Evidence and Audit
Every promotion leaves a verifiable record
Decision Capsules capture the exact inputs, policy context, and signatures behind each release decision so audits are evidence driven, not narrative driven.
What this means for your business
Each promotion creates a signed evidence package that security, compliance, and engineering can verify independently. Replay reproduces the original verdict from frozen inputs, even in offline environments.
Decision Capsule: A signed, exportable evidence bundle that seals every input and output of a release decision for offline audit and deterministic replay
Auditor view: what is inside
Exporting a Decision Capsule produces a signed, content-addressed bundle containing the same artifacts used during the original decision.
- The exact SBOM used at decision time
- Frozen vulnerability feed snapshots for reproducibility
- Reachability evidence from static and runtime analysis
- Policy bundle and rule versions used for gating
- Derived VEX statement and decision rationale
- DSSE signatures that protect bundle integrity
Source: Decision Capsules documentation
What is a Decision Capsule
Contents
A capsule includes SBOM data, vulnerability context, reachability outputs, policy inputs, approvals, and final verdict metadata.
Signing
DSSE and in-toto-style signatures make tampering visible. Crypto profile selection supports regional and regulatory requirements.
Cosign: Container signing tool from the Sigstore project for signing and verifying container images and artifacts
Sigstore: Open-source project providing free code signing and transparency log infrastructure for the software supply chain
Export
Export capsules at any promotion stage and retain them in your evidence store according to policy.
Replay
Use stella replay to re-run a historical decision with identical inputs and verify the same outcome.
Sample Capsule Structure
Every Decision Capsule is a self-contained directory with signed artifacts:
decision-capsule-20260126-prod-a1b2/
|- manifest.json              # Capsule metadata + signatures
|- sbom.cdx.json              # CycloneDX 1.7 SBOM
|- sbom.cdx.json.sig          # DSSE signature
|- reachability/
|  |- analysis.json           # Reachability verdicts
|  |- call-graph.json         # Static analysis proof
|  `- analysis.json.sig       # DSSE signature
|- policy/
|  |- rules.rego              # Policy snapshot
|  `- verdict.json            # Gate decision + rationale
|- approvals/
|  `- jsmith.sig              # Human approval signature
`- feeds/
   `- snapshot.json           # Frozen CVE/advisory state
Manifest structure (advanced)
The capsule manifest pins every input and output by digest so the decision can be replayed later.
apiVersion: capsule.stellaops.dev/v1
metadata:
  id: "cap-2025-12-11-abc123"
  timestamp: "2025-12-11T14:30:00Z"
  scan_id: "scan-xyz789"
inputs:
  sbom:
    format: "cyclonedx@1.6"
    digest: "sha256:..."
  feeds:
    - name: "nvd"
      snapshot: "2025-12-11"
      digest: "sha256:..."
  policy:
    version: "corp-policy@2025-12-01"
    digest: "sha256:..."
outputs:
  vex:
    format: "openvex"
    digest: "sha256:..."
signatures:
  - scheme: "DSSE"
    profile: "FIPS-aligned"
    signer: "build-ca@corp"
Verification commands (step-by-step)
Auditors can verify signatures, check integrity, and replay decisions independently — no Stella infrastructure required.
- 1
$ cosign verify-blob --key example-capsule.pub --signature example-capsule.sig example-capsule.tar.gz
Verify the example capsule signature with cosign (demo key)
- 2
$ tar -xzf example-capsule.tar.gz && stella capsule verify ./decision-capsule-2026-01-20/
Extract the capsule and verify manifest digests
- 3
$ stella replay ./decision-capsule-2026-01-20/ --offline
Replay the decision with frozen inputs
All three commands work offline. Evidence travels with the capsule.
Try It: Example Decision Capsule
Download a sanitized example capsule to explore the structure and run verification commands locally.
Contains: SBOM, reachability proof, policy snapshot, mock approvals. Signature + public key included for local verification.
Evidence Chain
What's in a Decision Capsule
Artifact Digest: SHA-256 content address
SBOM Snapshot: CycloneDX 1.7 / SPDX 3.0
Reachability Evidence: Graph + edge attestations
VEX State: Lattice-resolved verdict
Policy Version: Content-addressed Rego/DSL
Approvals: Signed approval records
Compliance Workflow
- 1
Auditor asks
"Show me proof this CVE was handled correctly in the January release."
- 2
Operator exports
stella capsule export jan-release-capsule.yaml --format audit-bundle
- 3
Pack verifies
Auditor runs stella capsule verify jan-release-capsule.yaml — signatures check, digests match.
- 4
Replay reproduces
stella replay jan-release-capsule.yaml produces identical verdict with frozen inputs.
Deterministic replay and verification
Months later, you can validate that the same policy, evidence, and artifact digest produce the same decision. This removes uncertainty during incident review and compliance checks.
- Verify signatures against pinned trust anchors.
- Confirm SBOM and feed snapshot digests against the manifest.
- Replay with the same policy bundle and reachability inputs.
- Export the resulting verdict and supporting evidence as an audit packet.
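The digest pinning from the manifest section and the verify-then-replay sequence listed above, as an added example (not Stella's own code): a Python stand-in that recomputes every pinned input digest, refuses to replay over altered or missing files, and compares the recomputed verdict with the one recorded at decision time. The capsule files, the manifest (pinned by path rather than under sbom/feeds/policy as in the real manifest) and the simplified policy.json severity-floor rule are all constructed here.

```python
import hashlib, json

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

# Constructed stand-in for the files in a capsule directory (not a real capsule).
# policy.json is a simplified substitute for the rules.rego snapshot shown above.
CAPSULE_FILES = {
    "sbom.cdx.json": json.dumps({"components": [{"name": "libfoo", "version": "1.2.0"}]}).encode(),
    "feeds/snapshot.json": json.dumps({"CVE-2025-0001": {"severity": "high"}}).encode(),
    "reachability/analysis.json": json.dumps({"CVE-2025-0001": {"reachable": False}}).encode(),
    "policy/policy.json": json.dumps({"block_at_or_above": "high"}).encode(),
}
# Constructed manifest: every input pinned by digest, plus the verdict recorded at decision time.
MANIFEST = {
    "apiVersion": "capsule.stellaops.dev/v1",
    "inputs": {path: {"digest": sha256_digest(data)} for path, data in CAPSULE_FILES.items()},
    "outputs": {"verdict": "ALLOW"},
}

def verify_manifest(manifest: dict, files: dict) -> dict:
    """Recompute each pinned input's digest; report ok / mismatch / missing per path."""
    results = {}
    for path, pinned in manifest["inputs"].items():
        if path not in files:
            results[path] = "missing"
        elif sha256_digest(files[path]) != pinned["digest"]:
            results[path] = "mismatch"
        else:
            results[path] = "ok"
    return results

def replay_decision(files: dict) -> str:
    """Pure function of the frozen inputs: DENY only if a listed CVE is reachable and at/above the floor."""
    feed = json.loads(files["feeds/snapshot.json"])
    reach = json.loads(files["reachability/analysis.json"])
    floor = json.loads(files["policy/policy.json"])["block_at_or_above"]
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    for cve, info in feed.items():
        if reach.get(cve, {}).get("reachable") and rank[info["severity"]] >= rank[floor]:
            return "DENY"
    return "ALLOW"

def replay_and_verify(manifest: dict, files: dict) -> dict:
    """Refuse to replay over altered inputs; otherwise compare recomputed and recorded verdicts."""
    checks = verify_manifest(manifest, files)
    if any(state != "ok" for state in checks.values()):
        return {"status": "INPUT_MISMATCH", "checks": checks}
    verdict = replay_decision(files)
    status = "PASSED" if verdict == manifest["outputs"]["verdict"] else "DRIFT"
    return {"status": status, "verdict": verdict, "checks": checks}
```

Editing the reachability file so the CVE appears reachable would flip the verdict to DENY, but the digest pin reports the edit as INPUT_MISMATCH before any replay runs.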
$ stella replay capsule.json --verify
Replaying decision from 2025-07-15T14:32:00Z...
Policy version: sha256:e5f6g7h8... (matches)
Feed snapshot: sha256:i9j0k1l2... (matches)
Verdict: ALLOW (identical to original)
Determinism check: PASSED
Formats and Interoperability
SBOM
CycloneDX 1.7 and SPDX 3.0.1. Import from Trivy, Grype, Syft, or generate natively.
VEX
OpenVEX and CSAF 2.0. Multi-issuer lattice resolution with conflict detection.
SARIF
Static Analysis Results Interchange Format export for IDE and CI integration.
Air-Gapped Verification
Auditors verify signatures, check digest integrity, and replay decisions without any network access. All cryptographic material travels with the capsule.
$ stella capsule verify decision-capsule.yaml --offline
Signature verification: PASSED (ECDSA-P256)
Digest match: PASSED (sha256:abc123...)
Policy version: VALID (v3.2.1)
Evidence integrity: ALL COMPONENTS SIGNED
Verdict: ALLOW — no network required
Independent trust artifacts status
Buyers evaluating production rollout usually ask for third-party validation in addition to first-party proofs. This section shows what is already public and what is still in progress.
Public now
Verification keys, signed capsule examples, deterministic replay commands, and exportable evidence structures are publicly available.
In progress
Third-party assessment summaries and named pilot case studies are not yet published as public artifacts.
For due diligence
Security pack, architecture evidence, and pilot-reference discussions can be scoped during evaluation for teams with procurement gates.
Start with Verification Keys, Security Pack, and Contact to request enterprise review materials.
Ready to make release decisions provable?
Read Decision Capsule specification · Explore platform features
