git.stella-ops.org/docs/quickstart.md
master 15b4a1de6a feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
2025-10-31 14:37:45 +02:00


# Quickstart: First Scan in Five Minutes

> **Status:** the public α image ships late 2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). The commands below work the moment the tag lands.

## 0. Prerequisites (1 min)

| Requirement | Minimum | Notes |
|---|---|---|
| OS | Ubuntu 22.04 LTS / Alma 9 | x86_64 or arm64 |
| Docker | Engine 25 + Compose v2 | `docker -v` |
| Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace `/certs` before production |

Keep Redis and MongoDB bundled unless you already operate managed instances.

## 1. Download the signed bundles (1 min)

```bash
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.infrastructure.yml.sig \
  docker-compose.infrastructure.yml

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.stella-ops.yml.sig \
  docker-compose.stella-ops.yml
```

Air-gapped? The Offline Update Kit ships these files plus feeds and plug-ins.

## 2. Configure `.env` (1 min)

Create `.env` with the essentials. Generate the secrets in your shell while writing the file: `docker compose --env-file` reads values literally and does not run `$(...)` command substitutions, so they must be expanded here, not inside `.env`.

```bash
cat > .env <<EOF
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18)
MONGO_URL=mongodb
REDIS_PASSWORD=$(openssl rand -base64 18)
REDIS_URL=redis
EOF
```

To use existing Redis/Mongo endpoints, point `MONGO_URL` and `REDIS_URL` at them. Keep the credentials scoped to StellaOps; Redis counters enforce the transparent quota ({{ quota_token }} scans/day).

## 3. Launch services (1 min)

```bash
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
```

- StellaOps.Authority issues short-lived OpToks for the CLI and UI.
- StellaOps.Scanner hosts `/scan` and queues work to Workers.
- StellaOps.Policy.Engine and StellaOps.Concelier start with seeded policies; feeds sync in the background.
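Steps 1 to 3 as one fail-closed bootstrap script, added here as an example that is not part of the StellaOps docs or tooling: it verifies both bundles with a locally pinned copy of the cosign public key instead of fetching it at verify time, expands the secrets while writing `.env`, and checks the file before anything is launched. The pinned key path `./cosign.pub`, the `STELLA_COSIGN_PUBKEY` and `STELLA_BOOTSTRAP_RUN` variables and all function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not StellaOps' own code: a fail-closed version of quickstart
# steps 1-3. Assumes curl, cosign and docker are installed and that the
# StellaOps cosign public key was fetched once and pinned at ./cosign.pub.
set -eu
BASE_URL="https://get.stella-ops.org"
PUBKEY="${STELLA_COSIGN_PUBKEY:-./cosign.pub}"   # pinned copy, never re-fetched
BUNDLES="docker-compose.infrastructure.yml docker-compose.stella-ops.yml"

# 18 random bytes -> 24 base64 chars, as in the docs; urandom fallback if no openssl.
gen_secret() { openssl rand -base64 18 2>/dev/null || head -c 18 /dev/urandom | base64; }

# Verify one bundle against its detached .sig with the pinned key; a failure
# (caught by set -e) stops the bootstrap before anything is launched.
verify_bundle() { cosign verify-blob --key "$PUBKEY" --signature "$1.sig" "$1"; }

# Write .env with secrets expanded now: docker compose --env-file reads values
# literally and never runs $(...) command substitutions.
write_env() {
  : > "$1" && chmod 600 "$1"   # holds root credentials: owner-readable only
  cat >> "$1" <<EOF
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=$(gen_secret)
MONGO_URL=mongodb
REDIS_PASSWORD=$(gen_secret)
REDIS_URL=redis
EOF
}

# Gate before launch: no unexpanded substitutions, both secrets 24-char base64.
check_env() {
  if grep -Fq '$(' "$1"; then return 1; fi
  grep -Eq '^MONGO_INITDB_ROOT_PASSWORD=[A-Za-z0-9+/]{24}$' "$1" || return 1
  grep -Eq '^REDIS_PASSWORD=[A-Za-z0-9+/]{24}$' "$1" || return 1
}

main() {
  for b in $BUNDLES; do
    curl -fsSLO "$BASE_URL/$b" && curl -fsSLO "$BASE_URL/$b.sig"
    verify_bundle "$b"
  done
  write_env .env && check_env .env
  for b in $BUNDLES; do docker compose --env-file .env -f "$b" up -d; done
}
# Network and docker steps run only when explicitly requested.
if [ "${STELLA_BOOTSTRAP_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it with `STELLA_BOOTSTRAP_RUN=1 sh bootstrap.sh` from the directory that holds the pinned key; any verification failure exits before `docker compose up` is reached.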

## 4. Run your first scan (1 min)

```bash
stella auth login --device-code
stella scan image \
  --image registry.stella-ops.org/demo/juice-shop:latest \
  --sbom-type cyclonedx-json
```

- Expect warm scans under 5 s once the Delta SBOM cache is primed.
- The CLI exits non-zero if the lattice policy blocks the image; run `stella policy explain --last` for context.
- The `X-Stella-Quota-Remaining` header and the UI banner keep quota usage transparent.

## 5. Verify & explore (1 min)

- Open the Console (https://localhost:8443) to view findings, VEX evidence, and deterministic replay manifests.
- Export the DSSE bundle: `stella export run --format dsse`.
- Capture evidence for audit: `stella attest bundle --output demo.dsse.json`.

## Sovereign mode in one click

- Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed.
- Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding.

## Next steps