git.stella-ops.org/docs/overview.md

# Stella Ops Suite — 2-Minute Overview
## What Stella Ops Suite Is
**Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates.**
It sits between your CI and your runtime targets, governs promotion across environments, enforces security and policy gates, and produces verifiable evidence for every release decision—while remaining plug-in friendly to any SCM/CI/registry/secrets stack.
## The Problems We Solve
- **Release governance is fragmented:** CI tools run pipelines but lack central release authority; deployment tools promote but bolt on security as an afterthought.
- **Non-Kubernetes targets are second-class:** Docker hosts, Compose, ECS, and Nomad deployments lack the GitOps tooling that Kubernetes enjoys.
- **Security blocks releases without explanation:** Scanners find vulnerabilities but don't integrate with promotion workflows; teams bypass gates or ignore findings.
- **Audit trails are scattered:** Release decisions live in CI logs, approval emails, and Slack threads—not in a unified, cryptographically verifiable ledger.
- **Pricing punishes automation:** Per-project, per-seat, or per-deployment billing creates friction for teams that deploy frequently.
## What Stella Ops Suite Does
| Capability | Description |
|------------|-------------|
| **Release orchestration** | UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks; steps are hook-able with scripts and step providers |
| **Security decisioning as a gate** | Scan on build, evaluate on release, re-evaluate when vulnerability intelligence updates—without forcing re-scans |
| **OCI-digest-first releases** | A release is an immutable digest (or bundle of digests); track "what is deployed where" with integrity |
| **Toolchain-agnostic integrations** | Plug into any SCM, any CI, any registry, any secrets system; customers reuse their existing stack |
| **Auditability + standards** | Audit log + evidence packets (exportable), SBOM/VEX/attestation-friendly, standards-first approach |
## Core Strengths
| Strength | Why It Matters |
|----------|----------------|
| **Non-Kubernetes specialization** | Docker hosts, Compose, ECS, Nomad-style targets are first-class, not an afterthought |
| **Reproducibility** | Deterministic release decisions captured as evidence (inputs + policy hash + verdict + approvals) |
| **Attestability** | Produces and verifies release evidence/attestations (provenance, SBOM linkage, decision records) in standard formats |
| **Verity (integrity)** | Digest-based release identity; signature/provenance verification; tamper-evident audit trail |
| **Hybrid reachability** | Reachability-aware vulnerability prioritization (static + runtime signals) to reduce noise and focus on exploitable paths |
| **Cost that doesn't punish automation** | No per-project tax, no per-seat tax, no "deployments bill." Limits are only: (1) number of environments and (2) number of new digests analyzed per day |
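The reproducibility and verity rows above describe an evidence record built from inputs, a policy hash, a verdict and approvals, which can later be replayed and checked for tampering. The following is an added illustration of that idea, not code from the Stella Ops project; the record layout, the severity/VEX gate rule, the field names and all sample digests, policy and findings are constructed assumptions.

```python
import hashlib
import json

# Constructed sample inputs (not real images, policies or findings)
DIGESTS = ["sha256:" + hashlib.sha256(n.encode()).hexdigest() for n in ("api", "worker")]
POLICY = {"name": "prod-gate", "version": 3, "block_at": "high"}
FINDINGS = [
    {"id": "VULN-EXAMPLE-2", "severity": "high", "vex_status": "affected"},
    {"id": "VULN-EXAMPLE-1", "severity": "low", "vex_status": "affected"},
]
APPROVALS = ["release-manager@example.test", "security@example.test"]
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

def canonical(obj) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, so equal inputs hash equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def evaluate(policy: dict, findings: list) -> str:
    """Pure, deterministic gate: block when a finding at or above the threshold is not VEX not_affected."""
    threshold = SEVERITY_ORDER.index(policy["block_at"])
    for f in findings:
        if SEVERITY_ORDER.index(f["severity"]) >= threshold and f.get("vex_status") != "not_affected":
            return "blocked"
    return "allowed"

def build_evidence(digests: list, policy: dict, findings: list, approvals: list) -> dict:
    """Evidence record = inputs hash + policy hash + verdict + approvals, sealed by a record hash."""
    inputs = {"digests": sorted(digests), "findings": sorted(findings, key=lambda f: f["id"])}
    record = {
        "inputs_hash": sha256_hex(canonical(inputs)),
        "policy_hash": sha256_hex(canonical(policy)),
        "verdict": evaluate(policy, findings),
        "approvals": sorted(approvals),
    }
    record["record_hash"] = sha256_hex(canonical(record))
    return record

def verify_record_hash(record: dict) -> bool:
    """Tamper check on a stored record: recompute the seal over every field except the seal itself."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return sha256_hex(canonical(body)) == record.get("record_hash")

def replay(record: dict, digests: list, policy: dict, findings: list, approvals: list) -> bool:
    """Replay: rebuild the record from the original inputs and require an identical result."""
    return verify_record_hash(record) and build_evidence(digests, policy, findings, approvals) == record
```

Because inputs and approvals are sorted before hashing, the same release evaluated from a differently ordered feed produces the same record, while editing any field after the fact (for example flipping the verdict) breaks the seal.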
## Who Benefits
| Persona | Outcome |
|---------|---------|
| **Release managers** | Central control plane for promotions; clear approval workflows; audit-ready evidence |
| **Security engineering** | Security gates integrated into release flow; reachability-aware prioritization; VEX support |
| **Platform / SRE** | Deploy to Docker/Compose/ECS/Nomad with agents or agentless; rollback with confidence |
| **Compliance & risk** | Every release decision is cryptographically signed and replayable; export compliance reports |
| **DevOps / CI owners** | Integrate via webhooks; keep existing CI/SCM/registry; add release governance without replacing tools |
## Platform Capabilities
### Operational Today
- **Vulnerability scanning** with SBOM-first approach and delta-layer caching
- **Advisory ingestion** from multiple sources with aggregation-not-merge semantics
- **VEX support** for exploitability decisioning (OpenVEX + SPDX 3.0.1 relationships)
- **Policy engine** with lattice logic for explainable, deterministic verdicts
- **Attestation and signing** (DSSE/in-toto) with optional Sigstore Rekor transparency
- **Offline operations** via Offline Kit bundles for air-gapped deployments
- **Sovereign crypto profiles** (eIDAS, FIPS, GOST, SM)
### Planned (Release Orchestration)
- **Environment management** — Define Dev/Stage/Prod environments with freeze windows and approval policies
- **Release bundles** — Compose releases from component digests with semantic versioning
- **Promotion workflows** — DAG-based workflow engine with approvals, gates, and hooks
- **Deployment execution** — Agents for Docker, Compose, ECS, Nomad; agentless via SSH/WinRM
- **Progressive delivery** — A/B releases, canary deployments, traffic routing
- **Plugin system** — Three-surface plugin model for integrations, steps, and agents
- **Version stickers** — Tamper-evident deployment records on targets for drift detection
## Where to Go Next
- Ready to try it? Head to [quickstart.md](quickstart.md)
- Want capability details? Browse [key-features.md](key-features.md)
- Understand the architecture? See [ARCHITECTURE_OVERVIEW.md](ARCHITECTURE_OVERVIEW.md)
- Review the roadmap? Check [ROADMAP.md](ROADMAP.md)