git.stella-ops.org/docs

Stella Ops

Stella Ops is the sovereign, SBOM‑first security platform that proves every container decision with deterministic scans, explainable policy verdicts, and offline‑ready provenance.

• Sovereign by design – bring your own trust roots, vulnerability advisory sources, VEX sources, regional crypto, and Offline Update Kits that never phone home.
• Deterministic + replayable – every scan can be reproduced bit‑for‑bit with DSSE + OpenVEX evidence.
• Actionable signal – lattice logic ranks exploitability, and the policy engine lets you tailor VEX handling, muting, and expiration rules for your environment.

Proof points: SBOM dependency and vulnerability dependency cartographing work, deterministic replay manifests, lattice policy UI with OpenVEX, and post‑quantum trust packs ready for regulated sectors.

Choose Your Path

If you want to…	Open this	Read time
Understand the promise and pain we solve	overview.md	≈ 2 min
Run a first scan and see the CLI	quickstart.md	≈ 5 min
Browse key capabilities at a glance	key-features.md	≈ 3 min
Check architecture, road to production, or evaluate fit	See “Dig deeper” below	≤ 30 min curated set

Explore the Essentials

1. Value in context – Overview compresses the “Why” + “What” stories and shows how Stella Ops stands apart.
2. Try it fast – Quickstart walks through fetching the signed bundles, configuring .env, and verifying the first scan.
3. Feature confidence – Key Features gives five capability cards covering Delta SBOM, VEX-first policy, Sovereign crypto, Deterministic replay, and Transparent quotas.
4. Up-next checkpoints – Evaluation checklist helps teams plan Day-0 to Day-30 adoption milestones.
5. Be dev-ready – Developer Quickstart (29-Nov-2025 advisory) walks through the core repos, determinism tests, attestations, and starter issues for a mid-level .NET engineer.

Key capabilities that define Stella Ops

Capability	What ships	Why it matters
Deterministic Δ‑SBOM & replay bundles	Layer-aware cache + replay manifests keep scans reproducible even months later.	Auditors can re-run any verdict with identical inputs, proving integrity without SaaS dependencies.
Pristine advisory mirrors	OSV, GHSA, NVD, CNVD, CNNVD, ENISA, JVN, BDU, etc. are mirrored as immutable, per-source snapshots—never merged.	Policy (via scanner.* / SCANNER__*) can trust, down-rank, or ignore sources without rewriting upstream data.
Lattice VEX engine	OpenVEX, waivers, mitigations, and configs flow through deterministic lattice logic.	Every block/allow decision is explainable, replayable, and environment-specific.
Context fabric	Static reachability now, optional runtime/eBPF probes at GA so build + runtime signals share one verdict.	Prioritisation spans first-party code, base images, and live telemetry.
Transparency log + trust credits	Cosign/DSSE bundles push to a Rekor-compatible log; the trust-credit ledger records who accepted a risk.	Compliance teams get provenance plus accountable ownership trails.
Sovereign crypto profiles	Swap in FIPS, eIDAS, GOST, SM, or PQ-ready providers without code changes.	Meets regional crypto rules while keeping attestations verifiable.
Offline-first operations	Offline Kit packages the pristine feeds, plug-ins, and configs; import CLI verifies everything locally.	Air-gapped clouds get the same security posture as connected sites.
Enterprise readiness	Transparent quotas, LDAP/AD SSO, restart-time plug-in SDK, generous free tier.	Large teams keep their workflows without surrendering control to SaaS platforms.

Where Stella Ops differs from incumbents

Vendor	Where they stop	Stella Ops difference
Trivy / Syft	SBOM generation as a CLI add-on; policy left to other products.	SBOM + VEX are the system of record with deterministic replay and signed evidence.
Snyk Container	Static reachability bounded to first-party code.	Lattice links code, base images, cluster policies, and optional runtime probes so the entire stack shares one score.
JFrog Xray	Contextual scoring lives behind a closed service.	Policies, DSSE bundles, and transparency logs are open, auditable, and portable.
Docker Scout	Provenance remains inside Docker’s ecosystem.	Any OCI provenance is ingested, signed with your crypto profile, and replayed offline.
Wiz / runtime sensors	Runtime telemetry is separate from build-time SBOM/VEX evidence.	Optional runtime probes feed the same deterministic lattice so build- and run-time context stay consistent.

Dig Deeper (curated reading)

• Install & operations: Installation guide, Offline Update Kit, Security hardening.
• Binary prerequisites & offline layout: Binary prereqs covering curated NuGet feed, manifests, and CI guards.
• Architecture & modules: High-level architecture, Module dossiers, Strategic differentiators.
• Advisory AI: Module dossier & deployment covering RAG pipeline, guardrails, offline bundle outputs, and operations.
• Policy & governance: Policy templates, Legal & quota FAQ, Governance charter.
• UI & glossary: Console guide, Accessibility, Glossary.
• Technical documentation: Full technical index for architecture, APIs, module dossiers, and operations playbooks.
• FAQs & readiness: FAQ matrix, Roadmap (external), Release engineering playbook.

Need more? The full documentation tree – ADRs, per‑module operations, schemas, developer references – stays untouched under the existing directories (modules/, api/, dev/, ops/), ready when you are.

Configuration note: Feature exposure stays governed by StellaOps.Scanner.WebService (scanner.* / SCANNER__*) settings. See modules/scanner/architecture.md and modules/scanner/design/surface-env.md for the authoritative schema; the docs remain pristine while configuration decides what surfaces for each deployment.

© 2025 Stella Ops contributors – AGPL‑3.0‑or‑later