# 23 · FAQ Matrix — Stella Ops
# FAQ & Support Matrix
A living list of the questions we get every day, plus a compact matrix of what is Supported Now, In Preview, and On the Roadmap (TODO).
## 0 Quick Legend
Mark | Meaning |
---|---|
✅ | Fully supported in the current release |
🅿️ | Preview / opt‑in behind a feature flag |
🛠 | Planned in the ≤ 6 month roadmap (Feature Matrix “TODO”) |
🚧 | Longer‑term; 9‑12 month horizon or beyond |
## 1 General
# | Question | Short Answer | Status |
---|---|---|---|
G‑1 | Why launch another DevSecOps product? | Existing scanners are either SaaS‑only, slow, or lack offline & Russian language feeds. Stella Ops focuses on speed (<5 s), modularity, air‑gap friendliness, and an AGPL code‑base that enterprises can extend in‑house. | ✅ |
G‑2 | What tech stack? | Backend .NET 9 + Redis; runners are OCI images (Trivy, Syft, Grype). UI Angular 17. | ✅ |
G‑3 | License? | AGPL v3 for all core repos; plugins inherit if linked. | ✅ |
G‑4 | Where do I report bugs? | Open an issue in git.stella-ops.ru/stella/core or ping #stella-ops on Matrix. | ✅ |
## 2 Installation & Upgrades
# | Question | Answer | Status |
---|---|---|---|
I‑1 | How do I pull agent images now? | All official images are in the anonymous read‑only registry registry.git.stella-ops.ru ; no auth token is required to pull. | ✅ (new) |
I‑2 | Can I still use GHCR? | Images remain mirrored there for convenience but are not signed; the internal registry is the source of truth. | ✅ |
I‑3 | How do I upgrade from ≤ v0.8? | Re‑generate docker‑compose.yml with the bootstrap script; volumes remain intact. Import legacy mute‑rules via /policy/import . | ✅ |
I‑4 | Helm charts? | A K8s Helm chart is under deploy/helm ; it ships without default values, so a values.yaml is required. | 🅿️ |
## 3 SBOM & Scanning
# | Question | Short Answer | Status |
---|---|---|---|
S‑1 | Why exactly 333 scans? | Covers p95 workload of SMBs (~290 builds/day) while keeping infra costs <$5/mo per user and nudging larger orgs toward Plus/Pro. | ✅ |
S‑2 | How is the limit technically enforced? | Each /scan request carries a Client‑JWT. The Quota plug‑in atomically increments quota:<token>:<date> in Redis. Soft (5 s) and hard (60 s) wait‑walls ensure fair use. | ✅ |
S‑3 | What if my site is fully offline? | Every OUK tarball contains a fresh Client‑JWT valid 30 days. Uploading the OUK refreshes the token automatically; no Internet required. | ✅ |
S‑4 | Can I pool multiple tokens? | Yes, but each token has its own 333/day budget. Use distinct tokens per CI line if you need more throughput. | ✅ |
S‑5 | Does quota enforcement affect performance? | No. Legitimate scans still complete in < 5 s; blocked scans incur only their specified wait‑wall. | ✅ |
S‑6 | Which SBOM formats does Stella emit? | Built‑in: trivy-json-v2 , spdx-json , cyclonedx-json . | ✅ |
S‑7 | What is Δ‑SBOM and how fast is it? | Uploads only new layers; P95 ≤ 1 s on cached bases. | ✅ |
S‑8 | Windows container scanning? | Runner binaries compile on Windows, but layer‑unpack path is unoptimised; full support 🚧. | 🚧 |
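The quota gate described in S‑2 to S‑5, as an added example that is not Stella Ops code: one counter per token per UTC day, incremented atomically inside Redis by a Lua script so two API workers cannot race on the same key, with the 333/day budget and the 5 s / 60 s wait‑walls taken from the FAQ. Where the soft wall ends and the hard wall begins (SOFT_GRACE), the key expiry, and the token identifiers are assumptions; the FAQ does not specify them. A MemoryCounter stand‑in lets the script run without a Redis server.

```python
"""Daily scan-quota gate modelled on the FAQ (added example, not Stella Ops
code). Assumptions not stated on the page: SOFT_GRACE, the key expiry time,
and the sample token ids."""
import datetime as dt
from dataclasses import dataclass

DAILY_LIMIT = 333   # scans per token per day (FAQ S-1)
SOFT_WALL_S = 5     # seconds (FAQ S-2)
HARD_WALL_S = 60    # seconds (FAQ S-2)
SOFT_GRACE = 30     # assumption: overruns that still get the soft wall

# Runs atomically inside Redis: the INCR and the one-time EXPIRE cannot
# interleave with another worker incrementing the same key.
INCR_WITH_TTL_LUA = """
local n = redis.call('INCR', KEYS[1])
if n == 1 then redis.call('EXPIRE', KEYS[1], ARGV[1]) end
return n
"""


class RedisCounter:
    """Adapter for a redis-py client; not exercised in the offline demo."""

    def __init__(self, client):
        self._incr = client.register_script(INCR_WITH_TTL_LUA)

    def incr_with_ttl(self, key, ttl_s):
        return int(self._incr(keys=[key], args=[ttl_s]))


class MemoryCounter:
    """In-process stand-in with the same contract, so the example runs alone."""

    def __init__(self):
        self.values = {}
        self.ttls = {}

    def incr_with_ttl(self, key, ttl_s):
        n = self.values.get(key, 0) + 1
        self.values[key] = n
        if n == 1:
            self.ttls[key] = ttl_s
        return n


@dataclass(frozen=True)
class Decision:
    count: int        # this request's position in today's budget
    wait_s: int       # 0 = run now; otherwise hold or retry after this many seconds
    over_quota: bool


def quota_key(token_id, now):
    # quota:<token>:<date> as in the FAQ. token_id should be a stable claim
    # (sub or jti) of the verified Client-JWT, never the raw JWT string:
    # keys end up in Redis dumps and slow logs.
    return f"quota:{token_id}:{now:%Y-%m-%d}"


def seconds_until_tomorrow(now):
    midnight = (now + dt.timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight - now).total_seconds()) + 60   # one minute of grace past midnight


def check_quota(counter, token_id, now):
    n = counter.incr_with_ttl(quota_key(token_id, now), seconds_until_tomorrow(now))
    if n <= DAILY_LIMIT:
        return Decision(n, 0, False)
    if n <= DAILY_LIMIT + SOFT_GRACE:
        return Decision(n, SOFT_WALL_S, True)
    return Decision(n, HARD_WALL_S, True)


SAMPLE_NOW = dt.datetime(2025, 7, 14, 9, 30, tzinfo=dt.timezone.utc)   # constructed clock


def simulate(token_id, requests, counter=None, now=SAMPLE_NOW):
    """Fire `requests` scans for one token and return every Decision."""
    counter = counter if counter is not None else MemoryCounter()
    return [check_quota(counter, token_id, now) for _ in range(requests)]


if __name__ == "__main__":
    day = simulate("ci-main", DAILY_LIMIT + SOFT_GRACE + 1)
    print(day[DAILY_LIMIT - 1], day[DAILY_LIMIT], day[-1])
```

Each token gets its own key, which is why S‑4's advice to use distinct tokens per CI line raises throughput; a second worker sharing the same Redis sees the same count because the increment happens server‑side, not in the API process.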
## 4 Policy‑as‑Code
# | Question | Answer | Status |
---|---|---|---|
P‑1 | How are mutes & blocks stored now? | Default: YAML (scan-policy.yaml ) stored versioned in Mongo. Import / export via /policy/{import,export} or Settings → Policies. | ✅ |
P‑2 | Why YAML over OPA? | YAML lowers the entry barrier; advanced users may embed Rego snippets. First‑class Rego evaluation is 🛠. | 🛠 |
P‑3 | CLI enforcement? | Pass --policy-file path plus --enforce to fail builds on violations; the exit code reflects the policy gate. | ✅ |
P‑4 | Audit history? | Every policy change writes an immutable record (audit_policies collection) and appears in the UI History tab. | ✅ |
## 5 Registry & Offline Use
# | Question | Answer | Status |
---|---|---|---|
R‑1 | Is the internal registry mandatory? | No, but recommended for sovereignty & signature verification (cosign verify ). | ✅ |
R‑2 | How to mirror for OUK? | oras pull registry.git.stella-ops.ru/library/* --output ./ouk-bundle → import on the target via ctr images import . Pin images by digest and include each image's cosign signature tag (sha256-<digest>.sig ) in the bundle; without it cosign verify has nothing to check offline. | ✅ |
R‑3 | Does the backend fetch external feeds? | Only when --feeds.auto=1 ; OUK installs run fully offline with NVD packed in the tarball. | ✅ |
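A pre‑flight check for the mirroring step in R‑2, as an added example that is not Stella Ops tooling: it expands digest‑pinned image references into the list of artifacts an OUK bundle must carry and reports images whose signature is missing on the target. The one real convention used is cosign's: a signature lives in the same repository under the tag sha256-<digest hex>.sig. The repository names, tags and digests below are constructed for the demo.

```python
"""Plan an offline registry bundle and verify it carries a cosign signature
for every image (added example, not Stella Ops tooling). Repo names, tags
and digests are constructed; the .sig tag layout is cosign's real convention."""
import hashlib
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_ref(ref):
    """Split registry/repo[:tag][@sha256:hex] into (repo, tag, digest)."""
    name, _, digest = ref.partition("@")
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:            # a ':' after the last '/' is a tag, not a registry port
        repo, tag = name[:colon], name[colon + 1:]
    else:
        repo, tag = name, None
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    return repo, tag, digest or None


def signature_tag(digest):
    """cosign's tag for the signature of a manifest digest."""
    algo, hex_digest = digest.split(":", 1)
    return f"{algo}-{hex_digest}.sig"


def bundle_plan(refs):
    """Ordered list of refs to mirror: each image by digest plus its signature.
    Tag-only refs are rejected: a tag can move between building the bundle
    and importing it on the air-gapped site, and the .sig tag is derived
    from the digest, so there is nothing to verify against without one."""
    plan = []
    for ref in refs:
        repo, _, digest = parse_ref(ref)
        if digest is None:
            raise ValueError(f"{ref!r} is not digest-pinned")
        plan.append(f"{repo}@{digest}")
        plan.append(f"{repo}:{signature_tag(digest)}")
    return plan


def missing_signatures(refs, present_tags):
    """present_tags: {repo: set(tags)} as listed on the target registry after
    import. Returns the digest-pinned images whose .sig tag is absent."""
    missing = []
    for ref in refs:
        repo, _, digest = parse_ref(ref)
        if signature_tag(digest) not in present_tags.get(repo, set()):
            missing.append(ref)
    return missing


def fake_digest(label):
    """Constructed, deterministic digest for the demo."""
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


REGISTRY = "registry.git.stella-ops.ru"
SAMPLE_REFS = [                       # constructed: tags and digests are not real releases
    f"{REGISTRY}/library/trivy:0.54@{fake_digest('trivy')}",
    f"{REGISTRY}/library/syft:1.10@{fake_digest('syft')}",
]

if __name__ == "__main__":
    for item in bundle_plan(SAMPLE_REFS):
        print(item)
```

Feed the plan to oras pull one reference at a time, then list the tags on the target and run missing_signatures before calling the bundle complete; cosign verify on the air‑gapped side also needs the signing public key shipped out of band.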
## 6 Performance
Scenario | Target | Achieved (July 2025) |
---|---|---|
Local SBOM scan (alpine ) | ≤ 5 s | 4.2 s P95 |
Δ‑SBOM warm base | ≤ 1 s | 0.8 s P95 |
Image unpack (200 MB) | ≤ 10 s | 8.6 s P95 |
Numbers measured on 4 vCPU / 8 GB Ubuntu 22.04 runner.
## 7 Security & Compliance
# | Question | Answer | Status |
---|---|---|---|
C‑1 | How are images signed? | Cosign signatures pushed alongside each tag (*.sig ). Santech verifies on pull. | ✅ |
C‑2 | Supply‑chain attestation (SLSA)? | SLSA‑gen at build time and verification in runner is 🛠 (≤ 6 months). | 🛠 |
C‑3 | Rekor transparency log? | Local Rekor mirror for offline installs is 🚧 (9‑12 months). | 🚧 |
C‑4 | TLS ciphers? | Default OpenSSL suites; plug‑in allows GOST/SM (via ITlsProvider ). | ✅ |
## 8 Road‑map / Future Features
Area | Feature | ETA | Notes |
---|---|---|---|
UI | Modular route plug‑ins | Q1‑2026 | Dynamic Angular module loader |
SBOM | Multi‑arch Δ‑SBOM | Q1‑2026 | Layer digest per arch |
Policy | Rego native engine | Q1‑2026 | opa eval in‑proc |
Supply chain | SLSA provenance | Q1‑2026 | Level 3 target |
Integrity | Rekor mirror | Q2‑2026 | Air‑gap friendly |
Ecosystem | Community plugin market | Q2‑2026 | Curated index in UI |
Scale | Redis Cluster auto‑shard | Q3‑2026 | Transparent fail‑over |
## 9 Troubleshooting
Symptom | Likely Cause | Fix |
---|---|---|
ER_BAD_SV error on scan | SBOM format flag mismatch | Set correct --sbom-type or let auto‑detect. |
Δ‑SBOM still uploads full SBOM | Cache cold or digest mismatch | Check docker history shows reused layers; bump builder version. |
“Policy file invalid” | YAML schema error | Run /policy/validate endpoint; lint with VS Code schema. |
Pull fails with 401 | Corporate proxy intercepts registry | Mirror to on‑premise Harbor; set --registry flag. |
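The Δ‑SBOM behaviour from S‑7 and the "still uploads full SBOM" row above, as an added example that is not Stella Ops code: per‑layer SBOM fragments are keyed by layer digest, so a scan only sends fragments for digests the server has not seen. The manifests are constructed; each layer's digest is derived from the layer below it, which models why a RUN step re‑executed on a rebuilt base yields new digests all the way up and turns a delta into a full upload.

```python
"""Layer-level delta between cached and incoming images, modelling the
Δ-SBOM upload path and the full-upload symptom (added example, not Stella
Ops code; manifests and digests are constructed)."""
import hashlib
import json


def fake_layer(seed):
    """Constructed content-addressed digest standing in for a layer blob."""
    return "sha256:" + hashlib.sha256(seed.encode()).hexdigest()


def manifest(*labels):
    """Minimal OCI-style manifest. Each digest is chained to its parent:
    the same step on a different base produces a different layer."""
    digests, parent = [], ""
    for label in labels:
        parent = fake_layer(parent + "|" + label)
        digests.append(parent)
    return json.dumps({"layers": [{"digest": d} for d in digests]})


BASE_MANIFEST = manifest("alpine-rootfs", "ca-certificates")
APP_MANIFEST = manifest("alpine-rootfs", "ca-certificates", "app-binary")
# Same Dockerfile, but the base was re-pulled after upstream rebuilt it:
REBUILT_APP_MANIFEST = manifest("alpine-rootfs-rebuilt", "ca-certificates", "app-binary")


def layer_digests(manifest_json):
    return [layer["digest"] for layer in json.loads(manifest_json)["layers"]]


class FragmentStore:
    """Per-layer SBOM fragments the server already holds, keyed by digest.
    A layer's SBOM depends only on its content, so a digest seen before is
    never re-uploaded, whichever image it appears in."""

    def __init__(self):
        self.fragments = set()

    def upload(self, layers):
        """Send fragments for unknown layers; return what was actually sent."""
        new = [d for d in layers if d not in self.fragments]
        self.fragments.update(new)
        return new


def diagnose(store, layers):
    """Explain, before uploading, what a scan of `layers` is about to send.
    The verdicts map onto the troubleshooting row above."""
    reused = [d for d in layers if d in store.fragments]
    if not store.fragments:
        return "cold-cache"            # first scan on this server: a full upload is expected
    if not reused:
        return "digest-mismatch"       # base rebuilt or re-compressed; compare `docker history`
    if len(reused) == len(layers):
        return "nothing-to-upload"
    return f"delta:{len(layers) - len(reused)}/{len(layers)}"


if __name__ == "__main__":
    store = FragmentStore()
    for name, m in (("base", BASE_MANIFEST), ("app", APP_MANIFEST), ("rebuilt", REBUILT_APP_MANIFEST)):
        layers = layer_digests(m)
        print(name, diagnose(store, layers), len(store.upload(layers)), "sent")
```

When the verdict is digest-mismatch, docker history on the old and new images shows no shared layer IDs below the application step; pinning the base by digest in the Dockerfile keeps the chain stable until you choose to move it.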
## 10 Licensing & Community
# | Question | Answer |
---|---|---|
L‑1 | Can I build a commercial fork? | AGPL allows commercial services but derivatives must remain AGPL if distributed. |
L‑2 | Commercial support? | Community only today; paid support partners in discussion. |
L‑3 | How to contribute a plugin? | Fork → implement DI contract (IScannerRunner , etc.) → PR + ADR. |
## 11 Change Log
Date | Highlights |
---|---|
2025‑07‑14 | Added internal registry, multi‑format SBOM, Δ‑SBOM, Policy‑as‑Code, updated roadmap (SLSA/Rekor) |
2025‑06‑30 | Initial public FAQ matrix |
(End of FAQ Matrix v2.0)