- Supply-chain attacks grew 742% in three years; regulated teams still need to scan hundreds of containers a day while disconnected from the public Internet.
- Existing scanners trade freedom for SaaS: no offline feeds, hidden quotas, noisy results that lack exploitability context.
- Audit fatigue is real: policy decisions are opaque, replaying scans is guesswork, and trust hinges on external transparency logs you do not control.
Stella Ops delivers deterministic, sovereign container security that works the same online or fully air-gapped:
- Deterministic replay manifests (SRM) prove every scan result, so auditors can rerun evidence and see the exact same outcome.
- Lattice policy engine + OpenVEX keeps findings explainable; exploitability, attestation, and waivers merge into one verdict.
- Sovereign crypto profiles let you anchor signatures to eIDAS, FIPS, GOST, or SM roots, mirror your feeds, and keep Sigstore-compatible transparency logs offline.
| Cluster | What you get | Why it matters |
|---|---|---|
| SBOM-first scanning | Delta-layer SBOM cache, sub‑5 s warm scans, Trivy/CycloneDX/SPDX ingestion + dependency cartographing | Speeds repeat scans 10× and keeps SBOMs the source of truth |
| Explainable policy | OpenVEX + lattice logic, policy engine for custom rule packs, waiver expirations | Reduces alert fatigue, supports alert muting beyond VEX, and shows why a finding blocks deploy |
| Attestation & provenance | DSSE bundles, optional Rekor mirror, DSSE → CLI/UI exports | Lets you prove integrity without relying on external services |
| Offline operations | Offline Update Kit bundles, mirrored feeds, quota tokens verified locally | Works for sovereign clouds, SCIFs, and heavily regulated sectors |
| Governance & observability | Structured audit trails, quota transparency, per-tenant metrics | Keeps compliance teams and operators in sync without extra tooling |
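What "prove integrity without relying on external services" means in practice for the DSSE bundles in the table above: an offline verifier recomputes the DSSE pre-authentication encoding (PAE) over the payload type and payload and checks the signature against keys it already trusts. The following is an added example written for this page, not Stella Ops code; the in-toto statement, the `registry.example` subject and the component list are constructed, and HMAC-SHA256 stands in for the asymmetric signing algorithm (Ed25519, or an eIDAS/FIPS-profile key) a real bundle would carry, so that the script runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: a minimal in-toto statement wrapping an SBOM fragment.
# Values are illustrative, not output of any real scanner.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app:1.0",
                 "digest": {"sha256": "a" * 64}}],
    "predicateType": "https://cyclonedx.org/bom",
    "predicate": {"components": [{"name": "openssl", "version": "3.0.13"}]},
}
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Stand-in key (assumption for this example): production bundles are signed
# with an asymmetric key; HMAC is used here only so the example needs no
# third-party library.
DEMO_KEY = b"demo-key-not-for-production"
DEMO_KEYID = "demo-hmac-key"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
    Binding the type into the signed bytes stops an attacker re-labelling a
    signed payload as a different document kind."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def canonical_json(obj: dict) -> bytes:
    """Stable serialisation so sign and verify see identical payload bytes."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Produce a DSSE envelope: base64 payload plus one signature over the PAE."""
    payload = canonical_json(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, trusted_keys: dict) -> Optional[dict]:
    """Return the decoded statement if at least one signature verifies against
    a key the verifier already holds; None otherwise. Signatures from unknown
    keyids are skipped rather than trusted, so verification never needs a
    network lookup."""
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is None:
            continue
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return json.loads(payload)
    return None


def tamper_payload(envelope: dict) -> dict:
    """Copy of the envelope with one component version rewritten in the
    payload; the original signature is left in place."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["predicate"]["components"][0]["version"] = "1.0.2u"
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(canonical_json(stmt)).decode()
    return forged


if __name__ == "__main__":
    env = sign_envelope(SAMPLE_STATEMENT, DEMO_KEY, DEMO_KEYID)
    keys = {DEMO_KEYID: DEMO_KEY}
    print("genuine verifies:", verify_envelope(env, keys) is not None)
    print("tampered verifies:", verify_envelope(tamper_payload(env), keys) is not None)
```

The check needs only the envelope and the verifier's own key set; a mirrored transparency log, as the optional Rekor mirror in the table provides, adds an inclusion proof on top of this but is not required for the signature itself to be checked air-gapped.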
| Persona | Outcome in week one |
|---|---|
| Security engineering | Deterministic replay + explain traces |
| Platform / SRE | Fast scans, local registry, no Internet dependency |
| Compliance & risk | Signed SBOMs, provable quotas, legal/attestation docs |