stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
a743bb9a1d52b453227de5aab07a2d58b5e5bcd0
git.stella-ops.org/docs/FEATURE_MATRIX.md

26 KiB
Executable File
Raw Blame History

Feature Matrix — Stella Ops Suite

(rev 5.1 · 16 Jan 2026)

Looking for a quick read? Check key-features.md for the short capability cards; this matrix keeps full tier-by-tier detail.

Product Evolution

Stella Ops Suite is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.

  • Release orchestration — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
  • Security decisioning as a gate — Scan on build, evaluate on release, re-evaluate on CVE updates
  • OCI-digest-first releases — Immutable digest-based release identity
  • Evidence packets — Every release decision is cryptographically signed and stored

Pricing Model

Principle: Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes.

Plan Price Environments New Digests/Day
Free $0/month 3 333
Pro $699/month 33 3,333
Enterprise $1,999/month Unlimited Unlimited

Key Principles:

  • All plans include all features (no feature gating)
  • Only limits are environments and new digests analyzed per day
  • All other capabilities are identical across all tiers

Competitive Moat Features

These differentiators are available across all plans.

Capability Notes
Signed Replayable Risk Verdicts Core differentiator
Decision Capsules Audit-grade evidence bundles
VEX Decisioning Engine Trust lattice + conflict resolution
Reachability with Portable Proofs Three-layer analysis
Smart-Diff (Semantic Risk Delta) Material change detection
Unknowns as First-Class State Uncertainty budgets
Deterministic Replay stella replay srm.yaml
Non-Kubernetes First-Class Docker/Compose/ECS/Nomad targets
Digest-First Release Identity Immutable releases

Release Orchestration (Planned)

Release orchestration capabilities are planned for implementation.

| Capability | Notes | | Environment Management | | | Environment CRUD | Dev/Stage/Prod definitions | | Freeze Windows | Calendar-based blocking | | Approval Policies | Per-environment rules | | Release Management | | | Component Registry | Service → repository mapping | | Release Bundles | Component → digest bundles | | Semantic Versioning | SemVer release versions | | Tag → Digest Resolution | Immutable digest pinning | | Promotion & Gates | | | Promotion Workflows | Environment transitions | | Security Gate | Scan verdict evaluation | | Approval Gate | Human sign-off | | Freeze Window Gate | Calendar enforcement | | Policy Gate (OPA/Rego) | Custom rules | | Decision Records | Evidence-linked decisions | | Deployment Execution | | | Docker Host Agent | Direct container deployment | | Compose Host Agent | Docker Compose deployment | | SSH Agentless | Linux remote execution | | WinRM Agentless | Windows remote execution | | ECS Agent | AWS ECS deployment | | Nomad Agent | HashiCorp Nomad deployment | | Rollback | Previous version restore | | Progressive Delivery | | | A/B Releases | Traffic splitting | | Canary Deployments | Gradual rollout | | Blue-Green | Zero-downtime switch | | Traffic Routing Plugins | Nginx/HAProxy/Traefik/ALB | | Workflow Engine | | | DAG Workflow Execution | Directed acyclic graphs | | Step Registry | Built-in + custom steps | | Workflow Templates | Reusable workflows | | Script Steps (Bash/C#) | Custom automation | | Evidence & Audit | | | Evidence Packets | Sealed decision bundles | | Version Stickers | On-target deployment records | | Audit Export | Compliance reporting | | Integrations | | | GitHub Integration | SCM + webhooks | | GitLab Integration | SCM + webhooks | | Harbor Integration | Registry + scanning | | HashiCorp Vault | Secrets management | | AWS Secrets Manager | Secrets management | | Plugin System | | | Plugin Manifest | Static declarations | | Connector Runtime | Dynamic execution | | Step Providers | Custom workflow steps | | Agent Types | Custom deployment targets |

Plan Limits

Limit Free Pro Enterprise
Environments 3 33 Unlimited
New Digests/Day 333 3,333 Unlimited

SBOM & Ingestion

Capability Notes
Trivy-JSON Ingestion
SPDX-JSON 3.0.1 Ingestion
CycloneDX 1.7 Ingestion (1.6 backward compatible)
Auto-format Detection
Delta-SBOM Cache Warm scans <1s
SBOM Generation (all formats)
Semantic SBOM Diff
BYOS (Bring-Your-Own-SBOM)
SBOM Lineage Ledger Full versioned history
SBOM Lineage API Traversal queries

Scanning & Detection

Capability Notes
CVE Lookup via Local DB
Licence-Risk Detection Q4-2025
Automatic Detection (Class A) Runs implicitly during scan
— Secrets Detection API keys, tokens, passwords; results in findings (see docs/modules/ui/components/findings-list.md)
— OS Package Analyzers apk, apt, yum, dnf, rpm, pacman; results in SBOM (see docs/modules/cli/guides/commands/sbom.md)
Language Analyzers (All 11)
— .NET/C#, Java, Go, Python
— Node.js, Ruby, Bun, Deno
— PHP, Rust, Native binaries
Progressive Fidelity Modes
— Quick Mode
— Standard Mode
— Deep Mode Full analysis
Base Image Detection
Layer-Aware Analysis
Concurrent Scan Workers Configurable

Reachability Analysis

Capability Notes
Static Call Graph
Entrypoint Detection 9+ framework types
BFS Reachability
Reachability Drift Detection
Binary Loader Resolution ELF/PE/Mach-O
Feature Flag/Config Gating Layer 3 analysis
Runtime Signal Correlation Zastava integration
Gate Detection (auth/admin) Enterprise policies
Path Witness Generation Audit evidence
Reachability Mini-Map API UI visualization
Runtime Timeline API Temporal analysis

Binary Analysis (BinaryIndex)

Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates.

Capability Notes
Binary Identity Extraction Build-ID, hashes
Build-ID Vulnerability Lookup
Debian/Ubuntu Corpus
RPM/RHEL Corpus
Patch-Aware Backport Detection
PE/Mach-O/ELF Parsers
Binary Fingerprint Generation CLI: stella binary fingerprint export
Fingerprint Matching Engine Similarity search
Binary Diff CLI: stella binary diff <base> <candidate>
DWARF/Symbol Analysis Debug symbols

CLI Commands (Class B):

  • stella binary fingerprint export <artifact> — Export fingerprint data (function hashes, section hashes, symbol table)
  • stella binary diff <base> <candidate> — Compare binaries with function/symbol-level diff
  • Output formats: --format json|yaml|table
  • Usage and examples: docs/modules/cli/guides/commands/binary.md

Advisory Sources (Concelier)

Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.

Connector Notes
National CVE Databases
— NVD (NIST) Primary CVE source
— CVE (MITRE) CVE Record format 5.0
OSS Ecosystems
— OSV Multi-ecosystem
— GHSA GitHub Security Advisories
Linux Distributions
— Alpine SecDB
— Debian Security Tracker
— Ubuntu USN
— RHEL/CentOS OVAL
— SUSE OVAL
— Astra Linux Russian distro
CERTs / National CSIRTs
— CISA KEV Known Exploited Vulns
— CISA ICS-CERT Industrial control systems
— CERT-CC Carnegie Mellon
— CERT-FR France
— CERT-Bund (BSI) Germany
— CERT-In India
— ACSC Australia
— CCCS Canada
— KISA South Korea
— JVN Japan
Russian Federation Sources
— FSTEC BDU Russian vuln database
— NKCKI Critical infrastructure
Vendor PSIRTs
— Microsoft MSRC
— Cisco PSIRT
— Oracle CPU
— VMware
— Adobe PSIRT
— Apple Security
— Chromium
ICS/SCADA
— Kaspersky ICS-CERT Industrial security
Risk Scoring
— EPSS v4 Exploit prediction
Additional Features
Custom Advisory Connectors Private feeds
Advisory Merge Engine Conflict resolution
Connector Health CLI stella db connectors status

Connector Operations Matrix (Status/Auth/Runbooks):

Connector Status Auth Ops Runbook
NVD (NIST) stable api-key docs/modules/concelier/operations/connectors/nvd.md
CVE (MITRE) stable none docs/modules/concelier/operations/connectors/cve.md
OSV stable none docs/modules/concelier/operations/connectors/osv.md
GHSA stable api-token docs/modules/concelier/operations/connectors/ghsa.md
Alpine SecDB stable none docs/modules/concelier/operations/connectors/alpine.md
Debian Security Tracker stable none docs/modules/concelier/operations/connectors/debian.md
Ubuntu USN stable none docs/modules/concelier/operations/connectors/ubuntu.md
Red Hat OVAL/CSAF stable none docs/modules/concelier/operations/connectors/redhat.md
SUSE OVAL/CSAF stable none docs/modules/concelier/operations/connectors/suse.md
Astra Linux beta none docs/modules/concelier/operations/connectors/astra.md
CISA KEV stable none docs/modules/concelier/operations/connectors/cve-kev.md
CISA ICS-CERT stable none docs/modules/concelier/operations/connectors/ics-cisa.md
CERT-CC stable none docs/modules/concelier/operations/connectors/cert-cc.md
CERT-FR stable none docs/modules/concelier/operations/connectors/cert-fr.md
CERT-Bund stable none docs/modules/concelier/operations/connectors/certbund.md
CERT-In stable none docs/modules/concelier/operations/connectors/cert-in.md
ACSC stable none docs/modules/concelier/operations/connectors/acsc.md
CCCS stable none docs/modules/concelier/operations/connectors/cccs.md
KISA stable none docs/modules/concelier/operations/connectors/kisa.md
JVN stable none docs/modules/concelier/operations/connectors/jvn.md
FSTEC BDU beta none docs/modules/concelier/operations/connectors/fstec-bdu.md
NKCKI beta none docs/modules/concelier/operations/connectors/nkcki.md
Microsoft MSRC stable none docs/modules/concelier/operations/connectors/msrc.md
Cisco PSIRT stable oauth docs/modules/concelier/operations/connectors/cisco.md
Oracle CPU stable none docs/modules/concelier/operations/connectors/oracle.md
VMware stable none docs/modules/concelier/operations/connectors/vmware.md
Adobe PSIRT stable none docs/modules/concelier/operations/connectors/adobe.md
Apple Security stable none docs/modules/concelier/operations/connectors/apple.md
Chromium stable none docs/modules/concelier/operations/connectors/chromium.md
Kaspersky ICS-CERT beta none docs/modules/concelier/operations/connectors/kaspersky-ics.md
EPSS v4 stable none docs/modules/concelier/operations/connectors/epss.md

VEX Processing (Excititor/VexLens)

VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.

Capability Notes
OpenVEX Ingestion
CycloneDX VEX Ingestion
CSAF VEX Ingestion
VEX Consensus Engine (5-state) Lattice-based resolution
Trust Vector Scoring (P/C/R)
Trust Weight Scoring (9 factors) Issuer, age, specificity, etc.
Claim Strength Multipliers
Freshness Decay 14-day half-life
Conflict Detection & Penalty K4 lattice logic
VEX Conflict Studio UI Visual resolution
VEX Hub (Distribution) Internal VEX network
VEX Webhook Distribution Pub/sub notifications
CSAF Provider Connectors (7) RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware
Issuer Trust Registry Key lifecycle, trust overrides
VEX from Drift Generation stella vex gen --from-drift
Trust Calibration Service Org-specific tuning
Consensus Rationale Export Audit-grade explainability

CLI Commands:

  • stella vex verify <statement> — Verify VEX statement signature and content
  • stella vex consensus <digest> — Show consensus status for digest
  • stella vex evidence export — Export VEX evidence for audit
  • stella vex webhooks list/add/remove — Manage VEX distribution
  • stella issuer keys list/create/rotate/revoke — Issuer key management

Policy Engine

Policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.

Capability Notes
YAML Policy Rules Basic rules
Belnap K4 Four-Valued Logic True/False/Both/Neither
Security Atoms (6 types)
Disposition Selection (ECMA-424)
Minimum Confidence Gate
10+ Policy Gate Types Severity, reachability, age, etc.
6 Risk Score Providers CVSS, KEV, EPSS, FixChain, etc.
Unknowns Budget Gate
Determinization System Signal weights, decay, uncertainty
Policy Simulation stella policy simulate
Source Quota Gate 60% cap enforcement
Reachability Requirement Gate For criticals
OPA/Rego Integration Custom policies
Exception Objects & Workflow Approval chains
Score Policy YAML Full customization
Configurable Scoring Profiles Simple/Advanced
Policy Version History Audit trail
Verdict Attestations DSSE/Rekor signed verdicts

CLI Commands:

  • stella policy list/show/create/update/delete — Policy CRUD
  • stella policy simulate <digest> — Simulate policy evaluation
  • stella policy validate <file> — Validate policy YAML
  • stella policy decisions list/show — View policy decisions
  • stella policy gates list — List available gate types

Attestation & Signing

Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.

Capability Notes
DSSE Envelope Signing
in-toto Statement Structure
25+ Predicate Types SBOM, VEX, verdict, etc.
SBOM Predicate
VEX Predicate
Reachability Predicate
Policy Decision Predicate
Verdict Manifest (signed)
Verdict Replay Verification
Keyless Signing (Sigstore) Fulcio-based OIDC
Delta Attestations (4 types) VEX/SBOM/Verdict/Reachability
Attestation Chains Linked attestation graphs
Human Approval Predicate Workflow attestation
Boundary Predicate Network exposure
Key Rotation Service Automated key lifecycle
Trust Anchor Management Root CA management
SLSA Provenance v1.0 Supply chain
Rekor Transparency Log Public attestation
Cosign Integration Sigstore ecosystem

CLI Commands:

  • stella attest sign <file> — Sign attestation
  • stella attest verify <envelope> — Verify attestation signature
  • stella attest predicates list — List supported predicate types
  • stella attest export <digest> — Export attestations for digest
  • stella keys list/create/rotate/revoke — Key management

Regional Crypto (Sovereign Profiles)

Sovereign crypto is core to the open-source promise - no vendor lock-in on compliance. 8 signature profiles supported.

Capability Notes
Default Crypto (Ed25519)
FIPS 140-2/3 Mode US Federal
eIDAS Signatures EU Compliance
GOST/CryptoPro Russia
SM National Standard China
Post-Quantum (Dilithium) Future-proof
Crypto Plugin Architecture Custom HSM
Multi-Profile Signing Sign with multiple algorithms
SM Remote Service Chinese market HSM integration
HSM/PKCS#11 Integration Hardware security modules

CLI Commands:

  • stella crypto profiles list — List available crypto profiles
  • stella crypto verify --profile <name> — Verify with specific profile
  • stella crypto plugins list/status — Manage crypto plugins

Determinism & Reproducibility

Capability Notes
Canonical JSON Serialization
Content-Addressed IDs SHA-256
Replay Manifest (SRM)
stella replay CLI
Score Explanation Arrays
Evidence Freshness Multipliers
Proof Coverage Metrics
Fidelity Metrics (BF/SF/PF) Audit dashboards
FN-Drift Rate Tracking Quality monitoring
Determinism Gate CI Automated checks

Scoring & Risk Assessment

Capability Notes
CVSS v4.0 Display
EPSS v4 Probability
Priority Band Classification
EPSS-at-Scan Immutability
Unified Confidence Model 5-factor
Entropy-Based Scoring Advanced
Gate Multipliers Reachability-aware
Unknowns Pressure Factor Risk budgets
Custom Scoring Profiles Org-specific

Evidence & Findings

Capability Notes
Findings List
Evidence Graph View Basic
Decision Capsules
Findings Ledger (Immutable) Audit trail
Evidence Locker (Sealed) Export/import
Evidence TTL Policies Retention rules
Evidence Size Budgets Storage governance
Retention Tiers Hot/Warm/Cold
Privacy Controls Redaction
Audit Pack Export Compliance bundles

CLI Capabilities

Capability Notes
Scanner Commands
SBOM Inspect & Diff
Deterministic Replay
Attestation Verify
Unknowns Budget Check
Evidence Export
Audit Pack Operations Full workflow
Binary Match Inspection Advanced
Crypto Plugin Commands Regional crypto
Admin Utilities Ops tooling

Web UI Capabilities

Capability Notes
Dark/Light Mode
Findings Row Component
Evidence Drawer
Proof Tab
Confidence Meter
Locale Support Cyrillic, etc.
Reproduce Verdict Button
Audit Trail UI Full history
Trust Algebra Panel P/C/R visualization
Claim Comparison Table Conflict view
Policy Chips Display Gate status
Reachability Mini-Map Path visualization
Runtime Timeline Temporal view
Operator/Auditor Toggle Role separation
Knowledge Snapshot UI Air-gap prep
Keyboard Shortcuts Power users

Quota & Operations

Plan Scans per Day
Free 333
Pro 3,333
Enterprise Unlimited

All other operational capabilities are available across all plans:

  • Usage API (/quota)
  • Client-JWT authentication
  • Rate Limiting & 429 Backpressure
  • Retry-After Headers
  • Priority Queue
  • Burst Allowance (configurable)
  • Custom Quotas (configurable)

Offline & Air-Gap

Capability Notes
Offline Update Kits (OUK) Available
Offline Signature Verify
One-Command Replay
Sealed Knowledge Snapshots Full feed export
Air-Gap Bundle Manifest Transfer packages
No-Egress Enforcement Strict isolation
Offline JWT Extended tokens

Deployment

Capability Notes
Docker Compose Single-node
Helm Chart (K8s)
PostgreSQL 16+
Valkey 8.0+
RustFS (S3)
High-Availability Multi-replica
Horizontal Scaling Auto-scale
Dedicated Capacity Reserved resources

Access Control & Identity (Authority)

Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.

Capability Notes
Basic Auth
API Keys With scopes and expiration
SSO/SAML Integration Okta, Azure AD
OIDC Support
Basic RBAC User/Admin
75+ Authorization Scopes Fine-grained permissions
DPoP (Sender Constraints) Token binding
mTLS Client Certificates Certificate auth
Device Authorization Flow CLI/IoT devices
PAR Support Pushed Authorization Requests
User Federation (LDAP/SAML) Directory integration
Multi-Factor Authentication TOTP/WebAuthn
Advanced RBAC Team-based scopes
Multi-Tenant Management Org hierarchy
Audit Log Export SIEM integration

CLI Commands:

  • stella auth clients list/create/delete — OAuth client management
  • stella auth roles list/show/assign — Role management
  • stella auth scopes list — List available scopes
  • stella auth token introspect <token> — Token introspection
  • stella auth api-keys list/create/revoke — API key management

Notifications & Integrations

10 notification channel types with template engine, routing rules, and escalation.

Capability Notes
In-App Notifications
Email Notifications
EPSS Change Alerts
Slack Integration
Teams Integration
Discord Integration Webhook-based
PagerDuty Integration Incident management
OpsGenie Integration Alert routing
Zastava Registry Hooks Auto-scan on push
Zastava K8s Admission Validating/Mutating webhooks
Template Engine Customizable templates
Channel Routing Rules Severity/team routing
Escalation Policies Time-based escalation
Notification Studio UI Visual rule builder
Custom Webhooks Any endpoint
CI/CD Gates GitLab/GitHub/Jenkins
SCM Integrations PR comments, status checks
Issue Tracker Integration Jira, GitHub Issues
Enterprise Connectors Grid/Premium APIs

CLI Commands:

  • stella notify channels list/test — Channel management
  • stella notify rules list/create — Routing rules
  • stella zastava install/configure/status — K8s webhook management

Scheduling & Automation

Capability Notes
Manual Scans
Scheduled Scans Cron-based
Task Pack Orchestration Declarative workflows
EPSS Daily Refresh Auto-update
Event-Driven Scanning On registry push

Observability & Telemetry

Capability Notes
Basic Metrics
Opt-In Telemetry
OpenTelemetry Traces Full tracing
Prometheus Export Custom dashboards
Quality KPIs Dashboard Triage metrics
SLA Monitoring Uptime tracking

Support & Services

Capability Notes
Documentation
Community Forums
GitHub Issues
Email Support Business hours
Priority Support 4hr response
24/7 Critical Support Add-on
Dedicated CSM Named contact
Professional Services Implementation
Training & Certification Team enablement
SLA Guarantee 99.9% uptime

Version Comparison

Capability Notes
RPM (NEVRA)
Debian (EVR)
Alpine (APK)
SemVer
PURL Resolution

Legend: = Planned

Last updated: 17 Jan 2026 (rev 6.0 - All features available across all tiers)