3a2100aa78
- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting. - Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling. - Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.
3.8 KiB
3.8 KiB
Quickstart – First Scan in Five Minutes
Status: public α image ships late 2025 (
registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha). Commands below are ready the moment the tag lands.
0. Prerequisites (1 min)
| Requirement | Minimum | Notes |
|---|---|---|
| OS | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 |
| Docker | Engine 25 + Compose v2 | docker -v |
| Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace /certs before production |
Keep Redis and PostgreSQL bundled unless you already operate managed instances.
1. Download the signed bundles (1 min)
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature docker-compose.infrastructure.yml.sig \
docker-compose.infrastructure.yml
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature docker-compose.stella-ops.yml.sig \
docker-compose.stella-ops.yml
Air-gapped? The Offline Update Kit ships these files plus feeds and plug-ins.
2. Configure .env (1 min)
Create .env with the essentials:
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
POSTGRES_USER=stella_admin
POSTGRES_PASSWORD=$(openssl rand -base64 18)
POSTGRES_HOST=postgres
REDIS_PASSWORD=$(openssl rand -base64 18)
REDIS_URL=redis
Use existing Redis/PostgreSQL endpoints by setting POSTGRES_HOST and REDIS_URL. Keep credentials scoped to Stella Ops; Redis counters enforce the transparent quota ({{ quota_token }} scans/day).
3. Launch services (1 min)
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
StellaOps.Authorityissues short-lived OpToks for CLI/UI.StellaOps.Scannerhosts/scan, queues work to Workers.StellaOps.Policy.EngineandStellaOps.Concelierstart with seeded policies, feeds sync in the background.
4. Run your first scan (1 min)
stella auth login \
--device-code \
--audiences scanner,attestor \
--scopes attestor.verify,attestor.read
stella scan image \
--image registry.stella-ops.org/demo/juice-shop:latest \
--sbom-type cyclonedx-json
- Expect
<5 swarm scans once the Delta SBOM cache is primed. - CLI exits non-zero if lattice policy blocks the image; use
stella policy explain --lastfor context. - Headers
X-Stella-Quota-Remainingand the UI banner keep quota usage transparent.
Need to inspect attestations only? Swap
attestor.verifyforattestor.read. Submission endpoints still needattestor.write.
5. Verify & explore (1 min)
- Check the Console (
https://localhost:8443) to view findings, VEX evidence, and deterministic replay manifests. - Export the DSSE bundle:
stella export run --format dsse. - Capture evidence for audit:
stella attest bundle --output demo.dsse.json.
Sovereign mode in one click
- Import the Offline Update Kit (
stella offline-kit import ./stella-ouk-2025-alpha.tar.gz) to replace every external feed. - Apply a CryptoProfile (
stella authority crypto apply ./profiles/fips.yaml) to swap signing algorithms without rebuilding.
Next steps
- Harden the deployment with
17_SECURITY_HARDENING_GUIDE.md. - Explore feature highlights in
key-features.md. - Plan the rollout using the evaluation checklist.