StellaOps Bot a872da765d refactor: inject TimeProvider/IGuidProvider across multiple modules - DET-006 to DET-010
DET-006 Provenance module: Skipped - already uses TimeProvider in production code

DET-007 ReachGraph module:
- PostgresReachGraphRepository: Added TimeProvider for fallback timestamp in StoreAsync

DET-008 Registry module:
- RegistryTokenIssuer: Added IGuidProvider for JWT ID (jti) generation
- Added StellaOps.Determinism.Abstractions project reference

DET-009 Replay module:
- ReplayEngine: Added TimeProvider for ExecutedAt timestamp
- ReplayResult.Failed: Added optional executedAt parameter for determinism
- ReplayManifestExporter: Added TimeProvider constructor, replaced DateTimeOffset.UtcNow
- FeedSnapshotCoordinatorService: Updated GenerateSnapshotId to use injected TimeProvider
- ExportMetadataInfo: Made ExportedAt required (callers must provide explicitly)
- PolicySimulationInputLock: Made GeneratedAt required (callers must provide explicitly)

DET-010 RiskEngine module: Skipped - no determinism issues found

All changes maintain backward compatibility through optional parameters with system defaults.
2026-01-04 15:08:48 +02:00


# Full Features List - Stella Ops
> **Comprehensive catalog of every capability in the Stella Ops platform.**
>
> For quick capability cards with competitive differentiation, see [`key-features.md`](key-features.md).
> For tier-based availability (Free/Community/Enterprise), see [`04_FEATURE_MATRIX.md`](04_FEATURE_MATRIX.md).
---
## How to Read This Document
- **Base Features**: Core functionality available to all users
- **Enhanced Features**: Advanced capabilities building on base features
- **Specialized Features**: Domain-specific or enterprise-grade capabilities
- **Control Method**: Indicates how each feature is accessed
  - `CLI` - Command-line interface
  - `Config` - YAML/JSON configuration files
  - `UI` - Web user interface
  - `API` - REST/gRPC API endpoints
---
## Table of Contents
### Part I: Foundational Capabilities
1. [Container Scanning](#1-container-scanning)
2. [Package Detection](#2-package-detection)
3. [Vulnerability Detection](#3-vulnerability-detection)
4. [Output & Reporting](#4-output--reporting)
### Part II: Enhanced Analysis
5. [SBOM Management](#5-sbom-management)
6. [VEX Processing](#6-vex-processing)
7. [Reachability Analysis](#7-reachability-analysis)
8. [Policy Engine](#8-policy-engine)
### Part III: Specialized Capabilities
9. [Determinism & Reproducibility](#9-determinism--reproducibility)
10. [Attestation & Signing](#10-attestation--signing)
11. [Offline Operations](#11-offline-operations)
12. [Risk Scoring](#12-risk-scoring)
### Part IV: Platform Features
13. [Authentication & Authorization](#13-authentication--authorization)
14. [Deployment & Operations](#14-deployment--operations)
15. [Integrations](#15-integrations)
16. [Observability](#16-observability)
### Appendices
- [A. CLI Command Reference](#appendix-a-cli-command-reference)
- [B. Configuration Reference](#appendix-b-configuration-reference)
- [C. API Reference](#appendix-c-api-reference)
---
# Part I: Foundational Capabilities
## 1. Container Scanning
Container scanning is the core capability of Stella Ops. All other features build upon this foundation.
### 1.1 Image Scanning (Base)
Scan container images for vulnerabilities and generate SBOMs.
| Feature | Description | Control |
|---------|-------------|---------|
| OCI image scanning | Scan OCI-compliant container images | `CLI` `API` |
| Docker image scanning | Scan Docker images from local daemon or registry | `CLI` `API` |
| Filesystem scanning | Scan extracted rootfs directories | `CLI` |
| Archive scanning | Scan .tar.gz container archives | `CLI` |
| Digest-based pull | Pull images by content-addressable digest | `CLI` |
**CLI Usage:**
```bash
stella scan --image <registry/image:tag>
stella scan --image <registry/image@sha256:...>
stella scan --rootfs /path/to/extracted
```
### 1.2 Registry Integration (Base)
Connect to container registries for scanning.
| Feature | Description | Control |
|---------|-------------|---------|
| Public registry | Scan images from public registries (Docker Hub, GHCR, etc.) | `CLI` |
| Private registry | Authenticate to private registries | `CLI` `Config` |
| Registry auth | Username/password, token, and keychain authentication | `Config` |
| Mirror support | Use registry mirrors for offline environments | `Config` |
**Configuration:**
```yaml
# etc/scanner.yaml
registry:
  mirrors:
    docker.io: "mirror.internal:5000"
  credentials:
    - registry: "private.registry.io"
      username: "${REGISTRY_USER}"
      password: "${REGISTRY_PASSWORD}"
```
### 1.3 Layer Analysis (Enhanced)
Analyze container layers for package changes.
| Feature | Description | Control |
|---------|-------------|---------|
| Per-layer detection | Identify which packages came from which layer | `CLI` |
| Base image detection | Automatically identify base image | `CLI` |
| Layer change tracking | Track package additions/removals per layer | `CLI` |
| Inherited vs added | Distinguish base image packages from application packages | `CLI` |
**CLI Usage:**
```bash
stella scan --image myapp:latest --show-layers
```
### 1.4 Scan Performance (Enhanced)
Performance optimizations for scanning at scale.
| Feature | Description | Control |
|---------|-------------|---------|
| Delta-SBOM cache | Cache layer SBOMs for sub-second warm scans | `Config` |
| Concurrent workers | Run multiple scan workers in parallel | `Config` |
| Content-addressed caching | Deduplicate layers by content hash | Automatic |
| Incremental analysis | Only analyze changed layers | Automatic |
**Performance Tiers:**
- **Free**: 1 concurrent scan worker
- **Community**: 3 concurrent scan workers
- **Enterprise**: Unlimited concurrent workers
---
## 2. Package Detection
### 2.1 OS Packages (Base)
Detect operating system packages and their vulnerabilities.
| Feature | Description | Control |
|---------|-------------|---------|
| Alpine APK | Detect Alpine Linux packages | Automatic |
| Debian/Ubuntu APT | Detect apt packages from dpkg database | Automatic |
| RHEL/CentOS/Fedora RPM | Detect RPM packages | Automatic |
| Arch Linux Pacman | Detect Arch packages | Automatic |
| SUSE Zypper | Detect SUSE packages | Automatic |
### 2.2 Language Ecosystems (Base)
Detect packages from application language ecosystems.
| Ecosystem | Package Manager | Manifest Files | Control |
|-----------|-----------------|----------------|---------|
| **JavaScript/Node.js** | npm, yarn, pnpm | package.json, package-lock.json, yarn.lock | Automatic |
| **Python** | pip, poetry, pipenv | requirements.txt, Pipfile.lock, pyproject.toml | Automatic |
| **Java** | Maven, Gradle | pom.xml, build.gradle, *.jar | Automatic |
| **Go** | Go Modules | go.mod, go.sum | Automatic |
| **.NET** | NuGet | *.csproj, packages.config, *.deps.json | Automatic |
| **Ruby** | Bundler | Gemfile, Gemfile.lock | Automatic |
| **Rust** | Cargo | Cargo.toml, Cargo.lock | Automatic |
| **PHP** | Composer | composer.json, composer.lock | Automatic |
| **Bun** | Bun | bun.lockb, package.json | Automatic |
| **Deno** | Deno | deno.json, import_map.json | Automatic |
| **Native/C/C++** | conan, vcpkg | conanfile.txt, vcpkg.json | Automatic |
### 2.3 Advanced Detection (Enhanced)
Enhanced package detection capabilities.
| Feature | Description | Control |
|---------|-------------|---------|
| Transitive dependency mapping | Map full dependency tree | Automatic |
| License detection | Detect package licenses | `CLI` |
| Binary fingerprinting | Identify packages from compiled binaries | `CLI` |
| Symbol extraction | Extract symbol tables for reachability | `CLI` |
---
## 3. Vulnerability Detection
### 3.1 Advisory Sources (Base)
Vulnerability data sources used for detection.
| Source | Description | Update Frequency | Control |
|--------|-------------|------------------|---------|
| NVD (NIST) | National Vulnerability Database | Hourly | `Config` |
| GitHub Security Advisories (GHSA) | GitHub ecosystem advisories | Real-time | `Config` |
| OSV | Open Source Vulnerabilities | Real-time | `Config` |
| Alpine SecDB | Alpine-specific advisories | Hourly | `Config` |
| Debian Tracker | Debian-specific advisories | Hourly | `Config` |
| RHEL/CentOS Errata | Red Hat security errata | Daily | `Config` |
| Ubuntu USN | Ubuntu Security Notices | Hourly | `Config` |
**Configuration:**
```yaml
# etc/concelier.yaml
concelier:
  sources:
    ghsa:
      apiToken: "${GITHUB_PAT}"
      pageSize: 50
    nvd:
      enabled: true
      apiKey: "${NVD_API_KEY}"
```
### 3.2 Vulnerability Enrichment (Enhanced)
Additional metadata added to detected vulnerabilities.
| Feature | Description | Control |
|---------|-------------|---------|
| KEV (Known Exploited) | CISA Known Exploited Vulnerabilities flag | Automatic |
| EPSS | Exploit Prediction Scoring System percentile | Automatic |
| CVSS v4.0 | CVSS 4.0 scoring with environmental metrics | Automatic |
| Exploit maturity | Proof of concept, weaponized, in-the-wild | Automatic |
### 3.3 Backport Detection (Specialized)
Detect security patches backported by vendors.
| Feature | Description | Control |
|---------|-------------|---------|
| Binary backport detection | Identify backported patches in binaries | `CLI` |
| Changelog evidence | Match changelogs to security fixes | Automatic |
| Vendor VEX integration | Apply vendor-provided VEX statements | `Config` |
---
## 4. Output & Reporting
### 4.1 Output Formats (Base)
Standard output formats for scan results.
| Format | Description | Control |
|--------|-------------|---------|
| Table (human-readable) | Formatted table output for terminal | `CLI --output table` |
| JSON | Machine-readable JSON output | `CLI --output json` |
| SARIF | Static Analysis Results Interchange Format | `CLI --output sarif` |
| CycloneDX VEX | CycloneDX VEX format | `CLI --output cdx-vex` |
| OpenVEX | OpenVEX format | `CLI --output openvex` |
**CLI Usage:**
```bash
stella scan --image myapp:latest --output json > results.json
stella scan --image myapp:latest --output sarif > results.sarif
```
### 4.2 Filtering & Thresholds (Base)
Filter and threshold controls for scan results.
| Feature | Description | Control |
|---------|-------------|---------|
| Severity filter | Filter by CRITICAL, HIGH, MEDIUM, LOW | `CLI --severity` |
| Fix available | Show only vulnerabilities with fixes | `CLI --fixable` |
| Exit codes | Configurable exit codes for CI/CD | `CLI` |
| Ignore file | .stellaignore for suppression | `Config` |
**CLI Usage:**
```bash
stella scan --image myapp --severity HIGH,CRITICAL --fixable
stella scan --image myapp --exit-code-if-vuln 1
```
### 4.3 Export Center (Enhanced)
Batch export and report generation.
| Feature | Description | Control |
|---------|-------------|---------|
| Scheduled exports | Export scan results on schedule | `Config` `UI` |
| Multiple formats | Export to JSON, CSV, PDF, Excel | `API` |
| Template-based reports | Customizable report templates | `Config` |
| Compliance reports | Pre-built compliance report templates | `UI` |
---
# Part II: Enhanced Analysis
## 5. SBOM Management
### 5.1 SBOM Generation (Base)
Generate Software Bill of Materials.
| Format | Version | Description | Control |
|--------|---------|-------------|---------|
| CycloneDX | 1.7 | Primary output format | `CLI --sbom-format cyclonedx` |
| CycloneDX | 1.6 | Backward compatible | `CLI --sbom-format cyclonedx-1.6` |
| SPDX | 3.0.1 | SPDX 3.0.1 format | `CLI --sbom-format spdx` |
| SPDX-JSON | 2.3 | SPDX JSON format | `CLI --sbom-format spdx-json` |
**CLI Usage:**
```bash
stella scan --image myapp --sbom-out sbom.json --sbom-format cyclonedx
```
### 5.2 SBOM Ingestion (Base)
Import existing SBOMs.
| Feature | Description | Control |
|---------|-------------|---------|
| Auto-format detection | Automatically detect SBOM format | Automatic |
| BYOS (Bring Your Own SBOM) | Scan using provided SBOM | `CLI --sbom` |
| Third-party SBOM | Import SBOMs from external sources | `API` |
| Validation | Validate SBOM structure and content | `CLI` |
**CLI Usage:**
```bash
stella scan --sbom existing-sbom.json
```
### 5.3 SBOM Diff (Enhanced)
Compare SBOMs between versions.
| Feature | Description | Control |
|---------|-------------|---------|
| Package diff | Show added/removed packages | `CLI` |
| Version diff | Show version changes | `CLI` |
| License diff | Show license changes | `CLI` |
| Semantic diff | Understand meaning of changes | `CLI` |
**CLI Usage:**
```bash
stella compare sbom --a v1.0-sbom.json --b v2.0-sbom.json
```
### 5.4 SBOM Lineage Ledger (Enterprise)
Full version history and lineage tracking.
| Feature | Description | Control |
|---------|-------------|---------|
| Version history | Full SBOM version history | `API` `UI` |
| Lineage tracking | Track SBOM across builds | `API` |
| Traversal queries | Query SBOM lineage | `API` |
| Audit trail | Complete audit trail | `UI` |
---
## 6. VEX Processing
### 6.1 VEX Ingestion (Base)
Import VEX statements from multiple sources.
| Format | Description | Control |
|--------|-------------|---------|
| OpenVEX | OpenVEX JSON format | `CLI` `API` |
| CycloneDX VEX | CycloneDX VEX format | `CLI` `API` |
| CSAF | Common Security Advisory Framework | `CLI` `API` |
**CLI Usage:**
```bash
stella vex import --file vendor-vex.json
```
### 6.2 VEX Statuses (Base)
Standard VEX status types.
| Status | Description | Policy Effect |
|--------|-------------|---------------|
| `not_affected` | Component not affected by vulnerability | Suppresses finding |
| `affected` | Component is affected | Surfaces finding |
| `fixed` | Vulnerability has been fixed | Contextual |
| `under_investigation` | Investigation in progress | Marks as Unknown |
### 6.3 VEX Consensus Engine (Enhanced)
Merge VEX statements from multiple issuers into a single verdict using K4 (Belnap four-valued) lattice logic.
| Feature | Description | Control |
|---------|-------------|---------|
| Multi-issuer consensus | Merge VEX from multiple issuers | `Config` |
| Trust weighting | Weight VEX by issuer trust level | `Config` |
| Conflict detection | Detect conflicting VEX statements | Automatic |
| K4 lattice logic | Belnap four-valued logic (Unknown, True, False, Conflict) | Automatic |
**K4 Lattice Values:**
- `Unknown` - No information available
- `True` - Positive assertion (affected)
- `False` - Negative assertion (not affected)
- `Conflict` - Contradictory assertions
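As an added example (not Stella Ops code), the following Python implements the four-valued merge described above: statements from several issuers about the same vulnerability and component are joined in the K4 lattice, issuers below a trust floor are ignored, and a `Conflict` is resolved toward one side only when that side's trust weight clearly dominates. The statement shape, the reading of `fixed` as not-affected, and the dominance tie-break are assumptions of this example.

```python
"""K4 (Belnap four-valued) lattice consensus over VEX statements.
Added example, not Stella Ops code; statement shape, `fixed` mapping and
the trust-dominance tie-break are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class K4(Enum):
    """Belnap's four values, ordered by information content."""
    UNKNOWN = "Unknown"    # no information (bottom)
    TRUE = "True"          # positive assertion: affected
    FALSE = "False"        # negative assertion: not affected
    CONFLICT = "Conflict"  # contradictory assertions (top)


def k4_join(a: K4, b: K4) -> K4:
    """Least upper bound in the knowledge order: Unknown < True, False < Conflict."""
    if a == b or b == K4.UNKNOWN:
        return a
    if a == K4.UNKNOWN:
        return b
    return K4.CONFLICT  # True vs False, or anything joined with Conflict


# VEX status -> K4 value. `fixed` is read as not affected at this version (simplification).
STATUS_TO_K4 = {"affected": K4.TRUE, "not_affected": K4.FALSE,
                "fixed": K4.FALSE, "under_investigation": K4.UNKNOWN}


@dataclass(frozen=True)
class VexStatement:
    issuer: str
    vuln_id: str
    product: str  # purl of the component the statement covers
    status: str


@dataclass(frozen=True)
class Consensus:
    value: K4
    conflict_detected: bool  # trusted issuers asserted both True and False
    true_weight: float
    false_weight: float


def consensus(statements, trust, *, min_trust=0.0, dominance=4.0) -> Consensus:
    """Merge statements about one (vuln, product) pair.

    Issuers below `min_trust` are dropped (missing issuer = weight 0), the rest
    are joined in the K4 lattice, and a Conflict resolves toward a side only if
    it carries >= `dominance` times the other's trust weight (assumed tie-break).
    """
    value = K4.UNKNOWN
    weight = {K4.TRUE: 0.0, K4.FALSE: 0.0}
    for s in statements:
        w = trust.get(s.issuer, 0.0)
        if w < min_trust:
            continue
        v = STATUS_TO_K4.get(s.status, K4.UNKNOWN)  # unrecognised status adds nothing
        value = k4_join(value, v)
        if v in weight:
            weight[v] += w
    t, f = weight[K4.TRUE], weight[K4.FALSE]
    conflict = value == K4.CONFLICT
    if conflict and f > 0 and t / f >= dominance:
        value = K4.TRUE
    elif conflict and t > 0 and f / t >= dominance:
        value = K4.FALSE
    return Consensus(value, conflict, t, f)


def consensus_by_subject(statements, trust, **options):
    """Group statements by (vuln_id, product) and merge each group."""
    groups = defaultdict(list)
    for s in statements:
        groups[(s.vuln_id, s.product)].append(s)
    return {k: consensus(g, trust, **options) for k, g in groups.items()}


# Constructed sample data; CVE ids are placeholders, not real advisories.
TRUST = {"vendor-a": 0.9, "distro-b": 0.6, "scanner-c": 0.2, "anon": 0.05}
LIB, PKG, MOD = "pkg:npm/example-lib@1.3.0", "pkg:pypi/example-pkg@2.0.0", "pkg:golang/example.org/mod@1.0.0"
SAMPLE = [
    # two strong issuers clear the finding, a weak one disputes it
    VexStatement("vendor-a", "CVE-EXAMPLE-0001", LIB, "not_affected"),
    VexStatement("distro-b", "CVE-EXAMPLE-0001", LIB, "fixed"),
    VexStatement("scanner-c", "CVE-EXAMPLE-0001", LIB, "affected"),
    # genuine disagreement between two comparably trusted issuers
    VexStatement("vendor-a", "CVE-EXAMPLE-0002", PKG, "affected"),
    VexStatement("distro-b", "CVE-EXAMPLE-0002", PKG, "not_affected"),
    # open investigation plus a claim from an issuer below the trust floor
    VexStatement("vendor-a", "CVE-EXAMPLE-0003", MOD, "under_investigation"),
    VexStatement("anon", "CVE-EXAMPLE-0003", MOD, "affected"),
]

if __name__ == "__main__":
    for (vuln, product), c in consensus_by_subject(SAMPLE, TRUST, min_trust=0.1).items():
        print(vuln, product, c.value.value, "(conflict seen)" if c.conflict_detected else "")
```

Without the trust floor, the `anon` claim alone would turn the third subject into `True`; with it, the subject stays `Unknown`, which is the behaviour the issuer directory's trust levels exist to provide.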
### 6.4 Issuer Directory (Enhanced)
Manage trusted VEX issuers.
| Feature | Description | Control |
|---------|-------------|---------|
| Issuer registry | Register trusted VEX issuers | `Config` `UI` |
| Trust levels | Assign trust weights to issuers | `Config` |
| CSAF publisher discovery | Discover CSAF publishers | `Config` |
---
## 7. Reachability Analysis
### 7.1 Static Reachability (Enhanced)
Determine if vulnerable code is reachable.
| Feature | Description | Control |
|---------|-------------|---------|
| Call graph analysis | Build call graph from entrypoint | `CLI` |
| Reachable/Unreachable classification | Mark vulnerabilities by reachability | `CLI` |
| Path visualization | Show call paths to vulnerable code | `CLI` |
**CLI Usage:**
```bash
stella scan --image myapp --reachability
stella graph show --cve CVE-2024-1234 --artifact sha256:abc...
```
### 7.2 Three-Layer Proofs (Specialized)
Multi-layer reachability validation.
| Layer | What It Proves | Confidence |
|-------|---------------|------------|
| Static | Call graph shows path exists | Likely |
| Binary | Compiled binary contains symbol | Higher |
| Runtime | eBPF probe confirms execution | Confirmed |
**Confidence Tiers:**
- **Confirmed** - All three layers agree
- **Likely** - Static + binary agree; no runtime
- **Present** - Package present; no reachability evidence
- **Unreachable** - Static analysis proves no path
### 7.3 Signed Reachability (Specialized)
Cryptographic binding for reachability proofs.
| Feature | Description | Control |
|---------|-------------|---------|
| Graph-level DSSE | Sign entire reachability graph | `Config` |
| Edge-bundle attestation | Sign individual path edges | `Config` |
| Proof export | Export reachability proofs | `CLI` |
---
## 8. Policy Engine
### 8.1 Policy Packs (Base)
Pre-built and custom policy configurations.
| Feature | Description | Control |
|---------|-------------|---------|
| Built-in starter pack | Production-ready Day 1 policy | `CLI policy install starter-day1` |
| Custom policies | Define custom policy rules | `Config` |
| Policy validation | Validate policy YAML syntax | `CLI policy validate` |
**CLI Usage:**
```bash
stella policy install starter-day1
stella policy validate --path ./my-policy.yaml
stella policy list-packs
```
### 8.2 Policy Rules (Base)
Define rules for vulnerability handling.
| Rule Type | Description | Example |
|-----------|-------------|---------|
| Severity block | Block by severity level | Block CRITICAL reachable |
| Reachability gate | Gate based on reachability | Allow unreachable HIGH |
| VEX bypass | Allow VEX-suppressed findings | Allow with VEX:not_affected |
| Unknowns budget | Set unknowns threshold | Fail if unknowns > 5% |
**Policy Example:**
```yaml
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
  name: production-gates
spec:
  rules:
    - name: block-reachable-critical
      action: block
      severity: [CRITICAL]
      reachability: reachable
      message: "Reachable critical vulnerabilities must be fixed"
    - name: allow-unreachable
      action: allow
      reachability: unreachable
```
### 8.3 Policy Simulation (Enhanced)
Test policies before deployment.
| Feature | Description | Control |
|---------|-------------|---------|
| Simulate against scan | Test policy against historical scan | `CLI policy simulate` |
| Diff policies | Compare two policy outcomes | `CLI policy simulate --diff` |
| Dry-run | Preview policy effects | `CLI` |
**CLI Usage:**
```bash
stella policy simulate --policy ./new-policy.yaml --scan scan-id-123
stella policy simulate --policy ./new-policy.yaml --scan scan-id --diff ./old-policy.yaml
```
### 8.4 Policy Gates (Specialized)
Advanced policy evaluation gates.
| Gate | Description | Control |
|------|-------------|---------|
| Quality Gate | Block deploy based on thresholds | `Config` |
| Approval Gate | Require human approval | `Config` `UI` |
| Exception Gate | Manage temporary exceptions | `Config` `UI` |
| Stability Damping | Prevent gate flickering | `Config` |
### 8.5 Policy Distribution (Enhanced)
Distribute policies across environments.
| Feature | Description | Control |
|---------|-------------|---------|
| OCI registry push | Push policies to OCI registry | `CLI policy push` |
| OCI registry pull | Pull policies from registry | `CLI policy pull` |
| Offline bundle export | Export for air-gapped environments | `CLI policy export-bundle` |
| Environment overrides | Apply environment-specific overrides | `Config` |
**CLI Usage:**
```bash
stella policy push --policy ./policy.yaml --to registry.io/policies/prod:1.0
stella policy pull --from registry.io/policies/prod:1.0 --output ./
stella policy export-bundle --policy ./policy.yaml --output bundle.tar.gz
```
---
# Part III: Specialized Capabilities
## 9. Determinism & Reproducibility
### 9.1 Replay Manifests (Specialized)
Capture everything needed to reproduce a scan.
| Feature | Description | Control |
|---------|-------------|---------|
| SRM generation | Generate Scan Replay Manifest | `CLI --srm-out` |
| Replay execution | Replay scan from manifest | `CLI replay` |
| Determinism verification | Verify replay matches original | `CLI replay verify` |
**CLI Usage:**
```bash
# Generate replay manifest
stella scan --image myapp --srm-out manifest.yaml
# Replay later
stella replay --manifest manifest.yaml --assert-digest sha256:abc...
```
### 9.2 Knowledge Snapshots (Specialized)
Frozen point-in-time vulnerability knowledge.
| Feature | Description | Control |
|---------|-------------|---------|
| Snapshot export | Export frozen knowledge state | `CLI airgap export` |
| Snapshot import | Import knowledge snapshot | `CLI airgap import` |
| Snapshot diff | Compare two snapshots | `CLI airgap diff` |
| Staleness tracking | Track snapshot age | `CLI airgap status` |
**CLI Usage:**
```bash
stella airgap export --output knowledge-2024-01.tar.gz --sign
stella airgap import knowledge-2024-01.tar.gz --verify-only
stella airgap diff --base old.tar.gz --target new.tar.gz
stella airgap status
```
### 9.3 Verdict Replay (Specialized)
Replay policy decisions for audit.
| Feature | Description | Control |
|---------|-------------|---------|
| Snapshot replay | Replay using knowledge snapshot | `CLI replay snapshot` |
| Verdict comparison | Compare replayed vs original verdict | `CLI` |
| Drift detection | Detect verdict drift | `CLI` |
**CLI Usage:**
```bash
stella replay snapshot --verdict <id>
stella replay snapshot --artifact sha256:... --snapshot <snapshot-id>
```
---
## 10. Attestation & Signing
### 10.1 DSSE Attestation (Specialized)
Sign evidence as in-toto DSSE attestations.
| Feature | Description | Control |
|---------|-------------|---------|
| SBOM attestation | Sign SBOMs with DSSE | `CLI attest` |
| Verdict attestation | Sign policy verdicts | `CLI` |
| Evidence bundles | Create signed evidence bundles | `CLI` |
### 10.2 Keyless Signing (Specialized)
Sigstore-compatible keyless signing.
| Feature | Description | Control |
|---------|-------------|---------|
| Keyless sign | Sign using OIDC identity | `CLI sign keyless` |
| Rekor upload | Upload to transparency log | `CLI sign keyless --rekor` |
| Verify keyless | Verify keyless signatures | `CLI sign verify-keyless` |
| Self-hosted Sigstore | Use self-hosted Fulcio/Rekor | `Config` |
**CLI Usage:**
```bash
stella sign keyless --input artifact.json --rekor
stella sign verify-keyless --input artifact.json --bundle artifact.sigstore
```
### 10.3 Regional Cryptography (Specialized)
Sovereign cryptography profiles.
| Profile | Algorithms | Use Case | Control |
|---------|------------|----------|---------|
| FIPS-140-3 | ECDSA P-256, RSA-PSS | US federal | `Config` |
| eIDAS | ETSI TS 119 312 | EU qualified | `Config` |
| GOST-2012 | GOST R 34.10-2012 | Russian Federation | `Config` |
| SM2 | GM/T 0003.2-2012 | PRC | `Config` |
| PQC | Dilithium, Falcon | Post-quantum | `Config` |
**Configuration:**
```yaml
# etc/appsettings.crypto.yaml
cryptography:
  profile: "fips-140-3"
  algorithms:
    signing: "ES256"
    hashing: "SHA256"
```
---
## 11. Offline Operations
### 11.1 Offline Update Kits (Specialized)
Bundle everything for air-gapped environments.
| Feature | Description | Control |
|---------|-------------|---------|
| Kit export | Export complete offline bundle | `CLI offline export` |
| Kit import | Import offline bundle | `CLI offline import` |
| Kit verification | Verify bundle integrity | `CLI` |
| Staleness policy | Configure max bundle age | `Config` |
**Configuration:**
```yaml
# etc/airgap.yaml
staleness:
  maxAgeHours: 168    # 7 days
  warnAgeHours: 72    # 3 days
  staleAction: block  # block or warn
import:
  verifySignature: true
  verifyMerkleRoot: true
  enforceMonotonicity: true
```
### 11.2 Mirror Services (Specialized)
Local mirrors for vulnerability feeds.
| Feature | Description | Control |
|---------|-------------|---------|
| Feed mirror | Mirror advisory feeds locally | `Config` |
| Registry mirror | Mirror container registry | `Config` |
| Transparency mirror | Mirror Rekor transparency log | `Config` |
### 11.3 Egress Control (Specialized)
Network access control for sealed mode.
| Feature | Description | Control |
|---------|-------------|---------|
| Allowlist mode | Only allow specified hosts | `Config` |
| Denylist mode | Block specified hosts | `Config` |
| Localhost only | Fully sealed operation | `Config` |
**Configuration:**
```yaml
# etc/airgap.yaml
egressPolicy:
  mode: allowlist
  allowedHosts: []
  allowLocalhost: true
```
---
## 12. Risk Scoring
### 12.1 CVSS Scoring (Enhanced)
CVSS-based risk assessment.
| Feature | Description | Control |
|---------|-------------|---------|
| CVSS v4.0 | Full CVSS 4.0 support | Automatic |
| Environmental metrics | Apply environmental context | `Config` |
| Temporal metrics | Apply temporal context | Automatic |
| CVSS receipts | Signed CVSS calculations | `CLI` |
**CLI Usage:**
```bash
stella cvss score --vuln CVE-2024-1234 --policy cvss-policy.json --vector "CVSS:4.0/..."
stella cvss show --receipt <receipt-id>
```
### 12.2 Risk Budgets (Enhanced)
Track risk across portfolios.
| Feature | Description | Control |
|---------|-------------|---------|
| Risk budget definition | Define acceptable risk levels | `Config` |
| Budget tracking | Track consumption over time | `UI` |
| Budget alerts | Alert when budget exceeded | `Config` |
### 12.3 Unknowns Tracking (Specialized)
Track and manage unknown components.
| Feature | Description | Control |
|---------|-------------|---------|
| Unknown detection | Detect unidentified components | Automatic |
| Unknown classification | Hot/Warm/Cold/Resolved bands | Automatic |
| Decay tracking | Track uncertainty over time | Automatic |
| Budget enforcement | Fail if unknowns exceed threshold | `Config` |
**CLI Usage:**
```bash
stella unknowns list
stella unknowns show --id <unknown-id>
```
---
# Part IV: Platform Features
## 13. Authentication & Authorization
### 13.1 Authentication Methods (Base)
User and service authentication.
| Method | Description | Control |
|--------|-------------|---------|
| OAuth 2.0 | Authorization code flow | `Config` |
| Client credentials | Service-to-service auth | `Config` |
| DPoP | Demonstrating Proof of Possession | `Config` |
| mTLS | Mutual TLS authentication | `Config` |
**Configuration:**
```yaml
# etc/authority.yaml
clients:
  - clientId: "scanner-service"
    grantTypes: ["client_credentials"]
    scopes: ["scan:read", "scan:write"]
    senderConstraint: "dpop"
```
### 13.2 Role-Based Access (Base)
Predefined roles and permissions.
| Role | Permissions |
|------|-------------|
| policy-author | Create and edit policies |
| policy-reviewer | Review policy changes |
| policy-approver | Approve policy promotion |
| export-viewer | View export results |
| export-operator | Trigger exports |
| airgap-operator | Import/export offline kits |
### 13.3 Service Accounts (Enhanced)
Automated service identities.
| Feature | Description | Control |
|---------|-------------|---------|
| Service accounts | Define service identities | `Config` |
| Delegated tokens | Issue delegated access tokens | `Config` |
| ABAC attributes | Attribute-based access control | `Config` |
---
## 14. Deployment & Operations
### 14.1 Deployment Options (Base)
Platform deployment configurations.
| Option | Description |
|--------|-------------|
| Docker Compose | Single-node development/test |
| Kubernetes/Helm | Production Kubernetes deployment |
| Air-gapped | Fully offline deployment |
| Multi-tenant | Isolated tenant deployments |
### 14.2 Storage (Base)
Data storage options.
| Backend | Use Case | Control |
|---------|----------|---------|
| PostgreSQL | Primary data store (16+) | `Config` |
| Valkey/Redis | Caching and rate limiting | `Config` |
**Configuration:**
```yaml
# etc/concelier.yaml
storage:
  driver: postgres
  connectionString: "Host=postgres;Database=stellaops..."
  maxPoolSize: 100
  autoMigrate: false
```
### 14.3 Scaling (Enterprise)
Horizontal scaling options.
| Feature | Description | Control |
|---------|-------------|---------|
| Worker pools | Scale scan workers | `Config` |
| Queue sharding | Distribute work across queues | `Config` |
| Read replicas | Scale read operations | `Config` |
---
## 15. Integrations
### 15.1 CI/CD Integration (Base)
Integrate with CI/CD pipelines.
| Feature | Description | Control |
|---------|-------------|---------|
| Exit codes | Configurable exit codes | `CLI` |
| SARIF output | GitHub/GitLab SARIF integration | `CLI --output sarif` |
| CI templates | GitHub Actions, GitLab CI templates | `CLI ci generate` |
**CLI Usage:**
```bash
stella ci generate --platform github > .github/workflows/scan.yml
stella ci generate --platform gitlab > .gitlab-ci.yml
```
### 15.2 Registry Webhooks (Enhanced)
React to registry events.
| Feature | Description | Control |
|---------|-------------|---------|
| Push webhook | Trigger scan on image push | `Config` |
| Admission control | Block deployment on failure | `Config` |
### 15.3 Notifications (Enhanced)
Alert and notification channels.
| Channel | Description | Control |
|---------|-------------|---------|
| Slack | Slack webhook integration | `Config` |
| Microsoft Teams | Teams webhook integration | `Config` |
| Email | SMTP email notifications | `Config` |
| Webhooks | Generic webhook integration | `Config` |
| PagerDuty | PagerDuty incident integration | `Config` |
---
## 16. Observability
### 16.1 Telemetry (Base)
OpenTelemetry-based observability.
| Feature | Description | Control |
|---------|-------------|---------|
| Structured logging | JSON structured logs | `Config` |
| Tracing | Distributed tracing via OTLP | `Config` |
| Metrics | Prometheus-compatible metrics | `Config` |
**Configuration:**
```yaml
# etc/concelier.yaml
telemetry:
  enabled: true
  enableTracing: true
  enableMetrics: true
  otlpEndpoint: "http://otel-collector:4317"
  serviceName: "stellaops-scanner"
```
### 16.2 Timeline Indexer (Enhanced)
Historical event tracking.
| Feature | Description | Control |
|---------|-------------|---------|
| Event indexing | Index security events | Automatic |
| Timeline queries | Query event history | `API` `UI` |
| Audit trail | Complete audit log | `UI` |
### 16.3 Evidence Locker (Specialized)
Sealed evidence storage.
| Feature | Description | Control |
|---------|-------------|---------|
| Evidence sealing | Create tamper-evident evidence | `API` |
| Legal hold | Apply legal holds to evidence | `API` `UI` |
| Retention policies | Configure retention periods | `Config` |
---
# Appendices
## Appendix A: CLI Command Reference
### Top-Level Commands
| Command | Description |
|---------|-------------|
| `stella scan` | Scan container images for vulnerabilities |
| `stella replay` | Replay scans from manifests |
| `stella policy` | Policy management commands |
| `stella airgap` | Air-gap operations |
| `stella sign` | Signing operations |
| `stella verify` | Verification operations |
| `stella vex` | VEX management |
| `stella graph` | Reachability graph operations |
| `stella compare` | Comparison operations |
| `stella ci` | CI/CD integration |
| `stella unknowns` | Unknown component tracking |
| `stella cvss` | CVSS scoring operations |
### Scan Command Options
```bash
stella scan [options]
  --image <reference>        Container image to scan
  --sbom <path>              Use existing SBOM instead of image
  --rootfs <path>            Scan extracted filesystem
  --output <format>          Output format: table, json, sarif, cyclonedx
  --severity <levels>        Filter by severity: CRITICAL,HIGH,MEDIUM,LOW
  --fixable                  Show only vulnerabilities with fixes
  --reachability             Enable reachability analysis
  --sbom-out <path>          Export SBOM to file
  --srm-out <path>           Export replay manifest
  --exit-code-if-vuln <n>    Exit code when vulnerabilities found
```
### Policy Command Options
```bash
stella policy <subcommand> [options]
  validate --path <file>                   Validate policy YAML
  install <pack>                           Install policy pack
  list-packs                               List available policy packs
  simulate --policy <path> --scan <id>     Simulate policy
  push --policy <path> --to <ref>          Push to OCI registry
  pull --from <ref>                        Pull from OCI registry
  export-bundle --policy <path> --output <file>
  import-bundle --bundle <file>
```
### Air-Gap Command Options
```bash
stella airgap <subcommand> [options]
  export --output <path>           Export knowledge snapshot
    --include-advisories           Include advisory feeds
    --include-vex                  Include VEX statements
    --include-policies             Include policy bundles
    --sign                         Sign the manifest
  import <bundle>                  Import knowledge snapshot
    --verify-only                  Verify without applying
    --force                        Force import despite staleness
  diff --base <a> --target <b>     Compare snapshots
  status                           Show staleness status
```
---
## Appendix B: Configuration Reference
### Configuration Files
| File | Purpose |
|------|---------|
| `etc/concelier.yaml` | Advisory ingestion configuration |
| `etc/authority.yaml` | Authentication and authorization |
| `etc/airgap.yaml` | Air-gap operations |
| `etc/scanner.yaml` | Scanner configuration |
| `etc/appsettings.crypto.*.yaml` | Cryptography profiles |
### Environment Variables
| Variable | Description |
|----------|-------------|
| `STELLAOPS_BACKEND_URL` | Backend API URL |
| `GITHUB_PAT` | GitHub Personal Access Token for GHSA |
| `NVD_API_KEY` | NVD API key for enhanced rate limits |
| `STELLAOPS_KMS_PASSPHRASE` | KMS key passphrase |
---
## Appendix C: API Reference
### REST API Endpoints
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/v1/scans` | POST | Trigger new scan |
| `/api/v1/scans/{id}` | GET | Get scan results |
| `/api/v1/sboms` | POST | Import SBOM |
| `/api/v1/sboms/{id}` | GET | Get SBOM |
| `/api/v1/vex` | POST | Import VEX statement |
| `/api/v1/policies` | POST | Create policy |
| `/api/v1/policies/{id}/evaluate` | POST | Evaluate policy |
| `/api/v1/evidence` | POST | Create evidence bundle |
### API Authentication
All API requests require authentication via:
- Bearer token (OAuth 2.0 access token)
- DPoP proof header for high-security operations
- mTLS client certificate for service-to-service
---
## Version Information
| Component | Version |
|-----------|---------|
| Document Version | 2.0.0 |
| Last Updated | 2026-01-04 |
| Platform Version | 2026.01 |
---
*For the latest information, see the online documentation at https://docs.stella-ops.org*