What is a container-security scanner?
A container-security scanner examines every layer of an image (or an SBOM you already have), compares it with trusted vulnerability data, and emits a signed report so you can prove what was shipped.
Vulnerability detection
Matches OS packages and language dependencies against OSV, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU, attaching CVE IDs, severities and safe upgrade hints.
Secrets & keys sweep
Scans files and environment variables for API tokens, passwords and private keys so that leaked credentials are caught before the image ships.
Licence & compliance audit
Extracts SPDX licence identifiers so legal teams avoid copyleft surprises and compliance check-boxes are ticked automatically.
Misconfiguration checks
Flags dangerous Dockerfile habits such as running as root, unpinned latest tags and overly permissive file modes.
Provenance & attestation
Produces signed SBOMs plus in-toto / SLSA attestations so anyone can verify what ran and where it came from.
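The vulnerability-detection step above, as an added example that is not Stella Ops code or any code from this page: it reads a hand-constructed CycloneDX-style SBOM, matches each component's purl against a hand-constructed OSV-style advisory list using introduced/fixed version events, and reports the first fixed version as the upgrade hint. Both formats are real; the packages, versions and EXAMPLE-* advisory IDs are made up, and the version comparison is deliberately simplified.

```python
"""Match an SBOM's components against OSV-style advisories (illustrative, not Stella Ops code).

The SBOM below is a hand-constructed CycloneDX-style document and the advisories
are a hand-constructed OSV-style list: the formats are real, the packages,
versions and EXAMPLE-* advisory IDs are made up.
"""
import json
import re

# Constructed SBOM: two OS packages and one language dependency, identified by purl.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/debian/openssl@3.0.2"},
        {"name": "zlib1g", "version": "1.2.13", "purl": "pkg:deb/debian/zlib1g@1.2.13"},
        {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    ],
})

# Constructed OSV-style advisories: affected package plus introduced/fixed events.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "severity": "HIGH", "affected": [
        {"package": {"ecosystem": "Debian", "name": "openssl"},
         "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.7"}]}]}]},
    {"id": "EXAMPLE-2023-0002", "severity": "MEDIUM", "affected": [
        {"package": {"ecosystem": "PyPI", "name": "requests"},
         "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}]},
    {"id": "EXAMPLE-2022-0003", "severity": "LOW", "affected": [
        {"package": {"ecosystem": "Debian", "name": "zlib1g"},
         "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.12"}]}]}]},
]

# purl type -> OSV ecosystem name, for the types this example needs.
PURL_ECOSYSTEM = {"deb": "Debian", "pypi": "PyPI", "npm": "npm", "golang": "Go"}


def parse_purl(purl):
    """Return (ecosystem, name, version) from a package URL.

    pkg:deb/debian/openssl@3.0.2 -> ("Debian", "openssl", "3.0.2").
    Namespaces are skipped; qualifiers (?...) and subpaths (#...) are dropped.
    """
    m = re.match(r"pkg:([^/]+)/(?:[^/@]+/)*([^/@]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"unparseable purl: {purl}")
    ptype, name, version = m.groups()
    return PURL_ECOSYSTEM.get(ptype, ptype), name, version


def version_key(v):
    """Split a dotted version into a comparable tuple, numeric parts as ints.

    Sufficient for the versions here; a real scanner must use each ecosystem's
    own ordering (dpkg epochs and tildes, PEP 440, semver pre-releases).
    """
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.\-+]", v))


def is_affected(version, events):
    """OSV event semantics: affected if introduced <= version and (no fixed or version < fixed)."""
    introduced = next((e["introduced"] for e in events if "introduced" in e), "0")
    fixed = next((e["fixed"] for e in events if "fixed" in e), None)
    vk = version_key(version)
    if vk < version_key(introduced):
        return False
    return fixed is None or vk < version_key(fixed)


def scan(sbom_json, advisories):
    """Return one finding per (component, advisory) match, with the first fixed version as hint."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        eco, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["ecosystem"] != eco or aff["package"]["name"] != name:
                    continue
                for rng in aff["ranges"]:
                    if is_affected(version, rng["events"]):
                        fixed = next((e["fixed"] for e in rng["events"] if "fixed" in e), None)
                        findings.append({"purl": comp["purl"], "id": adv["id"],
                                         "severity": adv["severity"], "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<7} {f['id']}  {f['purl']}  upgrade to >= {f['fixed_in']}")
```

Run as written, it reports the openssl and requests components and stays silent on zlib1g, whose 1.2.13 is past the advisory's fixed version; the same matcher applied to a real OSV feed is where an ecosystem-correct version comparison becomes essential.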
What exactly is Stella Ops?
Stella Ops is a sovereign, SBOM-first security toolkit. It pairs a deterministic scan engine with a policy layer, bundles every finding inside a signed DSSE package, and works the same way online or completely offline.
Delta-SBOM engine
Only new layers are analysed; warm runs finish in under five seconds.
Policy engine with lattice explainers
OpenVEX, waivers, and custom rule packs merge into a single verdict with a human-readable proof trail.
Cartographer overlays
SBOM and vulnerability dependencies are graphed so teams can see impact by image, service, or supplier.
Provenance & sovereignty
Signed attestations, quota tokens that verify locally, and optional regional crypto profiles keep evidence inside your boundary.
Need a capability-by-capability breakdown? Jump to the feature tour.
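The policy-engine behaviour described above (OpenVEX, waivers and rules merged into one verdict with a readable proof trail), as an added example that is not Stella Ops code and does not claim to reproduce its lattice: each source contributes a claim about a finding, the claims are ordered in a chain from "must block" to "safe", and the most permissive claim that is justified and still valid wins, while the trail keeps every claim so an auditor can see why. OpenVEX is a real format; the findings, VEX statements, waivers and the RANK ordering are this example's own assumptions.

```python
"""Merge scanner findings, an OpenVEX document and local waivers into one verdict
with a proof trail (illustrative, not Stella Ops code).

OpenVEX is a real format; the findings, VEX content and waivers are constructed.
The ordering in RANK is this example's own assumption, not the lattice Stella Ops
uses: statuses form a chain from "must block" to "safe", the scanner's bare
version match is the bottom element, and the join (max) of all valid claims wins.
"""
from datetime import date

RANK = {"affected": 0, "under_investigation": 1, "waived": 2, "not_affected": 3, "fixed": 4}
BLOCKING = {"affected", "under_investigation"}

# Constructed scanner findings with made-up EXAMPLE-* advisory IDs.
FINDINGS = [
    {"purl": "pkg:deb/debian/openssl@3.0.2", "id": "EXAMPLE-2023-0001", "severity": "HIGH"},
    {"purl": "pkg:pypi/requests@2.25.1", "id": "EXAMPLE-2023-0002", "severity": "MEDIUM"},
    {"purl": "pkg:npm/lodash@4.17.20", "id": "EXAMPLE-2021-0003", "severity": "HIGH"},
]

# Constructed OpenVEX document from a fictional supplier.
OPENVEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/2024-001",
    "author": "example-supplier",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "EXAMPLE-2023-0001"},
         "products": [{"@id": "pkg:deb/debian/openssl@3.0.2"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "EXAMPLE-2021-0003"},
         "products": [{"@id": "pkg:npm/lodash@4.17.20"}],
         "status": "under_investigation"},
    ],
}

# Constructed local waivers: time-boxed risk acceptances keyed by advisory and purl.
WAIVERS = [
    {"id": "EXAMPLE-2023-0002", "purl": "pkg:pypi/requests@2.25.1",
     "expires": "2099-12-31", "reason": "upgrade scheduled for next release"},
    {"id": "EXAMPLE-2021-0003", "purl": "pkg:npm/lodash@4.17.20",
     "expires": "2020-01-01", "reason": "temporary acceptance during triage"},
]


def claims_for(finding, vex, waivers, today):
    """Collect every (source, status, reason) claim that applies to one finding."""
    claims = [("scanner", "affected", "version inside the advisory's affected range")]
    for st in vex["statements"]:
        if st["vulnerability"]["name"] != finding["id"]:
            continue
        if not any(p["@id"] == finding["purl"] for p in st["products"]):
            continue
        if st["status"] == "not_affected" and "justification" not in st:
            continue  # OpenVEX requires a justification; an unjustified not_affected carries no weight
        claims.append((f"vex:{vex['author']}", st["status"], st.get("justification", st["status"])))
    for w in waivers:
        if w["id"] != finding["id"] or w["purl"] != finding["purl"]:
            continue
        if date.fromisoformat(w["expires"]) >= today:
            claims.append(("waiver", "waived", f"{w['reason']} (until {w['expires']})"))
        else:
            claims.append(("waiver", "affected", f"waiver expired {w['expires']}"))
    return claims


def evaluate(findings, vex, waivers, today_iso, block_at=("HIGH", "CRITICAL")):
    """Return ("pass" | "block", trail); each trail entry records the winning claim and all others."""
    today = date.fromisoformat(today_iso)
    verdict, trail = "pass", []
    for f in findings:
        claims = claims_for(f, vex, waivers, today)
        winner = max(claims, key=lambda c: RANK[c[1]])  # join in the chain lattice
        blocks = winner[1] in BLOCKING and f["severity"] in block_at
        if blocks:
            verdict = "block"
        trail.append({"id": f["id"], "purl": f["purl"], "severity": f["severity"],
                      "status": winner[1], "decided_by": winner[0], "reason": winner[2],
                      "blocks": blocks, "claims": claims})
    return verdict, trail


if __name__ == "__main__":
    verdict, trail = evaluate(FINDINGS, OPENVEX, WAIVERS, "2024-06-01")
    print("verdict:", verdict)
    for t in trail:
        flag = "  <- blocks" if t["blocks"] else ""
        print(f"  {t['id']} {t['purl']}: {t['status']} via {t['decided_by']} ({t['reason']}){flag}")
```

With the constructed inputs the openssl finding is cleared by the supplier's justified not_affected statement, the requests finding is waived, and the lodash finding still blocks: its waiver has expired and the supplier has only marked it under_investigation, which the ordering treats as unresolved. Evaluated with a date before the waiver's expiry the same inputs pass, which is the point of keeping the date out of the policy and in the trail.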
Why does Stella Ops exist when scanners already exist?
The competitive landscape spells it out: we needed a scanner that treats SBOMs as the source of truth, explains every policy decision, and stays trustworthy without any external service. That mix simply didn't exist, so Stella Ops was designed around three pillars:
- Deterministic replay — auditors can re-run the DSSE bundle and get the same verdict.
- Explainable policy — lattice logic shows why a deployment passes or blocks.
- Sovereign operation — offline kits, regional crypto profiles, and transparent quota tokens.
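The signed-attestation capability in the scanner overview (signed SBOMs plus in-toto / SLSA attestations) and the deterministic-replay pillar just above share one mechanism, shown here as an added example that is not Stella Ops code: a verdict is wrapped in an in-toto Statement, serialised canonically, signed as a DSSE envelope, and an auditor verifies the envelope and recomputes the verdict digest, getting the same result on every run. DSSE and in-toto are real specifications; the signing primitive is HMAC-SHA256 from the standard library standing in for the asymmetric signature (for example Ed25519) a real attestation would carry, so the example runs offline, and the key, subject name, predicate type URL and findings are all constructed.

```python
"""In-toto Statement signed as a DSSE envelope, verified and replayed
(illustrative, not Stella Ops code).

DSSE and in-toto are real formats. HMAC-SHA256 stands in for an asymmetric
signature so the example needs no extra packages; the key, image digest,
subject name and predicate type are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://example.com/scan-verdict/v1"  # made-up predicate type

# Constructed key (stand-in for a private key) and a made-up image digest.
KEY_ID = "example-key-1"
SECRET = b"example-shared-secret-do-not-use"
IMAGE_DIGEST = hashlib.sha256(b"example image").hexdigest()
VERDICT = {"verdict": "block",
           "findings": [{"id": "EXAMPLE-2021-0003", "status": "under_investigation"}]}


def canonical(obj):
    """Deterministic JSON: sorted keys, no whitespace, so equal inputs give byte-equal payloads."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def in_toto_statement(image_digest, predicate_type, predicate):
    """Build an in-toto Statement v1 binding a predicate to a subject digest."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example.registry/app", "digest": {"sha256": image_digest}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: 'DSSEv1 <len> <type> <len> <payload>'."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sign_envelope(payload, payload_type, key_id, secret):
    """Produce a DSSE envelope; the signature covers the PAE, so payloadType is bound too."""
    sig = hmac.new(secret, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": key_id, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope, keys):
    """Return the raw payload if a signature verifies under a known keyid, else None."""
    payload = base64.b64decode(envelope["payload"])
    expected_pae = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        secret = keys.get(s["keyid"])
        if secret is None:
            continue
        expected = hmac.new(secret, expected_pae, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return payload
    return None


def replay(envelope, keys):
    """Auditor side: verify first, then recompute the verdict digest from the attested predicate."""
    payload = verify_envelope(envelope, keys)
    if payload is None:
        return None
    statement = json.loads(payload)
    return hashlib.sha256(canonical(statement["predicate"])).hexdigest()


def attest(verdict, image_digest=IMAGE_DIGEST):
    """Producer side: statement -> canonical bytes -> signed DSSE envelope."""
    statement = in_toto_statement(image_digest, PREDICATE_TYPE, verdict)
    return sign_envelope(canonical(statement), PAYLOAD_TYPE, KEY_ID, SECRET)


if __name__ == "__main__":
    env = attest(VERDICT)
    print(json.dumps(env, indent=2))
    print("replay digest:", replay(env, {KEY_ID: SECRET}))
```

Two properties matter for replay: canonical serialisation makes the same verdict produce the same bytes regardless of how the dictionary was built, and because the DSSE signature covers the PAE rather than the bare payload, changing the payloadType or the payload invalidates the envelope, so an auditor cannot be handed a differently-typed payload under a reused signature.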
For the deep dive, see the full Stella Ops moat dossier.
Road-map highlights
- v0.1 alpha (2025) — SBOM-first engine, deterministic replay manifests, transparent quota tokens.
- v0.2 beta (Q1 2026) — Zastava forbidden-image sweeps, Cartographer dashboards.
- v0.3 beta (Q2 2026) — Policy packs with lattice explainers and SARIF/JSON exports.
- v0.4 RC (Q3 2026) — AI remediation coach, LDAP/AD SSO, regional crypto provider catalogues.
- v1.0 GA (Q4 2026) — SLSA L3 provenance, signed start-up plug-in marketplace.
Technology stack under the hood
| Layer | Tech | Why it matters |
|---|---|---|
| Back-end | .NET 10 LTS | High-perf async IO, single static binary. |
| Front-end | Angular 20 | Enterprise-grade SPA with strict typing. |
| Container base | Distroless glibc | Tiny attack surface, reproducible digests. |
What's in the UI?
- Dashboard — live counters & vulnerability trends.
- Reports — latest, personal and pipeline-specific.
- Settings — theme and report preferences.
- Admin — vuln DB sync, Offline Kit import, JWT swap, pipeline mutes, users & roles.
Who builds Stella Ops?
Stella Ops is a public experiment: can one senior engineer, plus today's AI tooling, ship a full-featured scanner without VC funding?
All design docs, commits and benchmarks are in the open. Early adopters steer the scope and keep the project honest.
Join #stellaops on Matrix or file issues on our self-hosted forge.