rekor transparency, audit pack export
- **Air-Gap**: Sealed snapshots, 90-day offline tokens, no-egress mode
- **Automation**: CI/CD gates, custom webhooks, scheduled scans
- **Observability**: OpenTelemetry, Prometheus, KPI dashboards
- **Support**: SLA (99.9%), priority support (4hr), dedicated CSM
---
---
> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned
---
*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*
Reference in New Issue View Git Blame Copy Permalink