Deterministic, Evidence-Backed Vulnerability Decisions
Stella Ops isn't just another scanner—it's deterministic, evidence-linked vulnerability decisions that survive auditors, regulators, and supply-chain propagation.
Hybrid static + runtime reachability proves whether a CVE can execute. Every verdict comes with an OpenVEX-based proof trail. Auditors replay any finding bit-for-bit—AGPL-licensed and fully open.
Prove every fix, audit every finding.

Bill-of-materials generation, vulnerability exchange, and signed attestations all use current, interoperable formats. Advisory mirrors pull from 30+ sources—national CERTs, distro trackers, vendor feeds, and global databases—as individual signed snapshots so your policy decides which sources to trust.
CycloneDX 1.6 · SPDX 3.0.1
OpenVEX · Versioned lattice engine
in-toto DSSE · Sigstore Rekor
Signed graphs · Edge-level DSSE
Signed, replayable evidence bundles