9e5e958d42
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys. - Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations. - Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
40 lines
2.8 KiB
Markdown
40 lines
2.8 KiB
Markdown
# Stella Ops – 2‑Minute Overview
|
||
|
||
## The Problem We Solve
|
||
|
||
- **Supply-chain attacks exploded 742 % in three years;** regulated teams still need to scan hundreds of containers a day while disconnected from the public Internet.
|
||
- **Existing scanners trade freedom for SaaS:** no offline feeds, hidden quotas, noisy results that lack exploitability context.
|
||
- **Audit fatigue is real:** Policy decisions are opaque, replaying scans is guesswork, and trust hinges on external transparency logs you do not control.
|
||
|
||
## The Promise
|
||
|
||
Stella Ops delivers **deterministic, sovereign container security** that works the same online or fully air-gapped:
|
||
|
||
1. **Deterministic replay manifests** (SRM) prove every scan result, so auditors can rerun evidence and see the exact same outcome.
|
||
2. **Lattice policy engine + OpenVEX** keeps findings explainable; exploitability, attestation, and waivers merge into one verdict.
|
||
3. **Sovereign crypto profiles** let you anchor signatures to eIDAS, FIPS, GOST, or SM roots, mirror your feeds, and keep Sigstore-compatible transparency logs offline.
|
||
|
||
## Core Capability Clusters
|
||
|
||
| Cluster | What you get | Why it matters |
|
||
|---------|--------------|----------------|
|
||
| **SBOM-first scanning** | Delta-layer SBOM cache, sub‑5 s warm scans, Trivy/CycloneDX/SPDX ingestion + dependency cartographing | Speeds repeat scans 10× and keeps SBOMs the source of truth |
|
||
| **Explainable policy** | OpenVEX + lattice logic, policy engine for custom rule packs, waiver expirations | Reduces alert fatigue, supports alert muting beyond VEX, and shows why a finding blocks deploy |
|
||
| **Attestation & provenance** | DSSE bundles, optional Rekor mirror, DSSE → CLI/UI exports | Lets you prove integrity without relying on external services |
|
||
| **Offline operations** | Offline Update Kit bundles, mirrored feeds, quota tokens verified locally | Works for sovereign clouds, SCIFs, and heavily regulated sectors |
|
||
| **Governance & observability** | Structured audit trails, quota transparency, per-tenant metrics | Keeps compliance teams and operators in sync without extra tooling |
|
||
|
||
## Who Benefits
|
||
|
||
| Persona | Outcome in week one |
|
||
|---------|--------------------|
|
||
| **Security engineering** | Deterministic replay + explain traces | cuts review time, keeps waivers honest |
|
||
| **Platform / SRE** | Fast scans, local registry, no Internet dependency | fits pipelines and air-gapped staging |
|
||
| **Compliance & risk** | Signed SBOMs, provable quotas, legal/attestation docs | supports audits without custom tooling |
|
||
|
||
## Where to Go Next
|
||
|
||
- Ready to pull the containers? Head to [quickstart.md](quickstart.md).
|
||
- Want the capability detail? Browse the five cards in [key-features.md](key-features.md).
|
||
- Need to evaluate fit and build a rollout plan? Grab the [evaluation checklist](evaluate/checklist.md).
|