Operations & Deployment
Deploy anywhere. Prove everything.
First-class support for Docker, Compose, ECS, Nomad, and agentless SSH/WinRM. 100% offline operation with sovereign crypto profiles.
What you operate here
Image scanning
SBOM generation, CVE matching, VEX statement management for every container image.
Reachability filtering
Static, manifest, and runtime analysis to separate exploitable from theoretical risk.
Release promotion
Move images between environments through policy gates with full traceability.
Progressive delivery
A/B testing, canary, blue/green deployments, and instant rollback across targets.
Evidence export
Decision Capsules bundle all inputs, policy, and verdicts for audit and compliance.
Offline operation
Full functionality in air-gapped environments using signed Offline Update Kits.
Non-Kubernetes first
Most CD tools treat non-Kubernetes as an afterthought. Stella treats it as a primary use case.
Docker Host
Direct container deployment to Docker hosts.
Docker Compose
Multi-container application deployment.
AWS ECS
ECS and Fargate task deployments.
HashiCorp Nomad
Nomad job deployments and updates.
SSH (Agentless)
Linux/Unix targets without agents.
WinRM (Agentless)
Windows targets without agents.
Unlimited deployment targets at all pricing tiers
Digest-first versioning
Every release is identified by its content digest, not a mutable tag. This guarantees that what was scanned is what gets deployed, and what gets audited is what actually ran.
Immutable identity
sha256 digests ensure the artifact promoted is byte-identical to the artifact scanned and approved.
Provenance chain
Each promotion records the source digest, policy version, and approval evidence in a signed attestation.
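The digest-first rule above, written out as a promotion gate. This is an added example, not Stella's own code; the function names, the registry.example repository and the sample manifests are constructed for illustration, and it assumes the approved digests are available as a simple per-repository set.

```python
import hashlib
import re

# OCI-style reference pinned by digest: repo@sha256:<64 hex chars>
_PINNED = re.compile(r"^(?P<repo>[^@\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")


def parse_pinned(ref):
    """Return (repo, digest) for a digest-pinned reference, else raise ValueError."""
    m = _PINNED.match(ref)
    if not m:
        raise ValueError(f"not pinned by sha256 digest: {ref!r}")
    return m.group("repo"), "sha256:" + m.group("hex")


def gate_promotion(ref, manifest_bytes, approved):
    """Allow promotion only if ref is digest-pinned, that digest was scanned and
    approved for the repo, and the fetched bytes actually hash to it."""
    try:
        repo, digest = parse_pinned(ref)
    except ValueError as exc:
        return False, str(exc)
    if digest not in approved.get(repo, set()):
        return False, f"{digest} was never approved for {repo}"
    actual = "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()
    if actual != digest:
        return False, f"content mismatch: fetched bytes hash to {actual}"
    return True, "ok"


# Constructed sample data (not from any real registry).
SCANNED = b'{"schemaVersion":2,"layers":["constructed-layer-a"]}'
TAMPERED = b'{"schemaVersion":2,"layers":["constructed-layer-b"]}'
GOOD = "sha256:" + hashlib.sha256(SCANNED).hexdigest()
APPROVED = {"registry.example/app": {GOOD}}

if __name__ == "__main__":
    cases = [
        ("registry.example/app:latest", SCANNED),    # mutable tag: rejected
        (f"registry.example/app@{GOOD}", SCANNED),   # pinned and matching
        (f"registry.example/app@{GOOD}", TAMPERED),  # pinned, wrong bytes
    ]
    for ref, blob in cases:
        print(ref[:40], gate_promotion(ref, blob, APPROVED))
```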
Deployment patterns
A/B testing
Route a percentage of traffic to the new version. Compare metrics before committing.
Canary release
Deploy to a small subset of targets first. Automatic rollback on health-check failure.
Blue/Green
Run old and new versions in parallel. Switch traffic atomically when ready.
Instant rollback
Revert to any previous digest-verified version. The evidence trail is preserved for both the forward deployment and the rollback.
100% offline operation
Core decisions work without external dependencies. Vulnerability feeds and evidence verification work entirely inside your boundary.
Offline Update Kit
Signed bundle with everything needed for air-gapped operation.
- Vulnerability feeds from 33+ sources
- Container images for all components
- Provenance data and SBOMs
- Delta updates for efficient transfer
No external egress required
Every operation works inside sovereign networks.
- Local vulnerability database
- Offline signature verification
- Deterministic replay without network
- No mandatory telemetry (opt-in only, disabled by default)
```
$ stella offline-kit import stella-ouk-2026-01-20.tar.gz --verify
Verifying bundle signature... OK
Importing vulnerability feeds... 33 sources updated
Importing container images... 12 images loaded
Importing provenance data... OK
Offline Kit imported successfully
Knowledge snapshot: 2026-01-20T00:00:00Z
Next update recommended: 2026-01-27
```
Sovereign crypto profiles
Pluggable cryptographic profiles for regional compliance. Choose your algorithms without changing your workflow.
| Profile | Algorithms | Use Case |
|---|---|---|
| Default | Ed25519, ECDSA P-256, SHA-256 | Standard deployments |
| FIPS 140-2/3 | ECDSA P-384, SHA-384 | US federal / FedRAMP |
| GOST R 34.10 | GOST R 34.10-2012, Streebog | CIS region compliance |
| SM2/SM3 | SM2, SM3 | Chinese national standards |
| eIDAS | RSA-PSS, ECDSA (QES) | EU qualified signatures |
| Dilithium | ML-DSA (Dilithium) | Post-quantum future-proofing |
HSM/PKCS#11 integration
Hardware security modules for key storage and signing operations.
Multi-profile signing
Sign the same artifact with multiple algorithms for cross-jurisdiction compliance.
Infrastructure integration
HashiCorp Vault
Secrets injection for deployments.
HashiCorp Consul
Service registry integration.
Container registries
Docker Hub, Harbor, ECR, GCR, ACR.
SCM webhooks
GitHub, GitLab, Bitbucket triggers.
Notifications
Slack, Teams, email, PagerDuty, OpsGenie.
Plugin system
Custom connectors and workflow steps.
Platform Requirements
Supported Operating Systems
- Ubuntu 20.04, 22.04, 24.04 LTS
- RHEL/CentOS 8, 9
- Debian 11, 12
- Amazon Linux 2, 2023
- Windows Server 2019, 2022
- Alpine 3.18+ (containers)
Container Registries
- Docker Hub
- AWS ECR (incl. ECR Public)
- Google Artifact Registry / GCR
- Azure Container Registry
- GitHub Container Registry
- Harbor, Nexus, JFrog Artifactory
- Any OCI-compliant registry
Scale Guidance
- Up to 100 environments per instance
- Up to 1,000 targets per environment
- 50 concurrent deployments
- 10,000+ scans/month supported
- Horizontal scaling via HA mode
- Federated multi-region available
Contact sales for larger deployments
Minimum Requirements
4 vCPU, 8 GB RAM, 50 GB storage. Docker 20.10+ or Podman 4.0+.
Recommended Production
8 vCPU, 16 GB RAM, 200 GB SSD. PostgreSQL 14+ for HA deployments.
Deployment architecture
Single-node deployment
Docker Compose for evaluation and small teams.
- 2 vCPU, 2 GiB RAM minimum
- PostgreSQL 16+, Valkey 8.0+
- 10 GiB SSD for cache and evidence
High-availability deployment
Horizontal scaling for production workloads.
- Multi-replica API and workers
- Kubernetes Helm charts available
- Dedicated capacity for enterprise
