- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
# Stella Ops – 2-Minute Overview

## The Problem We Solve
- Supply-chain attacks exploded 742% in three years, yet regulated teams still need to scan hundreds of containers a day while disconnected from the public Internet.
- Existing scanners trade freedom for SaaS: no offline feeds, hidden quotas, and noisy results that lack exploitability context.
- Audit fatigue is real: policy decisions are opaque, replaying scans is guesswork, and trust hinges on external transparency logs you do not control.
## The Promise
Stella Ops delivers deterministic, sovereign container security that works the same online or fully air-gapped:
- Deterministic replay manifests (SRM) prove every scan result, so auditors can rerun evidence and see the exact same outcome.
- Lattice policy engine + OpenVEX keeps findings explainable; exploitability, attestation, and waivers merge into one verdict.
- Sovereign crypto profiles let you anchor signatures to eIDAS, FIPS, GOST, or SM roots, mirror your feeds, and keep Sigstore-compatible transparency logs offline.
## Core Capability Clusters
| Cluster | What you get | Why it matters |
|---|---|---|
| SBOM-first scanning | Delta-layer SBOM cache, sub-5 s warm scans, Trivy/CycloneDX/SPDX ingestion + dependency cartography | Speeds repeat scans 10× and keeps SBOMs the source of truth |
| Explainable policy | OpenVEX + lattice logic, policy engine for custom rule packs, waiver expirations | Reduces alert fatigue, supports alert muting beyond VEX, and shows why a finding blocks deploy |
| Attestation & provenance | DSSE bundles, optional Rekor mirror, DSSE → CLI/UI exports | Lets you prove integrity without relying on external services |
| Offline operations | Offline Update Kit bundles, mirrored feeds, quota tokens verified locally | Works for sovereign clouds, SCIFs, and heavily regulated sectors |
| Governance & observability | Structured audit trails, quota transparency, per-tenant metrics | Keeps compliance teams and operators in sync without extra tooling |
## Who Benefits
| Persona | Outcome in week one |
|---|---|
| Security engineering | Deterministic replay + explain traces |
| Platform / SRE | Fast scans, local registry, no Internet dependency |
| Compliance & risk | Signed SBOMs, provable quotas, legal/attestation docs |
## Where to Go Next
- Ready to pull the containers? Head to quickstart.md.
- Want the capability detail? Browse the five cards in key-features.md.
- Need to evaluate fit and build a rollout plan? Grab the evaluation checklist.