Getting Started

Installation Guide

Stella Ops Suite supports two ways to get started: a Docker Compose setup for connected hosts and a fully offline path for sovereign networks.

What you will achieve

After following these steps you will have Stella Ops running, your first image scanned for vulnerabilities with reachability filtering, and a signed Decision Capsule exported as audit evidence.

Available now: Build from source with the free tier (3 environments, 999 scans/month). Pre-built signed images and Offline Kit bundles are available to early-access applicants. Production use requires a paid plan (Plus or Pro). Build from source →

1 · Checklist before you begin

Platform

Ubuntu 22.04 LTS or Alma 9 (x86‑64/arm64).

Resources

2 vCPU, 2 GiB RAM, 10 GiB SSD for the cache and evidence store.

Docker

Engine 25 with Compose v2. Run docker -v to verify.

Verification keys

Import the Cosign/PGP keys from /keys/.

Option A: Connected install (Docker Compose)

  1. 1

    Download compose files

    Fetch the signed Compose files and example .env from https://get.stella-ops.org/releases/latest/.

  2. 2

    Verify signatures

    Verify each file with Cosign using the public key at /keys/cosign.pub.

  3. 3

    Configure and launch

    Copy .env.example to .env, set admin credentials, then run the infrastructure and suite stacks.

  4. 4

    Access the console

    Open https://<host>:8443 (self-signed cert). Default login: admin/changeme.

See the Quickstart for the exact commands.

Option B: Offline install

Every release ships a signed bundle that mirrors feeds, plugins, and optional telemetry collectors (disabled by default).

  1. 1

    Download and verify

    Fetch the kit plus signature and manifest. Verify with Cosign before transfer.

  2. 2

    Transfer

    Move the verified bundle to your air-gapped site via approved medium (USB, courier, drop box).

  3. 3

    Import

    Run stella offline-kit import or use the Console. Feeds swap in under three seconds.

The kit includes cached evidence inputs and regional vulnerability snapshots.

Read the Offline Kit guide Sovereign deployment

4 · Optional access token (pre-built images + managed updates)

If you want pre-built images and managed updates, request a signed token at /register/. Self-built distributions do not require a token.

(Free tier includes 999 scans/month and 3 environments — see /offer/.)

Terminal
$ docker compose --env-file .env -f docker-compose.stella-ops.yml exec stella-ops stella set-jwt <JWT_FROM_REGISTER>
 Access token validated
 Token bound to instance
Updates and pre-built images now available

Next steps

Run the quickstart Explore features

Browse documentation