About Stella Ops
Stella Ops is an open-source, SBOM-first toolkit for deterministic, evidence-linked vulnerability decisions. It focuses on replayability and verifiable evidence - not "scan everything" checklists.
Project mission
Build a security workflow where a vulnerability decision is something you can replay, verify, and explain - even months later, even offline.
The short version: Stella Ops treats SBOMs and attestations as first-class inputs, produces signed evidence as first-class outputs, and makes "proof not promises" the default posture.
What Stella Ops is (and what it isn't)
It is:
- Deterministic replay via SRM (Deterministic Replay Manifests)
- Signed reachability evidence (graphs/attestations) that can be verified independently
- Evidence-linked VEX decisions with explainable paths
- Offline-first operation and sovereign crypto profiles
It is not:
- A broad "everything scanner" that claims secrets scanning, misconfiguration scanning, and license audit coverage by default
- A SaaS-only black box that requires external services to validate your results
For a capability-by-capability breakdown (with sources), use /features/.
How to verify releases, keys, and evidence
Project keys are pinned at /keys/. When artifacts are published, verification is designed to work online or offline.
- Cosign public key: pgp.asc (SHA-256: 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723)
- PGP public key: pgp.asc (SHA-256: 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723)
- Security policy: /security/
Example (Cosign):
cosign verify \
--key https://stella-ops.org/keys/cosign.pub \
registry.stella-ops.org/stella-ops/stella-ops:<VERSION>
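The cosign command above trusts whatever key is served from /keys/; the step that makes that safe offline is checking the downloaded key against the fingerprint pinned on the page before using it. The script below is an added example, not Stella Ops project code: it assumes curl and cosign are installed, takes the key URL and image tag from the command above, and the fingerprint you pass should be the one pinned at /keys/ for cosign.pub (the fingerprint used in the usage note is a constructed sample).

```shell
#!/bin/sh
# Added example (not Stella Ops project code): pin a downloaded key by SHA-256
# before handing it to cosign, so a replaced key on /keys/ is caught offline.

# Normalize a fingerprint as printed on the page ("9BCF 5D1D ..." in spaced,
# upper-case groups) into bare lower-case hex for a byte-for-byte comparison.
normalize_fp() {
  printf '%s' "$1" | tr -d ' \n' | tr 'A-Z' 'a-z'
}

# Compute the SHA-256 digest of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Exit status 0 when the file's digest equals the pinned fingerprint, 1 otherwise.
check_pinned_key() {
  file="$1"; pinned="$2"
  [ "$(sha256_of "$file")" = "$(normalize_fp "$pinned")" ]
}

# Download the key, refuse to continue on a fingerprint mismatch, then verify
# the image with cosign using the local, pinned copy of the key.
# Usage: verify_release https://stella-ops.org/keys/cosign.pub "<PINNED FP>" \
#            registry.stella-ops.org/stella-ops/stella-ops:<VERSION>
verify_release() {
  key_url="$1"; pinned="$2"; image="$3"
  key_file="${TMPDIR:-/tmp}/cosign.pub"
  curl -fsSL "$key_url" -o "$key_file" || return 2
  if ! check_pinned_key "$key_file" "$pinned"; then
    echo "refusing to verify: key at $key_url does not match pinned fingerprint" >&2
    return 1
  fi
  cosign verify --key "$key_file" "$image"
}
```

Keep the pinned fingerprint in your own tooling or a signed checklist rather than re-reading it from the same site that serves the key; the check only adds assurance when the two come from different places.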
Governance, licensing, and project status
- License: AGPL-3.0-or-later (details)
- Governance: /governance/
- Roadmap: /roadmap/
- Community: /community/
Contact and responsible disclosure
For security-sensitive contact and vulnerability reporting, follow the process in /security/. Keys for signed mail and verification are pinned at /keys/.
For general discussion and support channels, start at /community/.