Installation Guide

Two ways to get started: a five-minute Docker setup for connected hosts and a fully offline path for sovereign networks.

Status: the first signed public alpha drops in late 2025. The steps below line up with the images and bundles that ship at that tag.

1 · Checklist before you begin

Platform

Ubuntu 22.04 LTS or Alma 9 (x86‑64/arm64).

Resources

2 vCPU, 2 GiB RAM, 10 GiB SSD for the SBOM + feed cache.

Docker

Engine 25 with Compose v2. Run docker -v to verify.

PGP trust

Import the project Cosign/PGP keys from /keys/ so you can verify bundles.

2 · Connected host (Docker Compose)

  1. Download the signed Compose files and example .env from https://get.stella-ops.org/releases/latest/.
  2. Verify each file with Cosign using the public key at /keys/cosign.pub.
  3. Copy .env.example to .env, set admin credentials, then run the duo of Compose stacks (infrastructure first, then stella-ops).
  4. Open https://<host>:8443 (self-signed cert) — default login is admin/changeme.

Full command-by-command instructions live in the Quickstart. Expect the first run to download ~50 MB of signed advisory snapshots.

3 · Offline Update Kit

Every release ships a signed bundle that mirrors feeds, plug-ins, and telemetry collectors. The high-level flow:

  1. Download the kit (stella-ops-offline-kit-*.tar.gz) plus signature and manifest.
  2. Verify with Cosign: cosign verify-blob --key https://stella-ops.org/keys/cosign.pub ...
  3. Transfer via your approved medium (USB, courier, etc.).
  4. Import using stella offline-kit import or the Console; the process swaps feeds live in under three seconds.

The kit includes Delta SBOM cache seeds, language analyzer plug-ins, regional vulnerability snapshots, and Cosign/PGP metadata so the air-gap stays trustworthy.

Read the Offline Kit guide

4 · (Optional) request a free quota token

Without any registration you can run 33 scans per UTC‑day. Email token@stella-ops.org from any address and our bot will reply with a signed JWT that lifts the quota to 333 scans per day. Above 90% daily scan quota the UI slows by ~10 % and shows a friendly “support the project” banner.

docker compose --env-file .env -f docker-compose.stella-ops.yml \
  exec stella-ops stella set-jwt <JWT_FROM_EMAIL>

We keep the requesting IP and e‑mail for up to seven days for delivery and abuse prevention, then archive a salted hash of the token ID.

Explore key features   Browse the docs