stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
9e5e958d42ecddbe3e5a321ea0c0d31d1088ce20
git.stella-ops.org/docs/quickstart.md
master 9e5e958d42
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries 
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
2025-10-31 14:33:05 +02:00

94 lines
3.6 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Quickstart First Scan in Five Minutes
> **Status:** public α image ships late2025 (`registry.stella-ops.org/stella-ops/stella-ops:0.1.0-alpha`). Commands below are ready the moment the tag lands.
## 0. Prerequisites (1 min)
| Requirement | Minimum | Notes |
|-------------|---------|-------|
| OS | Ubuntu22.04 LTS / Alma9 | x8664 or arm64 |
| Docker | Engine25 + Composev2 | `docker -v` |
| Resources | 2vCPU / 2GiB RAM / 10GiB SSD | Fits developer laptops |
| TLS trust | Built-in self-signed or your own certs | Replace `/certs` before production |
Keep Redis and MongoDB bundled unless you already operate managed instances.
## 1. Download the signed bundles (1 min)
```bash
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml
curl -LO https://get.stella-ops.org/docker-compose.infrastructure.yml.sig
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml
curl -LO https://get.stella-ops.org/docker-compose.stella-ops.yml.sig
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature docker-compose.infrastructure.yml.sig \
docker-compose.infrastructure.yml
cosign verify-blob \
--key https://stella-ops.org/keys/cosign.pub \
--signature docker-compose.stella-ops.yml.sig \
docker-compose.stella-ops.yml
```
*Air-gapped?* The [Offline Update Kit](24_OFFLINE_KIT.md) ships these files plus feeds and plug-ins.
## 2. Configure `.env` (1 min)
Create `.env` with the essentials:
```dotenv
STELLA_OPS_COMPANY_NAME="Acme Corp"
STELLA_OPS_DEFAULT_ADMIN_USERNAME="admin"
STELLA_OPS_DEFAULT_ADMIN_PASSWORD="change-me!"
MONGO_INITDB_ROOT_USERNAME=stella_admin
MONGO_INITDB_ROOT_PASSWORD=$(openssl rand -base64 18)
MONGO_URL=mongodb
REDIS_PASSWORD=$(openssl rand -base64 18)
REDIS_URL=redis
```
Use existing Redis/Mongo endpoints by setting `MONGO_URL` and `REDIS_URL`. Keep credentials scoped to StellaOps; Redis counters enforce the transparent quota (`{{ quota_token }}` scans/day).
## 3. Launch services (1 min)
```bash
docker compose --env-file .env -f docker-compose.infrastructure.yml up -d
docker compose --env-file .env -f docker-compose.stella-ops.yml up -d
```
- `StellaOps.Authority` issues short-lived OpToks for CLI/UI.
- `StellaOps.Scanner` hosts `/scan`, queues work to Workers.
- `StellaOps.Policy.Engine` and `StellaOps.Concelier` start with seeded policies, feeds sync in the background.
## 4. Run your first scan (1 min)
```bash
stella auth login --device-code
stella scan image \
--image registry.stella-ops.org/demo/juice-shop:latest \
--sbom-type cyclonedx-json
```
- Expect `<5s` warm scans once the Delta SBOM cache is primed.
- CLI exits non-zero if lattice policy blocks the image; use `stella policy explain --last` for context.
- Headers `X-Stella-Quota-Remaining` and the UI banner keep quota usage transparent.
## 5. Verify & explore (1 min)
- Check the Console (`https://localhost:8443`) to view findings, VEX evidence, and deterministic replay manifests.
- Export the DSSE bundle: `stella export run --format dsse`.
- Capture evidence for audit: `stella attest bundle --output demo.dsse.json`.
### Sovereign mode in one click
- Import the Offline Update Kit (`stella offline-kit import ./stella-ouk-2025-alpha.tar.gz`) to replace every external feed.
- Apply a CryptoProfile (`stella authority crypto apply ./profiles/fips.yaml`) to swap signing algorithms without rebuilding.
### Next steps
- Harden the deployment with [`17_SECURITY_HARDENING_GUIDE.md`](17_SECURITY_HARDENING_GUIDE.md).
- Explore feature highlights in [`key-features.md`](key-features.md).
- Plan the rollout using the [evaluation checklist](evaluate/checklist.md).
Reference in New Issue View Git Blame Copy Permalink