# Stella Ops – 2‑Minute Overview

## The Problem We Solve

- **Supply-chain attacks exploded 742 % in three years;** regulated teams still need to scan hundreds of containers a day while disconnected from the public Internet.
- **Existing scanners trade freedom for SaaS:** no offline feeds, hidden quotas, and noisy results that lack exploitability context.
- **Audit fatigue is real:** policy decisions are opaque, replaying scans is guesswork, and trust hinges on external transparency logs you do not control.

## The Promise

Stella Ops delivers **deterministic, sovereign container security** that works the same online or fully air-gapped:

1. **Deterministic replay manifests (SRM)** prove every scan result, so auditors can rerun the evidence and see the exact same outcome.
2. **Lattice policy engine + OpenVEX** keeps findings explainable: exploitability, attestation, and waivers merge into one verdict.
3. **Sovereign crypto profiles** let you anchor signatures to eIDAS, FIPS, GOST, or SM roots, mirror your feeds, and keep Sigstore-compatible transparency logs offline.
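To illustrate what a lattice-style merge of exploitability, attestation and waivers into one explainable verdict looks like, here is an added Python sketch; it is not Stella Ops' policy engine, and the three-point lattice, the `Finding` fields, the merge rules and the sample identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed three-point verdict lattice pass < warn < block: join() = worse, meet() = better.
ORDER = {"pass": 0, "warn": 1, "block": 2}

def join(a: str, b: str) -> str:
    return a if ORDER[a] >= ORDER[b] else b
def meet(a: str, b: str) -> str:
    return a if ORDER[a] <= ORDER[b] else b
def utc(day: str) -> datetime:  # "YYYY-MM-DD" -> midnight UTC, for constructed sample dates
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

@dataclass
class Finding:                    # hypothetical input shape, not the product's finding model
    vuln_id: str
    severity: str                 # low | medium | high | critical
    vex_status: Optional[str]     # OpenVEX: not_affected | fixed | under_investigation | affected
    attested: bool                # DSSE-signed provenance for the artifact verified locally
    waiver_expires: Optional[datetime] = None

SEVERITY_VERDICT = {"low": "pass", "medium": "warn", "high": "block", "critical": "block"}

def evaluate(f: Finding, now: datetime) -> Tuple[str, List[str]]:
    """Merge severity, VEX, attestation and waiver into one verdict plus an explain trace."""
    verdict = SEVERITY_VERDICT[f.severity]
    trace = [f"{f.vuln_id}: severity {f.severity} -> {verdict}"]
    # Exploitability context: a VEX statement may lower (meet) or raise (join) the verdict.
    if f.vex_status in ("not_affected", "fixed"):
        verdict = meet(verdict, "pass")
    elif f.vex_status == "under_investigation":
        verdict = join(verdict, "warn")
    elif f.vex_status == "affected":
        verdict = join(verdict, "block")
    if f.vex_status:
        trace.append(f"vex {f.vex_status} -> {verdict}")
    # Provenance: an unattested artifact never does better than warn.
    if not f.attested:
        verdict = join(verdict, "warn")
        trace.append(f"no attestation -> {verdict}")
    # Waivers downgrade block to warn (never to pass), and only while unexpired.
    if f.waiver_expires is not None:
        if f.waiver_expires > now:
            verdict = meet(verdict, "warn")
            trace.append(f"waiver valid until {f.waiver_expires.date()} -> {verdict}")
        else:
            trace.append(f"waiver expired {f.waiver_expires.date()}, ignored -> {verdict}")
    return verdict, trace
```

Because every step is a pure join or meet on the same inputs, replaying the same finding, VEX document, attestation state and waiver set at the same clock value yields the same verdict and the same trace, which is the property a replay manifest relies on.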
## Core Capability Clusters

| Cluster | What you get | Why it matters |
|---------|--------------|----------------|
| **SBOM-first scanning** | Delta-layer SBOM cache, sub‑5 s warm scans, Trivy/CycloneDX/SPDX ingestion plus dependency cartography | Speeds repeat scans 10× and keeps SBOMs the source of truth |
| **Explainable policy** | OpenVEX + lattice logic, policy engine for custom rule packs, waiver expirations | Reduces alert fatigue, supports alert muting beyond VEX, and shows why a finding blocks a deploy |
| **Attestation & provenance** | DSSE bundles, optional Rekor mirror, DSSE → CLI/UI exports | Lets you prove integrity without relying on external services |
| **Offline operations** | Offline Update Kit bundles, mirrored feeds, quota tokens verified locally | Works for sovereign clouds, SCIFs, and heavily regulated sectors |
| **Governance & observability** | Structured audit trails, quota transparency, per-tenant metrics | Keeps compliance teams and operators in sync without extra tooling |

## Who Benefits

| Persona | Outcome in week one |
|---------|---------------------|
| **Security engineering** | Deterministic replay and explain traces cut review time and keep waivers honest |
| **Platform / SRE** | Fast scans, a local registry, and no Internet dependency fit pipelines and air-gapped staging |
| **Compliance & risk** | Signed SBOMs, provable quotas, and legal/attestation docs support audits without custom tooling |

## Where to Go Next

- Ready to pull the containers? Head to [quickstart.md](quickstart.md).
- Want the capability detail? Browse the five cards in [key-features.md](key-features.md).
- Need to evaluate fit and build a rollout plan? Grab the [evaluation checklist](evaluate/checklist.md).