78 lines
5.2 KiB
Markdown
78 lines
5.2 KiB
Markdown
# 1 · What Is - **Stella Ops**?
|
||
|
||
Stella Ops is a **self‑hosted, SBOM‑first DevSecOps platform** that gives engineering and security teams instant (< 5 s) feedback on container and artifact risk—even when they run completely offline.
|
||
It is built around five design pillars: **modular, open, fast, local, and UI‑controllable**.
|
||
|
||
---
|
||
|
||
## 1. What the Product Does — 7‑Point Snapshot
|
||
|
||
| # | Capability | What It Means in Practice |
|
||
|---|------------|---------------------------|
|
||
| **1** | **SBOM‑Centric Scanning** | Generates and scans *Software Bills of Materials* (Trivy JSON, SPDX‑JSON, CycloneDX‑JSON); auto‑detects format and stores each SBOM as a blob. |
|
||
| **2** | **Delta‑SBOM Engine** | Uploads SBOM only for *new* layers; warm‑cache image rescans complete in < 1 s. |
|
||
| **3** | **Anonymous Internal Registry** | Ships a built‑in `StellaOps.Registry` so agents (`SanTech`, `Zastava`, SBOM‑builder) can be pulled inside air‑gapped networks without external credentials. |
|
||
| **4** | **Policy‑as‑Code** | Supports YAML rules today and OPA/Rego (`StellaOps.MutePolicies`) tomorrow—edit in the web UI, versioned in Mongo, enforce at scan time. |
|
||
| **5** | **Pluggable Modules** | Every scanner, exporter, or attestor is a hot‑load .NET plug‑in (e.g., `StellaOpsAttestor` for SLSA/Rekor in the roadmap). |
|
||
| **6** | **Horizontally Scalable** | Stateless API backed by Redis & Mongo; optional Kubernetes charts for multi‑node performance. |
|
||
| **7** | **Sovereign & Localised** | Russian‑language UI, local vulnerability DB mirrors, and no telemetry by default—ready for ГОСТ/FSTEC‑sensitive deployments. |
|
||
|
||
> **🆓 Free tier update (July 2025)** – Every self‑hosted instance now includes **333 scans per UTC day**.
|
||
> A yellow banner appears once you cross **200 scans** (≈ 60 % of quota).
|
||
> Past 333, `/scan` responds with soft 5 s waits for 30 calls, then a hard **60 s wait‑wall** until the daily reset.
|
||
|
||
---
|
||
|
||
## 2. How It Works — End‑to‑End Flow (30 sec tour)
|
||
|
||
1. **Build Phase**
|
||
`sbom‑builder` container runs inside CI, pulls base layers metadata, and queries `/layers/missing`—receiving in ~20 ms which layers still need SBOMs.
|
||
• New layers ➟ SBOM generated ➟ `*.sbom.<type>` + `*.sbom.type` dropped next to image tarball.
|
||
|
||
2. **Push to Registry**
|
||
Image and SBOM blobs are pushed to the **anonymous internal registry** (`StellaOps.Registry`). Cosign tags are attached if enabled.
|
||
|
||
3. **Scan Phase**
|
||
`SanTech` agent pulls the SBOM blob, sends `/scan?sbomType=spdx-json` to backend. If flag is absent, backend auto‑detects.
|
||
• Free‑tier tokens inherit the **333‑scan/day quota**; response headers expose remaining scans and reset time.
|
||
|
||
4. **Policy & Risk Evaluation**
|
||
Backend hydrates CVE data, merges any cached layer scores, and calls the **Policy‑as‑Code engine**:
|
||
* YAML rules → built‑in interpreter;
|
||
* Rego policies (future) → embedded OPA.
|
||
|
||
5. **Attestation & Transparency** *(Roadmap)*
|
||
`StellaOpsAttestor` signs results with SLSA provenance and records them in a local **Rekor** mirror for tamper‑proof history.
|
||
|
||
6. **Feedback Loop**
|
||
• CLI exits with non‑zero on policy block.
|
||
• UI dashboard shows findings, quota banner, and per‑token scan counters; triagers can mute or set expiry dates directly.
|
||
|
||
---
|
||
|
||
## 3. Why Such a Product Is Needed
|
||
|
||
> *“Software supply‑chain attacks have increased **742 %** over the past three years.”* – Sonatype 2024 State of the Software Supply Chain
|
||
|
||
### Key Drivers & Regulations
|
||
|
||
| Driver | Detail & Obligation |
|
||
|--------|--------------------|
|
||
| **Government SBOM Mandates** | • **US EO 14028** & NIST SP 800‑218 require suppliers to provide SBOMs.<br>• EU **Cyber Resilience Act (CRA)** will demand attestations of secure development by 2026. |
|
||
| **SLSA & SSDF Frameworks** | Industry pushes toward **SLSA v1.0** levels 2‑3 and NIST **SSDF 1.1** controls, emphasising provenance and policy enforcement. |
|
||
| **Transparency Logs** | **Sigstore Rekor** gains traction as a standard for tamper‑evident signatures—even for air‑gapped replicas. |
|
||
| **Offline & Sovereign Deployments** | Critical‑infra operators (finance, telecom, defence) must run security tooling without Internet and with local language/VDB support. |
|
||
| **Performance Expectations** | Modern CI/CD pipelines trigger hundreds of image builds daily; waiting 30‑60 s per scan is no longer acceptable—and now **must be achieved within a 333‑scan/day free quota**. |
|
||
|
||
### Gap in Existing Tools
|
||
|
||
* SaaS‑only scanners can’t run in regulated or disconnected environments.
|
||
* Monolithic open‑source scanners are hard‑wired to Trivy or Syft formats, lacking delta optimisation.
|
||
* Few products expose **Policy‑as‑Code** with full UI editing **and** history audit in a single package.
|
||
* None address quota‑aware throttling without hidden paywalls.
|
||
|
||
**Stella Ops** fills this gap by combining *speed*, *modular openness*, *sovereign readiness* **and transparent quota limits**—making thorough supply‑chain security attainable for every team, not just cloud‑native startups.
|
||
|
||
---
|
||
*Last updated: 14 Jul 2025*
|