What is a container‑security scanner?

A container‑security scanner inspects every image layer before it ships. It fingerprints packages, libraries and configs, checks them against CVE feeds, secret‑leak patterns and licence data, then emits a cryptographically signed SBOM.

Vulnerability detection

Matches OS packages and language dependencies with OSV, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU, attaching CVE IDs, severities and safe upgrade hints.

Secrets & keys sweep

Scans files and env vars for API tokens, passwords or private keys — closing supply‑chain backdoors early.

Licence & compliance audit

Extracts SPDX IDs so legal teams avoid copyleft surprises and tick compliance check‑boxes automatically.

Misconfiguration checks

Flags dangerous Dockerfile habits (root users, latest tags, lax permissions).
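The three habits named above can each be caught by a static pass over the Dockerfile before the image is ever built. The checker below is an added illustration written for this page, not Stella Ops code; the two Dockerfiles it inspects are constructed samples, and the rule names (`latest-tag`, `root-user`, `world-writable`) are invented for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Dockerfiles for this demo; neither comes from the Stella Ops project.
RISKY_DOCKERFILE = """\
FROM python:latest
COPY . /app
RUN chmod 777 /app/run.sh
CMD ["/app/run.sh"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
COPY --chmod=0755 run.sh /app/run.sh
RUN useradd --system --uid 10001 app
USER 10001
CMD ["/app/run.sh"]
"""

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# Numeric modes in "RUN chmod [flags] MODE ..." and in "COPY/ADD --chmod=MODE".
_CHMOD_RE = re.compile(r"chmod\s+(?:-\S+\s+)*([0-7]{3,4})\b")
_CHMOD_FLAG_RE = re.compile(r"--chmod=([0-7]{3,4})\b")


def _image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None when no tag is given.

    Only the last path component is inspected, so a registry port such as
    registry:5000/app is not mistaken for a tag.
    """
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def _world_writable(mode: str) -> bool:
    """True when the octal mode grants write permission to 'others'."""
    return (int(mode, 8) & 0o002) != 0


def check_dockerfile(text: str) -> List[Finding]:
    """Flag unpinned base images, world-writable files and a root final user.

    Limitation (deliberate, to keep the example short): backslash line
    continuations and heredocs are not joined, so a chmod split across lines
    is not seen.
    """
    findings: List[Finding] = []
    last_user: Optional[str] = None
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            image = args.split()[0]  # drop any "AS stage" suffix
            if image != "scratch" and "@sha256:" not in image:
                tag = _image_tag(image)
                if tag is None or tag == "latest":
                    findings.append((lineno, "latest-tag",
                                     f"base image {image!r} is not pinned to a tag or digest"))
            last_user = None  # each build stage starts over as root
        elif instr == "USER":
            last_user = args.split()[0]
        elif instr == "RUN":
            for m in _CHMOD_RE.finditer(args):
                if _world_writable(m.group(1)):
                    findings.append((lineno, "world-writable", f"chmod {m.group(1)} grants write to everyone"))
        elif instr in ("COPY", "ADD"):
            for m in _CHMOD_FLAG_RE.finditer(args):
                if _world_writable(m.group(1)):
                    findings.append((lineno, "world-writable", f"--chmod={m.group(1)} grants write to everyone"))
    # Only the final stage's USER matters for the shipped image.
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append((len(lines), "root-user", "final stage has no non-root USER; processes run as root"))
    return findings


if __name__ == "__main__":
    for name, text in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(text))
```

Running it reports three findings for the risky file and none for the hardened one; the hardened version pins the base image to a specific tag (a digest pin is stronger still), copies the script with an explicit 0755 mode, and switches to a dedicated unprivileged user.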

Provenance & attestation

Produces signed SBOMs plus in‑toto / SLSA attestations so anyone can verify what ran and where it came from.

What exactly is Stella Ops?

Stella Ops is an SBOM‑first container‑security toolkit. It inspects every image layer (or an existing CycloneDX / SPDX SBOM), enriches the data with vulnerability, licence and secret‑leak intel, then produces a signed report you can trace back to the build.

Δ‑SBOM warm path

Only changed layers are rescanned — warm runs finish in < 5 s.

Nightly SBOM re‑check

Passed images are re‑evaluated against fresh CVE data while you sleep.
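Both the warm path and the nightly re-check rest on the same property: an OCI layer digest is a hash of the layer's content, so the package inventory of a layer is a pure function of its digest and can be cached for as long as the digest is unchanged. The example below, added for this page and not taken from Stella Ops, models that with a constructed in-memory "registry", a per-layer cache keyed by digest, and a constructed advisory list with a placeholder id (`EXAMPLE-0001`, not a real CVE). It also shows, in miniature, the vulnerability matching described earlier on this page: a stored SBOM is compared against fresh advisory data without unpacking any image.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a registry: layer digest -> layer blob. Real layers are
# tarballs; here a blob is simply a whitespace-separated list of "name=version".
REGISTRY: Dict[str, str] = {}


def digest(blob: str) -> str:
    """Content address of a layer, as an OCI-style sha256 digest string."""
    return "sha256:" + hashlib.sha256(blob.encode()).hexdigest()


def push_layer(blob: str) -> str:
    d = digest(blob)
    REGISTRY[d] = blob
    return d


# Two builds of the same image: only the top (application) layer differs.
BASE = push_layer("libc6=2.36 openssl=3.0.13")
RUNTIME = push_layer("python3=3.12.3 pip=24.0")
APP_V1 = push_layer("requests=2.31.0 myapp=1.0.0")
APP_V2 = push_layer("requests=2.32.3 myapp=1.1.0")
IMAGE_V1 = [BASE, RUNTIME, APP_V1]
IMAGE_V2 = [BASE, RUNTIME, APP_V2]

# Constructed advisories with placeholder ids (not real CVEs):
# (advisory id, package, first affected version, first fixed version).
ADVISORIES = [
    ("EXAMPLE-0001", "requests", "2.0.0", "2.32.0"),
]


class DeltaScanner:
    """Per-layer SBOM cache keyed by layer digest.

    An image scan fetches and inventories only layers whose digest has not
    been seen before; every other layer is served from the cache.
    """

    def __init__(self, fetch_blob: Callable[[str], str]):
        self.fetch_blob = fetch_blob
        self.layer_cache: Dict[str, Dict[str, str]] = {}
        self.fetches = 0  # expensive operations performed (blob fetch + inventory)

    def _inventory(self, layer_digest: str) -> Dict[str, str]:
        if layer_digest not in self.layer_cache:
            self.fetches += 1
            blob = self.fetch_blob(layer_digest)
            self.layer_cache[layer_digest] = dict(entry.split("=", 1) for entry in blob.split())
        return self.layer_cache[layer_digest]

    def scan_image(self, manifest: List[str]) -> Tuple[Dict[str, str], int]:
        """Return (merged SBOM as name -> version, number of layers rescanned).

        Layers are merged bottom-up so a package upgraded in an upper layer
        overrides the version recorded in a lower one. A real merge must also
        honour OCI whiteout files for deletions; that is omitted here.
        """
        before = self.fetches
        sbom: Dict[str, str] = {}
        for layer_digest in manifest:
            sbom.update(self._inventory(layer_digest))
        return sbom, self.fetches - before


def _ver(v: str) -> Tuple[int, ...]:
    # Simplistic dotted-integer version parse; adequate for the constructed data above.
    return tuple(int(part) for part in v.split("."))


def affected(sbom: Dict[str, str], advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Re-evaluate a stored SBOM against a (possibly newer) advisory feed.

    This is the nightly re-check: no image is unpacked, only the cached SBOM is
    compared with fresh advisory data.
    """
    hits = []
    for adv_id, name, introduced, fixed in advisories:
        if name in sbom and _ver(introduced) <= _ver(sbom[name]) < _ver(fixed):
            hits.append((adv_id, name, sbom[name]))
    return hits


if __name__ == "__main__":
    scanner = DeltaScanner(REGISTRY.__getitem__)
    sbom_v1, n = scanner.scan_image(IMAGE_V1)
    print(f"v1: {n} layers scanned, affected: {affected(sbom_v1)}")
    sbom_v2, n = scanner.scan_image(IMAGE_V2)
    print(f"v2: {n} layer(s) rescanned, affected: {affected(sbom_v2)}")
```

The first scan of `IMAGE_V1` inventories all three layers; scanning `IMAGE_V2` afterwards touches only the changed application layer, and re-evaluating either stored SBOM against the advisory list costs no layer fetches at all. The caching is sound only because the cache key is the content digest; keying on tag or image name would silently reuse stale results.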

Policy enforcement

Zastava “un‑allowed image” scanner and registry sweeps catch drift early (beta).

Provenance & attestation

SLSA attestation signed with cosign; SBOM ships inline.

Why do developers pick Stella Ops?

  • Seconds not minutes. Warm scans in < 5 s; cold scans stay under 30 s on a 4‑vCPU runner.
  • SaaS‑free by design. Runs on‑prem or fully air‑gapped — see Offline Kit.
  • Transparent quota. 33 scans/day anonymous; e‑mail token raises to 333. At 90% daily scan quota you get a polite reminder; performance is throttled but never blocked.
  • Compliance built‑in. SBOM, SLSA‑3 and EU CRA requirements mapped out on the public road‑map.

Token requests store the sender’s IP & e‑mail for up to seven days for abuse checks, then are salted‑hash archived.

Current & upcoming highlights

  • v0.1 α (2025): SBOM‑first engine, nightly re‑scan, Δ‑SBOM warm path.
  • v0.2 β (Q1 2026): Zastava un‑allowed‑image scanner, bulk Docker‑registry sweeps.
  • v0.3 β (Q2 2026): YAML/Rego policy‑as‑code, JSON & SARIF outputs.
  • v0.4 RC (Q3 2026): AI remediation advisor, LDAP / AD SSO.
  • v1.0 GA (Q4 2026): SLSA L3 provenance, signed plug‑in marketplace (loaded at start‑up).

Technology stack under the hood

| Layer | Tech | Why it matters |
| --- | --- | --- |
| Back‑end | .NET 10 LTS | High‑perf async IO, single static binary. |
| Front‑end | Angular 20 | Enterprise‑grade SPA with strict typing. |
| Container base | Distroless glibc | Tiny attack surface, reproducible digests. |

What’s in the UI?

  • Dashboard — live counters & vulnerability trends.
  • Reports — latest, personal and pipeline‑specific.
  • Settings — theme and report preferences.
  • Admin — vuln DB sync, Offline Kit import, JWT swap, pipeline mutes, users & roles.

Who builds Stella Ops?

Stella Ops is a public experiment: can one senior engineer, plus today’s AI tooling, ship a full‑featured scanner without VC funding?

All design docs, commits and benchmarks are in the open. Early adopters steer the scope and keep the project honest.

Join #stellaops on Matrix or file issues on our self‑hosted forge.