Why pick Stella Ops?
Stella Ops signs every reachability graph, replays scans bit-for-bit from frozen feeds, provides explainable evidence-linked VEX decisions, and ships sovereign offline operation. Our 15-vendor comparison shows no competitor offers all four.
Four capabilities no competitor offers together
Signed reachability
Every reachability graph is sealed in a DSSE (Dead Simple Signing Envelope) signature envelope, with optional edge-bundle attestations for runtime, init and contested paths. Both static call-graph edges and runtime-derived edges can be attested, giving true hybrid reachability.
Deterministic replay
Scans run bit-for-bit identical from frozen vulnerability feeds and pinned analyzer manifests. A CVE finding from six months ago can be re-verified today by running stella replay srm.yaml against those frozen inputs, an audit trail no other scanner provides.
Explainable policy (Lattice VEX)
The lattice engine merges SBOM data, advisories, VEX statements, and waivers into a single verdict with human-readable justifications. Unlike yes/no approaches, the engine treats "Unknown" as an explicit state rather than collapsing it into "safe", so incomplete data never produces a false all-clear.
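One way to implement the merge described above, as an added example that is not Stella Ops code. Statuses form a chain ordered by risk and are combined with a lattice join (the maximum), so adding a source can never make a verdict safer than its most pessimistic input; "unknown" sits above the safe states, and the only move down the lattice is a not_affected claim that carries a recognised justification. The status and justification names follow OpenVEX; the ordering, the baseline range check, the waiver handling and the sample advisory are assumptions made for this illustration.

```python
"""Added example (not Stella Ops code): a small 'lattice VEX' merge.

Statuses form a chain ordered by risk; the join of two statuses is their
max, so combining sources can never make a verdict safer than its most
pessimistic input. UNKNOWN sits above the safe states so missing data is
never read as 'not affected'. The only move *down* the lattice is a
NOT_AFFECTED claim that carries a recognised justification.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Status(IntEnum):
    NOT_AFFECTED = 0
    FIXED = 1
    UNKNOWN = 2
    UNDER_INVESTIGATION = 3
    AFFECTED = 4


SAFE = {Status.NOT_AFFECTED, Status.FIXED}

# OpenVEX justification labels that may back a NOT_AFFECTED claim.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


@dataclass(frozen=True)
class Advisory:
    cve: str
    introduced: Optional[str]  # first affected version; None if the feed gave no range
    fixed: Optional[str]       # first fixed version; None if unfixed


@dataclass(frozen=True)
class VexStatement:
    source: str                # e.g. "vendor", "reachability" (labels are illustrative)
    status: Status
    justification: Optional[str] = None


@dataclass(frozen=True)
class Waiver:
    reason: str
    expires: date


def vtuple(v: str):
    return tuple(int(p) for p in v.split("."))


def baseline(version: str, adv: Advisory, trace: list) -> Status:
    """SBOM version vs advisory range. No range data -> UNKNOWN, never 'safe'."""
    if adv.introduced is None:
        trace.append(f"{adv.cve}: advisory carries no affected range -> unknown")
        return Status.UNKNOWN
    v = vtuple(version)
    if v < vtuple(adv.introduced):
        trace.append(f"{adv.cve}: {version} predates introduced {adv.introduced} -> not_affected")
        return Status.NOT_AFFECTED
    if adv.fixed is not None and v >= vtuple(adv.fixed):
        trace.append(f"{adv.cve}: {version} >= fixed {adv.fixed} -> fixed")
        return Status.FIXED
    trace.append(f"{adv.cve}: {version} in affected range -> affected")
    return Status.AFFECTED


def normalise(stmt: VexStatement, trace: list) -> Status:
    """A NOT_AFFECTED claim without a valid justification is demoted, not trusted."""
    if stmt.status is Status.NOT_AFFECTED and stmt.justification not in JUSTIFICATIONS:
        trace.append(f"{stmt.source}: not_affected without a valid justification -> demoted to unknown")
        return Status.UNKNOWN
    why = f" ({stmt.justification})" if stmt.justification else ""
    trace.append(f"{stmt.source}: {stmt.status.name.lower()}{why}")
    return stmt.status


def decide(version, adv, statements=(), waivers=(), today=date(2025, 1, 1)):
    """Return (status, gate, trace). 'today' is fixed so the verdict replays deterministically."""
    trace = []
    status = baseline(version, adv, trace)
    if statements:
        claim = max(normalise(s, trace) for s in statements)  # join across VEX sources
        if claim is Status.NOT_AFFECTED:
            trace.append("every VEX source gives a justified not_affected -> overrides baseline")
            status = Status.NOT_AFFECTED
        else:
            status = max(status, claim)
            trace.append(f"join of baseline and VEX claims -> {status.name.lower()}")
    gate = "pass" if status in SAFE else "fail"
    if gate == "fail":
        for w in waivers:
            if w.expires >= today:
                trace.append(f"waiver '{w.reason}' valid until {w.expires} -> gate passes, status unchanged")
                gate = "pass"
                break
            trace.append(f"waiver '{w.reason}' expired {w.expires} -> ignored")
    trace.append(f"verdict: {status.name.lower()} / gate {gate}")
    return status, gate, trace
```

The trace list is the "explainable" part: every line records which source moved the verdict and why, and a waiver changes the gate outcome without rewriting the vulnerability status itself.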
Sovereign + Offline operation
Stays inside your perimeter. Stella Ops runs fully offline—no external services—enabling sovereign control and compliance with regional crypto mandates. FIPS, eIDAS, GOST, SM, or PQC profiles are one-click toggles; air-gapped verification works by default.
And everything else you'd expect
Decision Capsules
Every scan result is sealed in a Decision Capsule: a content-addressed bundle containing the SBOM, vulnerability feed snapshots, reachability evidence, policy version, derived VEX, and signatures. Because every input is pinned by digest, auditors can re-run any capsule bit-for-bit and compare the result.
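The following is an added example, not Stella Ops code, covering both the DSSE sealing mentioned under Signed reachability and the Decision Capsule described above. The pre-authentication encoding (PAE) is the one defined by the DSSE specification. The signature primitive is HMAC-SHA256 with a shared key so the snippet runs on the standard library alone; a real deployment would sign the same PAE with an asymmetric key. The capsule field names, the payload type and the sample inputs are invented for this illustration.

```python
"""Added example (not Stella Ops code): sealing a content-addressed Decision
Capsule in a DSSE envelope and re-verifying it bit-for-bit from frozen inputs.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

PAYLOAD_TYPE = "application/vnd.example.decision-capsule+json"  # invented for this example


def canonical(obj) -> bytes:
    """Deterministic JSON: sorted keys, no whitespace, ASCII only, so equal
    content always serialises to identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def digest(obj) -> str:
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE PAE: 'DSSEv1' SP LEN(type) SP type SP LEN(payload) SP payload."""
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def dsse_sign(payload: bytes, key: bytes, keyid: str) -> dict:
    # HMAC stands in for an asymmetric signature; the PAE construction is unchanged.
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": b64(payload),
            "signatures": [{"keyid": keyid, "sig": b64(sig)}]}


def dsse_verify(envelope: dict, keys: dict) -> Optional[bytes]:
    """Return the payload if some signature verifies under a known key, else None.
    The MAC covers PAE(payloadType, payload), not the raw payload, so changing
    the payload type also invalidates the signature."""
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        key = keys.get(s["keyid"])
        if key is None:
            continue
        if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), base64.b64decode(s["sig"])):
            return payload
    return None


def build_capsule(inputs: dict, derived_vex: list) -> dict:
    """Content-address every frozen input. The capsule digest covers those
    addresses plus the derived verdicts, so a replay from the same frozen
    inputs must reproduce the same digest."""
    body = {
        "sbom": digest(inputs["sbom"]),
        "feeds": {name: digest(snap) for name, snap in sorted(inputs["feeds"].items())},
        "reachability": digest(inputs["reachability"]),
        "policy_version": inputs["policy_version"],
        "derived_vex": derived_vex,
    }
    return {"body": body, "digest": digest(body)}


def seal(capsule: dict, key: bytes, keyid: str) -> dict:
    return dsse_sign(canonical(capsule), key, keyid)


def replay_verify(envelope: dict, keys: dict, inputs: dict, derived_vex: list) -> bool:
    """Auditor path: open the envelope, rebuild the capsule from the frozen
    inputs, and require a byte-identical result."""
    payload = dsse_verify(envelope, keys)
    if payload is None:
        return False
    return payload == canonical(build_capsule(inputs, derived_vex))


# Constructed sample inputs (not real data).
FROZEN_INPUTS = {
    "sbom": {"components": [{"name": "libfoo", "version": "1.3.1"}]},
    "feeds": {"nvd": {"snapshot": "2025-01-01", "CVE-2024-0001": {"introduced": "1.2.0", "fixed": "1.4.0"}}},
    "reachability": {"kind": "static", "edges": [["main", "libfoo.parse"]]},
    "policy_version": "policy-v3",
}
DERIVED_VEX = [{"cve": "CVE-2024-0001", "component": "libfoo", "status": "affected"}]
KEY = b"example-shared-key-do-not-use"
KEYS = {"auditor-key-1": KEY}


def demo() -> dict:
    capsule = build_capsule(FROZEN_INPUTS, DERIVED_VEX)
    env = seal(capsule, KEY, "auditor-key-1")
    # Forgery attempt: flip the verdict inside the payload without re-signing.
    forged = json.loads(base64.b64decode(env["payload"]))
    forged["body"]["derived_vex"][0]["status"] = "not_affected"
    tampered = dict(env, payload=b64(canonical(forged)))
    return {
        "digest": capsule["digest"],
        "replay_ok": replay_verify(env, KEYS, FROZEN_INPUTS, DERIVED_VEX),
        "tamper_ok": replay_verify(tampered, KEYS, FROZEN_INPUTS, DERIVED_VEX),
        "unknown_key_ok": replay_verify(env, {}, FROZEN_INPUTS, DERIVED_VEX),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two properties fall out of this layout: the capsule digest changes whenever any pinned input (feed snapshot, policy version, reachability graph) changes, so a replay that used different data cannot silently match, and a payload edited after signing fails the envelope check before any comparison happens.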
VEX propagation
Generate vulnerability status attestations your downstream consumers can automatically trust and ingest—scalable VEX sharing across the supply chain.
Open & auditable
AGPL-licensed, reproducible builds, Cosign signatures, and DSSE replay manifests for every release.
Cartographer insights
Visual dependency maps expose which services share vulnerable components so teams fix what matters first.
Lightning-fast scans
Delta-SBOM warm path completes in seconds on a 4-vCPU runner; nightly auto re-scan keeps "green" images honest without slowing CI.
Free for most teams
33 scans per UTC day anonymously, 333 with a complimentary token — enough headroom for 90% of companies.