Stella Ops
Self‑hosted, SBOM‑first DevSecOps platform – offline‑friendly, AGPL‑3.0, free up to {{ quota_token }} scans per UTC day (soft delay only, never blocks).
Stella Ops lets you discover container vulnerabilities in < 5 s without sending a single byte outside your network.
Everything here is open‑source and versioned — when you check out a git tag, the docs match the code you are running.
🚀 Start here (first 60 minutes)
| Step | What you will learn | Doc |
|---|---|---|
| 1️⃣ | 90‑second elevator pitch & pillars | What Is Stella Ops? |
| 2️⃣ | Pain points it solves | Why Does It Exist? |
| 3️⃣ | Install & run a scan in 10 min | Install Guide |
| 4️⃣ | Components & data‑flow | High‑Level Architecture |
| 5️⃣ | Integrate the CLI / REST API | API & CLI Reference |
| 6️⃣ | Vocabulary used throughout the docs | Glossary |
📚 Complete Table of Contents
Overview
- 01 – What Is Stella Ops?
- 02 – Why Does It Exist?
- 03 – Vision & Road‑map
- 04 – Feature Matrix
Reference & concepts
- 05 – System Requirements Specification
- 07 – High‑Level Architecture
- 08 – Architecture Decision Records
- 08 – Module Architecture Dossiers
- 09 – API & CLI Reference
- 10 – Plug‑in SDK Guide
- 10 – Concelier CLI Quickstart
- 10 – BuildX Generator Quickstart
- 10 – Scanner Cache Configuration
- 30 – Excititor Connector Packaging Guide
- 31 – Aggregation-Only Contract Reference
- 31 – Advisory Observations & Linksets
- 31 – VEX Observations & Linksets
- 32 – Entry-Point Detection Playbook
- 30 – Developer Templates
- 11 – Authority Service
- 11 – Data Schemas
- 12 – Performance Workbook
- 13 – Release‑Engineering Playbook
- 20 – CLI AOC Commands Reference
- 20 – Console CLI Parity Matrix
- 60 – Policy Engine Overview
- 61 – Policy DSL Grammar
- 62 – Policy Lifecycle & Approvals
- 63 – Policy Runs & Orchestration
- 64 – Policy Exception Effects
- 65 – Policy Engine REST API
- 66 – Policy CLI Guide
- 67 – Policy Editor Workspace
- 68 – Policy Observability
- 69 – Console Observability
- 70 – Policy Governance & Least Privilege
- 70a – Policy Gateway
- 71 – Policy Examples
- 72 – Policy FAQ
- 73 – Policy Run DTOs
- 30 – Fixture Maintenance
- 74 – Export Center Overview
- 75 – Export Center Architecture
- 76 – Export Center Profiles
- 77 – Export Center API Reference
- 78 – Export Center CLI Guide
- 79 – Export Center Trivy Adapters
- 80 – Export Center Mirror Bundles
- 81 – Export Center Provenance & Signing
User & operator guides
- 14 – Glossary
- 15 – UI Guide
- 16 – Console AOC Dashboard
- 16 – Console Accessibility Guide
- 17 – Security Hardening Guide
- 17 – Console Security Posture
- 18 – Coding Standards
- 19 – Test‑Suite Overview
- 21 – Install Guide
- 21 – Docker Install Recipes
- 22 – CI/CD Recipes Library
- 23 – FAQ
- 24 – Offline Update Kit Admin Guide
- 25 – Mirror Operations Runbook
- 26 – Concelier Apple Connector Operations
- 27 – Authority Key Rotation Playbook
- 28 – Concelier CCCS Connector Operations
- 29 – Concelier CISA ICS Connector Operations
- 30 – Concelier CERT-Bund Connector Operations
- 31 – Concelier MSRC Connector – AAD Onboarding
- 36 – Launch Cutover Runbook
- 37 – Registry Token Service
- 37 – Deployment Upgrade & Rollback Runbook
- 38 – Policy Schema Export Automation
- 40 – Observability Guide (AOC)
- 41 – Telemetry Collector Deployment
- 42 – Telemetry Storage Deployment
- 43 – Authority Scopes & Tenancy
- 44 – Container Deployment (AOC)
- 45 – Export Center Operations Runbook
Notifications Studio
- 81 – Notifications Overview
- 82 – Notifications Architecture
- 83 – Notifications Rules
- 84 – Notifications Templates
- 85 – Notifications Digests
Legal & licence
- 32 – Legal & Quota FAQ
🧹 Backlog hygiene
Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
- Aggregation-Only Contract (AOC). Ingestion services aggregate and link facts only—derived precedence, severity, and safe-fix hints live in Policy overlays and dedicated explorers. Review `implplan/AGENTS.md` and the AOC guardrails in `aoc/aoc-guardrails.md`.
- Cartographer owns graphs. SBOM Service emits projections/events; Cartographer (`CARTO-GRAPH-21-00x`) builds graph storage, overlays, and tiles. See `modules/concelier/architecture.md` (Cartographer handshake section) for handoff boundaries.
- Notifier replaces legacy Notify. Sprint‑15 `StellaOps.Notify.*` tasks are frozen; use the Notifications Studio/Notifier backlogs (`NOTIFY-SVC-38..40`, `WEB-NOTIFY-3x-00x`, `CLI-NOTIFY-3x-00x`).
- Dedicated services for Vuln & Policy. Vuln Explorer work flows through `src/VulnExplorer/StellaOps.VulnExplorer.Api`/Console/CLI (Sprint 29); gateway routes proxy only. Policy Engine remains the sole source for precedence/suppression overlays.
- Cleanup log. The backlog consolidation summary lives in `backlog/2025-10-cleanup.md`.
© 2025 Stella Ops contributors – licensed AGPL‑3.0‑or‑later