Connect. Bundle. Gate. Deploy.

Stella Ops connects your toolchain, produces evidence, gates promotions, and exports decision proof for every release.

After initial setup, you'll have:

  1. Your first image scanned with SBOM + reachability analysis
  2. A signed Decision Capsule proving the scan results
  3. One complete promotion from dev to staging with evidence

Release lifecycle at a glance

Connect, bundle, gate, deploy, and export a Decision Capsule with evidence bound to the artifact digest.

[Release lifecycle diagram: Connect → Bundle → Gate → Deploy → Decision Capsule; evidence sealed at each step]
1. Connect registry, SCM, CI, and infrastructure

Link your container registries, CI pipelines, and infrastructure components to build a digest-first release ledger. Stella watches for new images and coordinates with your existing infrastructure.

Source & Registry

  • Docker Hub, Harbor, ECR, GCR, ACR
  • GitHub, GitLab, Bitbucket webhooks
  • Jenkins, GitHub Actions, GitLab CI

Infrastructure

  • HashiCorp Vault for secrets
  • HashiCorp Consul for service registry
  • SSH/WinRM for agentless targets
2. Build release bundle

Capture artifact digests, SBOMs, and provenance as a single unit of promotion. The bundle travels through environments, accumulating evidence at each step.

  • CycloneDX / SPDX SBOM generation
  • SLSA provenance attestation
  • Content-addressed artifact identity (SHA-256)
3. Gate with hybrid reachability + policy

Evaluate policy against evidence at each promotion. Hybrid reachability analysis combines three layers of evidence to determine which vulnerable functions your code actually calls:

  1. Static analysis: call graph extraction from bytecode/source
  2. Manifest analysis: import/require statements, dependency trees
  3. Runtime traces: optional profiling data for higher confidence

Terminal
$ stella gate evaluate --env stage --artifact sha256:abc123...
 487 CVEs found in dependencies
 475 NOT REACHABLE (hybrid analysis)
! 12 REACHABLE (evaluated against policy)
Policy verdict: PASS — 12 reachable CVEs below threshold
Gate evaluation saved: evidence/gate-stage-2025-07-15.json

Result: Significantly fewer false positives compared to traditional CVE counting.

4. Deploy + export Decision Capsule

Execute deployment to your targets and export a signed evidence bundle. Configure environments via SSH/WinRM for agentless deployment or use built-in providers.

Deployment Targets

  • Docker Compose deployments
  • AWS ECS / Fargate
  • HashiCorp Nomad
  • Scripted deployments (.NET 10)

Environment Setup

  • SSH for Linux/Unix targets
  • WinRM for Windows targets
  • Vault for secret injection
  • Consul for service discovery

Decision Capsules are DSSE-signed and contain everything for audit export and deterministic replay.

The reachability difference

Without reachability

  • 487 CVEs to triage
  • Days of investigation
  • No audit trail
  • Guessing at exploitability
  • Ad-hoc exceptions

With Stella Ops

  • 12 reachable CVEs to fix
  • Hours to resolution
  • Decision Capsule export
  • Proof of call paths
  • Policy-governed gates

What auditors get

Every Decision Capsule contains:

  • Exact artifact digest (SHA-256)
  • SBOM snapshot (CycloneDX/SPDX)
  • Reachability evidence (signed graphs)
  • Policy version + verdict
  • VEX state (lattice-resolved)
  • Signed approval records

Auditors can independently verify signatures and replay the decision offline using stella replay.
