48702191be
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
feat(sbomservice): Add placeholder for SHA256SUMS in LNM v1 fixtures docs(devportal): Create README for SDK archives in public directory build(devportal): Implement offline bundle build script test(devportal): Add link checker script for validating links in documentation test(devportal): Create performance check script for dist folder size test(devportal): Implement accessibility check script using Playwright and Axe docs(devportal): Add SDK quickstart guide with examples for Node.js, Python, and cURL feat(excititor): Implement MongoDB storage for airgap import records test(findings): Add unit tests for export filters hash determinism feat(findings): Define attestation contracts for ledger web service feat(graph): Add MongoDB options and service collection extensions for graph indexing test(graph): Implement integration tests for MongoDB provider and service collection extensions feat(zastava): Define configuration options for Zastava surface secrets build(tests): Create script to run Concelier linkset tests with TRX output
Stella Ops
Stella Ops is the sovereign, SBOM‑first security platform that proves every container decision with deterministic scans, explainable policy verdicts, and offline‑ready provenance.
- Sovereign by design – bring your own trust roots, vulnerability advisory sources, VEX sources, regional crypto, and Offline Update Kits that never phone home.
- Deterministic + replayable – every scan can be reproduced bit‑for‑bit with DSSE + OpenVEX evidence.
- Actionable signal – lattice logic ranks exploitability, and the policy engine lets you tailor VEX handling, muting, and expiration rules for your environment.
Proof points: SBOM dependency and vulnerability dependency cartographing work, deterministic replay manifests, lattice policy UI with OpenVEX, and post‑quantum trust packs ready for regulated sectors.
Choose Your Path
| If you want to… | Open this | Read time |
|---|---|---|
| Understand the promise and pain we solve | overview.md |
≈ 2 min |
| Run a first scan and see the CLI | quickstart.md |
≈ 5 min |
| Browse key capabilities at a glance | key-features.md |
≈ 3 min |
| Check architecture, road to production, or evaluate fit | See “Dig deeper” below | ≤ 30 min curated set |
Explore the Essentials
- Value in context – Overview compresses the “Why” + “What” stories and shows how Stella Ops stands apart.
- Try it fast – Quickstart walks through fetching the signed bundles, configuring
.env, and verifying the first scan. - Feature confidence – Key Features gives five capability cards covering Delta SBOM, VEX‑first policy, Sovereign crypto, Deterministic replay, and Transparent quotas.
- Up-next checkpoints – Evaluation checklist helps teams plan Day‑0 to Day‑30 adoption milestones.
Key capabilities that define Stella Ops
| Capability | What ships | Why it matters |
|---|---|---|
| Deterministic Δ‑SBOM & replay bundles | Layer-aware cache + replay manifests keep scans reproducible even months later. | Auditors can re-run any verdict with identical inputs, proving integrity without SaaS dependencies. |
| Pristine advisory mirrors | OSV, GHSA, NVD, CNVD, CNNVD, ENISA, JVN, BDU, etc. are mirrored as immutable, per-source snapshots—never merged. | Policy (via scanner.* / SCANNER__*) can trust, down-rank, or ignore sources without rewriting upstream data. |
| Lattice VEX engine | OpenVEX, waivers, mitigations, and configs flow through deterministic lattice logic. | Every block/allow decision is explainable, replayable, and environment-specific. |
| Context fabric | Static reachability now, optional runtime/eBPF probes at GA so build + runtime signals share one verdict. | Prioritisation spans first-party code, base images, and live telemetry. |
| Transparency log + trust credits | Cosign/DSSE bundles push to a Rekor-compatible log; the trust-credit ledger records who accepted a risk. | Compliance teams get provenance plus accountable ownership trails. |
| Sovereign crypto profiles | Swap in FIPS, eIDAS, GOST, SM, or PQ-ready providers without code changes. | Meets regional crypto rules while keeping attestations verifiable. |
| Offline-first operations | Offline Kit packages the pristine feeds, plug-ins, and configs; import CLI verifies everything locally. | Air-gapped clouds get the same security posture as connected sites. |
| Enterprise readiness | Transparent quotas, LDAP/AD SSO, restart-time plug-in SDK, generous free tier. | Large teams keep their workflows without surrendering control to SaaS platforms. |
Where Stella Ops differs from incumbents
| Vendor | Where they stop | Stella Ops difference |
|---|---|---|
| Trivy / Syft | SBOM generation as a CLI add-on; policy left to other products. | SBOM + VEX are the system of record with deterministic replay and signed evidence. |
| Snyk Container | Static reachability bounded to first-party code. | Lattice links code, base images, cluster policies, and optional runtime probes so the entire stack shares one score. |
| JFrog Xray | Contextual scoring lives behind a closed service. | Policies, DSSE bundles, and transparency logs are open, auditable, and portable. |
| Docker Scout | Provenance remains inside Docker’s ecosystem. | Any OCI provenance is ingested, signed with your crypto profile, and replayed offline. |
| Wiz / runtime sensors | Runtime telemetry is separate from build-time SBOM/VEX evidence. | Optional runtime probes feed the same deterministic lattice so build- and run-time context stay consistent. |
Dig Deeper (curated reading)
- Install & operations: Installation guide, Offline Update Kit, Security hardening.
- Binary prerequisites & offline layout: Binary prereqs covering curated NuGet feed, manifests, and CI guards.
- Architecture & modules: High-level architecture, Module dossiers, Strategic differentiators.
- Policy & governance: Policy templates, Legal & quota FAQ, Governance charter.
- UI & glossary: Console guide, Accessibility, Glossary.
- Technical documentation: Full technical index for architecture, APIs, module dossiers, and operations playbooks.
- FAQs & readiness: FAQ matrix, Roadmap (external), Release engineering playbook.
Need more? The full documentation tree – ADRs, per‑module operations, schemas, developer references – stays untouched under the existing directories (modules/, api/, dev/, ops/), ready when you are.
Configuration note: Feature exposure stays governed by
StellaOps.Scanner.WebService(scanner.*/SCANNER__*) settings. See modules/scanner/architecture.md and modules/scanner/design/surface-env.md for the authoritative schema; the docs remain pristine while configuration decides what surfaces for each deployment.
© 2025 Stella Ops contributors – AGPL‑3.0‑or‑later