# Stella Ops Suite — 2-Minute Overview

## What Stella Ops Suite Is
Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates.
It sits between your CI and your runtime targets, governs promotion across environments, enforces security and policy gates, and produces verifiable evidence for every release decision—while remaining plug-in friendly to any SCM/CI/registry/secrets stack.
## The Problems We Solve
- Release governance is fragmented: CI tools run pipelines but lack central release authority; deployment tools promote but bolt on security as an afterthought.
- Non-Kubernetes targets are second-class: Docker hosts, Compose, ECS, and Nomad deployments lack the GitOps tooling that Kubernetes enjoys.
- Security blocks releases without explanation: Scanners find vulnerabilities but don't integrate with promotion workflows; teams bypass gates or ignore findings.
- Audit trails are scattered: Release decisions live in CI logs, approval emails, and Slack threads—not in a unified, cryptographically verifiable ledger.
- Pricing punishes automation: Per-project, per-seat, or per-deployment billing creates friction for teams that deploy frequently.
## What Stella Ops Suite Does
| Capability | Description |
|---|---|
| Release orchestration | UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks; steps are hook-able with scripts and step providers |
| Security decisioning as a gate | Scan on build, evaluate on release, re-evaluate when vulnerability intelligence updates—without forcing re-scans |
| OCI-digest-first releases | A release is an immutable digest (or bundle of digests); track "what is deployed where" with integrity |
| Toolchain-agnostic integrations | Plug into any SCM, any CI, any registry, any secrets system; customers reuse their existing stack |
| Auditability + standards | Audit log + evidence packets (exportable), SBOM/VEX/attestation-friendly, standards-first approach |
## Core Strengths
| Strength | Why It Matters |
|---|---|
| Non-Kubernetes specialization | Docker hosts, Compose, ECS, Nomad-style targets are first-class, not an afterthought |
| Reproducibility | Deterministic release decisions captured as evidence (inputs + policy hash + verdict + approvals) |
| Attestability | Produces and verifies release evidence/attestations (provenance, SBOM linkage, decision records) in standard formats |
| Verity (integrity) | Digest-based release identity; signature/provenance verification; tamper-evident audit trail |
| Hybrid reachability | Reachability-aware vulnerability prioritization (static + runtime signals) to reduce noise and focus on exploitable paths |
| Cost that doesn't punish automation | No per-project tax, no per-seat tax, no "deployments bill." Limits are only: (1) number of environments and (2) number of new digests analyzed per day |
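The Reproducibility, Attestability and Verity rows above (and the DSSE/in-toto item under Operational Today) describe one mechanism: a release decision is canonicalised, wrapped in an in-toto Statement whose subject is the release digest, and signed in a DSSE envelope, so the same inputs always yield the same evidence and any later edit is detectable. The following Go program is an added example written for this page, not Stella Ops code; the `DecisionRecord` field names, the `predicateType` URI and the sample digest and approver names are assumptions, while the DSSE envelope layout and its Pre-Authentication Encoding follow the DSSE specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// DecisionRecord is a constructed evidence record (inputs + policy hash +
// verdict + approvals); the field names are assumptions, not a Stella Ops schema.
type DecisionRecord struct {
	ReleaseDigest string   `json:"release_digest"` // hex sha256 identifying the release
	PolicyHash    string   `json:"policy_hash"`    // hash of the evaluated policy bundle
	Verdict       string   `json:"verdict"`        // "allow" or "deny"
	Approvals     []string `json:"approvals"`      // approvers, order-insensitive
}

// Envelope follows the DSSE layout: payloadType, base64 payload, signatures[{keyid, sig}].
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

const inTotoPayloadType = "application/vnd.in-toto+json"

// NewSignerKey generates the release signer's ed25519 key pair.
func NewSignerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// CanonicalRecord serialises deterministically (approvals sorted into a copy, struct
// fields in declaration order, no whitespace): identical inputs give identical bytes.
func CanonicalRecord(rec DecisionRecord) ([]byte, error) {
	rec.Approvals = append([]string(nil), rec.Approvals...)
	sort.Strings(rec.Approvals)
	return json.Marshal(rec)
}

// pae is DSSE's Pre-Authentication Encoding; signing it binds the payload type too.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SealDecision wraps the record as an in-toto Statement predicate and DSSE-signs it.
func SealDecision(priv ed25519.PrivateKey, keyID string, rec DecisionRecord) (Envelope, error) {
	canon, err := CanonicalRecord(rec)
	if err != nil {
		return Envelope{}, err
	}
	payload, err := json.Marshal(map[string]interface{}{
		"_type":         "https://in-toto.io/Statement/v1",
		"subject":       []map[string]interface{}{{"name": "release", "digest": map[string]string{"sha256": rec.ReleaseDigest}}},
		"predicateType": "https://example.invalid/release-decision/v1", // placeholder URI
		"predicate":     json.RawMessage(canon),
	})
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(inTotoPayloadType, payload))
	return Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []map[string]string{{"keyid": keyID, "sig": base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// VerifyEnvelope returns the payload if some signature verifies under pub; any edit fails.
func VerifyEnvelope(pub ed25519.PublicKey, env Envelope) ([]byte, bool) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, false
	}
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s["sig"])
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			return payload, true
		}
	}
	return nil, false
}

// EditVerdict rewrites the verdict in a sealed envelope without re-signing, to show tamper evidence.
func EditVerdict(env Envelope, from, to string) Envelope {
	payload, _ := base64.StdEncoding.DecodeString(env.Payload)
	edited := strings.Replace(string(payload), `"verdict":"`+from+`"`, `"verdict":"`+to+`"`, 1)
	env.Payload = base64.StdEncoding.EncodeToString([]byte(edited))
	return env
}

func main() {
	pub, priv, _ := NewSignerKey()
	rec := DecisionRecord{ReleaseDigest: strings.Repeat("ab", 32), PolicyHash: "policy-hash-placeholder", // constructed
		Verdict: "allow", Approvals: []string{"sec-lead", "release-manager"}}
	env, _ := SealDecision(priv, "release-signer-1", rec)
	_, ok := VerifyEnvelope(pub, env)
	_, editedOK := VerifyEnvelope(pub, EditVerdict(env, "allow", "deny"))
	fmt.Printf("original verifies: %v, edited verifies: %v\n", ok, editedOK)
}
```

The hash of `CanonicalRecord`'s output is what an audit ledger would key on: two runs over the same release digest, policy hash and approvals produce byte-identical records, while `EditVerdict` shows that changing a single field after sealing makes `VerifyEnvelope` reject the packet, which is the property the Verity row calls tamper-evident.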
## Who Benefits
| Persona | Outcome |
|---|---|
| Release managers | Central control plane for promotions; clear approval workflows; audit-ready evidence |
| Security engineering | Security gates integrated into release flow; reachability-aware prioritization; VEX support |
| Platform / SRE | Deploy to Docker/Compose/ECS/Nomad with agents or agentless; rollback with confidence |
| Compliance & risk | Every release decision is cryptographically signed and replayable; export compliance reports |
| DevOps / CI owners | Integrate via webhooks; keep existing CI/SCM/registry; add release governance without replacing tools |
## Platform Capabilities

### Operational Today
- Vulnerability scanning with SBOM-first approach and delta-layer caching
- Advisory ingestion from multiple sources with aggregation-not-merge semantics
- VEX support for exploitability decisioning (OpenVEX + SPDX 3.0.1 relationships)
- Policy engine with lattice logic for explainable, deterministic verdicts
- Attestation and signing (DSSE/in-toto) with optional Sigstore Rekor transparency
- Offline operations via Offline Kit bundles for air-gapped deployments
- Sovereign crypto profiles (eIDAS, FIPS, GOST, SM)
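The VEX item in the list above, together with the "scan on build, evaluate on release, re-evaluate when vulnerability intelligence updates" capability from the first table, amounts to this: scanner findings are stored once, and the gate verdict is recomputed whenever a new VEX document arrives. The Go program below is an added example written for this page, not Stella Ops code. It models only the OpenVEX fields a gate needs (`vulnerability.name`, `products[].@id`, `status`, `justification`); the `Finding` shape, the severity threshold rule, the reason strings and the sample findings and VEX documents (with placeholder `CVE-0000-*` identifiers and a placeholder purl) are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one scanner result for a release (constructed shape for this example).
type Finding struct {
	VulnID   string // vulnerability identifier as reported by the scanner
	Product  string // purl of the affected component
	Severity string // "low", "medium", "high" or "critical"
}

// VexDocument models the parts of an OpenVEX document the gate needs.
type VexDocument struct {
	Statements []struct {
		Vulnerability struct {
			Name string `json:"name"`
		} `json:"vulnerability"`
		Products []struct {
			ID string `json:"@id"`
		} `json:"products"`
		Status        string `json:"status"`
		Justification string `json:"justification,omitempty"`
	} `json:"statements"`
}

// Decision is the explainable gate output: a verdict plus a reason per finding.
type Decision struct {
	Verdict string            // "allow" or "deny"
	Reasons map[string]string // "<vuln>@<product>" -> why it was kept or suppressed
}

var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// ParseVex decodes an OpenVEX JSON document.
func ParseVex(data []byte) (VexDocument, error) {
	var doc VexDocument
	err := json.Unmarshal(data, &doc)
	return doc, err
}

// EvaluateGate applies the VEX statements to the stored findings, then the block
// threshold. not_affected and fixed suppress a finding; affected, under_investigation
// and unstated findings still count toward the threshold.
func EvaluateGate(findings []Finding, doc VexDocument, blockAt string) Decision {
	d := Decision{Verdict: "allow", Reasons: map[string]string{}}
	for _, f := range findings {
		key := f.VulnID + "@" + f.Product
		status, justification := "", ""
		for _, s := range doc.Statements { // a later statement overrides an earlier one
			for _, p := range s.Products {
				if s.Vulnerability.Name == f.VulnID && p.ID == f.Product {
					status, justification = s.Status, s.Justification
				}
			}
		}
		switch status {
		case "not_affected":
			d.Reasons[key] = "suppressed: not_affected (" + justification + ")"
			continue
		case "fixed":
			d.Reasons[key] = "suppressed: fixed"
			continue
		case "":
			d.Reasons[key] = "kept: no VEX statement"
		default:
			d.Reasons[key] = "kept: VEX status " + status
		}
		if severityRank[f.Severity] >= severityRank[blockAt] {
			d.Verdict = "deny"
			d.Reasons[key] += "; blocks release"
		}
	}
	return d
}

// Constructed sample data with placeholder identifiers: two findings against one image
// and two VEX documents, the second issued once analysis showed the vulnerable code
// is not on an execution path. The scan results themselves never change.
var SampleFindings = []Finding{
	{VulnID: "CVE-0000-0001", Product: "pkg:oci/app@sha256%3Aaaaa", Severity: "critical"},
	{VulnID: "CVE-0000-0002", Product: "pkg:oci/app@sha256%3Aaaaa", Severity: "medium"},
}

const VexDay1 = `{"@context":"https://openvex.dev/ns/v0.2.0","statements":[{"vulnerability":{"name":"CVE-0000-0001"},"products":[{"@id":"pkg:oci/app@sha256%3Aaaaa"}],"status":"under_investigation"}]}`

const VexDay2 = `{"@context":"https://openvex.dev/ns/v0.2.0","statements":[{"vulnerability":{"name":"CVE-0000-0001"},"products":[{"@id":"pkg:oci/app@sha256%3Aaaaa"}],"status":"not_affected","justification":"vulnerable_code_not_in_execute_path"}]}`

func main() {
	// Same findings, newer VEX: the verdict flips from deny to allow without a re-scan.
	for _, raw := range []string{VexDay1, VexDay2} {
		doc, err := ParseVex([]byte(raw))
		if err != nil {
			panic(err)
		}
		d := EvaluateGate(SampleFindings, doc, "high")
		fmt.Println(d.Verdict, d.Reasons)
	}
}
```

Every entry in `Reasons` records which statement (or the absence of one) decided a finding's fate, which is what makes the verdict explainable rather than a bare pass/fail; an `under_investigation` statement deliberately keeps the finding in scope, so a pending vendor analysis never quietly unblocks a release.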
### Planned (Release Orchestration)
- Environment management — Define Dev/Stage/Prod environments with freeze windows and approval policies
- Release bundles — Compose releases from component digests with semantic versioning
- Promotion workflows — DAG-based workflow engine with approvals, gates, and hooks
- Deployment execution — Agents for Docker, Compose, ECS, Nomad; agentless via SSH/WinRM
- Progressive delivery — A/B releases, canary deployments, traffic routing
- Plugin system — Three-surface plugin model for integrations, steps, and agents
- Version stickers — Tamper-evident deployment records on targets for drift detection
## Where to Go Next
- Ready to try it? Head to quickstart.md
- Want capability details? Browse key-features.md
- Understand the architecture? See ARCHITECTURE_OVERVIEW.md
- Review the roadmap? Check ROADMAP.md