stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
18b1922f60ba5450f066dc4795a998928156a3c6
git.stella-ops.org/docs/02_WHY.md

122 lines
6.9 KiB
Markdown
Executable File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 2 · WHYWhyStellaOps Exists
> Explaining the concrete pain we solve, why the world needs **one more** DevSecOps
> platform, and the success signals that prove we are on the right track.
Softwaresupplychain attacks, licencerisk, and incomplete SBOM coverage slow
teams and compliance audits to a crawl. Most existing scanners:
* **Assume Internet** access for CVE feeds or SaaS backends.
* **Parse an entire image** every build (no layerdelta optimisation).
* **Accept a single SBOM format** (usually Trivy JSON) and choke on anything else.
* Offer **no builtin policy history / audit trail**.
* Require 3060s walltime per scan, an order of magnitude slower than modern CI
expectations.
* **Hide quota limits** or throttle without warning once you move past free trials.
---
# 1 FreeTier Quota  Why **{{ quota_token }} **?
The limit of **{{ quota_token }} SBOM scans per UTC day** was not chosen at random.
| Constraint | Analysis | Outcome |
|------------|----------|---------|
| **SMB workload** | Internal survey across 37 SMBs shows median **210** container builds/day (p95 ≈290). | {{ quota_token }} gives 1.6× headroom without forcing a paid tier. |
| **Cost of feeds** | Hosting, Trivy DB mirrors & CVE merge traffic average **≈ $14/1000 scans**. | {{ quota_token }} /day yields <$5 infra cost per user — sustainable for an OSS project. |
| **Incentive to upgrade** | Larger orgs (> 300 builds/day) gain ROI from Plus/Pro tiers anyway. | Clear upsell path without hurting hobbyists. |
> **In one sentence:**  *{{ quota_token }} scans cover the daily needs of a typical small /
> medium business, keep free usage genuinely useful and still leave a financial
> runway for future development*.
## 1.1 How the Quota Is Enforced (1minute view)
* Backend loads the **Quota plugin** at startup.
* Every `/scan` call passes the callers **ClientJWT** to the plugin.
* The plugin **increments a counter in Redis** under
`quota:<token>:<yyyymmdd>` (expires at UTC midnight).
* Soft waitwall (5s) after limit; hard waitwall (60s) after 30 blocked calls.
* For **offline installs**, a *1month validity ClientJWT* ships inside every
**Offline Update Kit (OUK)** tarball. Uploading the OUK refreshes the token
automatically.
Detailed sequence living in **30_QUOTA_ENFORCEMENT_FLOW.md**.
---
## 2 · Why *Another* DevSecOps Product?  Macro Drivers
| Driver | Evidence | Implication for Tooling |
|--------|----------|-------------------------|
| **Exploding supplychain attacks** | Sonatype2024 report shows **742%** growth since2020. | SBOMs & provenance checks must be default, not “bestpractice”. |
| **Regulation tsunami** | • USEO14028 & NISTSP800218<br>• EUCyberResilienceAct (CRA) in force 2026<br>• Local criticalinfrastructure rules in some jurisdictions | Vendors must *attest* build provenance (SLSA) and store tamperproof SBOMs. |
| **Runtimecost intolerance** | Pipelines build hundreds of images/day; waiting >10s per scan breaks SLA. | Need **deltaaware** engines that reuse layer analyses (<1s warm scans). |
| **Airgap & sovereignty demands** | Finance/defence prohibit outbound traffic; data must stay onprem. | Ship **selfcontained registry + CVE DB** and run offline. |
| **Predictable freetier limits** | Teams want clarity, not surprise throttling. | Provide **transparent {{ quota_token }} scans/day quota**, early banner & graceful waitwall. |
> **Therefore:** The market demands a **modular, SBOMfirst, sub5s, 100% selfhosted**
> platform **with a transparent freetier quota**—precisely the niche StellaOps targets.
---
## 3 · Gap in Current Tooling
* Trivy / Syft create SBOMs but reanalyse **every** layer wasted minutes/day.
* Policy engines (OPA/Rego) are separate binaries, with no UI or change history.
* No mainstream OSS bundle ships an **anonymous internal registry** for airgapped pulls.
* Provenance attestation (SLSA) and Rekor transparency logs remain bringyourown”.
* Free tiers either stop at 100 scans **or** silently throttle; none announce a **clear {{ quota_token }} /day allowance**.
---
## 4 · WhyStellaOps Can Win
1. **Speed First**  DeltaSBOM flow uses cached layers to hit `<1s` warm scans.
2. **MultiFormat Ready**  Autodetects TrivyJSON, SPDXJSON, CycloneDXJSON; UI
lets teams choose perproject defaults.
3. **Offline by Default**  Ships an **anonymous internal Docker registry**
(`StellaOps.Registry`) plus Redis, Mongo, CVE DB, and UI in a single compose up.
4. **Open & Modular**  .NET hotload plugins (`StellaOpsAttestor`, future scanners)
under AGPL; anyone can extend.
5. **Policy as Code**  YAML rules today, upgrade path to OPA/Rego with history stored
in Mongo via `StellaOps.MutePolicies`.
6. **SovereignReady**  Russianlanguage UI, local vulnerability mirrors, zero
telemetry by default.
7. **Honest Freetier Boundaries**  Clear **{{ quota_token }} scans/day** limit, early banner at 200 and predictable waitwallno hidden throttling.
---
## 5 · Success Criteria Signals We Solve the Problem
* **Performance:** P95 scan <5s on first pass; `<1s` for warm delta scans.
* **Compatibility:** SBOMs in at least three formats consumed by 3 downstream tools.
* **Adoption:** 1000 reported installs & 2000 binary downloads by Q22026.
* **Compliance:** Positive audits referencing CRA / NIST / SLSA readiness.
* **Community:** 15 firsttime contributors merged per quarter by 2026.
* **Transparency:** 0 support tickets complaining about mystery throttling”.
---
## 6 · NonGoals (20252027)
* Multitenant SaaS offering.
* Automatic fixPR generation (left to ecosystem).
* Windows container **scanning** (Windows *agents* are on the 12month roadmap).
---
## 7 · Stakeholder PainPoint Recap
| Persona | Pain Today | StellaOps Solution |
|---------|------------|---------------------|
| **Dev** | My CI fails for 45s on every push.” | <5s initial, <1s warm scans. |
| **SecOps** | Separate tools for SBOM, policy, and audit. | Unified UI + YAML / Rego policies with history. |
| **Infra** | Internetblocked site; no public pulls allowed. | Offline compose bundle + internal registry. |
| **Compliance** | Need CRAready provenance by 2026. | Future `StellaOpsAttestor` SLSA + Rekor integration. |
| **Budget owner** | Fears hidden overage charges in free tiers. | Transparent {{ quota_token }} scans/day limit, visible in UI/API. |
---
*Last updated: 14Jul2025 (sync with freetier quota rev2.0).*
Reference in New Issue View Git Blame Copy Permalink