git.stella-ops.org/docs-archived/product/advisories/19-Feb-2026 - Supply Chain Security Tool Matrix.md
2026-02-19 22:07:11 +02:00

Supply Chain Security Tool Matrix (evidence from public docs)

Advisory date: 2026-02-19
Archived: 2026-02-19
Disposition: Archived -- claims verified against codebase; two caveats noted below.

SBOM support

  • Stella Ops: YES -- internal canonical CycloneDX JCS and SBOM ingest contracts (internal spec).
  • Trivy: YES -- generates and consumes CycloneDX/SPDX SBOM formats.
  • Grype: YES -- scans container images and SBOMs, accepts SBOM input.
  • Snyk: YES -- SBOM security checks and scanning/analysis.
  • JFrog Xray: YES -- scans artifacts and imports/analyses SBOMs (enterprise).
  • Docker Scout: YES -- generates/consumes SBOM attestations; Docker SBOM tooling exists.

VEX ingestion (OpenVEX / VEX docs)

  • Stella Ops: YES -- design includes deterministic VEX ingest (internal).
  • Trivy: YES/PARTIAL -- the Rekor SBOM attestation scan path supports VEX attestations via experimental plugins.
  • Grype: YES/PARTIAL -- supports OpenVEX ingestion for filtering/enrichment.
  • Snyk: UNKNOWN -- primary docs do not explicitly surface OpenVEX ingestion.
  • JFrog Xray: YES/PARTIAL -- evidence collection and enriched vulnerability annotations.
  • Docker Scout: YES -- Docker's VEX concepts documented for integration.

In-toto / DSSE / attestation ingestion

  • Stella Ops: YES -- DSSE/in-toto + articulated provenance anchors (internal).
  • Trivy: PARTIAL -- has experimental attestation retrieval via Rekor/Cosign.
  • Grype: PARTIAL -- linked tooling uses Cosign attestations via Syft workflows (public examples).
  • Snyk: UNKNOWN/PARTIAL -- primary docs focus on SBOM/scan; attestation ingestion not prominent.
  • JFrog Xray: YES/PARTIAL -- enterprise attestation/evidence documented.
  • Docker Scout: YES -- Docker Docs show attestation commands and retrieval.

Explainability depth (beyond package level)

  • Stella Ops: DEEP (function-level shipped; line-level CFG partial) -- function-level call-path witnesses with file/line/column context shipped; dedicated line-level CFG export not yet a shipped feature. [CAVEAT: advisory originally said "function->line"; qualified to "function-level with line context".]
  • Trivy: PARTIAL/NO -- reports package/component level; no public deep binary CFG explainability.
  • Grype: PARTIAL -- deep vulnerability metadata but not low-level CFG.
  • Snyk: PARTIAL -- contextual dev-focused explainability; no binary CFG.
  • JFrog Xray: PARTIAL -- rich reports but not per-frame CFG.
  • Docker Scout: PARTIAL -- good image composition context; no granular call-path explainability.

Smart diffing (semantic/structured)

  • Stella Ops: YES -- signed semantic diff predicates (internal).
  • Trivy: PARTIAL -- experimental compare features.
  • Grype: PARTIAL -- package diff workflows exist; not signed diff predicates.
  • Snyk: PARTIAL -- snapshot & delta tooling (e.g., snyk-delta).
  • JFrog Xray: PARTIAL -- enriched scan comparisons possible but not canonical diff predicates.
  • Docker Scout: PARTIAL -- docker scout compare CLI; not structured diff predicates.

Binary provenance

  • Stella Ops: YES -- symbol bundle + pinned build ID mappings.
  • Trivy: PARTIAL/UNKNOWN -- Rekor/SBOM attestations hint at provenance, but there is no symbol bundle marketplace.
  • Grype: PARTIAL/UNKNOWN -- attestation via Syft/Cosign workflows but no signed symbol pack docs.
  • Snyk: UNKNOWN -- no primary proof of signed symbol handling.
  • JFrog Xray: PARTIAL -- evidence collection; no explicit signed symbol bundle.
  • Docker Scout: PARTIAL -- Docker Hardened Images provenance; not general marketplace.

Call-stack/micro-witness replay

  • Stella Ops: YES -- micro-witness replay design (internal).
  • Others: NO/UNKNOWN -- public docs do not show deterministic, replayable micro-witness stack artifacts.

Deterministic signed scoring

  • Stella Ops: YES -- deterministic signed scores anchored to Rekor (internal).
  • Competitors: NO/UNKNOWN -- focus on heuristic scores; no published deterministic signed envelopes.

Explicit UNKNOWN-state handling

  • Stella Ops: YES -- canonical unknown state predicates.
  • Competitors: PARTIAL/UNKNOWN -- systems have 'not applicable' or suppressed states, but no standard for signed unknown-state predicates is documented.

Reachability analysis (binary)

  • Stella Ops: YES -- integrated analysis by design.
  • Competitors: NO/UNKNOWN -- not visible in primary docs.

UI/UX evidence surfacing

  • Stella Ops: YES -- evidence ribbons & signed pointers (internal).
  • Trivy: PARTIAL -- CLI focus; some partner UIs exist.
  • Grype: PARTIAL -- CLI and partner UI capabilities.
  • Snyk: YES/PARTIAL -- strong developer UI; no DSSE/Rekor badges documented.
  • JFrog Xray: YES/PARTIAL -- enterprise UI for enriched evidence.
  • Docker Scout: YES -- CLI/UI attest list and VEX visibility.

CI/test parity

  • Stella Ops: YES (gate engine shipped; CI automation integration in progress) -- PolicyGateEvaluator with staged gates shipped; GitOps loop wiring under active development. [CAVEAT: advisory originally said "two-tier gating (fast signed + deep)"; qualified to note CI automation integration is in progress.]
  • Trivy: YES/PARTIAL -- CI integrations documented.
  • Grype: YES/PARTIAL -- CI workflows via Syft/Grype.
  • Snyk: YES -- solid CI/PR checks.
  • JFrog Xray: PARTIAL -- CI/CD integrations exist.
  • Docker Scout: PARTIAL -- CI CLI commands; no signed-score parity.

Archive review notes

Reviewed: 2026-02-19 by Product Manager role.

Outcome: All Stella Ops claims verified against codebase. No new sprint tasks required. Two qualification caveats applied inline (marked with [CAVEAT]):

  1. Explainability depth -- function-level call-path witnesses shipped; line-level CFG export is architecturally supported but not a shipped feature. Softened from "function->line" to "function-level with line context."
  2. CI/test parity -- gate engine (PolicyGateEvaluator) and CVE-aware gates shipped; CI/CD automation integration loop under active development. Qualified accordingly.

Competitive claims: Sourced from public vendor documentation. Not independently re-verified (web-tool policy). Cited sources appear credible.