Frequently Asked Questions

Common questions from teams evaluating Stella Ops Suite for release orchestration and evidence-grade promotions.

Quick Answers

Do I need Kubernetes?

No. Stella Ops is designed for non-Kubernetes estates as a primary use case.

We support Docker, Compose, ECS, Nomad, and agentless SSH/WinRM deployments. Kubernetes is supported but not required.

How is Stella Ops different from scanners like Trivy or Snyk?

Scanners tell you a vulnerable package exists. Stella Ops tells you whether your code actually calls it.

We use reachability analysis to trace call paths, resulting in meaningfully fewer false positives. We also save complete scan records that you can replay months later—something no scanner offers.

What is reachability analysis?

Reachability determines whether your application actually calls the vulnerable code path in a dependency.

Most CVEs affect code paths your app never touches. Stella analyzes static call graphs, manifest imports, and optionally runtime traces to prove which vulnerabilities are actually exploitable.

Result: focus on 12 reachable CVEs instead of 500 theoretical ones.
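As an added illustration (not Stella's own implementation, which also draws on manifest imports and optional runtime traces), a minimal static reachability filter in Go: a breadth-first walk of a constructed call graph from the application's entrypoints decides which scanner findings sit on a path the app can actually execute. Symbol names and the CVE ids are placeholders.

```go
package main

import "fmt"
import "sort"

// CallGraph maps a function symbol to the symbols it calls; the graph in main
// is constructed data standing in for a static analyser's output.
type CallGraph map[string][]string

// Reachable returns every symbol on a call path from the entrypoints (BFS).
func Reachable(g CallGraph, entrypoints []string) map[string]bool {
	seen := map[string]bool{}
	for queue := append([]string(nil), entrypoints...); len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		queue = append(queue, g[cur]...) // enqueue callees
	}
	return seen
}

// ReachableCVEs keeps only the findings (CVE id -> affected dependency symbol)
// whose symbol the application can actually call; the rest are present but inert.
func ReachableCVEs(g CallGraph, entrypoints []string, findings map[string]string) []string {
	reach := Reachable(g, entrypoints)
	var out []string
	for cve, sym := range findings {
		if reach[sym] {
			out = append(out, cve)
		}
	}
	sort.Strings(out) // map iteration is random; keep the verdict deterministic
	return out
}

func main() {
	graph := CallGraph{
		"app.main":           {"app.handleUpload", "lib/yaml.Parse"},
		"app.handleUpload":   {"lib/img.Decode"},
		"lib/img.Decode":     {"lib/img.decodeChunk"},
		"lib/yaml.Unmarshal": {"lib/yaml.execTemplate"}, // shipped, never called
	}
	findings := map[string]string{ // placeholder CVE ids
		"CVE-0000-0001": "lib/img.decodeChunk",
		"CVE-0000-0002": "lib/yaml.execTemplate",
	}
	fmt.Println(ReachableCVEs(graph, []string{"app.main"}, findings))
}
```

Only the first finding survives: the second dependency symbol is shipped in the image but no entrypoint ever reaches it.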

What is a Decision Capsule?

A Decision Capsule bundles everything needed to understand and replay a release decision:

  • Artifact digest (SHA-256)
  • SBOM snapshot (CycloneDX/SPDX)
  • Reachability evidence (signed graphs)
  • VEX state and policy version
  • Approval records

Every component is DSSE-signed.

Operations

Can Stella Ops run air-gapped?

Yes. Stella operates 100% offline with no external dependencies.

The Offline Kit bundles vulnerability feeds, container images, and provenance data. You get identical scan results whether online or in a sovereign network.

See the Offline Kit documentation.

What do auditors get?

Auditors receive Decision Capsules — cryptographically signed evidence bundles that prove:

  • What was scanned (exact artifact digest)
  • What was found (SBOM + reachability)
  • Why it was approved (policy verdict)
  • Who approved it (signed approvals)

Auditors can independently verify the signatures and replay the decision offline using the stella replay command.
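An added example, not code from the Stella project, of the check an auditor performs on a DSSE-signed capsule component (this serves both the Decision Capsule and the auditor questions above): the envelope layout and the pre-authentication encoding follow the DSSE specification, while the capsule payload, key id and payload type are constructed placeholders and the real capsule schema is the product's own.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "encoding/base64"
import "fmt"

// Envelope is the DSSE wire format; payload and sig are base64 strings.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct{ KeyID, Sig string } // JSON keys: keyid, sig

// pae is the DSSE pre-authentication encoding, which binds the payload type to the bytes signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps a capsule payload in an envelope carrying one Ed25519 signature.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	b64 := base64.StdEncoding.EncodeToString
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{payloadType, b64(payload), []Signature{{keyID, b64(sig)}}}
}

// Verify recomputes the PAE and checks every signature; unknown keyids, bad base64 and unsigned envelopes fail closed.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(env.Signatures) == 0 {
		return nil, fmt.Errorf("malformed or unsigned envelope")
	}
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		sig, serr := base64.StdEncoding.DecodeString(s.Sig)
		if !ok || serr != nil || !ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			return nil, fmt.Errorf("signature by keyid %q did not verify", s.KeyID)
		}
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fresh demo key pair
	env := Sign(priv, "release-key-1", "application/vnd.example.capsule+json", []byte(`{"artifactDigest":"sha256:<placeholder>","verdict":"pass"}`)) // constructed capsule
	_, err := Verify(env, map[string]ed25519.PublicKey{"release-key-1": pub})
	fmt.Println("capsule verified:", err == nil)
}
```

Because the PAE covers the payload type as well as the payload, re-labelling a signed blob as a different document type invalidates the signature just as editing the payload does.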

Business

What does Stella Ops cost?

Stella Ops is source-available (BUSL-1.1). The Free tier is evaluation-limited (3 environments, 999 scans/month) — production workloads require a paid plan (Plus or Pro).

Paid plans are metered by environments and new-digest deep scans — no per-seat or per-project fees. All features are included at every tier.

See the pricing page.

Is Stella Ops production-ready?

Stella Ops is in closed early release for non-Kubernetes estates.

  • Now: Closed early release — signed images and Offline Kit bundles available to accepted applicants
  • Ongoing: Backwards-compatible evidence formats and deterministic replay
  • Enterprise: Limited support tickets available by request

How do promotions and approvals work?

Stella models releases as a promotion graph (Dev → Stage → Prod). At each gate:

  • Policy is evaluated against the artifact's evidence
  • Approvals are recorded with cryptographic signatures
  • A Decision Capsule is generated for audit

Promotions are tied to artifact digests, not tags: the same digest carries the same evidence, which is reused rather than regenerated.
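An added sketch, not Stella's implementation, of a digest-keyed promotion gate: evidence is stored and looked up by artifact digest (so a tag has no evidence and the same digest reuses the same evidence at every gate), and only reachable CVEs without a not_affected VEX status at or above the environment's threshold block the promotion. The Finding and Policy fields, the digest and the CVE ids are constructed placeholders.

```go
package main

import "fmt"

// Finding is one CVE in an artifact's evidence, with the reachability verdict
// and VEX status ("", "affected" or "not_affected") already attached.
type Finding struct {
	CVE, Severity, VEX string
	Reachable          bool
}

// Policy is one environment's gate: a reachable, unresolved CVE at or above BlockAt fails it.
type Policy struct{ Env, BlockAt string }

var rank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// Blocking returns the CVEs that fail the policy; unreachable and VEX not_affected ones never block.
func Blocking(p Policy, evidence []Finding) []string {
	var out []string
	for _, f := range evidence {
		if f.Reachable && f.VEX != "not_affected" && rank[f.Severity] >= rank[p.BlockAt] {
			out = append(out, f.CVE)
		}
	}
	return out
}

// Promote evaluates a gate for an artifact identified by digest, never by tag: evidence
// is looked up by digest, so a re-pointed tag carries none and a digest reuses its own.
func Promote(p Policy, digest string, evidence map[string][]Finding) (string, []string, error) {
	ev, ok := evidence[digest]
	if !ok {
		return "", nil, fmt.Errorf("no evidence for %q: scan the digest before promoting", digest)
	}
	if blocking := Blocking(p, ev); len(blocking) > 0 {
		return "fail", blocking, nil
	}
	return "pass", nil, nil
}

func main() {
	evidence := map[string][]Finding{"sha256:<digest-a>": { // constructed evidence
		{CVE: "CVE-0000-0001", Severity: "critical", Reachable: false},
		{CVE: "CVE-0000-0002", Severity: "high", Reachable: true},
		{CVE: "CVE-0000-0003", Severity: "high", Reachable: true, VEX: "not_affected"},
	}}
	for _, p := range []Policy{{"stage", "critical"}, {"prod", "high"}} {
		verdict, blocking, _ := Promote(p, "sha256:<digest-a>", evidence)
		fmt.Println(p.Env, verdict, blocking)
	}
}
```

The same evidence passes the stage gate (the only critical CVE is unreachable) and fails the prod gate on the one reachable high CVE that no VEX statement resolves.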

How do I get started?

Follow the Installation Guide and then run the Quickstart to create your first verified promotion.

Licensing & Compatibility

Is Stella Ops open-source?

Stella Ops Suite is source-available under BUSL-1.1. You can read, build, and audit the code. The verification layer (capsule validation, signature checks) is licensed under Apache-2.0.

BUSL-1.1 permits non-production use freely. Production use requires a paid plan (Plus or Pro). After the change date (4 years from each release), the code converts to Apache-2.0.

This model funds sustainable development while keeping the evidence chain fully auditable.

What is an environment in Stella?

An environment is a named deployment target paired with a policy and optional approval rules. Examples: dev, staging, production.

Each environment defines:

  • Targets — where containers actually run (Docker host, Compose project, ECS cluster)
  • Policy — the pass/fail conditions for promotion (CVE thresholds, reachability gates)
  • Approvals — who must sign off before a release enters this environment

Releases are promoted between environments through policy gates, with every promotion recorded as signed evidence.

Does the Free tier permit production use?

The Free tier is for evaluation and development only. It includes full scanning and up to 3 environments with 999 monthly new-digest scans, but does not permit production deployment.

For production use, you need Plus (up to 33 environments) or Pro (up to 333 environments). For larger needs, contact us.

See the pricing page for tier details.

Can I use Stella with Trivy, Snyk, or Grype?

Yes. Stella is not a replacement for your existing scanner — it is a control layer on top. You can feed scan results from Trivy, Snyk, Grype, or any SARIF/CycloneDX source into Stella for reachability filtering and policy gating.

Stella adds what standalone scanners lack: reachability analysis, multi-issuer VEX, environment-aware policy gates, and signed evidence export. Your scanner finds CVEs; Stella decides which ones matter and proves the decision.

More Questions?

Check the documentation for technical details, or review pricing for commercial terms.