Core Concepts

Understanding Technologies vs Components in Polaris

Overview

Polaris distinguishes between Technologies (governed strategic choices) and Components (actual software artifacts in use).

A Technology is a governed software entity that requires architectural approval, lifecycle management, and version constraint compliance.

Technology types use the CycloneDX ComponentType values:

application — Standalone software applications (e.g., Keycloak, Grafana)
framework — Application frameworks (e.g., React, Vue, Spring Boot, Express)
library — Reusable code libraries (e.g., Lodash, TypeScript)
container — Container runtimes and images (e.g., Docker)
platform — Runtimes, databases, and infrastructure platforms (e.g., Node.js, PostgreSQL, Redis, Kubernetes)
operating-system — Operating systems (e.g., Alpine Linux, Ubuntu)
device — Hardware devices
device-driver — Device drivers
firmware — Firmware
file — Standalone files
machine-learning-model — ML models
data — Data assets

Domains classify technologies by the architectural concern they serve:

foundational-runtime — Core execution environments (e.g., Node.js, JVM, .NET, Python)
framework — Application frameworks (e.g., React, Vue, Spring Boot, Express)
data-platform — Databases and data storage (e.g., PostgreSQL, Neo4j, Redis, MongoDB)
integration-platform — Messaging and integration (e.g., Kafka, RabbitMQ, GraphQL, gRPC)
security-identity — Authentication, authorization, and security (e.g., OAuth2, Keycloak, Vault)
infrastructure — Deployment and infrastructure (e.g., Docker, Kubernetes, Terraform)
observability — Monitoring and observability (e.g., Prometheus, Grafana, OpenTelemetry)
developer-tooling — Build tools, linters, and dev utilities (e.g., ESLint, Webpack, TypeScript)
other — Technologies that don't fit other domains

A Component is a software artifact discovered in systems through SBOM (Software Bill of Materials) scanning.

Aspect	Technology	Component
Definition	Governed strategic choice	Actual software artifact in use
Governance	Requires approval and oversight	Tracked for compliance
Scope	Enterprise-wide decision	System-specific dependency
Discovery	Defined by architecture teams	Discovered through SBOM scanning
Examples	"React" (framework choice)	"[email protected]" (npm package)
Lifecycle	Managed through version constraints	Discovered and monitored
Relationship	One-to-many with Components	Optional many-to-one with Technology

Governance Decision — Architecture team approves a Technology (e.g., React)
Team Approval — Individual teams approve the Technology for their use
Implementation — Developers use Components that implement that Technology (e.g., [email protected])
Discovery — SBOM scanning discovers Components in Systems
Compliance Check — Components are validated against approved Technologies
Violation Detection — Components without corresponding Technology approval are flagged

Technologies are strategic decisions — They require governance approval and have enterprise-wide impact
Components are implementation details — They are discovered through scanning and tracked for compliance
Not all components map to technologies — Transitive dependencies may not require governance
Compliance is automatic — The system validates components against approved technologies
Violations are actionable — Teams must either approve the technology or stop using it