# Stella Ops — Frequently Asked Questions (Matrix)
## Quick glance
| Question | Short answer |
|----------|--------------|
| What is Stella Ops? | A lightning‑fast, SBOM‑first container‑security scanner written in **.NET {{ dotnet }}** with an **Angular {{ angular }}** web UI. |
| How fast is it? | Warm scans finish in **< 5 s** on a 4‑vCPU runner; first scans stay **< 30 s**. |
| Is it free? | Yes – **{{ quota_anon }} scans / day** anonymously. Requesting a free JWT lifts the limit to **{{ quota_token }}**. A gentle reminder shows at 200; exceeding the cap throttles speed but never blocks. |
| Does it run offline? | Yes — download the signed **Offline Update Kit**; see `/offline/`. |
| Can I extend it? | Yes — restart‑time plug‑ins (`ISbomMutator`, `IVulnerabilityProvider`, `IResultSink`, OPA Rego). Marketplace GA in v1.0. |

---
## Road‑map (authoritative link)
The full, always‑up‑to‑date roadmap lives at <https://stella-ops.org/roadmap/>.

Snapshot:
| Version | Target date | Locked‑in scope (freeze at β) |
|---------|-------------|--------------------------------|
| **v0.1 α** | *Late 2025* | Δ‑SBOM engine, nightly re‑scan, Offline Kit v1, {{ quota_anon }} / {{ quota_token }} quota |
| **v0.2 β** | Q1 2026 | *Zastava* forbidden‑image scanner, registry sweeper, SDK β |
| **v0.3 β** | Q2 2026 | YAML/Rego policy‑as‑code, SARIF output, OUK auto‑import |
| **v0.4 RC** | Q3 2026 | AI remediation advisor, LDAP/AD SSO, pluggable TLS providers |
| **v1.0 GA** | Q4 2026 | SLSA L3 provenance, signed plug‑in marketplace |

---
## Technical matrix
| Category | Detail |
|----------|--------|
| **Core runtime** | C# 14 on **.NET {{ dotnet }}** |
| **UI stack** | **Angular {{ angular }}** + TailwindCSS |
| **Container base** | Distroless glibc (x86‑64 & arm64) |
| **Data stores** | PostgreSQL (SBOM + findings), Redis 7 (LRU cache + quota) |
| **Release integrity** | Cosign‑signed images & TGZ, reproducible build, SPDX 2.3 SBOM |
| **Extensibility** | Plug‑ins in any .NET language (restart load); OPA Rego policies |
| **Default quotas** | Anonymous **{{ quota_anon }} scans/day** · JWT **{{ quota_token }}** |

---
## Quota enforcement (overview)
* Counters live in Redis under 24 h keys: `quota:ip:<sha256>` or `quota:tid:<hash>`.
* A soft reminder banner appears at 200 daily scans.
* Past the limit, the first 30 excess requests are delayed 5 s; every later one is delayed 60 s. Requests are never refused.
* Behaviour is identical online and offline (validation happens locally).

For full flow see `docs/30_QUOTA_ENFORCEMENT_FLOW1.md`.
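The counter-and-delay logic described above, as an added Python example; it is not Stella Ops' own code (the project is .NET) and is included here only to show how the rules combine. Assumptions not stated on this page: the tenant hash behind `quota:tid:<hash>` is SHA-256 (the FAQ only says `<hash>`), the numeric limit is a constructor argument because the real value is the site's `quota_anon` / `quota_token` variable, and `MemoryCounter` is an in-memory stand-in for the Redis `INCR` + `EXPIRE` pattern so the block runs offline.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DAY_SECONDS = 24 * 60 * 60  # the 24 h key lifetime the FAQ describes


def quota_key(ip: Optional[str] = None, tenant_id: Optional[str] = None) -> str:
    """Derive the counter key; a JWT tenant id takes precedence over the client IP.

    Hashing keeps raw client addresses out of the cache, but SHA-256 of an IPv4
    address is reversible by enumerating 2^32 candidates, so treat this as
    pseudonymisation, not anonymisation. SHA-256 for the tenant hash is an
    assumption; the FAQ only writes <hash>.
    """
    if tenant_id is not None:
        return "quota:tid:" + hashlib.sha256(tenant_id.encode("utf-8")).hexdigest()
    if ip is None:
        raise ValueError("either ip or tenant_id is required")
    return "quota:ip:" + hashlib.sha256(ip.encode("utf-8")).hexdigest()


class MemoryCounter:
    """Stand-in for the Redis pattern `INCR key` followed by `EXPIRE key 86400 NX`.

    Constructed for this example so it runs offline; production keeps the
    counters in Redis. Issuing INCR and EXPIRE as two round trips leaves a
    window in which a crash yields a key that never expires; in Redis 7 close
    it with a single Lua script (or SET NX EX followed by INCR).
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._data: Dict[str, Tuple[int, float]] = {}  # key -> (count, expires_at)

    def incr(self, key: str, ttl: int) -> int:
        now = self._clock()
        count, expires_at = self._data.get(key, (0, 0.0))
        if count and expires_at <= now:   # 24 h window elapsed: start a new one
            count, expires_at = 0, 0.0
        if count == 0:                     # first hit in the window sets the TTL
            expires_at = now + ttl
        count += 1
        self._data[key] = (count, expires_at)
        return count


@dataclass(frozen=True)
class Decision:
    count: int        # scans seen for this key in the current 24 h window
    delay_s: int      # 0, 5 or 60; the request is slowed down, never refused
    reminder: bool    # show the soft banner
    over_limit: bool


@dataclass
class QuotaEnforcer:
    counter: MemoryCounter
    limit: int = 333          # assumed figure; the real value is quota_anon / quota_token
    reminder_at: int = 200    # soft reminder banner threshold
    grace: int = 30           # excess requests that still get the short delay
    short_delay_s: int = 5
    long_delay_s: int = 60

    def check(self, key: str) -> Decision:
        n = self.counter.incr(key, DAY_SECONDS)
        if n <= self.limit:
            return Decision(n, 0, n >= self.reminder_at, False)
        excess = n - self.limit
        delay = self.short_delay_s if excess <= self.grace else self.long_delay_s
        return Decision(n, delay, True, True)


def simulate(n_requests: int, **kwargs) -> list:
    """Run n_requests scans from one constructed anonymous client; return the delays applied."""
    enforcer = QuotaEnforcer(MemoryCounter(), **kwargs)
    key = quota_key(ip="203.0.113.7")  # TEST-NET-3 address, constructed for the example
    return [enforcer.check(key).delay_s for _ in range(n_requests)]


if __name__ == "__main__":
    print(simulate(12, limit=5, grace=3))  # 5 free scans, 3 at 5 s, then 60 s
```

Two points worth noting when reading the block: keying on a hashed IP means clients behind one NAT share a window, and a client that rotates addresses gets a fresh window each time, which is why a soft throttle rather than a hard block is the sensible default. The reminder and the throttle are computed from the same counter, so there is no separate state to drift between the online and offline paths.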
---
## Further reading
* **Install guide:** `/install/`
* **Offline mode:** `/offline/`
* **Security policy:** `/security/`
* **Governance:** `/governance/`
* **Community chat:** Matrix `#stellaops:libera.chat`