# Quickstart – First Scan in Five Minutes > **Status:** public α image ships late 2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). Commands below are ready the moment the tag lands. ## 0. Prerequisites (1 min) | Requirement | Minimum | Notes | |-------------|---------|-------| | OS | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 | | Docker | Engine 25 + Compose v2 | `docker -v` | | Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops | | TLS trust | Built-in self-signed or your own certs | Replace `/certs` before production | Keep Redis and MongoDB bundled unless you already operate managed instances. ## 1. Download the signed bundles (1 min) ```bash curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig cosign verify-blob \ --key https://stella-ops.org/keys/cosign.pub \ --signature docker-compose.infrastructure.yml.sig \ docker-compose.infrastructure.yml cosign verify-blob \ --key https://stella-ops.org/keys/cosign.pub \ --signature docker-compose.stella-ops.yml.sig \ docker-compose.stella-ops.yml ``` *Air-gapped?* The [Offline Update Kit](24_OFFLINE_KIT.md) ships these files plus feeds and plug-ins. ## 2. Configure `.env` (1 min) Create `.env` with the essentials: ```dotenv STELLA_OPS_COMPANY_NAME="Acme Corp" STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin" STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!" MONGO_INITDB_ROOT_USERNAME=stella_admin MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18) MONGO_URL=mongodb REDIS_PASSWORD=$(openssl rand -base64 18) REDIS_URL=redis ``` Use existing Redis/Mongo endpoints by setting `MONGO_URL` and `REDIS_URL`. Keep credentials scoped to Stella Ops; Redis counters enforce the transparent quota (`{{ quota_token }}` scans/day). ## 3. Launch services (1 min) ```bash docker compose --env-file .env -f docker-compose.infrastructure.yml up -d docker compose --env-file .env -f docker-compose.stella-ops.yml up -d ``` - `StellaOps.Authority` issues short-lived OpToks for CLI/UI. - `StellaOps.Scanner` hosts `/scan`, queues work to Workers. - `StellaOps.Policy.Engine` and `StellaOps.Concelier` start with seeded policies, feeds sync in the background. ## 4. Run your first scan (1 min) ```bash stella auth login --device-code stella scan image \ --image registry.stella-ops.org/demo/juice-shop:latest \ --sbom-type cyclonedx-json ``` - Expect `<5 s` warm scans once the Delta SBOM cache is primed. - CLI exits non-zero if lattice policy blocks the image; use `stella policy explain --last` for context. - Headers `X-Stella-Quota-Remaining` and the UI banner keep quota usage transparent. ## 5. Verify & explore (1 min) - Check the Console (`https://localhost:8443`) to view findings, VEX evidence, and deterministic replay manifests. - Export the DSSE bundle: `stella export run --format dsse`. - Capture evidence for audit: `stella attest bundle --output demo.dsse.json`. ### Sovereign mode in one click - Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed. - Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding. ### Next steps - Harden the deployment with [`17_SECURITY_HARDENING_GUIDE.md`](17_SECURITY_HARDENING_GUIDE.md). - Explore feature highlights in [`key-features.md`](key-features.md). - Plan the rollout using the [evaluation checklist](evaluate/checklist.md).