Documentation

Stellar in 10 minutes.

An honest, technical guide to how Stellar audits code, what it catches, and where to plug it into your workflow.

Quickstart

  1. Sign in with Google or email at /auth.
  2. Open the Vulnerability Core.
  3. Paste code, drag in files, or upload a .zip.
  4. Pick an engine — Speed Scan for fast triage or Deep Reasoning for complex flows.
  5. Click Run audit. Findings stream in real time with line refs and patch suggestions.
  6. Export as JSON or SARIF, or revisit later from History.
Tip — hit ⌘K anywhere in the app to jump straight to a scan, and ? for all shortcuts.

Scan engines

Stellar ships two reasoning engines tuned for different jobs.

Speed Scan (single-pass)

Single-pass triage. Best for snippets, configs, single files, and CI gates where latency matters. Catches the obvious — injection, hardcoded secrets, weak crypto, misconfigured RBAC.

Deep Reasoning (multi-step)

Chains analysis across files, tracks data flow between functions, and reasons about business-logic abuse. Recommended for smart contracts, auth flows, and anything where exploit chains span multiple files.

Pre-flight checks

Before any payload leaves your browser, the Pre-flight panel runs two deterministic checks locally:

  • Secret detection — regex + entropy scoring for AWS, GitHub, OpenAI, Anthropic, Stripe, Slack, Google, JWT, and RSA / SSH keys, plus generic .env values.
  • Dependency CVEs — parses package.json, requirements.txt, Cargo.toml, go.mod, Gemfile.lock — then queries OSV.dev for known vulnerabilities.
Pre-flight is a sanity check, not a replacement for the AI scan. It will miss any secret that doesn't match a known pattern.
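To make the two pre-flight checks concrete, here is an added example in Python. It is my own code, not Stellar's browser-side implementation: a small secret detector that combines a handful of regex patterns with Shannon-entropy scoring on `KEY=value` lines, and a parser that turns pinned `requirements.txt` entries into the request body shape of the OSV.dev batch query endpoint (`POST https://api.osv.dev/v1/querybatch`). The patterns, the entropy threshold, the minimum length, and the sample inputs are all assumptions; nothing is sent over the network.

```python
# Added example (my own code, not Stellar's pre-flight implementation):
# a local secret detector combining regex patterns with Shannon-entropy
# scoring, plus a parser that turns pinned requirements.txt lines into the
# request body shape of the OSV.dev batch query API
# (POST https://api.osv.dev/v1/querybatch). Nothing is sent over the
# network. The patterns, thresholds and sample inputs below are assumptions.
import math
import re

# Assumed patterns for a few credential formats; not Stellar's rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
# KEY=value lines in a .env file (optional "export", optional quotes).
ENV_ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*["']?([^"'\s#]+)""")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"
MIN_SECRET_LEN = 20      # shorter values are too often ordinary words


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_secrets(text: str) -> list:
    """Flag lines that match a known pattern, or whose .env value is long and random-looking."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": name, "reason": "pattern"})
                break
        else:  # no pattern hit: fall back to entropy scoring on KEY=value lines
            m = ENV_ASSIGNMENT.match(line)
            if m:
                key, value = m.groups()
                if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    findings.append({"line": lineno, "kind": f"high-entropy value for {key}", "reason": "entropy"})
    return findings


PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)")


def osv_querybatch_body(requirements_text: str) -> dict:
    """Build the OSV.dev /v1/querybatch request body for pinned (==) requirements.

    Only exact pins can be queried by version; range specifiers are skipped,
    which is one reason a pre-flight check stays a sanity check.
    """
    queries = []
    for line in requirements_text.splitlines():
        m = PIN.match(line)
        if m:
            name, version = m.groups()
            queries.append({"package": {"name": name, "ecosystem": "PyPI"}, "version": version})
    return {"queries": queries}


# Constructed sample inputs. The AWS key ID is the placeholder value from
# AWS's own documentation; the session secret is an invented random string.
SAMPLE_ENV = """APP_NAME=stellar-docs-demo
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SESSION_SECRET=Zx9qL2mV8pR4tY7wN1bK6hJ3
GREETING=aaaaaaaaaaaaaaaaaaaaaaaaa
"""
SAMPLE_REQUIREMENTS = """requests==2.25.1
flask>=2.0
# pinned below
pyyaml==5.4
"""

if __name__ == "__main__":
    for f in scan_secrets(SAMPLE_ENV):
        print(f"line {f['line']}: {f['kind']} ({f['reason']})")
    print(osv_querybatch_body(SAMPLE_REQUIREMENTS))
```

Running it flags line 2 (pattern hit) and line 3 (long, high-entropy value) but not the 25-character `GREETING`, whose entropy is zero; this is the trade-off behind the caveat above, since a secret that is short, low-entropy, or in an unknown format slips past both checks. The OSV body only carries the two `==` pins; `flask>=2.0` has no single version to look up.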

Reading findings

Every finding has the same shape:

  • Threat level — Critical · High · Medium · Low · Safe (color-coded).
  • Title + category — e.g. SQL injection via unsanitized input, mapped to OWASP / CWE.
  • Location — file path and line number, clickable to jump in the editor.
  • Explanation — why it's a vulnerability, what an attacker would do with it.
  • Patch — a concrete code suggestion, copyable in one click.

Use the Compare view (/compare) to diff two scans side-by-side and see which findings were resolved.

Exporting SARIF / JSON

Every scan exports as SARIF 2.1.0 — the industry standard. SARIF imports cleanly into:

  • GitHub Code Scanning (upload via the Security tab)
  • VS Code SARIF Viewer extension
  • GitLab, Sonatype, DefectDojo, and most security dashboards

Raw JSON is also available for custom pipelines.
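As an added example of how the finding shape above maps onto SARIF 2.1.0 (and how a compare view can tell which findings were resolved), here is Python I wrote for this page; it is not Stellar's exporter. It builds a SARIF log with one rule per CWE and one result per finding, carries the patch as a SARIF `fix`, and diffs two logs by a rule + file + line fingerprint. The threat-to-level mapping, rule ids, fingerprint scheme, and sample findings are assumptions.

```python
# Added example (my own code, not Stellar's exporter): turns findings in the
# five-part shape described under "Reading findings" into a SARIF 2.1.0 log,
# and diffs two logs the way a compare view would to list resolved findings.
# The threat-to-level mapping, rule ids and fingerprint scheme are assumptions.
import json

# SARIF "level" only has error / warning / note / none, so five threat
# levels collapse onto four; the original level is kept in a property bag.
LEVEL_FOR_THREAT = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note", "Safe": "none"}


def to_sarif(findings: list, tool_name: str = "stellar-example") -> dict:
    """Build a SARIF 2.1.0 log with one run, one rule per CWE and one result per finding."""
    rules, results = {}, []
    for f in findings:
        rule_id = f["cwe"]
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": f["category"]}})
        result = {
            "ruleId": rule_id,
            "level": LEVEL_FOR_THREAT[f["threat"]],
            "message": {"text": f"{f['title']}: {f['explanation']}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
            "properties": {"threatLevel": f["threat"]},
        }
        if f.get("patch"):
            # A SARIF fix replaces a region with new text; here the whole
            # flagged line is replaced by the suggested patch.
            result["fixes"] = [{
                "description": {"text": "Suggested patch"},
                "artifactChanges": [{
                    "artifactLocation": {"uri": f["file"]},
                    "replacements": [{
                        "deletedRegion": {"startLine": f["line"]},
                        "insertedContent": {"text": f["patch"]},
                    }],
                }],
            }]
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def fingerprint(result: dict) -> tuple:
    """Identity of a result: rule + file + line. Shifts if code above the line moves."""
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["artifactLocation"]["uri"], loc["region"]["startLine"])


def resolved_between(old_log: dict, new_log: dict) -> list:
    """Results present in the old SARIF log but absent from the new one."""
    old = {fingerprint(r) for run in old_log["runs"] for r in run["results"]}
    new = {fingerprint(r) for run in new_log["runs"] for r in run["results"]}
    return sorted(old - new)


# Constructed sample findings (file paths, lines and text are invented).
SAMPLE_BEFORE = [
    {"threat": "Critical", "title": "SQL injection via unsanitized input",
     "category": "Injection", "cwe": "CWE-89", "file": "src/db.py", "line": 42,
     "explanation": "user_id is interpolated into the query string",
     "patch": 'cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))'},
    {"threat": "Medium", "title": "Hardcoded API token",
     "category": "Hardcoded credentials", "cwe": "CWE-798", "file": "src/config.py", "line": 7,
     "explanation": "token is committed to source", "patch": None},
]
SAMPLE_AFTER = [SAMPLE_BEFORE[1]]  # the injection was fixed before the rescan

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_BEFORE), indent=2))
    print("resolved:", resolved_between(to_sarif(SAMPLE_BEFORE), to_sarif(SAMPLE_AFTER)))
```

The line-based fingerprint is deliberately simple: if unrelated code above a finding is inserted or deleted between two scans, the finding moves and shows up as "resolved" plus a "new" one. SARIF's `partialFingerprints` field exists for exactly this, and dashboards such as GitHub Code Scanning use it to keep an alert's identity stable across line shifts.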

Supported inputs

Source files for mainstream stacks, plus configs and archives.

  • TypeScript / JS
  • Python
  • Go
  • Rust
  • Solidity
  • Ruby
  • PHP
  • Java / Kotlin
  • C / C++
  • C# / .NET
  • Swift
  • YAML / TOML / JSON
  • .env files
  • Dockerfile
  • Zip archives

Privacy & retention

Your source code is not retained after a scan completes. We persist only the scan metadata (target name, mode, timestamp) and the structured report so you can revisit findings later.

Payloads are not used to train any model. Deleting a scan from History removes the report from our database.

Limits

  • Per-file: 15 MB
  • Per-scan payload: 500,000 characters total
  • Rate limits: not enforced during public preview — be reasonable.
  • History retention: scans stay in your workspace until you delete them.

Keyboard shortcuts

  • Command palette: ⌘K
  • All shortcuts: ?
  • Posture Overview: G then D
  • New scan: G then S
  • Scan history: G then H
  • Close dialog: Esc

What's not here yet

Stellar is in public preview. Things that are not shipped today — GitHub PR integration, auto-fix PRs, deep IaC scanning, team workspaces, SSO, and more — live on the public roadmap.

Have a request? Email us.