AGPL‑3.0‑or‑later
Stella Ops is free software: the full source ships under the AGPL, the compiled containers are free to run with a complimentary token, and everyone receives the same transparency we use internally.
What “free” means here
- Source forever free: clone the repos, audit the SBOM, fork the code, and ship your own builds — all under AGPL‑3.0‑or‑later.
- Pre-built containers: run the official images at no cost. Anonymous mode covers 33 scans per UTC day; a complimentary token unlocks 333 scans.
- Token cadence: each token is valid for 30 days. Requesting a fresh one takes seconds and never interrupts existing quotas.
- Transparency: every release includes Cosign signatures, DSSE attestations, and a reproducible SPDX SBOM.
Reciprocity & the network clause
The GNU Affero GPL adds one simple rule: if you run a modified Stella Ops for someone else over a network, you must let them download the source of that exact version.
- Running unmodified images? Nothing extra is required.
- Shipping a fork? Publish the source under the AGPL alongside your binaries.
- Offering Stella Ops as a service? Provide your users with the source code of the build that powers the service.
How to verify what you run
- Cosign signatures: verify every image or Offline Kit against the public key published at https://stella-ops.org/keys/cosign.pub. Download the key once, compare it with a copy obtained through a second channel, and keep that pinned file for later verifications rather than trusting whatever the URL serves on the day you check.
- PGP mail: vulnerability notices and roadmap updates are signed with fingerprint .
- Replay manifests: each scan emits a DSSE bundle so you can prove findings to auditors.
```shell
cosign verify \
  --key https://stella-ops.org/keys/cosign.pub \
  registry.stella-ops.org/stella-ops/stella-ops:<VERSION>
```
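The replay manifests above are DSSE envelopes, and checking one by hand is the same operation cosign performs for an attestation: rebuild the pre-authentication encoding (PAE) from the payload type and the decoded body, then verify the signature over that encoding under a key you already trust. The following program is an added example and not Stella Ops code; it assumes Ed25519 keys, a single signature per envelope, and a constructed in-toto style body with a made-up `predicateType`, keyid and subject, since the page does not state the key algorithm or predicate shape of the real bundles.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Envelope is the DSSE envelope shape: payload is base64 of the raw body; signatures cover the PAE.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE builds "DSSEv1 " LEN(type) " " type " " LEN(body) " " body with LEN as decimal ASCII byte
// length. Binding type and length into the signed bytes stops a body being replayed under another payloadType.
func PAE(payloadType string, body []byte) []byte {
	buf := []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType + " " + strconv.Itoa(len(body)) + " ")
	return append(buf, body...)
}

// Sign wraps body in an envelope with one Ed25519 signature (assumed key type for this demo).
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, body []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, body))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify returns the decoded body only if payloadType matches and at least one signature verifies under
// a trusted key. keyid is a lookup hint, not a trust decision: a trusted keyid on a rogue signature still fails.
func Verify(raw []byte, trusted map[string]ed25519.PublicKey, wantType string) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("envelope: %w", err)
	}
	if env.PayloadType != wantType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	pae := PAE(env.PayloadType, body)
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue // unknown signer: ignore rather than trust
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae, sig) {
			return body, nil
		}
	}
	return nil, errors.New("no signature from a trusted key verified")
}

// Demo runs three cases over a constructed replay manifest (sample data, not a real Stella Ops bundle):
// a genuine envelope, one whose body was edited after signing, and one signed by an untrusted key
// that claims the trusted keyid.
func Demo() (genuineOK, tamperedRejected, spoofedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: demo only
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"scanner-key-1": pub}
	const ptype = "application/vnd.in-toto+json"
	body := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"example/replay-manifest",` +
		`"subject":[{"name":"registry.example/app:1.0","digest":{"sha256":"0000"}}],"predicate":{"findings":3}}`)
	good, _ := json.Marshal(Sign(priv, "scanner-key-1", ptype, body))
	out, err := Verify(good, trusted, ptype)
	genuineOK = err == nil && string(out) == string(body)
	env := Sign(priv, "scanner-key-1", ptype, body)
	env.Payload = base64.StdEncoding.EncodeToString([]byte(strings.Replace(string(body), `"findings":3`, `"findings":0`, 1)))
	tampered, _ := json.Marshal(env)
	_, err = Verify(tampered, trusted, ptype)
	tamperedRejected = err != nil
	spoofed, _ := json.Marshal(Sign(rogue, "scanner-key-1", ptype, body))
	_, err = Verify(spoofed, trusted, ptype)
	spoofedRejected = err != nil
	return
}

func main() {
	g, t, s := Demo()
	fmt.Printf("genuine verified: %v, tampered rejected: %v, spoofed keyid rejected: %v\n", g, t, s)
}
```

The point a verifier must get right is the loop in `Verify`: the envelope's `keyid` only selects which trusted key to try, and an envelope carrying a keyid you do not recognise contributes nothing. Pin the trusted key set from an out-of-band copy of the published key, never from material shipped inside the bundle being checked.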