First-Class SBOM & VEX

Know What’s in Your Containers

Generate industry-standard SBOMs and apply VEX statements from multiple sources — with intelligent conflict resolution and offline verification built in.

Industry-Standard Formats

Stella generates SBOMs in the formats your auditors and compliance teams expect, with full component metadata and provenance.

SPDX 3.0.1

The latest ISO/IEC 5962 standard with full supplier metadata and SPDX license expressions.

CycloneDX 1.7

OWASP CycloneDX with integrated VEX support and dependency graph extensions.

Generate, verify, and publish SBOMs from the CLI

Terminal
$ stella sbom generate --image myapp:v2.1.0 --format spdx-json
$ stella sbom verify --archive sbom.tar.gz --offline
$ stella sbom publish --image myapp:v2.1.0 --overwrite

Why It Matters

SBOMs are becoming mandatory. Stella makes them practical.

Reproducible Results

Same image, same SBOM — every time. Auditors can verify your results independently.

Works Offline

Generate and verify SBOMs in air-gapped environments. No external calls required.

Compliance Ready

Meet EO 14028, EU CRA, and supply chain security requirements with signed, verifiable SBOMs.

Cryptographically Signed

Every SBOM is signed and tamper-evident. Evidence you can trust.

VEX: Context for Vulnerabilities

Not every CVE affects you. VEX (Vulnerability Exploitability eXchange) statements let vendors and your own analysis say which vulnerabilities actually matter for your specific deployment.

  • Affected
  • Not Affected
  • Fixed
  • Under Investigation

VEX cuts through the noise: a CVE in a library you don’t use isn’t your problem. Stella applies VEX statements automatically to focus your attention on what matters.

K4 Belnap Lattice: Smart Conflict Resolution

When multiple VEX sources disagree, Stella uses Belnap’s four-valued logic to compute the definitive state. Conflicts become visible, not hidden.

Unknown

No information yet. Default state before any VEX statement applies.

Affected (T)

At least one issuer says this vulnerability affects you.

Not Affected (F)

At least one issuer says you’re not affected.

Conflict (⊤)

Multiple issuers disagree. Requires review or higher-authority override.

Vendor says “not affected” but your runtime probe saw the function called? Result: Conflict (⊤) — the disagreement is visible, not silently suppressed.

No silent suppression. No hidden assumptions. Uncertainty is tracked and surfaced.

Multi-Source VEX Consensus

Vendors, distributors, and your own security team may all publish VEX statements. Stella aggregates them with weighted consensus.

  • Ingest VEX from software vendors, Linux distributors, and internal sources
  • Sources are weighted by authority — your internal assessments can override external ones
  • Conflicts trigger review workflows rather than being silently resolved
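The two sections above describe the same mechanism from two angles: a four-valued lattice in which "affected" and "not affected" combine to Conflict rather than one cancelling the other, and an authority weighting in which an internal assessment can override an external one. The following is an added example written for this page, not Stella's own code. It assumes a simple integer authority weight per issuer (the highest tier that carries any information decides, and a Conflict inside that tier is surfaced for review), treats "fixed" as Not Affected and "under_investigation" as Unknown, and uses placeholder CVE ids in constructed sample statements.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Belnap(Enum):
    """Belnap four-valued truth values, ordered by how much is known."""
    UNKNOWN = "unknown"        # nothing asserted yet
    T = "affected"             # asserted affected
    F = "not_affected"         # asserted not affected
    CONFLICT = "conflict"      # asserted both ways (⊤ in the knowledge order)


def join(a: Belnap, b: Belnap) -> Belnap:
    """Least upper bound in the knowledge ordering: UNKNOWN adds nothing,
    equal values are idempotent, and T combined with F is a CONFLICT."""
    if a == b:
        return a
    if a is Belnap.UNKNOWN:
        return b
    if b is Belnap.UNKNOWN:
        return a
    return Belnap.CONFLICT


# How VEX statuses land on the lattice. Treating "fixed" as not affected and
# "under_investigation" as no information is an assumption of this example.
STATUS_TO_LATTICE = {
    "affected": Belnap.T,
    "not_affected": Belnap.F,
    "fixed": Belnap.F,
    "under_investigation": Belnap.UNKNOWN,
}


@dataclass(frozen=True)
class VexStatement:
    issuer: str
    vuln_id: str
    product: str
    status: str
    authority: int  # assumed weighting: a higher tier overrides lower ones


@dataclass(frozen=True)
class Verdict:
    state: Belnap
    deciding_authority: Optional[int]   # tier that produced the state, None if nobody spoke
    issuers: Tuple[str, ...]            # who contributed to that tier (for the review queue)
    needs_review: bool                  # True only for a CONFLICT


def resolve(statements: List[VexStatement], vuln_id: str, product: str) -> Verdict:
    """Fold the statements for one (vuln, product) pair through the lattice,
    one authority tier at a time from highest to lowest. The first tier that
    carries information decides; a CONFLICT inside that tier is surfaced
    rather than collapsed to a single answer."""
    relevant = [s for s in statements if s.vuln_id == vuln_id and s.product == product]
    by_tier: Dict[int, List[VexStatement]] = defaultdict(list)
    for s in relevant:
        by_tier[s.authority].append(s)
    for tier in sorted(by_tier, reverse=True):
        state = Belnap.UNKNOWN
        for s in by_tier[tier]:
            state = join(state, STATUS_TO_LATTICE[s.status])
        if state is not Belnap.UNKNOWN:
            issuers = tuple(s.issuer for s in by_tier[tier])
            return Verdict(state, tier, issuers, state is Belnap.CONFLICT)
    return Verdict(Belnap.UNKNOWN, None, tuple(s.issuer for s in relevant), False)


# Constructed sample statements; the CVE ids are placeholders, not real advisories.
PRODUCT = "myapp:v2.1.0"
SAMPLE: List[VexStatement] = [
    # Vendor says not affected, runtime probe saw the function called: same tier -> Conflict
    VexStatement("vendor", "CVE-0000-0001", PRODUCT, "not_affected", 10),
    VexStatement("runtime-probe", "CVE-0000-0001", PRODUCT, "affected", 10),
    # Internal security team (higher authority) overrides the vendor's statement
    VexStatement("vendor", "CVE-0000-0002", PRODUCT, "not_affected", 10),
    VexStatement("internal-security", "CVE-0000-0002", PRODUCT, "affected", 20),
    # Top tier is still investigating (no information), so the distributor's "fixed" decides
    VexStatement("internal-security", "CVE-0000-0003", PRODUCT, "under_investigation", 20),
    VexStatement("linux-distro", "CVE-0000-0003", PRODUCT, "fixed", 10),
]


def resolve_all(statements: List[VexStatement]) -> Dict[Tuple[str, str], Verdict]:
    """One verdict per (vuln, product) pair seen in the statements."""
    keys = sorted({(s.vuln_id, s.product) for s in statements})
    return {k: resolve(statements, *k) for k in keys}


if __name__ == "__main__":
    for (vuln, product), v in resolve_all(SAMPLE).items():
        flag = "  <-- needs review" if v.needs_review else ""
        print(f"{vuln} {product}: {v.state.value} "
              f"(tier {v.deciding_authority}: {', '.join(v.issuers)}){flag}")
```

The point of the tier walk is that "Unknown" carries no information and therefore cannot override anything: an internal team that is still investigating does not silence a distributor's "fixed". Only a tier that actually asserts something can decide, and when that tier disagrees with itself the Conflict value, with the issuers that produced it, is what reaches the review queue.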

One View of Truth

Instead of juggling spreadsheets and emails, get a single authoritative view of which vulnerabilities actually affect your release.

Ready for practical SBOM compliance?

Install Stella Ops and start generating auditor-ready SBOMs with multi-source VEX support.