Run Stella Ops on Air‑Gapped Networks
The Offline Update Kit (OUK) rolls CVE feeds, images and signatures into a single, cryptographically sealed tarball—no Internet, no external dependencies.
1 · What ships in the bundle
- Vulnerability feeds: Merged OSV, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU.
- Signed provenance: cosign & in‑toto attestations. SPDX SBOM covers every byte.
- Nightly delta patches: Keeps bundle < 350 MB while staying T‑1 day fresh.
- Registry mirror: Pre‑loaded scanner & Zastava images for both x86‑64 / arm64.
* Regional feeds are enabled via settings.yaml.
2 · Download & verify
curl -LO https://get.stella-ops.org/releases/latest/stella-ops-offline-update-kit-2025-12-15.tgz
curl -LO https://get.stella-ops.org/releases/latest/stella-ops-offline-update-kit-2025-12-15.tgz.sig
cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature stella-ops-offline-update-kit-2025-12-15.tgz.sig \
  stella-ops-offline-update-kit-2025-12-15.tgz
Verification prints OK and the bundle’s SHA‑256 digest; cross‑check against the release notes.
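The two checks from this step (signature, then the SHA‑256 cross‑check against the release notes) combined into one gate, as an added example that is not Stella Ops code. It assumes the public key has been saved to a local file; the script name verify-ouk.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Stella Ops.
# Assumptions: the cosign public key is available as a local file, and the
# expected digest is copied by hand from the release notes.

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest equals the expected value (case-insensitive),
# 1 on mismatch, 2 if the expected value is malformed or the file is missing.
digest_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) return 2 ;;   # not hex: likely a copy/paste error
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Signature first, digest second; any failure stops before import.
verify_bundle() {
    bundle=$1; key=$2; expected=$3
    cosign verify-blob --key "$key" --signature "$bundle.sig" "$bundle" || {
        echo "signature check failed: $bundle" >&2; return 1; }
    digest_matches "$bundle" "$expected" || {
        echo "digest mismatch or malformed expected value: $bundle" >&2; return 1; }
    echo "bundle verified: $bundle"
}

# Usage: sh verify-ouk.sh <bundle.tgz> <cosign.pub> <sha256-from-release-notes>
if [ "$#" -eq 3 ]; then
    verify_bundle "$1" "$2" "$3"
fi
```

Run the import in step 3 only when this script exits 0.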
3 · Import in one command
docker compose --env-file .env -f docker-compose.stella-ops.yml \
  exec stella admin import-offline-update-kit stella-ops-offline-update-kit-2025-12-15.tgz
- Scanner validates Cosign signature before activation.
- DB switch is atomic—no downtime needed.
4 · How the quota works offline
• Anonymous mode: 33 scans per UTC day.
• Free token: email token@stella-ops.org — unlocks 333 scans/day.
Hitting 90 % of the daily scan quota triggers a gentle reminder and throttles speed, but never blocks your pipeline.
See token documentation.
5 · Sovereign roadmap highlights
Full detail lives on the public roadmap.