git.stella-ops.org/docs/01_WHAT_IS_IT.md

# 1 · What Is StellaOps?

StellaOps is a self-hosted, SBOM-first DevSecOps platform that gives engineering and security teams instant (<5 s) feedback on container and artifact risk—even when they run completely offline.
It is built around five design pillars: modular, open, fast, local, and UI-controllable.


## 1. What the Product Does — 7-Point Snapshot

| # | Capability | What It Means in Practice |
|---|------------|---------------------------|
| 1 | SBOM-Centric Scanning | Generates and scans Software Bills of Materials (Trivy JSON, SPDX JSON, CycloneDX JSON); auto-detects the format and stores each SBOM as a blob. |
| 2 | Delta-SBOM Engine | Uploads SBOMs only for new layers; warm-cache image rescans complete in <1 s. |
| 3 | Anonymous Internal Registry | Ships a built-in StellaOps.Registry so agents (SanTech, Zastava, SBOM-builder) can be pulled inside air-gapped networks without external credentials. |
| 4 | Policy-as-Code | Supports YAML rules today and OPA/Rego (StellaOps.MutePolicies) tomorrow—edit in the web UI, versioned in Mongo, enforced at scan time. |
| 5 | Pluggable Modules | Every scanner, exporter, or attestor is a hot-load .NET plugin (e.g., StellaOpsAttestor for SLSA/Rekor in the roadmap). |
| 6 | Horizontally Scalable | Stateless API backed by Redis & Mongo; optional Kubernetes charts for multi-node performance. |
| 7 | Sovereign & Localised | Russian-language UI, local vulnerability DB mirrors, and no telemetry by default—ready for ГОСТ/FSTEC-sensitive deployments. |
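The first two rows describe the ingest path: recognise which of the three SBOM formats arrived, store it as a content-addressed blob, and ask only for the layers that have no SBOM yet. The following Python is an added illustration of that path, not StellaOps' own code (the product is .NET and its detector is not shown here). The format markers are taken from the public schemas (SPDX JSON carries `spdxVersion`/`SPDXID`, CycloneDX carries `bomFormat: "CycloneDX"`/`specVersion`, Trivy reports carry `SchemaVersion`/`Results`); the store layout and the sample documents are constructed for the example.

```python
import hashlib
import json

# Markers from the public SPDX 2.x JSON, CycloneDX JSON and Trivy report schemas.
# Added example: this is not the StellaOps detector, whose logic the page does not show.
FORMATS = ("spdx-json", "cyclonedx-json", "trivy-json")


def detect_sbom_format(raw: bytes) -> str:
    """Return one of FORMATS, or 'unknown' if the bytes are not a recognised SBOM."""
    try:
        doc = json.loads(raw)
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx-json"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and "SPDXID" in doc:
        return "spdx-json"
    if "SchemaVersion" in doc and isinstance(doc.get("Results"), list):
        return "trivy-json"
    return "unknown"


def blob_key(raw: bytes) -> str:
    """Content-addressed key so identical SBOM bytes are stored once."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def store_sbom(store: dict, raw: bytes) -> tuple:
    """Detect the format, reject unrecognised input, and keep the blob under its digest.
    Returns (format, key). Storing the same bytes twice is a no-op."""
    fmt = detect_sbom_format(raw)
    if fmt == "unknown":
        raise ValueError("unrecognised SBOM format")
    key = blob_key(raw)
    store.setdefault(key, {"format": fmt, "blob": raw})
    return fmt, key


def layers_needing_sbom(image_layers, known_layers) -> list:
    """Delta-SBOM step: of an image's layer digests, return only those that have no
    stored SBOM, in image order (the answer a /layers/missing query would give)."""
    known = set(known_layers)
    return [digest for digest in image_layers if digest not in known]


# Constructed sample documents, trimmed to the fields the detector inspects.
SAMPLE_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                          "name": "app", "packages": []}).encode()
SAMPLE_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                         "components": []}).encode()
SAMPLE_TRIVY = json.dumps({"SchemaVersion": 2, "ArtifactName": "app:1.0",
                           "Results": []}).encode()
SAMPLE_JUNK = b'{"hello": "world"}'

if __name__ == "__main__":
    store = {}
    for raw in (SAMPLE_SPDX, SAMPLE_CDX, SAMPLE_TRIVY):
        print(store_sbom(store, raw))
    # Only the second and third layers lack an SBOM, so only they would be uploaded.
    print(layers_needing_sbom(["sha256:aaa", "sha256:bbb", "sha256:ccc"], ["sha256:aaa"]))
```

Rejecting unrecognised input at the store boundary matters more than it looks: anything accepted as a blob is later parsed by the scan path, so the detector doubles as the first validation gate.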

🆓 Free tier update (July 2025): Every self-hosted instance now includes 333 scans per UTC day.
A yellow banner appears once you cross 200 scans (≈60% of quota).
Past 333, /scan responds with soft 5 s waits for 30 calls, then a hard 60 s wait-wall until the daily reset.
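The quota rules above form a small state machine: a per-token counter that rolls over at 00:00 UTC, a banner threshold, a soft-wait band of 30 calls past the quota, and a hard wait after that. The Python below is an added example of that logic, not the StellaOps backend; the header names `X-Scan-Remaining` and `X-Scan-Reset` are hypothetical (the page only says the headers expose remaining scans and the reset time), and treating "cross 200" as strictly more than 200 is an assumption.

```python
from datetime import datetime, time, timedelta, timezone

# Thresholds as stated on the page.
DAILY_QUOTA = 333
BANNER_AT = 200          # banner once the count crosses this (≈60% of quota)
SOFT_WAIT_CALLS = 30     # calls past the quota that get a soft wait
SOFT_WAIT_S = 5
HARD_WAIT_S = 60


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper for building UTC timestamps in examples and tests."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


class ScanQuota:
    """Per-token scan counter that resets at 00:00 UTC (added example, not StellaOps' code)."""

    def __init__(self, quota: int = DAILY_QUOTA):
        self.quota = quota
        self.day = None      # UTC date the counter belongs to
        self.used = 0

    def _roll_day(self, now: datetime) -> None:
        day = now.astimezone(timezone.utc).date()
        if day != self.day:
            self.day, self.used = day, 0

    @staticmethod
    def reset_at(now: datetime) -> datetime:
        """Next 00:00 UTC strictly after `now`."""
        next_day = now.astimezone(timezone.utc).date() + timedelta(days=1)
        return datetime.combine(next_day, time.min, tzinfo=timezone.utc)

    def record_scan(self, now: datetime) -> dict:
        """Account one /scan call and return the throttling decision.
        `wait_seconds` is the delay the caller experiences before the scan proceeds."""
        self._roll_day(now)
        self.used += 1
        over = self.used - self.quota
        if over <= 0:
            action, wait = "allow", 0
        elif over <= SOFT_WAIT_CALLS:
            action, wait = "soft-wait", SOFT_WAIT_S
        else:
            action, wait = "hard-wait", HARD_WAIT_S
        return {
            "action": action,
            "wait_seconds": wait,
            "banner": self.used > BANNER_AT,   # assumption: "cross 200" means > 200
            # Hypothetical header names; the page does not name them.
            "headers": {
                "X-Scan-Remaining": str(max(self.quota - self.used, 0)),
                "X-Scan-Reset": self.reset_at(now).isoformat(),
            },
        }


def simulate(n_calls: int, start: datetime) -> list:
    """Issue n_calls one second apart from `start` on a fresh token; return each decision."""
    quota = ScanQuota()
    return [quota.record_scan(start + timedelta(seconds=i)) for i in range(n_calls)]


if __name__ == "__main__":
    decisions = simulate(400, utc(2025, 7, 14, 12))
    for i in (199, 200, 332, 333, 363, 399):
        d = decisions[i]
        print(f"call {i + 1}: {d['action']:9} wait={d['wait_seconds']:2}s "
              f"banner={d['banner']} remaining={d['headers']['X-Scan-Remaining']}")
```

Because the counter is keyed by UTC date rather than by a 24-hour sliding window, a token that hits the hard wait late in the day is fully restored at the next UTC midnight, which is the "daily reset" the page describes.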


## 2. How It Works — End-to-End Flow (30-sec tour)

  1. Build Phase
     The sbom-builder container runs inside CI, pulls base-layer metadata, and queries /layers/missing, receiving in ~20 ms which layers still need SBOMs.
     • New layers ➟ SBOM generated ➟ *.sbom.<type> + *.sbom.type dropped next to the image tarball.

  2. Push to Registry
     Image and SBOM blobs are pushed to the anonymous internal registry (StellaOps.Registry). Cosign tags are attached if enabled.

  3. Scan Phase
     The SanTech agent pulls the SBOM blob and sends /scan?sbomType=spdx-json to the backend. If the flag is absent, the backend auto-detects the format.
     • Free-tier tokens inherit the 333-scan/day quota; response headers expose remaining scans and the reset time.

  4. Policy & Risk Evaluation
     The backend hydrates CVE data, merges any cached layer scores, and calls the Policy-as-Code engine:
     • YAML rules → built-in interpreter;
     • Rego policies (future) → embedded OPA.

  5. Attestation & Transparency (Roadmap)
     StellaOpsAttestor signs results with SLSA provenance and records them in a local Rekor mirror for tamper-proof history.

  6. Feedback Loop
     • CLI exits non-zero on policy block.
     • UI dashboard shows findings, quota banner, and per-token scan counters; triagers can mute findings or set expiry dates directly.
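Steps 4 and 6 together define the contract between the policy engine and CI: rules decide block/warn/pass per finding, triagers' mutes suppress findings until their expiry, and the CLI turns a block into a non-zero exit. The Python below is an added example of that evaluation, not the StellaOps engine. The rule schema (`min_severity`, `action`) is my assumption about what a YAML rule file would parse to, since the page does not document StellaOps' rule format; the `VULN-000x` identifiers and mute records are constructed placeholders.

```python
from datetime import datetime, timezone

# Parsed form of a hypothetical YAML rule file (what a YAML loader would return).
# The schema is an assumption for this example; StellaOps' real rule format is not on the page.
# Rules are listed strictest first because the first matching rule wins.
RULES = [
    {"name": "block-high-and-above", "min_severity": "HIGH", "action": "block"},
    {"name": "warn-medium", "min_severity": "MEDIUM", "action": "warn"},
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
EXIT_OK, EXIT_BLOCKED = 0, 1


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset into an aware UTC datetime."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def active_mutes(mutes: list, now: datetime) -> set:
    """IDs whose mute has no expiry or whose expiry is still in the future.
    An expired mute re-surfaces the finding instead of silently hiding it forever."""
    return {m["id"] for m in mutes
            if m.get("expires") is None or utc(m["expires"]) > now}


def evaluate(findings: list, rules: list, mutes: list, now: datetime) -> tuple:
    """Return (exit_code, decisions) where decisions is a list of (finding id, verdict)."""
    muted = active_mutes(mutes, now)
    decisions = []
    for finding in findings:
        if finding["id"] in muted:
            decisions.append((finding["id"], "muted"))
            continue
        verdict = "pass"
        for rule in rules:
            if SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[rule["min_severity"]]:
                verdict = rule["action"]
                break
        decisions.append((finding["id"], verdict))
    blocked = any(verdict == "block" for _, verdict in decisions)
    return (EXIT_BLOCKED if blocked else EXIT_OK), decisions


# Constructed findings and mutes; identifiers are placeholders, not real CVEs.
FINDINGS = [
    {"id": "VULN-0001", "package": "libexample", "severity": "CRITICAL"},
    {"id": "VULN-0002", "package": "libother", "severity": "HIGH"},
    {"id": "VULN-0003", "package": "libthird", "severity": "MEDIUM"},
    {"id": "VULN-0004", "package": "libfourth", "severity": "LOW"},
]
MUTES = [
    {"id": "VULN-0001", "expires": "2025-12-31T00:00:00+00:00"},  # still active on 14 Jul 2025
    {"id": "VULN-0002", "expires": "2025-06-30T00:00:00+00:00"},  # expired: finding re-surfaces
]

if __name__ == "__main__":
    code, decisions = evaluate(FINDINGS, RULES, MUTES, utc("2025-07-14T00:00:00+00:00"))
    for finding_id, verdict in decisions:
        print(f"{finding_id}: {verdict}")
    print(f"exit code: {code}")
```

The expiry check is the part worth keeping honest: if mutes never expire, a temporary triage decision quietly becomes a permanent exception, which is exactly the audit gap the UI's history and expiry dates are meant to close.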


## 3. Why Such a Product Is Needed

> “Software supply-chain attacks have increased 742% over the past three years.” (Sonatype, 2024 State of the Software Supply Chain)

### Key Drivers & Regulations

| Driver | Detail & Obligation |
|--------|---------------------|
| Government SBOM Mandates | US EO 14028 & NIST SP 800-218 require suppliers to provide SBOMs. The EU Cyber Resilience Act (CRA) will demand attestations of secure development by 2026. |
| SLSA & SSDF Frameworks | Industry pushes toward SLSA v1.0 levels 2–3 and NIST SSDF 1.1 controls, emphasising provenance and policy enforcement. |
| Transparency Logs | Sigstore Rekor gains traction as a standard for tamper-evident signatures—even for air-gapped replicas. |
| Offline & Sovereign Deployments | Critical-infra operators (finance, telecom, defence) must run security tooling without Internet and with local language/VDB support. |
| Performance Expectations | Modern CI/CD pipelines trigger hundreds of image builds daily; waiting 30–60 s per scan is no longer acceptable—and now must be achieved within a 333-scan/day free quota. |

### Gap in Existing Tools

  • SaaS-only scanners can't run in regulated or disconnected environments.
  • Monolithic open-source scanners are hard-wired to Trivy or Syft formats, lacking delta optimisation.
  • Few products expose Policy-as-Code with full UI editing and history audit in a single package.
  • None address quota-aware throttling without hidden paywalls.

StellaOps fills this gap by combining speed, modular openness, sovereign readiness and transparent quota limits—making thorough supply-chain security attainable for every team, not just cloud-native startups.


Last updated: 14 Jul 2025