Evidence & Audit

Prove every decision. Replay it months later.

Decision Capsules seal evidence so auditors can verify any release — offline, independently, bit-for-bit identical.

Auditor's view: what you receive

Exporting a Decision Capsule produces a signed, content-addressed bundle with the exact inputs and outputs used for the release decision.

  • Exact SBOM used for the scan
  • Frozen vulnerability feed snapshots (NVD, OSV, vendor advisories)
  • Reachability evidence (static call-graph artifacts and runtime traces)
  • Policy version and lattice rules used for gating
  • Derived VEX statement with justifications
  • DSSE signatures covering the capsule contents

Source: Decision Capsules documentation

What is a Decision Capsule?

Contents

Each Decision Capsule bundles the exact SBOM, frozen vulnerability feeds, reachability graphs, policy version, derived VEX, and approval metadata.

Signing

DSSE/in-toto signatures make bundles tamper-evident. Choose FIPS-140-3, GOST R 34.10, SM2/SM3, or eIDAS crypto profiles.

Export

Export capsules at any promotion step. Store in Evidence Locker with WORM semantics for compliance retention periods.

Replay

Re-run any historical decision with stella replay. Same inputs yield same outputs, offline or online.

Sample Capsule Structure

Every Decision Capsule is a self-contained directory with signed artifacts:

decision-capsule-20260126-prod-a1b2/
├── manifest.json           # Capsule metadata + signatures
├── sbom.cdx.json           # CycloneDX 1.7 SBOM
├── sbom.cdx.json.sig       # DSSE signature
├── reachability/
│   ├── analysis.json       # Reachability verdicts
│   ├── call-graph.json     # Static analysis proof
│   └── analysis.json.sig   # DSSE signature
├── policy/
│   ├── rules.rego          # Policy snapshot
│   └── verdict.json        # Gate decision + rationale
├── approvals/
│   └── jsmith.sig          # Human approval signature
└── feeds/
    └── snapshot.json       # Frozen CVE/advisory state

Capsule manifest excerpt

The capsule manifest pins every input and output by digest so the decision can be replayed later.

apiVersion: capsule.stellaops.dev/v1
metadata:
  id: "cap-2025-12-11-abc123"
  timestamp: "2025-12-11T14:30:00Z"
  scan_id: "scan-xyz789"
inputs:
  sbom:
    format: "cyclonedx@1.6"
    digest: "sha256:..."
  feeds:
    - name: "nvd"
      snapshot: "2025-12-11"
      digest: "sha256:..."
  policy:
    version: "corp-policy@2025-12-01"
    digest: "sha256:..."
outputs:
  vex:
    format: "openvex"
    digest: "sha256:..."
signatures:
  - scheme: "DSSE"
    profile: "FIPS-140-3"
    signer: "build-ca@corp"

Evidence Chain

How evidence flows through Stella Ops
[Figure: Evidence Flow. Image -> SBOM -> Reachability -> Policy Verdict, each stage DSSE signed]

What's in a Decision Capsule

  Component               Description                    Signed
  Artifact Digest         SHA-256 content address        Signed
  SBOM Snapshot           CycloneDX 1.7 / SPDX 3.0       Signed
  Reachability Evidence   Graph + edge attestations      Signed
  VEX State               Lattice-resolved verdict       Signed
  Policy Version          Content-addressed Rego/DSL     Signed
  Approvals               Signed approval records        Signed

Compliance Workflow

Auditors can replay decisions months later
[Figure: Audit Replay Flow. Decision Capsule from 6 months ago -> stella replay -> Same Verdict, bit-for-bit identical]

  1. Auditor asks: "Show me proof this CVE was handled correctly in the January release."
  2. Operator exports: stella capsule export jan-release-capsule.yaml --format audit-bundle
  3. Pack verifies: Auditor runs stella capsule verify jan-release-capsule.yaml — signatures check, digests match.
  4. Replay reproduces: stella replay jan-release-capsule.yaml produces an identical verdict with frozen inputs.

Deterministic Replay

Run the same decision 6 months later — same frozen inputs produce an identical verdict. No network required, no state drift, no ambiguity.

  • Verify capsule signatures with pinned keys.
  • Confirm SBOM and feed snapshot digests match the manifest.
  • Replay with the same policy bundle and reachability inputs.
  • Export the audit bundle with verdict, VEX, and proofs.

$ stella replay capsule.json --verify
Replaying decision from 2025-07-15T14:32:00Z...
Policy version: sha256:e5f6g7h8... (matches)
Feed snapshot:  sha256:i9j0k1l2... (matches)
Verdict: ALLOW (identical to original)
Determinism check: PASSED

Formats and Interoperability

SBOM

CycloneDX 1.7 and SPDX 3.0.1. Import from Trivy, Grype, Syft, or generate natively.

VEX

OpenVEX and CSAF 2.0. Multi-issuer lattice resolution with conflict detection.

SARIF

Static Analysis Results Interchange Format export for IDE and CI integration.

Air-Gapped Verification

Auditors verify signatures, check digest integrity, and replay decisions without any network access. All cryptographic material travels with the capsule.

$ stella capsule verify decision-capsule.yaml --offline
Signature verification: PASSED (ECDSA-P256)
Digest match:           PASSED (sha256:abc123...)
Policy version:         VALID (v3.2.1)
Evidence integrity:     ALL COMPONENTS SIGNED
Verdict:                ALLOW — no network required
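The manifest excerpt above pins every input by digest, and the Deterministic Replay and Air-Gapped Verification steps both come down to two checks: verify the envelope signature with a pinned key, then recompute each artifact's digest and compare it with the sealed manifest. The Go program below is an added example, not Stella Ops code: it seals a constructed minimal manifest in a DSSE envelope with Ed25519 (standing in for the FIPS/GOST/SM2/eIDAS profiles the page lists) and verifies it fully offline. The payload type, the single-signature envelope shape and the path-to-digest manifest layout are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is a one-signature DSSE envelope; its payload is a constructed minimal manifest (path -> "sha256:<hex>").
type Envelope struct{ PayloadType, Payload, Sig string }
const payloadType = "application/vnd.example.capsule+json" // constructed payload type, not a real one

// pae is the DSSE Pre-Authentication Encoding; the signature covers this, never the raw body.
func pae(pt string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(pt), pt, len(body), body))
}

func digest(data []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(data)) }

// SealManifest pins every artifact by SHA-256 and signs the manifest with Ed25519.
func SealManifest(priv ed25519.PrivateKey, artifacts map[string][]byte) Envelope {
	pinned := map[string]string{}
	for path, data := range artifacts {
		pinned[path] = digest(data)
	}
	body, _ := json.Marshal(pinned) // map keys are sorted, so the encoding is deterministic
	b64 := base64.StdEncoding.EncodeToString
	return Envelope{payloadType, b64(body), b64(ed25519.Sign(priv, pae(payloadType, body)))}
}

// VerifyCapsule checks the envelope against a pinned key, then recomputes every artifact digest offline.
func VerifyCapsule(pub ed25519.PublicKey, env Envelope, artifacts map[string][]byte) error {
	body, err1 := base64.StdEncoding.DecodeString(env.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(env.Sig)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return fmt.Errorf("signature verification FAILED")
	}
	var pinned map[string]string
	if err := json.Unmarshal(body, &pinned); err != nil {
		return err
	}
	for path, want := range pinned {
		if data, ok := artifacts[path]; !ok || digest(data) != want {
			return fmt.Errorf("%s: missing or digest mismatch (want %s)", path, want)
		}
	}
	return nil
}
```

Because the signature is computed over the PAE rather than the raw payload, swapping the payload type or a single byte of the manifest invalidates it, and because digests are recomputed from the shipped artifacts, a tampered feed snapshot or SBOM is caught even when the manifest itself is intact.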
