Air-Gap Ready

Run Stella Ops on Air‑Gapped Networks

One signed Offline Kit bundle plus an operator runbook delivers feeds, images, and provenance so Stella Ops runs 100% offline behind the strictest perimeter.

Start verified trial Read the Offline Kit guide

What the kit enables

The Offline Update Kit includes an installable bundle and runbook so air-gapped deployments keep parity with connected environments.

  • Full vulnerability scanning with up-to-date advisories from 33+ sources
  • ReachabilityAnalysis that proves whether vulnerable code is actually called by your application — filtering out false positives from scanner noise analysis and VEXVulnerability Exploitability eXchange - machine-readable statements about whether vulnerabilities are actually exploitable in your context-aware risk filtering without internet access
  • Policy-gated promotions with signed Decision Capsules for every release
  • Deterministic replay and audit verification — no network required

1 · What's inside

Curated advisories

Global feeds plus regional sources (CNNVD, JVN, ENISA, BDU) preserved as individual signed snapshots so policy can trust or ignore each one independently.

Preloaded runtime

Scanner, Zastava, and supporting images for x86‑64 and arm64 ready to mirror into your registry.

Provenance & SBOM

Cosign signatures, DSSE attestations, and SPDX SBOMs that prove what you imported.

Delta updates

Compact daily patches keep the kit fresh without hauling gigabytes across the perimeter.

Detailed kit contents

Vulnerability Feeds

  • NVDNational Vulnerability Database - the U.S. government repository of standards-based vulnerability data (NIST)
  • OSVOpen Source Vulnerabilities - a distributed vulnerability database for open source projects (Google)
  • CISACybersecurity and Infrastructure Security Agency - U.S. federal agency responsible for cybersecurity guidance and vulnerability catalogs KEVKnown Exploited Vulnerabilities - CISA's catalog of vulnerabilities actively exploited in the wild
  • → GitHub Advisories
  • → CNNVD (China)
  • JVNJapan Vulnerability Notes - Japan's vulnerability database managed by JPCERT/CC and IPA (Japan)
  • → ENISA (EU)
  • → BDU (Russia)
  • → 33+ regional sources

Container Images

  • → stella-scanner (x86-64, arm64)
  • → zastava runtime
  • → console-ui
  • → authority service
  • → supporting services

Signatures & Provenance

  • CosignContainer signing tool from Sigstore project for signing and verifying container images and artifacts signatures for all artifacts
  • DSSEDead Simple Signing Envelope - a simple, flexible standard for signing arbitrary data with cryptographic signatures attestations
  • SPDXSoftware Package Data Exchange - another open standard format for SBOMs, widely used in open source SBOMs for every image
  • → Manifest checksums (SHA-256)
  • → Timestamp proofs

Runbooks & Automation

  • → Import automation scripts
  • → Multi-site sync playbooks
  • → Verification checklists
  • → Rollback procedures
  • → Compliance templates

Three steps to update

  1. 1

    Download and verify

    Fetch the latest kit and signature on a connected mirror. Verify with your Cosign public key before transfer.

  2. 2

    Transfer to air-gapped site

    Use your approved channel: USB, courier, or controlled rsync drop box. Unsigned bundles never cross the boundary.

  3. 3

    Import

    Run stella offline-kit import or use the Console UI. Feeds swap in under three seconds with zero downtime.

Terminal
$ stella offline-kit import stella-ouk-2026-01-20.tar.gz --verify
Verifying bundle signature... OK
Importing vulnerability feeds... 33 sources updated
Importing container images... 12 images loaded
Importing provenance data... OK

Offline Kit imported successfully
Knowledge snapshot: 2026-01-20T00:00:00Z
Next update recommended: 2026-01-27

Automation scripts, manifest audits, and troubleshooting live in the <a href="/docs/offline_kit/" class="link">Offline Kit guide</a>.

Keep multiple sites in sync

  1. 1

    Schedule downloads

    Configure cron on a connected mirror to fetch the latest kit on your preferred cadence.

  2. 2

    Distribute via approved channel

    Transfer to each site via USB, courier, or controlled drop box per your security policy.

  3. 3

    Import per change window

    Each air-gapped site imports independently according to its own maintenance schedule.

Before you import

  • Log the bundle ID and manifest hash for your compliance trail
  • Verify the CosignContainer signing tool from Sigstore project for signing and verifying container images and artifacts signature matches your trusted public key
  • Rotate the free quota token on your schedule; validation stays offline
  • Store a clean copy in a tamper-evident vault for quick reissue

Keep your air-gapped deployment current

Start verified trial Read the Offline Kit guide

Sovereign deployment · Operations overview