Feature Matrix — Stella Ops Suite
(rev 5.1 · 16 Jan 2026)
Looking for a quick read? Check
key-features.mdfor the short capability cards; this matrix keeps full tier-by-tier detail.
Product Evolution
Stella Ops Suite is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.
- Release orchestration — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- Security decisioning as a gate — Scan on build, evaluate on release, re-evaluate on CVE updates
- OCI-digest-first releases — Immutable digest-based release identity
- Evidence packets — Every release decision is cryptographically signed and stored
Competitive Moat Features
These differentiators are available across all plans.
| Capability | Notes |
|---|---|
| Signed Replayable Risk Verdicts | Core differentiator |
| Decision Capsules | Audit-grade evidence bundles |
| VEX Decisioning Engine | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | Material change detection |
| Unknowns as First-Class State | Uncertainty budgets |
| Deterministic Replay | stella replay srm.yaml |
| Non-Kubernetes First-Class | Docker/Compose/ECS/Nomad targets |
| Digest-First Release Identity | Immutable releases |
Release Orchestration (Planned)
Release orchestration capabilities are planned for implementation.
| Capability | Notes | | Environment Management | | | Environment CRUD | ⏳ Dev/Stage/Prod definitions | | Freeze Windows | ⏳ Calendar-based blocking | | Approval Policies | ⏳ Per-environment rules | | Release Management | | | Component Registry | ⏳ Service → repository mapping | | Release Bundles | ⏳ Component → digest bundles | | Semantic Versioning | ⏳ SemVer release versions | | Tag → Digest Resolution | ⏳ Immutable digest pinning | | Promotion & Gates | | | Promotion Workflows | ⏳ Environment transitions | | Security Gate | ⏳ Scan verdict evaluation | | Approval Gate | ⏳ Human sign-off | | Freeze Window Gate | ⏳ Calendar enforcement | | Policy Gate (OPA/Rego) | ⏳ Custom rules | | Decision Records | ⏳ Evidence-linked decisions | | Deployment Execution | | | Docker Host Agent | ⏳ Direct container deployment | | Compose Host Agent | ⏳ Docker Compose deployment | | SSH Agentless | ⏳ Linux remote execution | | WinRM Agentless | ⏳ Windows remote execution | | ECS Agent | ⏳ AWS ECS deployment | | Nomad Agent | ⏳ HashiCorp Nomad deployment | | Rollback | ⏳ Previous version restore | | Progressive Delivery | | | A/B Releases | ⏳ Traffic splitting | | Canary Deployments | ⏳ Gradual rollout | | Blue-Green | ⏳ Zero-downtime switch | | Traffic Routing Plugins | ⏳ Nginx/HAProxy/Traefik/ALB | | Workflow Engine | | | DAG Workflow Execution | ⏳ Directed acyclic graphs | | Step Registry | ⏳ Built-in + custom steps | | Workflow Templates | ⏳ Reusable workflows | | Script Steps (Bash/C#) | ⏳ Custom automation | | Evidence & Audit | | | Evidence Packets | ⏳ Sealed decision bundles | | Version Stickers | ⏳ On-target deployment records | | Audit Export | ⏳ Compliance reporting | | Integrations | | | GitHub Integration | ⏳ SCM + webhooks | | GitLab Integration | ⏳ SCM + webhooks | | Harbor Integration | ⏳ Registry + scanning | | HashiCorp Vault | ⏳ Secrets management | | AWS Secrets Manager | ⏳ Secrets management | | Plugin System | | | Plugin Manifest | ⏳ Static declarations | | Connector Runtime | ⏳ Dynamic execution | | Step Providers | ⏳ Custom workflow steps | | Agent Types | ⏳ Custom deployment targets |
Plan Limits
| Limit | Free | Pro | Enterprise |
|---|---|---|---|
| Environments | 3 | 33 | Unlimited |
| New Digests/Day | 333 | 3,333 | Unlimited |
SBOM & Ingestion
| Capability | Notes |
|---|---|
| Trivy-JSON Ingestion | |
| SPDX-JSON 3.0.1 Ingestion | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | |
| Auto-format Detection | |
| Delta-SBOM Cache | Warm scans <1s |
| SBOM Generation (all formats) | |
| Semantic SBOM Diff | |
| BYOS (Bring-Your-Own-SBOM) | |
| SBOM Lineage Ledger | Full versioned history |
| SBOM Lineage API | Traversal queries |
Scanning & Detection
| Capability | Notes |
|---|---|
| CVE Lookup via Local DB | |
| Licence-Risk Detection | ⏳ Q4-2025 |
| Automatic Detection (Class A) | Runs implicitly during scan |
| — Secrets Detection | API keys, tokens, passwords; results in findings (see docs/modules/ui/components/findings-list.md) |
| — OS Package Analyzers | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see docs/modules/cli/guides/commands/sbom.md) |
| Language Analyzers (All 11) | |
| — .NET/C#, Java, Go, Python | |
| — Node.js, Ruby, Bun, Deno | |
| — PHP, Rust, Native binaries | |
| Progressive Fidelity Modes | |
| — Quick Mode | |
| — Standard Mode | |
| — Deep Mode | Full analysis |
| Base Image Detection | |
| Layer-Aware Analysis | |
| Concurrent Scan Workers | Configurable |
Reachability Analysis
| Capability | Notes |
|---|---|
| Static Call Graph | |
| Entrypoint Detection | 9+ framework types |
| BFS Reachability | |
| Reachability Drift Detection | |
| Binary Loader Resolution | ELF/PE/Mach-O |
| Feature Flag/Config Gating | Layer 3 analysis |
| Runtime Signal Correlation | Zastava integration |
| Gate Detection (auth/admin) | Enterprise policies |
| Path Witness Generation | Audit evidence |
| Reachability Mini-Map API | UI visualization |
| Runtime Timeline API | Temporal analysis |
Binary Analysis (BinaryIndex)
Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates.
| Capability | Notes |
|---|---|
| Binary Identity Extraction | Build-ID, hashes |
| Build-ID Vulnerability Lookup | |
| Debian/Ubuntu Corpus | |
| RPM/RHEL Corpus | |
| Patch-Aware Backport Detection | |
| PE/Mach-O/ELF Parsers | |
| Binary Fingerprint Generation | CLI: stella binary fingerprint export |
| Fingerprint Matching Engine | Similarity search |
| Binary Diff | CLI: stella binary diff <base> <candidate> |
| DWARF/Symbol Analysis | Debug symbols |
CLI Commands (Class B):
stella binary fingerprint export <artifact>— Export fingerprint data (function hashes, section hashes, symbol table)stella binary diff <base> <candidate>— Compare binaries with function/symbol-level diff- Output formats:
--format json|yaml|table - Usage and examples: docs/modules/cli/guides/commands/binary.md
Advisory Sources (Concelier)
Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.
| Connector | Notes |
|---|---|
| National CVE Databases | |
| — NVD (NIST) | Primary CVE source |
| — CVE (MITRE) | CVE Record format 5.0 |
| OSS Ecosystems | |
| — OSV | Multi-ecosystem |
| — GHSA | GitHub Security Advisories |
| Linux Distributions | |
| — Alpine SecDB | |
| — Debian Security Tracker | |
| — Ubuntu USN | |
| — RHEL/CentOS OVAL | |
| — SUSE OVAL | |
| — Astra Linux | Russian distro |
| CERTs / National CSIRTs | |
| — CISA KEV | Known Exploited Vulns |
| — CISA ICS-CERT | Industrial control systems |
| — CERT-CC | Carnegie Mellon |
| — CERT-FR | France |
| — CERT-Bund (BSI) | Germany |
| — CERT-In | India |
| — ACSC | Australia |
| — CCCS | Canada |
| — KISA | South Korea |
| — JVN | Japan |
| Russian Federation Sources | |
| — FSTEC BDU | Russian vuln database |
| — NKCKI | Critical infrastructure |
| Vendor PSIRTs | |
| — Microsoft MSRC | |
| — Cisco PSIRT | |
| — Oracle CPU | |
| — VMware | |
| — Adobe PSIRT | |
| — Apple Security | |
| — Chromium | |
| ICS/SCADA | |
| — Kaspersky ICS-CERT | Industrial security |
| Risk Scoring | |
| — EPSS v4 | Exploit prediction |
| Additional Features | |
| Custom Advisory Connectors | Private feeds |
| Advisory Merge Engine | Conflict resolution |
| Connector Health CLI | stella db connectors status |
Connector Operations Matrix (Status/Auth/Runbooks):
VEX Processing (Excititor/VexLens)
VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.
| Capability | Notes |
|---|---|
| OpenVEX Ingestion | |
| CycloneDX VEX Ingestion | |
| CSAF VEX Ingestion | |
| VEX Consensus Engine (5-state) | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | |
| Trust Weight Scoring (9 factors) | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | |
| Freshness Decay | 14-day half-life |
| Conflict Detection & Penalty | K4 lattice logic |
| VEX Conflict Studio UI | Visual resolution |
| VEX Hub (Distribution) | Internal VEX network |
| VEX Webhook Distribution | Pub/sub notifications |
| CSAF Provider Connectors (7) | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| Issuer Trust Registry | Key lifecycle, trust overrides |
| VEX from Drift Generation | stella vex gen --from-drift |
| Trust Calibration Service | Org-specific tuning |
| Consensus Rationale Export | Audit-grade explainability |
CLI Commands:
stella vex verify <statement>— Verify VEX statement signature and contentstella vex consensus <digest>— Show consensus status for digeststella vex evidence export— Export VEX evidence for auditstella vex webhooks list/add/remove— Manage VEX distributionstella issuer keys list/create/rotate/revoke— Issuer key management
Policy Engine
Policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.
| Capability | Notes |
|---|---|
| YAML Policy Rules | Basic rules |
| Belnap K4 Four-Valued Logic | True/False/Both/Neither |
| Security Atoms (6 types) | |
| Disposition Selection (ECMA-424) | |
| Minimum Confidence Gate | |
| 10+ Policy Gate Types | Severity, reachability, age, etc. |
| 6 Risk Score Providers | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | |
| Determinization System | Signal weights, decay, uncertainty |
| Policy Simulation | stella policy simulate |
| Source Quota Gate | 60% cap enforcement |
| Reachability Requirement Gate | For criticals |
| OPA/Rego Integration | Custom policies |
| Exception Objects & Workflow | Approval chains |
| Score Policy YAML | Full customization |
| Configurable Scoring Profiles | Simple/Advanced |
| Policy Version History | Audit trail |
| Verdict Attestations | DSSE/Rekor signed verdicts |
CLI Commands:
stella policy list/show/create/update/delete— Policy CRUDstella policy simulate <digest>— Simulate policy evaluationstella policy validate <file>— Validate policy YAMLstella policy decisions list/show— View policy decisionsstella policy gates list— List available gate types
Attestation & Signing
Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.
| Capability | Notes |
|---|---|
| DSSE Envelope Signing | |
| in-toto Statement Structure | |
| 25+ Predicate Types | SBOM, VEX, verdict, etc. |
| SBOM Predicate | |
| VEX Predicate | |
| Reachability Predicate | |
| Policy Decision Predicate | |
| Verdict Manifest (signed) | |
| Verdict Replay Verification | |
| Keyless Signing (Sigstore) | Fulcio-based OIDC |
| Delta Attestations (4 types) | VEX/SBOM/Verdict/Reachability |
| Attestation Chains | Linked attestation graphs |
| Human Approval Predicate | Workflow attestation |
| Boundary Predicate | Network exposure |
| Key Rotation Service | Automated key lifecycle |
| Trust Anchor Management | Root CA management |
| SLSA Provenance v1.0 | Supply chain |
| Rekor Transparency Log | Public attestation |
| Cosign Integration | Sigstore ecosystem |
CLI Commands:
stella attest sign <file>— Sign attestationstella attest verify <envelope>— Verify attestation signaturestella attest predicates list— List supported predicate typesstella attest export <digest>— Export attestations for digeststella keys list/create/rotate/revoke— Key management
Regional Crypto (Sovereign Profiles)
Sovereign crypto is core to the open-source promise - no vendor lock-in on compliance. 8 signature profiles supported.
| Capability | Notes |
|---|---|
| Default Crypto (Ed25519) | |
| FIPS 140-2/3 Mode | US Federal |
| eIDAS Signatures | EU Compliance |
| GOST/CryptoPro | Russia |
| SM National Standard | China |
| Post-Quantum (Dilithium) | Future-proof |
| Crypto Plugin Architecture | Custom HSM |
| Multi-Profile Signing | Sign with multiple algorithms |
| SM Remote Service | Chinese market HSM integration |
| HSM/PKCS#11 Integration | Hardware security modules |
CLI Commands:
stella crypto profiles list— List available crypto profilesstella crypto verify --profile <name>— Verify with specific profilestella crypto plugins list/status— Manage crypto plugins
Determinism & Reproducibility
| Capability | Notes |
|---|---|
| Canonical JSON Serialization | |
| Content-Addressed IDs | SHA-256 |
| Replay Manifest (SRM) | |
stella replay CLI | |
| Score Explanation Arrays | |
| Evidence Freshness Multipliers | |
| Proof Coverage Metrics | |
| Fidelity Metrics (BF/SF/PF) | Audit dashboards |
| FN-Drift Rate Tracking | Quality monitoring |
| Determinism Gate CI | Automated checks |
Scoring & Risk Assessment
| Capability | Notes |
|---|---|
| CVSS v4.0 Display | |
| EPSS v4 Probability | |
| Priority Band Classification | |
| EPSS-at-Scan Immutability | |
| Unified Confidence Model | 5-factor |
| Entropy-Based Scoring | Advanced |
| Gate Multipliers | Reachability-aware |
| Unknowns Pressure Factor | Risk budgets |
| Custom Scoring Profiles | Org-specific |
Evidence & Findings
| Capability | Notes |
|---|---|
| Findings List | |
| Evidence Graph View | Basic |
| Decision Capsules | |
| Findings Ledger (Immutable) | Audit trail |
| Evidence Locker (Sealed) | Export/import |
| Evidence TTL Policies | Retention rules |
| Evidence Size Budgets | Storage governance |
| Retention Tiers | Hot/Warm/Cold |
| Privacy Controls | Redaction |
| Audit Pack Export | Compliance bundles |
CLI Capabilities
| Capability | Notes |
|---|---|
| Scanner Commands | |
| SBOM Inspect & Diff | |
| Deterministic Replay | |
| Attestation Verify | |
| Unknowns Budget Check | |
| Evidence Export | |
| Audit Pack Operations | Full workflow |
| Binary Match Inspection | Advanced |
| Crypto Plugin Commands | Regional crypto |
| Admin Utilities | Ops tooling |
Web UI Capabilities
| Capability | Notes |
|---|---|
| Dark/Light Mode | |
| Findings Row Component | |
| Evidence Drawer | |
| Proof Tab | |
| Confidence Meter | |
| Locale Support | Cyrillic, etc. |
| Reproduce Verdict Button | |
| Audit Trail UI | Full history |
| Trust Algebra Panel | P/C/R visualization |
| Claim Comparison Table | Conflict view |
| Policy Chips Display | Gate status |
| Reachability Mini-Map | Path visualization |
| Runtime Timeline | Temporal view |
| Operator/Auditor Toggle | Role separation |
| Knowledge Snapshot UI | Air-gap prep |
| Keyboard Shortcuts | Power users |
Quota & Operations
| Plan | Scans per Day |
|---|---|
| Free | 333 |
| Pro | 3,333 |
| Enterprise | Unlimited |
All other operational capabilities are available across all plans:
- Usage API (
/quota) - Client-JWT authentication
- Rate Limiting & 429 Backpressure
- Retry-After Headers
- Priority Queue
- Burst Allowance (configurable)
- Custom Quotas (configurable)
Offline & Air-Gap
| Capability | Notes |
|---|---|
| Offline Update Kits (OUK) | Available |
| Offline Signature Verify | |
| One-Command Replay | |
| Sealed Knowledge Snapshots | Full feed export |
| Air-Gap Bundle Manifest | Transfer packages |
| No-Egress Enforcement | Strict isolation |
| Offline JWT | Extended tokens |
Deployment
| Capability | Notes |
|---|---|
| Docker Compose | Single-node |
| Helm Chart (K8s) | |
| PostgreSQL 16+ | |
| Valkey 8.0+ | |
| RustFS (S3) | |
| High-Availability | Multi-replica |
| Horizontal Scaling | Auto-scale |
| Dedicated Capacity | Reserved resources |
Access Control & Identity (Authority)
Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.
| Capability | Notes |
|---|---|
| Basic Auth | |
| API Keys | With scopes and expiration |
| SSO/SAML Integration | Okta, Azure AD |
| OIDC Support | |
| Basic RBAC | User/Admin |
| 75+ Authorization Scopes | Fine-grained permissions |
| DPoP (Sender Constraints) | Token binding |
| mTLS Client Certificates | Certificate auth |
| Device Authorization Flow | CLI/IoT devices |
| PAR Support | Pushed Authorization Requests |
| User Federation (LDAP/SAML) | Directory integration |
| Multi-Factor Authentication | TOTP/WebAuthn |
| Advanced RBAC | Team-based scopes |
| Multi-Tenant Management | Org hierarchy |
| Audit Log Export | SIEM integration |
CLI Commands:
stella auth clients list/create/delete— OAuth client managementstella auth roles list/show/assign— Role managementstella auth scopes list— List available scopesstella auth token introspect <token>— Token introspectionstella auth api-keys list/create/revoke— API key management
Notifications & Integrations
10 notification channel types with template engine, routing rules, and escalation.
| Capability | Notes |
|---|---|
| In-App Notifications | |
| Email Notifications | |
| EPSS Change Alerts | |
| Slack Integration | |
| Teams Integration | |
| Discord Integration | Webhook-based |
| PagerDuty Integration | Incident management |
| OpsGenie Integration | Alert routing |
| Zastava Registry Hooks | Auto-scan on push |
| Zastava K8s Admission | Validating/Mutating webhooks |
| Template Engine | Customizable templates |
| Channel Routing Rules | Severity/team routing |
| Escalation Policies | Time-based escalation |
| Notification Studio UI | Visual rule builder |
| Custom Webhooks | Any endpoint |
| CI/CD Gates | GitLab/GitHub/Jenkins |
| SCM Integrations | PR comments, status checks |
| Issue Tracker Integration | Jira, GitHub Issues |
| Enterprise Connectors | Grid/Premium APIs |
CLI Commands:
stella notify channels list/test— Channel managementstella notify rules list/create— Routing rulesstella zastava install/configure/status— K8s webhook management
Scheduling & Automation
| Capability | Notes |
|---|---|
| Manual Scans | |
| Scheduled Scans | Cron-based |
| Task Pack Orchestration | Declarative workflows |
| EPSS Daily Refresh | Auto-update |
| Event-Driven Scanning | On registry push |
Observability & Telemetry
| Capability | Notes |
|---|---|
| Basic Metrics | |
| Opt-In Telemetry | |
| OpenTelemetry Traces | Full tracing |
| Prometheus Export | Custom dashboards |
| Quality KPIs Dashboard | Triage metrics |
| SLA Monitoring | Uptime tracking |
Support & Services
| Capability | Notes |
|---|---|
| Documentation | |
| Community Forums | |
| GitHub Issues | |
| Email Support | Business hours |
| Priority Support | 4hr response |
| 24/7 Critical Support | Add-on |
| Dedicated CSM | Named contact |
| Professional Services | Implementation |
| Training & Certification | Team enablement |
| SLA Guarantee | 99.9% uptime |
Version Comparison
| Capability | Notes |
|---|---|
| RPM (NEVRA) | |
| Debian (EVR) | |
| Alpine (APK) | |
| SemVer | |
| PURL Resolution |
Legend: ⏳ = Planned
Last updated: 17 Jan 2026 (rev 6.0 - All features available across all tiers)