- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
Key Features – Capability Cards
Each card is a fast read pairing the headline capability with the evidence that backs it and why it matters day to day.
1. Delta SBOM Engine
- What it is: Layer-aware ingestion keeps the SBOM catalog content-addressed; a rescan fetches only the layers it has not seen before and updates the dependency and vulnerability cartographs from them.
- Evidence: The Deterministic Replay Manifest (SRM) captures the exact analyzer inputs and outputs per layer.
- Why it matters: Warm scans drop below one second, so CI/CD pipelines stay fast even under the free-tier quota.
 
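As an added example (not Stella Ops code), the following Python sketches the delta mechanism the card describes: each layer is keyed by the digest of its content, the analyzer output is cached under that key together with an analyzer identity and an output digest (the per-layer replay record), and a rescan only runs the analyzer for layers the catalog has never seen. The analyzer, the `demo-pkg-analyzer@1.0` name and the sample layers are constructed stand-ins; a real scanner would extract packages from layer tarballs.

```python
import hashlib
import json

# Hypothetical analyzer identity; a real SRM records the exact analyzer build.
ANALYZER = "demo-pkg-analyzer@1.0"


def content_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def analyze_layer(content: bytes) -> list:
    """Stand-in package extractor: one 'name==version' entry per line of the layer."""
    packages = []
    for line in content.decode("utf-8").splitlines():
        if "==" in line:
            name, version = line.split("==", 1)
            packages.append({"name": name.strip(), "version": version.strip()})
    return packages


class LayerCatalog:
    """Content-addressed per-layer records; each record doubles as the replay entry."""

    def __init__(self) -> None:
        self.records = {}
        self.analyzer_runs = 0

    def record_for(self, content: bytes) -> dict:
        key = content_digest(content)
        if key not in self.records:  # miss: only layers never seen before hit the analyzer
            self.analyzer_runs += 1
            packages = analyze_layer(content)
            self.records[key] = {
                "layer": key,
                "analyzer": ANALYZER,
                "output": content_digest(json.dumps(packages, sort_keys=True).encode()),
                "packages": packages,
            }
        return self.records[key]


def scan_image(catalog: LayerCatalog, layers: list) -> dict:
    """Scan = look up every layer record (cached or fresh) and re-merge the package set."""
    records = [catalog.record_for(layer) for layer in layers]
    merged = {}
    for rec in records:  # later layers overwrite earlier ones, as files do in an OCI image
        for pkg in rec["packages"]:
            merged[pkg["name"]] = {**pkg, "introduced_in": rec["layer"]}
    manifest = {
        "image": content_digest("".join(r["layer"] for r in records).encode()),
        "layers": [{k: v for k, v in r.items() if k != "packages"} for r in records],
    }
    return {"manifest": manifest, "packages": sorted(merged.values(), key=lambda p: p["name"])}


# Constructed sample layers, not real image data.
BASE = b"openssl==3.0.2\nzlib==1.2.11\n"
RUNTIME = b"python==3.11.4\n"
APP_V1 = b"requests==2.28.0\n"
APP_V2 = b"requests==2.31.0\nopenssl==3.0.13\n"  # rebuild that bumps two packages


def demo():
    catalog = LayerCatalog()
    scan_image(catalog, [BASE, RUNTIME, APP_V1])
    cold_runs = catalog.analyzer_runs              # every layer analyzed
    result = scan_image(catalog, [BASE, RUNTIME, APP_V2])
    warm_runs = catalog.analyzer_runs - cold_runs  # only the changed app layer
    return cold_runs, warm_runs, result


if __name__ == "__main__":
    cold, warm, res = demo()
    print(f"cold scan: {cold} analyzer runs, warm scan: {warm} analyzer run(s)")
    print(json.dumps(res["packages"], indent=2))
```

The warm scan reuses the two unchanged base layers and analyzes only the rebuilt application layer; the merged package list still reflects the override of openssl by the newer layer, and the manifest lists the content address of every layer record so the scan can be replayed later.
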
2. Lattice Policy + OpenVEX
- What it is: The policy engine merges SBOM, advisories, VEX statements, and waivers through lattice logic that ranks findings by exploitability.
- Evidence: OpenVEX is treated as a first-class input; the policy UI renders explain traces, and custom rule packs let teams automate muting, expirations, and alert logic that VEX alone cannot express.
- Why it matters: Teams can distinguish exploitable risk from noise, tune behaviour beyond what VEX statements cover, and prove why a deployment was blocked or allowed.
 
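An added example (not the product's policy engine) of what lattice logic can mean concretely: the evidence about one (vulnerability, product) pair is ordered into a chain, so merging is a join (a maximum), and the ordered evidence list is the explain trace. The trust ordering, the `vex:vendor` and `vex:scanner` source names, the waiver format and the CVE identifiers are assumptions constructed for the example; the OpenVEX field names (`statements`, `vulnerability.name`, `products[].@id`, `status`, `justification`, `timestamp`) are the real ones.

```python
from datetime import datetime

# Chain lattice over (source trust, statement time, exploitability). Every two elements are
# comparable, so the join of a set of evidence is simply its maximum: a more trusted source
# wins; within one source the newest statement wins (OpenVEX semantics); at a tie the worse
# status is assumed. The trust order itself is an assumption of this example. Timestamps are
# compared as strings, so every input must use the same ISO 8601 form and offset.
STATUS_RANK = {"not_affected": 0, "fixed": 1, "under_investigation": 2, "affected": 3}
SOURCE_RANK = {"advisory": 1, "vex:scanner": 2, "vex:vendor": 3}


def ev_key(ev: dict) -> tuple:
    return (SOURCE_RANK[ev["source"]], ev["timestamp"], STATUS_RANK[ev["status"]])


def join(evidence: list) -> dict:
    return max(evidence, key=ev_key)


def vex_evidence(doc: dict, source: str, vuln: str, purl: str) -> list:
    """OpenVEX statements of `doc` that apply to this (vulnerability, product) pair."""
    out = []
    for st in doc.get("statements", []):
        if st["vulnerability"]["name"] != vuln:
            continue
        if not any(p.get("@id") == purl for p in st.get("products", [])):
            continue
        out.append({"source": source, "status": st["status"],
                    "timestamp": st.get("timestamp", doc.get("timestamp", "")),
                    "why": st.get("justification") or st.get("impact_statement", "")})
    return out


def evaluate(finding: dict, vex_docs: dict, waivers: list, now: datetime) -> dict:
    """Merge advisory + VEX through the lattice, then apply non-VEX waivers with expiry."""
    vuln, purl = finding["vuln"], finding["purl"]
    evidence = [{"source": "advisory", "status": "affected", "timestamp": finding["advisory_ts"],
                 "why": f"{purl} is inside the advisory's affected range"}]
    for source, doc in vex_docs.items():
        evidence.extend(vex_evidence(doc, source, vuln, purl))
    top = join(evidence)
    explain = [{**ev, "selected": ev is top} for ev in sorted(evidence, key=ev_key)]
    waiver = next((w for w in waivers if (w["vuln"], w["purl"]) == (vuln, purl)), None)
    waiver_ok = waiver is not None and datetime.fromisoformat(waiver["expires"]) > now
    if top["status"] == "affected":
        decision = "allow:waived" if waiver_ok else "block"
    else:
        decision = "allow"
    if waiver is not None:
        explain.append({"source": "waiver", "status": "n/a", "timestamp": waiver["expires"],
                        "why": waiver["reason"], "selected": waiver_ok,
                        "note": "applied" if waiver_ok else "expired, ignored"})
    return {"vuln": vuln, "purl": purl, "status": top["status"],
            "decision": decision, "explain": explain}


# Constructed sample inputs: placeholder CVE ids, a vendor and a scanner OpenVEX document.
PURL = "pkg:pypi/requests@2.28.0"
VENDOR_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vendor.example/vex/0001", "author": "vendor.example",
    "timestamp": "2024-02-01T00:00:00+00:00", "version": 2,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PURL}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
         "timestamp": "2024-01-20T00:00:00+00:00"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PURL}],
         "status": "under_investigation", "timestamp": "2024-01-10T00:00:00+00:00"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PURL}],
         "status": "affected", "timestamp": "2024-02-01T00:00:00+00:00"},
    ],
}
SCANNER_VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PURL}],
     "status": "affected", "timestamp": "2024-02-05T00:00:00+00:00"}]}
WAIVERS = [{"vuln": "CVE-0000-0002", "purl": PURL, "expires": "2024-03-01T00:00:00+00:00",
            "reason": "internal-only service; accepted until the upstream fix ships"}]


def demo(now_iso: str) -> dict:
    now = datetime.fromisoformat(now_iso)
    docs = {"vex:vendor": VENDOR_VEX, "vex:scanner": SCANNER_VEX}
    findings = [{"vuln": v, "purl": PURL, "advisory_ts": "2024-01-01T00:00:00+00:00"}
                for v in ("CVE-0000-0001", "CVE-0000-0002")]
    return {f["vuln"]: evaluate(f, docs, WAIVERS, now) for f in findings}


if __name__ == "__main__":
    import json
    print(json.dumps(demo("2024-02-15T00:00:00+00:00"), indent=2))
```

Two behaviours worth noticing: the vendor's not_affected statement outranks the scanner's later affected statement because trust, not recency, is the first key of the order, while within the vendor document the newer affected statement supersedes the older under_investigation one. The waiver never changes the status; it only turns a block into allow:waived until it expires, and the expired waiver still appears in the trace marked as ignored.
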
3. Sovereign Crypto Profiles
- What it is: Bring-your-own trust bundles switch signing algorithms (FIPS, eIDAS, GOST, SM) without code changes.
- Evidence: Crypto profiles travel with Offline Update Kits and post-quantum trust packs, so signatures remain verifiable in regulated sectors.
- Why it matters: You meet regional crypto requirements while keeping provenance attestations consistent across tenants.
 
4. Deterministic Replay & Evidence Bundles
- What it is: Every scan produces a DSSE + SRM bundle that can be replayed with stella replay.
- Evidence: Replay manifests capture analyzer versions, lattice state, and attestations in content-addressed storage for audit trails.
- Why it matters: Auditors and incident responders can re-run a historical scan and verify that the findings were not tampered with.
 
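Cards 3 and 4 together, as an added example that is not the project's code: a trust bundle maps a keyid to a profile that fixes the digest and signature algorithms, a DSSE envelope over a replay manifest is signed and verified under whichever profile the bundle names, and replay checks the signature, the content address of every recorded input and output, and finally re-executes the analyzer. Because only the standard library is used, HMAC stands in for the asymmetric schemes and sha3_256 for a national hash; the bundle layout, the `application/vnd.example.srm+json` media type, the `demo-matcher@1.0` analyzer and the sample SBOM and feed are constructed assumptions. The DSSE pre-authentication encoding and envelope field names are the real ones.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical trust-bundle shape. HMAC stands in for the asymmetric schemes a real
# profile would name (ECDSA P-256 for FIPS, GOST R 34.10, SM2, ...) and sha3_256 stands
# in for a national hash such as Streebog or SM3. The mechanism shown: an envelope
# carries only a keyid, and the bundle decides every algorithm.
TRUST_BUNDLE = {
    "profiles": {
        "fips-like": {"digest": "sha256", "mac": "sha256"},
        "sm-like": {"digest": "sha3_256", "mac": "sha3_256"},
    },
    "keys": {  # a real bundle holds public keys; secrets exist only for the HMAC stand-in
        "key-fips-01": {"profile": "fips-like", "secret": b"constructed-fips-demo-key"},
        "key-sm-01": {"profile": "sm-like", "secret": b"constructed-sm-demo-key"},
    },
}
PAYLOAD_TYPE = "application/vnd.example.srm+json"  # hypothetical SRM media type


def canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes, algo: str) -> str:
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: 'DSSEv1 <len> <type> <len> <payload>'."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def profile_for(keyid: str, bundle: dict) -> dict:
    key = bundle["keys"][keyid]
    return {**bundle["profiles"][key["profile"]], "secret": key["secret"]}


def sign(payload: bytes, keyid: str, bundle: dict) -> dict:
    p = profile_for(keyid, bundle)
    sig = hmac.new(p["secret"], pae(PAYLOAD_TYPE, payload), p["mac"]).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify(env: dict, bundle: dict) -> bool:
    payload = base64.b64decode(env["payload"])
    for s in env["signatures"]:
        if s["keyid"] in bundle["keys"]:
            p = profile_for(s["keyid"], bundle)
            want = hmac.new(p["secret"], pae(env["payloadType"], payload), p["mac"]).digest()
            if hmac.compare_digest(want, base64.b64decode(s["sig"])):
                return True
    return False


def analyzer(sbom: dict, feed: dict) -> list:
    """Stand-in analyzer: exact-match SBOM purls against each advisory's affected list."""
    hits = sorted((p, v) for p in sbom["packages"] for v, aff in feed.items() if p in aff)
    return [{"purl": p, "vuln": v} for p, v in hits]


def build_bundle(sbom: dict, feed: dict, lattice: dict, keyid: str, bundle: dict, cas: dict) -> dict:
    """Run the analyzer, store every input/output blob by content address, sign the SRM."""
    algo = profile_for(keyid, bundle)["digest"]

    def put(obj) -> str:
        data = canon(obj)
        cas[digest(data, algo)] = data
        return digest(data, algo)

    manifest = {"analyzer": "demo-matcher@1.0", "profile": bundle["keys"][keyid]["profile"],
                "inputs": {"sbom": put(sbom), "feed": put(feed), "lattice": put(lattice)},
                "output": put(analyzer(sbom, feed))}
    return sign(canon(manifest), keyid, bundle)


def replay(env: dict, bundle: dict, cas: dict) -> dict:
    """Replay: check the signature, then every referenced blob, then re-run the analyzer."""
    result = {"signature": verify(env, bundle), "blobs_intact": False, "output_reproduced": False}
    if not result["signature"]:
        return result
    manifest = json.loads(base64.b64decode(env["payload"]))
    algo = bundle["profiles"][manifest["profile"]]["digest"]
    refs = list(manifest["inputs"].values()) + [manifest["output"]]
    result["blobs_intact"] = all(d in cas and digest(cas[d], algo) == d for d in refs)
    if not result["blobs_intact"]:
        return result
    sbom = json.loads(cas[manifest["inputs"]["sbom"]])
    feed = json.loads(cas[manifest["inputs"]["feed"]])
    result["output_reproduced"] = digest(canon(analyzer(sbom, feed)), algo) == manifest["output"]
    return result


# Constructed inputs; the lattice state is recorded for audit, the stand-in analyzer ignores it.
SBOM = {"packages": ["pkg:pypi/requests@2.28.0", "pkg:pypi/urllib3@1.26.0"]}
FEED = {"CVE-0000-0001": ["pkg:pypi/requests@2.28.0"], "CVE-0000-0002": ["pkg:pypi/urllib3@1.26.5"]}
LATTICE = {"order": ["not_affected", "fixed", "under_investigation", "affected"]}


def demo(keyid: str) -> dict:
    cas = {}
    env = build_bundle(SBOM, FEED, LATTICE, keyid, TRUST_BUNDLE, cas)
    clean = replay(env, TRUST_BUNDLE, cas)
    tampered = dict(cas)  # rewrite the stored findings: content address no longer matches
    tampered[json.loads(base64.b64decode(env["payload"]))["output"]] = canon([])
    forged = {**env, "payload": base64.b64encode(canon({"analyzer": "other"})).decode()}
    return {"clean": clean, "blob_tamper": replay(env, TRUST_BUNDLE, tampered),
            "payload_tamper": replay(forged, TRUST_BUNDLE, cas)}
```

Calling demo("key-fips-01") and demo("key-sm-01") exercises the same code path under two profiles; the only thing that changes is the keyid written into the envelope. The two tamper cases show the layered checks: editing a stored blob leaves the signature valid but breaks its content address, while editing the manifest payload breaks the signature before anything else is consulted.
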
5. Transparent Quotas & Offline Operations
- What it is: Redis-backed counters surface the {{ quota_token }} scans/day allowance via response headers, UI banners, and the /quota API; Offline Update Kits mirror the feeds.
- Evidence: Quota tokens verify locally using bundled public keys, and Offline Update Kits include mirrored advisories, SBOM feeds, and VEX sources.
- Why it matters: You stay within predictable limits, avoid surprise throttling, and can operate entirely offline when needed.
 
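An added example (not the product's quota service) of the two pieces the card names: a quota token that is verified locally, and a Redis-style daily counter built from INCR plus EXPIREAT so that the window closes at UTC midnight. `FakeRedis` stands in for a Redis client (redis-py's `incr` and `expireat` have the same meaning), HMAC with a shared key stands in for the public-key signature on the token, and the claim names, header names and the `acme` tenant are assumptions.

```python
import base64
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical: a real quota token is signed by the vendor and checked against a public key
# shipped in the offline kit; HMAC with a shared key stands in so this stays stdlib-only.
ISSUER_KEY = b"constructed-issuer-key"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{b64u(body)}.{b64u(hmac.new(key, body, 'sha256').digest())}"


def verify_token(token: str, now: datetime, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Local check only, no call home: rejects a bad MAC, missing claims or an expired token."""
    try:
        body_s, sig_s = token.split(".")
        body = unb64u(body_s)
        if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), unb64u(sig_s)):
            return None
        claims = json.loads(body)
        if not {"tenant", "scans_per_day", "exp"} <= set(claims):
            return None
        if datetime.fromisoformat(claims["exp"]) <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


class FakeRedis:
    """In-memory stand-in for the two commands the counter uses (INCR, EXPIREAT)."""

    def __init__(self) -> None:
        self.now = 0.0  # unix time, set by the caller so expiry is deterministic
        self.kv = {}
        self.exp = {}

    def _purge(self) -> None:
        for k in [k for k, when in self.exp.items() if when <= self.now]:
            self.kv.pop(k, None)
            self.exp.pop(k, None)

    def incr(self, key: str) -> int:
        self._purge()
        self.kv[key] = self.kv.get(key, 0) + 1
        return self.kv[key]

    def expireat(self, key: str, when: int) -> None:
        self.exp[key] = when


def check_quota(r: FakeRedis, token: str, now: datetime) -> tuple:
    """Fixed daily window keyed per tenant (`now` must be UTC-aware); returns (allowed, headers)."""
    claims = verify_token(token, now)
    if claims is None:
        return False, {"error": "invalid_token"}
    reset = datetime.combine(now.date() + timedelta(days=1), datetime.min.time(), tzinfo=timezone.utc)
    key = f"quota:{claims['tenant']}:{now:%Y-%m-%d}"
    r.now = now.timestamp()
    used = r.incr(key)
    if used == 1:  # first hit of the day: make the counter vanish at UTC midnight
        r.expireat(key, int(reset.timestamp()))
    limit = int(claims["scans_per_day"])
    headers = {"X-Quota-Limit": str(limit),            # header names are assumptions
               "X-Quota-Remaining": str(max(limit - used, 0)),
               "X-Quota-Reset": reset.isoformat()}
    return used <= limit, headers


def demo() -> dict:
    r = FakeRedis()
    tok = issue_token({"tenant": "acme", "scans_per_day": 3, "exp": "2030-01-01T00:00:00+00:00"})
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    day1 = [check_quota(r, tok, t0)[0] for _ in range(4)]
    forged = issue_token({"tenant": "acme", "scans_per_day": 10**6,
                          "exp": "2030-01-01T00:00:00+00:00"}, key=b"not-the-issuer")
    forged_ok, _ = check_quota(r, forged, t0)
    next_day_ok, hdr = check_quota(r, tok, t0 + timedelta(days=1))
    return {"day1": day1, "forged": forged_ok, "next_day": next_day_ok,
            "next_day_remaining": hdr["X-Quota-Remaining"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The counter key embeds the date, so a stuck or lagging expiry can never extend yesterday's usage into today, and the EXPIREAT guard on the first increment is what keeps Redis from accumulating dead per-tenant keys. A token signed with the wrong key is rejected before the counter is touched, which is the property that lets an air-gapped install enforce the same limit as the hosted service.
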
Explore Further
- Walk through the first deployment in quickstart.md.
- Dive into the architectural flows in high-level-architecture.md.
- Need detailed matrices? The legacy feature matrix and vision documents remain available for deep dives.