Quickstart – First Scan in Five Minutes
Status: public α image ships late 2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). Commands below are ready the moment the tag lands.
0. Prerequisites (1 min)
| Requirement | Minimum | Notes |
|---|---|---|
| OS | Ubuntu 22.04 LTS / Alma 9 | x86‑64 or arm64 |
| Docker | Engine 25 + Compose v2 | docker -v |
| Resources | 2 vCPU / 2 GiB RAM / 10 GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace /certs before production |
Keep Redis and MongoDB bundled unless you already operate managed instances.
1. Download the signed bundles (1 min)
```sh
# Fetch each compose bundle together with its detached signature
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig

# Verify both bundles before using them; a non-zero exit means do not proceed
cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.infrastructure.yml.sig \
  docker-compose.infrastructure.yml

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature docker-compose.stella-ops.yml.sig \
  docker-compose.stella-ops.yml
```
Air-gapped? The Offline Update Kit ships these files plus feeds and plug-ins.
2. Configure .env (1 min)
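Create .env with the essentials. Run the block in a shell rather than pasting the assignments into an editor: Compose reads .env literally, so the `$(openssl ...)` substitutions have to be expanded when the file is written.

```sh
# The unquoted heredoc lets the shell expand $(openssl ...) into random values;
# Compose itself never runs command substitutions found in .env.
cat > .env <<EOF
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18)
MONGO_URL=mongodb
REDIS_PASSWORD=$(openssl rand -base64 18)
REDIS_URL=redis
EOF
```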
Use existing Redis/Mongo endpoints by setting MONGO_URL and REDIS_URL. Keep credentials scoped to Stella Ops; Redis counters enforce the transparent quota ({{ quota_token }} scans/day).
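
A preflight lint for the `.env` from step 2, added here as an example (not part of the Stella Ops docs or tooling): it flags secrets that still hold a literal `$(...)`, the `change-me!` placeholder or a short value, and a file readable beyond its owner. The function names and the 16-character floor are assumptions; the key names are the ones used above.

```sh
#!/bin/sh
# Added example: lint .env before `docker compose up`. Key names are from the
# quickstart; MIN_LEN is an assumed floor, not a Stella Ops requirement.
SECRET_KEYS="STELLA_OPS_DEFAULT_ADMIN_PASSWORD MONGO_INITDB_ROOT_PASSWORD REDIS_PASSWORD"
MIN_LEN=16

# env_value FILE KEY: print KEY's last assignment with surrounding quotes removed
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_env FILE: print one finding per line; exit status is the finding count
check_env() {
    file=$1
    findings=0
    [ -r "$file" ] || { echo "$file: not readable"; return 1; }
    for key in $SECRET_KEYS; do
        val=$(env_value "$file" "$key")
        msg=
        case $val in
            '')            msg="missing or empty" ;;
            # Compose stores the text literally; it never runs substitutions
            *'$('*|*'`'*)  msg="unexpanded command substitution" ;;
            change-me*)    msg="quickstart placeholder still in use" ;;
            *)             [ "${#val}" -ge "$MIN_LEN" ] ||
                               msg="shorter than $MIN_LEN characters" ;;
        esac
        if [ -n "$msg" ]; then
            echo "$key: $msg"
            findings=$((findings + 1))
        fi
    done
    # Characters 5-10 of the mode string are the group and other permission bits
    perms=$(ls -ln "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file: accessible beyond owner (mode bits $perms)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: placeholder admin password and an unexpanded substitution
demo=$(mktemp)
printf '%s\n' 'STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"' \
    'MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18)' \
    'REDIS_PASSWORD=Zm9vYmFyYmF6cXV4MTIzNDU2' > "$demo"
check_env "$demo" || echo "findings: $?"
rm -f "$demo"
```

Gate the launch on the result by running `check_env .env` before the `docker compose` commands in step 3; `chmod 600 .env` clears the permission finding.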
3. Launch services (1 min)
```sh
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
```

- `StellaOps.Authority` issues short-lived OpToks for CLI/UI.
- `StellaOps.Scanner` hosts `/scan`, queues work to Workers.
- `StellaOps.Policy.Engine` and `StellaOps.Concelier` start with seeded policies; feeds sync in the background.
4. Run your first scan (1 min)
```sh
stella auth login --device-code
stella scan image \
  --image registry.stella-ops.org/demo/juice-shop:latest \
  --sbom-type cyclonedx-json
```

- Expect `<5 s` warm scans once the Delta SBOM cache is primed.
- CLI exits non-zero if lattice policy blocks the image; use `stella policy explain --last` for context.
- Headers `X-Stella-Quota-Remaining` and the UI banner keep quota usage transparent.
5. Verify & explore (1 min)
- Check the Console (`https://localhost:8443`) to view findings, VEX evidence, and deterministic replay manifests.
- Export the DSSE bundle: `stella export run --format dsse`.
- Capture evidence for audit: `stella attest bundle --output demo.dsse.json`.
Sovereign mode in one click
- Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed.
- Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding.
Next steps
- Harden the deployment with `17_SECURITY_HARDENING_GUIDE.md`.
- Explore feature highlights in `key-features.md`.
- Plan the rollout using the evaluation checklist.