Capabilities

The Scanner analyzes container images layer-by-layer, producing deterministic SBOM fragments and signed reports. Content-addressed caches per layer and ecosystem allow warm scans to complete in under one second.

• Deterministic Replay Manifest (SRM) captures exact analyzer inputs/outputs per layer
• Delta processing eliminates re-analysis of unchanged layers
• SBOM formats: CycloneDX 1.6 (JSON/XML), SPDX 3.0.1, Trivy-JSON
• Performance: warm scans <1s on 4-vCPU runner

Analyzers cover Node.js (npm/yarn/pnpm), Python (pip/pipenv/poetry), Java (gradle/maven), .NET, Ruby, Go, Rust, and OS packages. Lock-file validation via CLI companions surfaces missing or declared-only packages before images are built.

• CLI validators: stella node lock-validate, stella python lock-validate, stella java lock-validate
• OS packages: RPM, APT, APK
• Dynamic entrypoint-aware analysis for effective dependency graphs

The scanner accepts SBOMs in CycloneDX 1.6, SPDX-JSON, and Trivy-JSON formats. Auto-detection identifies format by content. Accepted SBOMs skip layer unpacking and proceed directly to policy evaluation.

• CycloneDX 1.6 — JSON/XML, preferred for new ingestion
• SPDX 3.0.1 — full relationship modeling and VEX interop
• Trivy-JSON — compatibility with existing Trivy pipelines

Concelier fetches and normalizes vulnerability advisories from dozens of sources, persisting observations and correlation linksets under the Aggregation-Only Contract (AOC). Each feed is preserved as a signed snapshot so policy decides which sources to trust.

Excititor ingests VEX documents from multiple formats, storing raw observations with full provenance. Conflicts and disagreements are preserved rather than making precedence decisions. Observations feed into VEX Lens for consensus computation.

• OpenVEX — exploitability statuses and justifications
• CSAF VEX — Common Security Advisory Framework
• CycloneDX VEX — embedded in SBOM format
• Issuer trust weighting with freshness decay

VEX Lens normalizes statements from Excititor and applies issuer weights, signature verification, freshness decay, and policy overrides to compute consensus for each (artifact, advisory) pair. Conflicts remain transparent for auditors.

• Issuer Directory with trust tiers
• Integrity hints from cosign/PGP provenance
• Conflict summaries exposed to Policy Engine and Console
• Consensus snapshots with DSSE attestations

The Policy Engine compiles Stella DSL rules into executable graphs, joining advisories, VEX evidence, and SBOM inventories to derive effective findings. VEX is treated as first-class input. Every decision includes a proof trail showing why a finding was muted, escalated, or remained open.

• YAML rule syntax with in-UI editor
• Lattice-based decision logic for VEX states
• Custom rule packs for muting, expirations, and non-VEX alert logic
• Simulation mode on sample SBOM/VEX before deployment

Findings from multiple sources merge using lattice mathematics where states form a partial order: unknown < under_investigation < affected || not_affected < fixed. Cross-cut with scope (runtime, build, optional) and confidence (low, med, high).

• Partial-order semantics for VEX state resolution
• Scope dimensions: runtime_path, build_path, optional_path
• Confidence dimensions: low, medium, high
• Explain traces showing full proof trails

When advisory feeds arrive, VEX statements change, or policy rules are updated, the Scheduler computes impact windows and triggers re-evaluations. SLA-aware retry logic ensures timely updates without overwhelming resources.

• Advisory delta detection triggers rescans
• Impact cursors determine affected artifacts
• DSSE-backed completion events for downstream consumers
• Policy-triggered rechecks for critical CVE discoveries

Every scan produces a Stella Replay Manifest capturing exact analyzer inputs/outputs per layer. Auditors can re-run historical scans with stella replay srm.yaml and trust the findings were not tampered with.

• SRM schema: scan id, timestamp, engine version, environment, image digest, layers, SBOM type, VEX sets, policy id, feed snapshots
• Fixed random seed and sorted inputs for determinism
• Bit-for-bit reproducibility across hosts
• CLI: stella replay srm.yaml --out replay.json --assert-digest <sha>

All evidence (SBOM, scan reports, policy decisions) is wrapped in DSSE envelopes with in-toto Statement v1 payloads, binding facts to artifacts via digest-based subjects. Supported predicates include BuildProvenance, SBOMAttestation, ScanResults, VEXAttestation, and PolicyEvaluation.

• Keyless signing via Fulcio
• Keyful signing via KMS/HSM
• Hardware-backed via FIDO2
• Dual-signing: FIPS ECDSA + GOST R 34.10

Attestor archives envelopes, signatures, and proofs so air-gapped deployments can replay verification without external services. Proofs include Merkle inclusion paths, checkpoint metadata, and cached verification verdicts.

• Rekor inclusion proofs with temporal evidence
• Verification policies for approved issuers and freshness windows
• WORM-like storage for immutability
• Offline-ready archives for air-gap support

Every reachability graph is sealed with a graph-level DSSE. Optional edge-bundle DSSEs protect runtime/init/contested edges. Operators can prove (or contest) exactly why a vulnerability is reachable.

• Graph-level DSSE mandatory per graph
• Edge-bundle DSSE selective for contested paths
• CAS layout: cas://reachability/graphs/{'{hash}'}
• Per-edge revocation for disputes
• Offline replayability without external calls

Zastava is a Kubernetes admission controller and daemonset observer that validates signatures, SBOM presence, and backend verdicts before allowing containers. Runtime posture drift triggers delta scans.

• Daemonset-based event collection
• Admission webhook enforcement
• Signature and SBOM validation at deploy time
• Event buffering for offline operation
• Drift detection triggering rescans

Zastava computes differential SBOMs reflecting effective dependencies for a specific ENTRYPOINT/CMD. Static slicing infers reachable packages; optional runtime slicing collects process tree and imports at startup.

• Entrypoint-aware static slicing
• Runtime signal collection for dynamic slicing
• dSBOM = SBOM ∩ (static_reachable ∪ runtime_observed)
• AI context weighting for exposure prioritization

CryptoProfile is an attached configuration specifying signing algorithms, hash functions, and trust anchors. Profiles include key policies (HSM required), time-stamping (TSA endpoints), and trust roots (from RootPack).

• FIPS-140-3 (US)
• GOST R 34.10-2012 (Russia)
• SM2/SM3 (China)
• eIDAS (EU)
• Post-quantum capable
• Dual-signing with guardrails (e.g., FIPS+GOST)
• HSM integration via PKCS#11

Mirrored feeds, container images, and verification assets packaged for offline deployment. Quota tokens verify locally using bundled public keys. All verification works without public egress.

• Mirrored advisory databases with local snapshots
• Bundled public keys for offline token verification
• Time-anchor scaffolds for deterministic clocks
• Container registry mirrors with OCI layout
• Compensating controls for transparency outages

Packages reproducible evidence bundles with provenance metadata and optional signing. Profiles include json (raw/policy), trivy (db/java-db), mirror (full/delta), and devportal (offline assets).

• Deterministic JSON/Trivy exports with manifests
• OCI-compatible mirror bundles
• Cosign signatures and TUF metadata
• DSSE-signed manifests for verification

Consumes SBOM snapshots, advisory/VEX events, policy overlays, and runtime signals to maintain a graph representation with deterministic node/edge identities. Powers blast-radius analysis and provenance timelines.

• Nodes: artifacts, packages, advisories, policies, runtime instances
• Edges: depends_on, vulnerable_to, fixed_by, evaluated_by, runs_as
• Saved-query automation with caching
• Offline NDJSON exports with DSSE manifests

Traverses artifact dependencies to identify affected services when a new CVE, VEX statement, or policy change arrives. Results include affected deployment counts and severity distribution.

• Dependency traversal for impact assessment
• SLA-aware re-evaluation windows
• Scheduler impact queues

Retrieval-augmented assistant synthesizing advisory and VEX evidence into operator-ready summaries. Explains conflicting statements using weights from VEX Lens. Proposes remediation hints aligned with Offline Kit staging.

• Policy-aware summaries with citations
• Conflict explanation with issuer weights
• Remediation hints tied to Offline Kit
• Guardrail enforcement on prompts and outputs
• Offline inference capability

Preserves cryptographically signed evidence bundles in content-addressed storage with write-once-read-many semantics. Stored artifacts include SBOMs, attestations, Rekor entries, SARIF, VEX, and policy decisions.

• Content-addressed storage (CAS)
• WORM semantics for immutability
• Compliance retention (≥18 months default)
• Audit-logged access

Records policy-evaluated findings alongside triage actions (suppressed, acknowledged, waived, remediated) with immutable timestamps and role-based access controls.

• Immutable records of triage decisions
• Role-based access via Authority scopes
• CSV/PDF exports with deterministic hashes
• Audit logging of all access

Exposes a trust lineage graph showing how artifacts, SBOMs, policies, and VEX statements are signed, witnessed, and verified. Metrics include trust_sli (fraction of pods with valid attestation chain).

• Trust SLO: ≥99.9% measured hourly
• Attestation latency: P50/P95 from build to verified
• Policy drift events: running policy ≠ signed policy
• OpenTelemetry/Prometheus metrics export

Unifies security posture across vendors in PDF (human-readable) and JSON (machine-readable) formats. DSSE-signed with multi-profile support. Integrates with ERP systems (Ariba, ServiceNow, Archer).

• Trust SLI metric (≥99.9%)
• Exception tracking with proof digests
• ERP field mapping for automated ingestion
• Deterministic generation (≤15s)

Exposes device-code, auth-code, and client-credential flows with DPoP or mTLS binding. OpToks are short-lived (12h online, 30d offline) and sender-constrained. Every call is audited.

• DPoP sender-constraint binding
• mTLS mutual authentication
• Plan-based quota enforcement
• Tenant isolation
• KMS/HSM key storage

Listens to policy evaluations, scan completions, advisory deltas, and VEX changes. Routes notifications based on rules authored in Policy Studio.

• Channels: email, Slack, webhooks, JIRA, ServiceNow
• Finding summaries with advisory context
• Remediation hints from Advisory AI
• Delivery audit logs

Native AOT .NET host with deterministic verbs: scan, diff, export, policy, offline, graph, and observability. Supports device-code and client-credential authentication.

• Deterministic JSON output for CI
• Offline kit verification and installation
• Policy DSL compiler with linting
• Graph traversal and diff verbs
• Restart-time plugin discovery

Angular 17 SPA with dashboards for ingestion, scanning, policy, and exports. Features policy editor with DSL syntax highlighting, SBOM graph explorer, advisory/VEX viewers, and admin workflows.

• Real-time SSE fan-out dashboards
• Policy editor with explain visualizations
• SBOM graph explorer with WebGL
• VEX conflict indicators
• Dark/light mode with OS detection