- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
# Quickstart – First Scan in Five Minutes

> **Status:** public α image ships late 2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). Commands below are ready the moment the tag lands.

## 0. Prerequisites (1 min)

| Requirement | Minimum | Notes |
|-------------|---------|-------|
| OS | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 |
| Docker | Engine 25 + Compose v2 | `docker -v` |
| Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace `/certs` before production |

Keep Redis and MongoDB bundled unless you already operate managed instances.

## 1. Download the signed bundles (1 min)

```bash
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.infrastructure.yml.sig \
  docker-compose.infrastructure.yml

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.stella-ops.yml.sig \
  docker-compose.stella-ops.yml
```

Do not launch the Compose files until both `cosign verify-blob` calls report `Verified OK`. Passing `--key` as a URL fetches the trust anchor at verification time from the same organisation that serves the artefacts; for anything beyond a throwaway lab, download `cosign.pub` once, confirm its fingerprint out of band, and point `--key` at the local copy.

*Air-gapped?* The [Offline Update Kit](24_OFFLINE_KIT.md) ships these files plus feeds and plug-ins.

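The following script is an added example, not part of the Stella Ops documentation or tooling. It keeps a local copy of the cosign public key, checks that copy against a fingerprint you obtained out of band before using it, and only then downloads and verifies each Compose bundle, failing closed on any error. `EXPECTED_KEY_SHA256` is a placeholder you must set; `KEY_URL` and `BASE_URL` are the addresses from the commands above.

```shell
#!/bin/sh
# Added example, not part of the Stella Ops docs or tooling: keep a local,
# fingerprint-pinned copy of the cosign public key and verify the Compose
# bundles against that copy rather than a key fetched at verification time.
# EXPECTED_KEY_SHA256 is a placeholder: set it to the fingerprint you obtained
# out of band (release announcement, a second channel), never from the same
# host that serves the artefacts.
set -eu

EXPECTED_KEY_SHA256="${EXPECTED_KEY_SHA256:-replace-with-pinned-sha256}"
KEY_URL="https://stella-ops.org/keys/cosign.pub"
BASE_URL="https://get.stella-ops.org"

# SHA-256 of a file, portable across GNU sha256sum and BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 only when the key file matches the pinned fingerprint.
check_pinned_key() {
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "cosign.pub fingerprint mismatch: expected $2, got $actual" >&2
    return 1
  fi
  return 0
}

# Download an artefact and its detached signature, then verify with the pinned
# key. Every step must succeed, so nothing unverified is left usable.
fetch_and_verify() {
  name="$1"; key_file="$2"
  curl -fsSLO "$BASE_URL/$name"
  curl -fsSLO "$BASE_URL/$name.sig"
  cosign verify-blob --key "$key_file" --signature "$name.sig" "$name"
}

main() {
  key_file="./cosign.pub"
  [ -f "$key_file" ] || curl -fsSL -o "$key_file" "$KEY_URL"
  check_pinned_key "$key_file" "$EXPECTED_KEY_SHA256"
  for f in docker-compose.infrastructure.yml docker-compose.stella-ops.yml; do
    fetch_and_verify "$f" "$key_file"
  done
  echo "both Compose files verified against the pinned key"
}

# Usage: EXPECTED_KEY_SHA256=<fingerprint> sh verify-bundles.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The fingerprint check runs before any `cosign` call, so a swapped key on the download host is caught even though the signatures would verify against it.
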
## 2. Configure `.env` (1 min)

Create `.env` with the essentials. Compose reads `.env` literally and does not run command substitutions, so generate the secrets in your shell first (for example with `openssl rand -base64 18`) and paste the values in; a `$(...)` left inside the file becomes the password verbatim. Replace `change-me!` before the Console is reachable by anyone else.

```dotenv
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=<paste generated secret>
MONGO_URL=mongodb
REDIS_PASSWORD=<paste generated secret>
REDIS_URL=redis
```

Use existing Redis/Mongo endpoints by setting `MONGO_URL` and `REDIS_URL`. Keep credentials scoped to Stella Ops; Redis counters enforce the transparent quota (`{{ quota_token }}` scans/day).

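As an added example (not part of the Stella Ops docs), the script below writes `.env` with secrets generated in the shell, restricts the file to the owner, and runs the checks a CI job should perform before `docker compose up`: no unexpanded `$(...)`, no default password, and every secret at least 24 characters. Variable names are the ones from the quickstart; the `write_env`/`check_env` helpers and the 24-byte secret length are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the Stella Ops docs: write .env with secrets
# generated here in the shell. Compose's .env loader does not run $(...),
# so `REDIS_PASSWORD=$(openssl rand -base64 18)` inside the file would make
# that literal text the password. Variable names are the quickstart's own.
set -eu

# 24 random bytes, base64-encoded (32 chars), no trailing newline.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 24 | tr -d '\n'
  else
    head -c 24 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Write the .env file at $1 (company name in $2) with mode 0600, since it
# holds the Mongo root and admin credentials.
write_env() {
  env_file="$1"
  company="${2:-Acme Corp}"
  admin_pw="$(gen_secret)"
  mongo_pw="$(gen_secret)"
  redis_pw="$(gen_secret)"
  (
    umask 077
    cat > "$env_file" <<EOF
STELLA_OPS_COMPANY_NAME="$company"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="$admin_pw"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=$mongo_pw
MONGO_URL=mongodb
REDIS_PASSWORD=$redis_pw
REDIS_URL=redis
EOF
  )
}

# Pre-flight checks: reject unexpanded command substitutions, the quickstart's
# placeholder password, and any secret shorter than 24 characters.
check_env() {
  env_file="$1"
  if grep -q '\$(' "$env_file"; then
    echo "unexpanded \$( ) in $env_file; generate secrets in the shell" >&2
    return 1
  fi
  if grep -q 'change-me' "$env_file"; then
    echo "placeholder admin password still present in $env_file" >&2
    return 1
  fi
  for var in STELLA_OPS_DEFAULT_ADMIN_PASSWORD MONGO_INITDB_ROOT_PASSWORD REDIS_PASSWORD; do
    val="$(grep "^$var=" "$env_file" | cut -d= -f2- | tr -d '"')"
    if [ "${#val}" -lt 24 ]; then
      echo "$var is missing or shorter than 24 characters" >&2
      return 1
    fi
  done
  return 0
}

# Usage: sh make-env.sh --write "Acme Corp"
if [ "${1:-}" = "--write" ]; then
  write_env .env "${2:-Acme Corp}"
  check_env .env
fi
```

`check_env` is also useful on its own against a hand-written `.env`, which is where the literal `$(...)` mistake usually slips in.
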
## 3. Launch services (1 min)

```bash
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
```

- `StellaOps.Authority` issues short-lived OpToks for CLI/UI.
- `StellaOps.Scanner` hosts `/scan` and queues work to Workers.
- `StellaOps.Policy.Engine` and `StellaOps.Concelier` start with seeded policies; feeds sync in the background.

## 4. Run your first scan (1 min)

```bash
stella auth login \
  --device-code \
  --audiences scanner,attestor \
  --scopes attestor.verify,attestor.read
stella scan image \
  --image registry.stella-ops.org/demo/juice-shop:latest \
  --sbom-type cyclonedx-json
```

- Expect `<5 s` warm scans once the Delta SBOM cache is primed.
- The CLI exits non-zero if lattice policy blocks the image; use `stella policy explain --last` for context.
- The `X-Stella-Quota-Remaining` response header and the UI banner keep quota usage transparent.

> Need to inspect attestations only? Request just `attestor.read` and drop `attestor.verify`. Submission endpoints still need `attestor.write`.

## 5. Verify & explore (1 min)

- Check the Console (`https://localhost:8443`) to view findings, VEX evidence, and deterministic replay manifests.
- Export the DSSE bundle: `stella export run --format dsse`.
- Capture evidence for audit: `stella attest bundle --output demo.dsse.json`.

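Steps 4 and 5 together describe the pipeline pattern: scan, fail closed on a policy block, and keep the DSSE evidence. The script below is an added example of that pattern, not part of the Stella Ops CLI or docs. It uses only the subcommands and flags shown in this quickstart; the `STELLA_BIN` override (so a stub can stand in for the CLI in tests) and the exit-code convention (0 pass, 1 blocked, 2 tooling error) are this example's own assumptions, and it treats any non-zero scan exit as a policy block because the quickstart does not distinguish further.

```shell
#!/bin/sh
# Added example, not part of the Stella Ops CLI or docs: a CI gate around
# `stella scan image`. Fails closed on a policy block, asks the CLI to explain
# the last verdict, and captures the DSSE evidence bundle in both outcomes.
# STELLA_BIN is an assumption of this script (lets tests substitute a stub).
set -eu

STELLA_BIN="${STELLA_BIN:-stella}"

# Run the scan and hand back the CLI's exit code without aborting the script.
scan_image() {
  image="$1"
  "$STELLA_BIN" scan image --image "$image" --sbom-type cyclonedx-json && rc=0 || rc=$?
  return "$rc"
}

# Gate for one image. Returns 0 when policy passes, 1 when the scan exits
# non-zero (treated as a policy block), 2 when evidence capture itself fails.
# The DSSE bundle is written to $2 in both the pass and the blocked case so
# the verdict stays auditable either way.
gate_image() {
  image="$1"; evidence="$2"
  if scan_image "$image"; then
    "$STELLA_BIN" attest bundle --output "$evidence" || return 2
    return 0
  fi
  # Blocked: surface the policy decision for the build log, then keep evidence.
  "$STELLA_BIN" policy explain --last || true
  "$STELLA_BIN" attest bundle --output "$evidence" || return 2
  return 1
}

# Usage: sh gate.sh registry.stella-ops.org/demo/juice-shop:latest evidence.dsse.json
if [ "${1:-}" != "" ]; then
  gate_image "$1" "${2:-evidence.dsse.json}"
fi
```

Wire `gate_image` into the CI job so the step's exit status is the gate's; the blocked path still produces `evidence.dsse.json`, which is what an auditor will ask for when a build was stopped.
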
### Sovereign mode in one click

- Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed.
- Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding.

### Next steps

- Harden the deployment with [`17_SECURITY_HARDENING_GUIDE.md`](17_SECURITY_HARDENING_GUIDE.md).
- Explore feature highlights in [`key-features.md`](key-features.md).
- Plan the rollout using the [evaluation checklist](evaluate/checklist.md).