git.stella-ops.org/docs/01_WHAT_IS_IT.md
2025-08-30 21:05:34 +00:00


# 1 · What Is StellaOps?

StellaOps is a self-hosted, SBOM-first DevSecOps platform that gives engineering and security teams instant (<5 s) feedback on container and artifact risk—even when they run completely offline.
It is built around five design pillars: modular, open, fast, local, and UI-controllable.


## 1. What the Product Does — 7-Point Snapshot

| # | Capability | What It Means in Practice |
| --- | --- | --- |
| 1 | SBOM-Centric Scanning | Generates and scans Software Bills of Materials (Trivy JSON, SPDX JSON, CycloneDX JSON); auto-detects the format and stores each SBOM as a blob. |
| 2 | Delta-SBOM Engine | Uploads an SBOM only for new layers; warm-cache image re-scans complete in <1 s. |
| 3 | Anonymous Internal Registry | Ships a built-in StellaOps.Registry so agents (Stella CLI, Zastava, SBOM-builder) can be pulled inside air-gapped networks without external credentials. |
| 4 | Policy-as-Code | Supports YAML rules today and OPA/Rego (StellaOps.MutePolicies) tomorrow—edited in the web UI, versioned in Mongo, enforced at scan time. |
| 5 | Pluggable Modules | Every scanner, exporter, or attestor is a hot-load .NET plugin (e.g., StellaOpsAttestor for SLSA/Rekor in the roadmap). |
| 6 | Horizontally Scalable | Stateless API backed by Redis & Mongo; optional Kubernetes charts for multi-node performance. |
| 7 | Sovereign & Localized | Localized UI, optional connectors to regional catalogues, and zero telemetry by default—ready for high-compliance, air-gapped deployments. |

> 🆓 Free tier update (July 2025): every self-hosted instance now includes {{ quota_token }} scans per UTC day.
> A yellow banner appears once you cross 200 scans (≈60% of quota).
> Past {{ quota_token }}, `/scan` responds with soft 5 s waits (graceful backoff), and may return 429 + Retry-After (to UTC midnight) after repeated hits.
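The free-tier behaviour described above (per-token counter that resets at UTC midnight, the yellow banner past 200 scans, 5 s graceful backoff once the 333-scan quota is exhausted, then 429 with a Retry-After pointing at UTC midnight) modelled as a small Python quota policy. This is an added illustration, not StellaOps code; the `Decision` type, the `FreeTierQuota` class and the number of over-quota hits tolerated before a 429 (`HARD_LIMIT_HITS`) are assumptions, since the page only says "repeated hits".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Free-tier figures stated on the page; HARD_LIMIT_HITS is an assumption,
# because the page only says that 429 follows "repeated hits" past the quota.
DAILY_QUOTA = 333        # scans per token per UTC day
WARN_AT = 200            # yellow banner once the count has crossed this (~60%)
SOFT_WAIT_SECONDS = 5    # graceful backoff applied to over-quota requests
HARD_LIMIT_HITS = 3      # assumed: over-quota hits tolerated before a 429

@dataclass
class Decision:
    status: int          # 200 = scan accepted, 429 = rejected until reset
    remaining: int       # scans left today (what a "remaining" header would carry)
    warn_banner: bool    # UI should show the yellow quota banner
    soft_wait: int       # seconds the backend delays the request before scanning
    retry_after: int     # Retry-After value (seconds to UTC midnight) on 429

@dataclass
class FreeTierQuota:
    """Per-token scan counter; all state starts over at UTC midnight."""
    counts: dict = field(default_factory=dict)  # token -> (utc_day, scans, over_hits)

    @staticmethod
    def seconds_to_utc_midnight(now: datetime) -> int:
        next_day = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
        return int((next_day - now).total_seconds())

    def check(self, token: str, now=None) -> Decision:
        now = now or datetime.now(timezone.utc)
        day = now.date()
        prev_day, scans, over_hits = self.counts.get(token, (day, 0, 0))
        if prev_day != day:
            scans, over_hits = 0, 0  # new UTC day: quota and backoff state reset
        if scans < DAILY_QUOTA:
            scans += 1
            self.counts[token] = (day, scans, over_hits)
            return Decision(200, DAILY_QUOTA - scans, scans > WARN_AT, 0, 0)
        over_hits += 1
        self.counts[token] = (day, scans, over_hits)
        if over_hits <= HARD_LIMIT_HITS:
            return Decision(200, 0, True, SOFT_WAIT_SECONDS, 0)  # still served, but slowed
        return Decision(429, 0, True, 0, self.seconds_to_utc_midnight(now))

def utc(year: int, month: int, day: int, hour: int) -> datetime:
    """Constructed clock values so the policy can be exercised offline."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)
```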


## 2. How It Works — End-to-End Flow (30-sec tour)

1. Build Phase
   The `sbom-builder` container runs inside CI, pulls base-layer metadata, and queries `/layers/missing`, receiving in ~20 ms the list of layers that still need SBOMs.
   - New layers ➟ SBOM generated ➟ `*.sbom.<type>` + `*.sbom.type` dropped next to the image tarball.

2. Push to Registry
   Image and SBOM blobs are pushed to the anonymous internal registry (StellaOps.Registry). Cosign tags are attached if enabled.

3. Scan Phase
   The Stella CLI agent pulls the SBOM blob and sends `/scan?sbomType=spdx-json` to the backend. If the flag is absent, the backend auto-detects the format.
   - Free-tier tokens inherit the 333-scan/day quota; response headers expose remaining scans and reset time.

4. Policy & Risk Evaluation
   The backend hydrates CVE data, merges any cached layer scores, and calls the Policy-as-Code engine:
   - YAML rules → built-in interpreter;
   - Rego policies (future) → embedded OPA.

5. Attestation & Transparency (Roadmap)
   StellaOpsAttestor signs results with SLSA provenance and records them in a local Rekor mirror for tamper-proof history.

6. Feedback Loop
   - CLI exits non-zero on a policy block.
   - UI dashboard shows findings, the quota banner, and per-token scan counters; triagers can mute findings or set expiry dates directly.


## 3. Why Such a Product Is Needed

> “Software supply-chain attacks have increased 742% over the past three years.” (Sonatype, 2024 State of the Software Supply Chain)

### Key Drivers & Regulations

| Driver | Detail & Obligation |
| --- | --- |
| Government SBOM Mandates | US EO 14028 & NIST SP 800-218 require suppliers to provide SBOMs.<br>• EU Cyber Resilience Act (CRA) will demand attestations of secure development by 2026. |
| SLSA & SSDF Frameworks | Industry pushes toward SLSA v1.0 levels 2-3 and NIST SSDF 1.1 controls, emphasising provenance and policy enforcement. |
| Transparency Logs | Sigstore Rekor gains traction as a standard for tamper-evident signatures—even for air-gapped replicas. |
| Offline & Sovereign Deployments | Critical-infra operators (finance, telecom, defence) must run security tooling without Internet access and with local language/VDB support. |
| Performance Expectations | Modern CI/CD pipelines trigger hundreds of image builds daily; waiting 30-60 s per scan is no longer acceptable—and now must be achieved within a 333-scan/day free quota. |

### Gap in Existing Tools

- SaaS-only scanners can't run in regulated or disconnected environments.
- Monolithic open-source scanners are hard-wired to Trivy or Syft formats, lacking delta optimisation.
- Few products expose Policy-as-Code with full UI editing and history audit in a single package.
- None address quota-aware throttling without hidden paywalls.

StellaOps fills this gap by combining speed, modular openness, sovereign readiness and transparent quota limits—making thorough supply-chain security attainable for every team, not just cloud-native startups.


Last updated: 14 Jul 2025