Features
Release with proof, not just findings
Stella Ops combines orchestration, security gates, and audit export into a single control plane for non-Kubernetes container estates.
Four Pillars of Evidence-Grade Releases
First-Class SBOM & VEX
Generate SPDX/CycloneDX SBOMs, ingest OpenVEX from multiple issuers, resolve conflicts with K4 lattice logic — deterministic and offline-capable.
- Generate SPDX 3.0.1 and CycloneDX 1.7 SBOMs from container images
- Ingest OpenVEX from multiple issuers with K4 lattice conflict resolution
- Match CVEs from 30+ advisory sources with sub-second warm-path scans
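The K4 conflict resolution above is easiest to see on concrete input. The following is an added example, not Stella's code: it assumes "K4" means Belnap's four-valued lattice (none, true, false, both, ordered by information content) and maps OpenVEX statuses onto the claim "this vulnerability is exploitable in this product" (affected is evidence for, not_affected and fixed are evidence against, under_investigation carries no information). The issuer names, CVE ids and product identifiers are constructed placeholders. Because the lattice join is commutative and associative, the merged result does not depend on the order in which issuer documents arrive, which is what makes the step deterministic.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Belnap FOUR (K4) elements in the information ordering: NONE < TRUE, FALSE < BOTH
NONE, TRUE, FALSE, BOTH = "none", "true", "false", "both"

def k4_join(a: str, b: str) -> str:
    """Least upper bound in the information ordering of the K4 lattice."""
    if a == b or b == NONE:
        return a
    if a == NONE:
        return b
    return BOTH  # TRUE joined with FALSE (or anything with BOTH) is BOTH

# Assumed mapping of OpenVEX statuses onto the K4 claim "exploitable here?".
STATUS_TO_K4 = {
    "affected": TRUE,
    "not_affected": FALSE,
    "fixed": FALSE,
    "under_investigation": NONE,
}

@dataclass(frozen=True)
class VexStatement:
    issuer: str
    vuln: str
    product: str   # purl or image digest the statement applies to
    status: str    # one of the OpenVEX statuses above

def merge_vex(statements: List[VexStatement]) -> Dict[Tuple[str, str], str]:
    """Fold every issuer's claim per (vuln, product) into one K4 value.
    Sorting is only for stable iteration; the join itself is order-independent."""
    merged: Dict[Tuple[str, str], str] = {}
    for s in sorted(statements, key=lambda s: (s.vuln, s.product, s.issuer)):
        key = (s.vuln, s.product)
        merged[key] = k4_join(merged.get(key, NONE), STATUS_TO_K4[s.status])
    return merged

# Policy layer: only clear "not exploitable" evidence lets the release through.
# BOTH means issuers contradict each other, so the gate surfaces the conflict
# instead of silently picking a side.
GATE = {
    FALSE: "allow",
    TRUE: "block: affected",
    NONE: "block: no evidence",
    BOTH: "block: issuers conflict",
}

def gate_decision(value: str) -> str:
    return GATE[value]

# Constructed sample statements (placeholder ids, not real advisories).
SAMPLE = [
    VexStatement("vendor-a", "CVE-0000-0001", "pkg:oci/app@sha256:aaa", "not_affected"),
    VexStatement("distro-b", "CVE-0000-0001", "pkg:oci/app@sha256:aaa", "affected"),
    VexStatement("vendor-a", "CVE-0000-0002", "pkg:oci/app@sha256:aaa", "fixed"),
    VexStatement("scanner-c", "CVE-0000-0002", "pkg:oci/app@sha256:aaa", "under_investigation"),
]

if __name__ == "__main__":
    for key, value in merge_vex(SAMPLE).items():
        print(key, value, "->", gate_decision(value))
```

Run as a script it prints one line per (vulnerability, product) pair with the merged lattice value and the gate's verdict; the first CVE resolves to a conflict, the second to "allow".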
Reachability as Evidence
Three-layer analysis — static call graphs, binary symbols, runtime eBPF probes — produces signed DSSE proofs that meaningfully reduce false positives.
- Three-layer analysis: static call graphs, binary symbols, runtime eBPF probes
- Signed DSSE proofs — not assertions, verifiable evidence
- Significantly fewer false positives: focus on reachable CVEs, not hundreds of theoretical ones
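What makes a DSSE proof verifiable rather than asserted is the envelope format: the payload type and payload are bound together by the Pre-Authentication Encoding (PAE) before signing, so a verifier recomputes the signed bytes from the envelope itself. The block below is an added example, not Stella's code or any project's library: it implements DSSE PAE and envelope construction per the DSSE spec, but stands in an HMAC-SHA256 shared key for the asymmetric signature a real attestation would carry, so that it runs offline with the standard library. The payload type, key id, key and the reachability claim are constructed values.

```python
import base64
import hashlib
import hmac
import json

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding. The lengths are part of the signed
    message, so neither the type nor the payload can be swapped or truncated."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign_envelope(payload_type: str, payload: bytes, key: bytes, keyid: str) -> dict:
    # HMAC stands in for the signature algorithm here (assumption for the demo).
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }

def verify_envelope(envelope: dict, trusted_keys: dict) -> bool:
    """Rebuild the PAE from the envelope's own fields and check each signature
    against a trusted key. Any change to payload, type or signature fails."""
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is None:
            continue  # unknown signer: ignore rather than trust
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return True
    return False

# Constructed reachability claim (placeholder CVE id and image digest).
PROOF = {
    "image": "sha256:" + "ab" * 32,
    "vuln": "CVE-0000-0000",
    "reachable": False,
    "layers": {"static_callgraph": "unreached",
               "binary_symbols": "absent",
               "runtime_ebpf": "not_observed"},
}
KEY = b"demo-shared-key-not-for-production"
TRUSTED = {"demo-key-1": KEY}
ENVELOPE = sign_envelope("application/vnd.example.reachability+json",
                         json.dumps(PROOF, sort_keys=True).encode(), KEY, "demo-key-1")

def tamper(envelope: dict) -> dict:
    """Flip the claim inside a copy of the envelope without re-signing it."""
    body = json.loads(base64.b64decode(envelope["payload"]))
    body["reachable"] = True
    forged = dict(envelope)
    forged["payload"] = base64.b64encode(
        json.dumps(body, sort_keys=True).encode()).decode("ascii")
    return forged

if __name__ == "__main__":
    print("original verifies:", verify_envelope(ENVELOPE, TRUSTED))
    print("tampered verifies:", verify_envelope(tamper(ENVELOPE), TRUSTED))
```

The verifier never trusts the envelope to tell it what was signed; it recomputes the PAE from `payloadType` and the decoded `payload`, which is why a proof can be re-checked by an auditor with nothing but the envelope and the signer's public key material.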
Digest-First Versioning
Releases are immutable OCI digest sets resolved at creation — tags are aliases, digests are truth, every pull is tamper-detectable.
- Releases are immutable OCI digest sets resolved at creation time
- Tags are aliases, digests are truth — every pull is tamper-detectable
- Complete audit trail: know exactly what was deployed where and when
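The digest-first model rests on two mechanics: tags are resolved to content digests once, when the release is created, and every later pull recomputes the digest of what it received. The block below is an added example, not Stella's code: it models a registry as an in-memory tag table plus a content store keyed by digest (a real OCI registry exposes the same two things through its HTTP API), uses a small JSON blob in place of a real image manifest, and shows both that moving a tag after release creation cannot change what the release points at and that a substituted blob behind a pinned digest is detected on pull. Repository and tag names are constructed.

```python
import hashlib
import json
from typing import Dict, Iterable

def digest_of(blob: bytes) -> str:
    """OCI-style content digest of a manifest or blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

class Registry:
    """Constructed in-memory stand-in for a registry (example only)."""
    def __init__(self) -> None:
        self.tags: Dict[str, str] = {}     # "repo:tag" -> digest
        self.blobs: Dict[str, bytes] = {}  # digest -> manifest bytes

    def push(self, ref: str, manifest: bytes) -> str:
        d = digest_of(manifest)
        self.blobs[d] = manifest
        self.tags[ref] = d       # a tag is just a mutable pointer
        return d

    def resolve(self, ref: str) -> str:
        return self.tags[ref]

    def pull(self, digest: str) -> bytes:
        return self.blobs[digest]

def create_release(reg: Registry, refs: Iterable[str]) -> Dict[str, str]:
    """Freeze the release as a digest set: each tag is resolved exactly once."""
    return {ref: reg.resolve(ref) for ref in sorted(refs)}

def pull_verified(reg: Registry, digest: str) -> bytes:
    """Fetch by digest and recompute it. A mismatch means the registry (or the
    path to it) served different bytes than the release pinned."""
    blob = reg.pull(digest)
    actual = digest_of(blob)
    if actual != digest:
        raise ValueError(f"tamper detected: expected {digest}, got {actual}")
    return blob

def demo() -> tuple:
    reg = Registry()
    v1 = json.dumps({"config": "app-v1"}).encode()
    reg.push("registry.example/app:prod", v1)
    release = create_release(reg, ["registry.example/app:prod"])

    # Someone retags :prod later; the frozen release still points at v1.
    reg.push("registry.example/app:prod", json.dumps({"config": "app-v2"}).encode())
    pinned = release["registry.example/app:prod"]
    still_v1 = pull_verified(reg, pinned) == v1

    # Simulate a substituted blob behind the pinned digest.
    reg.blobs[pinned] = b'{"config": "substituted"}'
    try:
        pull_verified(reg, pinned)
        detected = False
    except ValueError:
        detected = True
    return still_v1, detected

if __name__ == "__main__":
    print("release unaffected by retag:", demo()[0])
    print("substituted blob detected  :", demo()[1])
```

Rollback in this model is simply deploying an earlier digest set: the old record still names exact content, so "known-good" is a set of digests rather than whatever the tag currently happens to point at.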
Agentless Deployment
Deploy to Linux (SSH) and Windows (WinRM) servers with canary, rolling, or blue-green strategies — rollback returns to known-good digests.
- Deploy to Docker Compose, Swarm, ECS, Nomad, or scripted hosts
- Agentless execution via SSH (Linux) and WinRM (Windows)
- Canary, rolling, blue-green strategies with instant rollback
What Makes Stella Different
Most tools give you findings or deployments. Stella gives you proof.
Evidence, Not Assertions
Every decision is backed by signed, replayable evidence. Auditors can verify independently — no vendor dependency required.
Non-Kubernetes First
Docker Compose, ECS, Nomad, and scripted hosts are primary targets — not afterthoughts bolted onto a K8s-centric design.
Deterministic Replay
Re-run any decision 6 months later with frozen inputs. Same SBOM, same feeds, same policy — bit-for-bit identical output.
Sovereign & Offline
Run fully air-gapped with signed feed bundles. FIPS-140-3, GOST, SM2/SM3, eIDAS crypto profiles. No mandatory telemetry; opt-in only (disabled by default).
How Stella Compares
Stella combines scanning, policy, and deployment into one evidence-linked platform. See how it stacks up.
| Tool | Category | Key Difference |
|---|---|---|
| Trivy / Grype | Scanners | Findings only — no reachability, no orchestration |
| Snyk | SCA Platform | SaaS-only, no deterministic replay |
| Octopus Deploy | CD Platform | No built-in security scanning or evidence chain |
| GitHub Actions | CI/CD | CI-focused, no release orchestration layer |
| Harness | CD Platform | K8s-centric, limited non-K8s support |
Ready for evidence-grade releases?
Install with Docker Compose and run your first verified promotion.
