Evidence Engine

Know which vulnerabilities actually matter

Generate SBOMs, analyze hybrid reachability, and produce signed evidence for every artifact.

Meaningful reduction in false positives through three-layer analysis

The reachability difference

Traditional scanners tell you a CVE exists in a package you ship. Stella determines whether your code can actually reach the vulnerable function and records the call path as evidence.

Static analysis

Call graph extraction from bytecode and source. Traces execution paths to vulnerable functions.

Manifest analysis

Import statements, dependency trees, package manifests. Identifies which code is actually included.

Runtime traces

Optional profiling data (for example eBPF traces, the Linux kernel facility that runs sandboxed programs for low-overhead observability without kernel modules) for higher confidence. Shows which code paths were actually executed under the observed workload; a path that was not exercised is not thereby shown to be unreachable.

Result: Significantly fewer false positives

Focus on reachable CVEs instead of hundreds of theoretical ones.
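The three layers above combine into one verdict per advisory. The following is an added example written for this page, not Stella Ops code: a toy call graph (static layer), a package manifest (manifest layer) and a sampled runtime trace (runtime layer) are checked against an advisory map, and each CVE gets a status plus the call path that serves as its witness. Every package, symbol, CVE id and trace entry is constructed for illustration.

```python
"""Hybrid reachability over a toy call graph (added example, not Stella Ops code).

Layer 1 (static): a call graph extracted from the artifact.
Layer 2 (manifest): the set of packages actually shipped.
Layer 3 (runtime): symbols observed executing, e.g. from eBPF sampling.
Every identifier, package and CVE id below is constructed for illustration.
"""
from collections import deque

# Layer 1: caller -> callees. imglib.resize is present but never called from main.
CALL_GRAPH = {
    "app.main": ["app.api.handle_login", "app.api.render_report"],
    "app.api.handle_login": ["jwtlib.decode"],
    "app.api.render_report": ["pdfkit.render"],
    "jwtlib.decode": ["jwtlib._verify_sig"],
    "pdfkit.render": ["pdfkit._parse"],
    "imglib.resize": ["imglib._decode_png"],
}

# Layer 2: packages the manifest says are included in the artifact.
MANIFEST = {"jwtlib", "pdfkit", "imglib"}

# Advisory mapping: CVE id -> (package, vulnerable symbol). Constructed ids.
ADVISORIES = {
    "CVE-0000-0001": ("jwtlib", "jwtlib._verify_sig"),
    "CVE-0000-0002": ("pdfkit", "pdfkit._parse"),
    "CVE-0000-0003": ("imglib", "imglib._decode_png"),
    "CVE-0000-0004": ("yamlkit", "yamlkit.load"),   # not in the manifest at all
}

# Layer 3: symbols seen executing under a sampled workload (constructed trace).
RUNTIME_TRACE = {"app.main", "app.api.handle_login", "jwtlib.decode", "jwtlib._verify_sig"}


def find_path(graph, start, target):
    """Breadth-first search; returns the shortest call path start..target or None.

    The returned path is the path witness: the chain of calls an auditor
    can check by hand.
    """
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for callee in graph.get(node, ()):
            if callee not in parents:
                parents[callee] = node
                queue.append(callee)
    return None


def classify(entry_points, graph=CALL_GRAPH, manifest=MANIFEST,
             advisories=ADVISORIES, trace=RUNTIME_TRACE):
    """Classify each advisory for the given entry points.

    Statuses, from strongest to weakest evidence:
      reachable_observed  static path exists and every step was seen at runtime
      reachable_static    static path exists, not (yet) observed at runtime
      unreachable         package shipped, but no path in the call graph
      not_included        package is not in the manifest at all
    """
    results = {}
    for cve, (pkg, symbol) in advisories.items():
        if pkg not in manifest:
            results[cve] = {"status": "not_included", "witness": None}
            continue
        witness = None
        for entry in entry_points:
            witness = find_path(graph, entry, symbol)
            if witness:
                break
        if witness is None:
            status = "unreachable"
        elif all(step in trace for step in witness):
            status = "reachable_observed"
        else:
            status = "reachable_static"
        results[cve] = {"status": status, "witness": witness}
    return results


if __name__ == "__main__":
    for cve, r in classify(["app.main"]).items():
        print(cve, r["status"], " -> ".join(r["witness"] or []))
```

The "unreachable" verdict is only as sound as the call graph behind it: reflection, dynamic dispatch, plugins loaded by name and FFI calls all create edges a static extractor can miss. That is why the manifest and runtime layers are combined with it, and why the figures on this page speak of fewer false positives rather than none.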

The real-world difference

Typical scanner output

$ trivy image myapp:latest
Total: 487 vulnerabilities
  CRITICAL: 23
  HIGH: 89
  MEDIUM: 241
  LOW: 134

"Great. Which ones actually matter?"

Stella Ops with reachability

$ stella scan myapp:latest --reachability
Total: 487 CVEs detected
Reachable: 12 CVEs
  CRITICAL: 2 (both in auth path)
  HIGH: 4 (3 in API handler)
  MEDIUM: 6

Focus on what matters. Ship with confidence.

SBOM capabilities

Generate, ingest, and diff SBOMs with full version history and lineage tracking.

Multi-format support

CycloneDX 1.7, SPDX 3.0, Trivy-JSON with auto-detection.

Delta-SBOM caching

Sub-second warm-path scans through intelligent caching.

SBOM lineage ledger

Full versioned history with traversal queries.

Layer-aware analysis

Per-layer SBOM extraction and base image detection.

Semantic SBOM diff

Material change detection between releases.

Bring your own SBOM

Ingest external SBOMs and add reachability analysis.
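A semantic SBOM diff reports changes to what is shipped and ignores changes to how the document was produced. The following is an added example written for this page, not Stella Ops code: two constructed CycloneDX documents are compared by package URL, so added, removed and version-changed components are reported while a regenerated document with a new serial number, timestamp and component order is reported as not material. The component names, versions and serial numbers are constructed for illustration.

```python
"""Semantic diff of two CycloneDX SBOMs (added example, not Stella Ops code).

Components are keyed by package URL (purl) without its version, so the diff
reports added, removed and version-changed packages and ignores changes that
do not alter the shipped bill of materials (serial number, timestamp,
component order). All three SBOMs below are constructed for illustration.
"""
import json


def _bom(serial, timestamp, components):
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": serial,
        "metadata": {"timestamp": timestamp},
        "components": [
            {"type": "library", "name": name, "version": version, "purl": purl}
            for name, version, purl in components
        ],
    })


SBOM_OLD = _bom("urn:uuid:00000000-0000-4000-8000-000000000001", "2024-01-01T00:00:00Z", [
    ("lodash", "4.17.20", "pkg:npm/lodash@4.17.20"),
    ("express", "4.18.2", "pkg:npm/express@4.18.2"),
    ("left-pad", "1.3.0", "pkg:npm/left-pad@1.3.0"),
])

# Same content as SBOM_OLD, regenerated: new serial, new timestamp, different order.
SBOM_REBUILT = _bom("urn:uuid:00000000-0000-4000-8000-000000000002", "2024-01-02T00:00:00Z", [
    ("left-pad", "1.3.0", "pkg:npm/left-pad@1.3.0"),
    ("express", "4.18.2", "pkg:npm/express@4.18.2"),
    ("lodash", "4.17.20", "pkg:npm/lodash@4.17.20"),
])

# A later release: lodash bumped, left-pad dropped, qs added (with a purl qualifier).
SBOM_NEW = _bom("urn:uuid:00000000-0000-4000-8000-000000000003", "2024-02-01T00:00:00Z", [
    ("express", "4.18.2", "pkg:npm/express@4.18.2"),
    ("lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
    ("qs", "6.11.0", "pkg:npm/qs@6.11.0?checksum=sha256:abc"),
])


def split_purl(purl):
    """Return (identity, version) for a purl.

    Qualifiers ('?...') and subpath ('#...') are dropped; the version is the
    text after the last '@' (the purl spec percent-encodes '@' elsewhere).
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    identity, sep, version = core.rpartition("@")
    if not sep:
        return core, None
    return identity, version


def components(sbom_json):
    """Map component identity -> version for a CycloneDX document.

    Components without a purl fall back to group/name as their identity.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for c in doc.get("components", []):
        if c.get("purl"):
            identity, version = split_purl(c["purl"])
        else:
            identity, version = f"{c.get('group', '')}/{c['name']}", c.get("version")
        out[identity] = version
    return out


def semantic_diff(old_json, new_json):
    """Report material changes between two SBOMs."""
    old, new = components(old_json), components(new_json)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "material": bool(added or removed or changed),
    }


if __name__ == "__main__":
    print(json.dumps(semantic_diff(SBOM_OLD, SBOM_NEW), indent=2))
    print("rebuild is material:", semantic_diff(SBOM_OLD, SBOM_REBUILT)["material"])
```

Keying on the purl rather than on name alone matters because the same name can exist in several ecosystems (an npm package and a PyPI package called "requests" are unrelated), and stripping qualifiers keeps a checksum or repository hint from registering as a change in the shipped package.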

11 language analyzers

.NET/C#
Java
Go
Python
Node.js
Ruby
Bun
Deno
PHP
Rust
Native
+more

Plus OS package analyzers for apk, apt, yum, dnf, rpm, and pacman.

33+ advisory sources

Aggregate vulnerability intelligence from global, vendor, and regional sources with automatic sync and conflict detection.

Global databases

  • NVD (National Vulnerability Database, NIST), CVE (MITRE), OSV (Open Source Vulnerabilities), GHSA (GitHub Security Advisories)
  • Alpine, Debian, Ubuntu, RHEL, SUSE
  • CISA KEV (Known Exploited Vulnerabilities catalog), EPSS v4 (Exploit Prediction Scoring System)

Vendor PSIRTs

  • Microsoft MSRC, Cisco PSIRT, Oracle CPU
  • VMware, Adobe PSIRT, Apple Security
  • Chromium, Kaspersky ICS-CERT

National CERTs

  • CERT-FR, CERT-Bund (BSI), CERT-In
  • ACSC, CCCS, KISA, JVN (Japan Vulnerability Notes, JPCERT/CC and IPA)
  • FSTEC BDU, NKCKI, Astra Linux

Custom feeds

  • Private advisory connectors
  • Advisory merge engine with conflict resolution
  • Connector health monitoring

All sources deduplicated with signed snapshots for deterministic replay

Built for speed

<1s

Warm-path scans

Delta-SBOM caching for repeated digests

70-90%

False positive reduction

Through hybrid reachability analysis

33+

Advisory sources

Aggregated with automatic sync

Evidence output

Every scan produces signed, exportable evidence.

SBOM snapshot (CycloneDX/SPDX)
Reachability graph with edge attestations
Advisory state at scan time
Path witness generation for audit
DSSE-signed (Dead Simple Signing Envelope) evidence bundles
SARIF export for CI integration
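A DSSE envelope signs the pre-authentication encoding of the payload type and payload together, so a verifier cannot be tricked into interpreting signed bytes under a different type. The following is an added example written for this page, not Stella Ops code, showing how an evidence bundle is wrapped and checked. The DSSE spec leaves the signature algorithm to the signer; HMAC-SHA256 is used here as a stand-in so the example runs with the standard library only, and a real evidence bundle would use an asymmetric key such as Ed25519 so that verifiers never hold the signing secret. The key, key id, predicate type and evidence payload are constructed for illustration.

```python
"""DSSE envelope for an evidence bundle (added example, not Stella Ops code).

The envelope signs PAE(payloadType, payload), not the raw payload, so the
signature also covers the declared type. The signing primitive is left open
by the DSSE spec; HMAC-SHA256 is used here as a stand-in so the example runs
without any third-party library. Real evidence bundles use an asymmetric key
(for example Ed25519) so verifiers do not hold the signing secret.
The key, key id and evidence payload are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"  # conventional type for attestation statements
KEY_ID = "example-hmac-key"                    # constructed
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed evidence payload: what a reachability scan might attest.
EVIDENCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "myapp", "digest": {"sha256": "0" * 64}}],
    "predicateType": "https://example.invalid/reachability/v1",   # constructed
    "predicate": {"total_cves": 487, "reachable": ["CVE-0000-0001", "CVE-0000-0002"]},
}


def pae(payload_type, payload):
    """Pre-Authentication Encoding from the DSSE spec:
    'DSSEv1' SP LEN(type) SP type SP LEN(payload) SP payload."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def _sign(key, message):
    # Stand-in for an asymmetric signature: HMAC-SHA256 over the PAE bytes.
    return hmac.new(key, message, hashlib.sha256).digest()


def payload_bytes(statement):
    """Serialize a statement deterministically: sorted keys, no whitespace."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_envelope(key, key_id, payload_type, payload):
    """Return a DSSE JSON envelope (dict) over payload bytes."""
    sig = _sign(key, pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": key_id, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(key, key_id, envelope):
    """Return True if a signature under key_id in the envelope verifies.

    The payload is decoded, PAE is recomputed from the envelope's own
    payloadType, and the MAC is compared in constant time. Any edit to
    the type, the payload or the signature bytes makes this fail.
    """
    payload = base64.b64decode(envelope["payload"])
    expected = _sign(key, pae(envelope["payloadType"], payload))
    for entry in envelope["signatures"]:
        if entry.get("keyid") != key_id:
            continue
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            return True
    return False


if __name__ == "__main__":
    env = sign_envelope(SECRET_KEY, KEY_ID, PAYLOAD_TYPE, payload_bytes(EVIDENCE))
    print(json.dumps(env, indent=2))
    print("verifies:", verify_envelope(SECRET_KEY, KEY_ID, env))
```

When consuming such bundles in CI, verify before decoding the payload into anything that drives a decision, pin the accepted key ids, and treat the subject digest inside the statement as the only link to the artifact; a tag name in the payload carries no guarantee that the bytes being deployed are the bytes that were scanned.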

Where it fits

Evidence engine only

Use Stella's scanning and reachability as a standalone evidence producer.

  • Generate SBOM + reachability for your CI pipeline
  • Export findings as SARIF, CycloneDX, or Decision Capsules
  • Integrate with your existing CD tool

Full release control

Add orchestration, policy gates, and deployment execution for end-to-end release governance.

  • Scan → Gate → Promote → Deploy → Prove
  • Digest-first versioning across environments: release identity is based on immutable content hashes (SHA-256 digests) rather than mutable tags, so the same bytes are deployed everywhere
  • A/B, canary, rollback with evidence preservation

Ready to focus on what matters?

Start scanning with reachability analysis.
