Finish scans before your coffee cools ☕️
Stella Ops completes a warm SBOM‑first scan in ≈ 5 s on a 4‑vCPU runner and keeps cold‑path “first run” images below 30 s. Less waiting, more shipping.
How we squeeze the seconds out
SBOM‑first fast‑path
If your build already emits an SPDX or CycloneDX SBOM, Stella Ops skips layer unpacking and jumps straight to CVE correlation.
Δ‑SBOM diff engine
Only what changed gets re‑analysed. A 10‑layer image with one updated library scans in ≈ 1 s.
Hot cache
Redis LRU keeps the last 2 048 SBOMs in RAM — 0.3 ms look‑up for repeat builds.
Parallel walkers
.NET 10 LTS async pipelines overlap layer de‑compression with vuln‑look‑ups.
Real‑world benchmarks (4 vCPU / 8 GiB VM)
| Image (public) | Scenario | Stella Ops v0.1‑α | Trivy 0.51 |
|---|---|---|---|
| nginx:1.26‑alpine | warm SBOM | 4.7 s | 12.4 s |
| python:3.12‑slim | cold (Δ‑SBOM off) | 18.9 s | 31.8 s |
| bank‑api:prod@sha256:… | Δ‑SBOM (1‑layer delta) | 1.2 s | 15.0 s |
Figures averaged over 20 runs; full methodology lives in the benchmarks repo.
5 s
Warm‑path average scan time
Do I need to ship an SBOM?
No — Stella Ops can generate one, but providing CycloneDX or SPDX during the build shaves 60 – 80 % off runtime.Read more
Do I need to ship an SBOM?
No — Stella Ops can generate one, but providing CycloneDX or SPDX during the build shaves 60 – 80 % off runtime.
Read moreNo — Stella Ops can generate one, but providing CycloneDX or SPDX during the build shaves 60 – 80 % off runtime.
How does Δ‑SBOM stay accurate?
Each layer digest is hashed; if any layer differs, Stella Ops falls back to a full scan to prevent false‑negatives, then caches the fresh SBOM.Read more
How does Δ‑SBOM stay accurate?
Each layer digest is hashed; if any layer differs, Stella Ops falls back to a full scan to prevent false‑negatives, then caches the fresh SBOM.
Read moreEach layer digest is hashed; if any layer differs, Stella Ops falls back to a full scan to prevent false‑negatives, then caches the fresh SBOM.