From artifact digest to auditable promotion

Connect CI output and deployment targets, evaluate policy on digest-linked evidence, then promote with signed records. The result is fewer reachable CVEs in review, deterministic replay, and faster audit response.

Proof anchors

Each claim links to inspectable evidence artifacts, replay workflow, and specification docs.

Proof and methodology links: Evidence and Audit | Decision Capsule spec | Operations and Deployment

After first setup, you can validate:

  1. Filter the vulnerability backlog down to reachable-risk findings for a real artifact
  2. Export a signed Decision Capsule (a signed, exportable evidence bundle that seals every input and output of a release decision for offline audit and deterministic replay) for each promotion decision
  3. Replay the same decision later with frozen inputs and a matching verdict

Control-plane role in your toolchain

CI builds and tests artifacts. Stella evaluates promotion eligibility, deploys to non-Kubernetes targets (Compose, SSH/WinRM, ECS, Nomad), and preserves cryptographically verifiable decision records without replacing existing CI tooling.

Architecture path

Inputs from CI, registries, and advisory feeds are normalized into one decision path. Each gate adds signed evidence tied to the artifact digest.

[Stella Ops architecture diagram: self-hosted modules with plugin-based integration at each layer.]

Release lifecycle summary

Each phase adds evidence and policy context. Final output is a signed Decision Capsule.

[Release lifecycle diagram: Connect → Analyze → Gate → Deploy → Decision Capsule. Evidence is bound to digest and policy state at every phase.]

1. Connect artifact, pipeline, and runtime targets

Register registries, CI sources, and deployment endpoints so every release maps to a digest-first ledger.

Build and artifact sources

  • Docker Hub, Harbor, ECR, GCR, ACR
  • GitHub, GitLab, Bitbucket webhooks
  • Jenkins, GitHub Actions, GitLab CI

Execution and control dependencies

  • HashiCorp Vault for secrets
  • HashiCorp Consul for service registry
  • SSH/WinRM for remote targets (agentless by design)
2. Analyze release inputs as one promotion unit

Analyze digest, SBOM, and provenance once, then carry that frozen input set across environment boundaries.

  • SBOM (Software Bill of Materials) generation in CycloneDX or SPDX, the two open standard SBOM formats
  • Attested provenance snapshot for the exact digest
  • Content-addressed identity (SHA-256) for deterministic replay
3. Evaluate gate policy with reachable-risk evidence

Promotion policy evaluates signed findings and reachable execution paths, not raw CVE counts.

Evidence sources feeding the gate:

  • Static path graph: function-level call graph extraction
  • Manifest context: dependency and import resolution
  • Runtime confirmation: optional execution telemetry for higher confidence

Terminal session:
$ stella gate evaluate --env stage --artifact sha256:abc123...
 487 CVEs detected in dependencies
 475 marked NOT REACHABLE
! 12 REACHABLE evaluated by policy
Policy verdict: PASS
Gate evidence saved: evidence/gate-stage-2025-07-15.json

Outcome: analysts triage reachable findings first, reducing promotion delay.

4. Deploy and seal promotion evidence

Execute deployment on approved targets, then export a signed, replayable decision package.

Supported target patterns

  • Docker Compose deployments
  • AWS ECS / Fargate
  • HashiCorp Nomad
  • Scripted deployments (.NET 10)

Operational setup

  • SSH for Linux/Unix targets
  • WinRM for Windows targets
  • Vault for secret injection
  • Consul for service discovery

Decision Capsules are DSSE-signed and contain the full policy, evidence, and approval chain.
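The gate evaluation from step 3 and the DSSE sealing described here, as an added Python example that is not Stella Ops code: it judges constructed findings by reachability against an assumed severity threshold, seals the frozen inputs and verdict in a DSSE envelope (Pre-Authentication Encoding per the DSSE spec), and replays the capsule to confirm the signature and the verdict. The capsule layout, payload type, policy rule and HMAC key are assumptions; a real deployment signs with an asymmetric key rather than a shared secret.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # stand-in for the signer's key (assumption)
PAYLOAD_TYPE = "application/vnd.example.decision-capsule+json"  # hypothetical type

def pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE Pre-Authentication Encoding: "DSSEv1 <len(type)> <type> <len(body)> <body>"
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def evaluate_gate(findings: list, policy: dict) -> dict:
    # Only reachable findings are judged; FAIL if any meets the policy's CVSS threshold.
    reachable = [f for f in findings if f["reachable"]]
    blocking = [f["id"] for f in reachable if f["cvss"] >= policy["block_at_cvss"]]
    return {"total": len(findings), "reachable": len(reachable),
            "blocking": blocking, "verdict": "FAIL" if blocking else "PASS"}

def make_capsule(digest: str, findings: list, policy: dict) -> dict:
    # The capsule freezes every input next to the verdict derived from them.
    return {"artifact": digest, "findings": findings, "policy": policy,
            "result": evaluate_gate(findings, policy)}

def seal(capsule: dict) -> dict:
    # Canonical JSON so the same capsule always yields the same bytes and signature.
    payload = json.dumps(capsule, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}

def replay(envelope: dict) -> dict:
    # Verify the envelope, then re-run policy on the sealed inputs and compare verdicts.
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(KEY, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(envelope["signatures"][0]["sig"])):
        raise ValueError("signature mismatch: capsule was altered")
    capsule = json.loads(payload)
    again = evaluate_gate(capsule["findings"], capsule["policy"])
    if again["verdict"] != capsule["result"]["verdict"]:
        raise ValueError("replay verdict differs from sealed verdict")
    return again

# Constructed sample inputs: placeholder CVE ids, one reachable finding, one policy version.
FINDINGS = [
    {"id": "CVE-EXAMPLE-1", "cvss": 9.8, "reachable": False},
    {"id": "CVE-EXAMPLE-2", "cvss": 5.3, "reachable": True},
    {"id": "CVE-EXAMPLE-3", "cvss": 7.5, "reachable": False},
]
POLICY = {"version": "promotion-policy-v3", "block_at_cvss": 7.0}
DIGEST = "sha256:" + "0" * 64  # placeholder artifact digest

if __name__ == "__main__":
    print(replay(seal(make_capsule(DIGEST, FINDINGS, POLICY))))
```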

Impact of evidence-based gating

Without reachability

  • Hundreds of CVEs to triage
  • Slow release review cycles
  • Fragmented logs and screenshots
  • Exploitability assumptions
  • Manual exceptions

With Stella Ops

  • Reachable CVEs prioritized for action
  • Faster gate decisions with clearer risk context
  • Signed Decision Capsule export (a sealed, exportable evidence bundle for offline audit and deterministic replay)
  • Reachability-backed proof
  • Versioned promotion policy

What audit and compliance teams receive

Every Decision Capsule includes:

  • Exact artifact digest (SHA-256)
  • SBOM (Software Bill of Materials) snapshot in CycloneDX or SPDX format
  • Reachability evidence (signed graphs showing whether vulnerable code is actually called by the application, filtering out scanner noise)
  • Policy version + verdict
  • VEX (Vulnerability Exploitability eXchange) state, lattice-resolved: machine-readable statements on whether each vulnerability is exploitable in this context
  • Signed approval records

Auditors can validate signatures and replay decisions offline with stella replay.
