Get Running

Quickstart

Stand up the suite with Docker Compose and run a verified promotion.

Production-ready. Use these steps to run a verified promotion and export a Decision Capsule.
1. Download and verify

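Fetch the latest bundle and verify its Cosign signature before proceeding. The cosign verify-blob call below reads the detached signature from bundle.tgz.sig, so that file must be present next to bundle.tgz.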

Terminal
$ curl -sSL https://get.stella-ops.org/releases/latest/ -o bundle.tgz && cosign verify-blob --key https://stella-ops.org/keys/cosign.pub --signature bundle.tgz.sig bundle.tgz
Verified OK

2. Launch services

Start the infrastructure and Stella Ops containers with Docker Compose.

Terminal
$ cp .env.example .env && docker compose -f docker-compose.infrastructure.yml up -d && docker compose -f docker-compose.stella-ops.yml up -d
Creating stella-db ... done
Creating stella-ops ... done
Creating stella-scanner ... done
All services healthy.

3. Create environments

Define your promotion pipeline: dev, staging, and production with their policies.

Terminal
$ stella env create dev --policy policy-dev.yml && stella env create staging --policy policy-staging.yml && stella env create prod --policy policy-prod.yml --require-approval
Environment dev created (policy: policy-dev.yml)
Environment staging created (policy: policy-staging.yml)
Environment prod created (policy: policy-prod.yml, approval required)

4. Create a digest release

Register a container image by its content digest. Stella scans it and generates an SBOM.

Terminal
$ stella release create registry.example.com/app@sha256:a1b2c3d4... --env dev
Scanning artifact sha256:a1b2c3d4...
SBOM generated: 142 packages
CVEs matched: 312 | Reachable: 8
Release myapp-v2.1.0 created in dev

5. Gate and promote

Evaluate the release against your staging policy. If it passes, promote to the next environment.

Terminal
$ stella promote --from dev --to staging --require-approval
Evaluating policy: policy-staging.yml v1.0.0
Reachable CVEs: 8 (threshold: 10) PASS
Critical reachable: 0 (threshold: 0) PASS
Gate passed — promoted to staging

6. Export audit evidence

Package the decision into a signed capsule containing all inputs, policy, and verdict.

Terminal
$ stella capsule export myapp-v2.1.0 --output decision-capsule.json
Packaging decision capsule...
Including: SBOM, reachability graph, VEX state, policy verdict
Signing with: default profile (ECDSA P-256)
Decision capsule exported to decision-capsule.json

Access tokens are optional and only needed for pre-built images and managed updates.
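
The verification in step 1 is only useful if nothing from the bundle is unpacked when the check fails or the signature file is absent. The following wrapper is an added example, not part of the Stella Ops tooling: verify_then_unpack is a hypothetical helper name, and it assumes the bundle, its .sig file and the public key have already been saved as local files. The cosign flags are the ones used in step 1.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around the quickstart's verify step.
# verify_then_unpack is a hypothetical helper, not a Stella Ops command.
#
# Usage: verify_then_unpack BUNDLE SIGNATURE PUBKEY DESTDIR
# Exit status: 0 verified and unpacked, 1 signature rejected, 2 bad input.
# The body runs in a subshell, so "exit" only leaves the function.
verify_then_unpack() (
    bundle=$1 sig=$2 key=$3 dest=$4

    # Refuse to continue when any input is absent or empty. A missing
    # .sig must never be treated as "nothing to check".
    for f in "$bundle" "$sig" "$key"; do
        if [ ! -s "$f" ]; then
            echo "refusing to unpack: missing or empty input: $f" >&2
            exit 2
        fi
    done

    # The destination must not exist yet, so a failed run cannot leave
    # a mix of old and unverified files behind.
    if [ -e "$dest" ]; then
        echo "refusing to unpack: $dest already exists" >&2
        exit 2
    fi

    # Verify the detached signature over the exact bytes on disk.
    if ! cosign verify-blob --key "$key" --signature "$sig" "$bundle" >&2; then
        echo "signature verification failed for $bundle" >&2
        exit 1
    fi

    # Unpack only after verification succeeded.
    mkdir -p "$dest" && tar -xzf "$bundle" -C "$dest"
)
```

Keeping the public key in a local file that was obtained and checked out of band means a single compromised download host cannot replace both the bundle and the key used to verify it.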