feat: seed Lariza feature demonstration

Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities.

Assisted-by: Codex: GPT-5.6
This commit is contained in:
reynold
2026-07-18 20:21:38 +08:00
commit 8b6e3b4919
7 changed files with 96 additions and 0 deletions
+17
View File
@@ -0,0 +1,17 @@
apiVersion: security.lariza.dev/v1alpha1
kind: SecurityPolicyIntent
metadata:
name: default-security-gate
spec:
mode: audit
trustedPublishers: [lariza-security-demo]
mergeGate:
blockNewSeverities: [critical, high]
requireTriageFor: [medium]
dismissedFindingsRequire:
reason: true
expiresAt: true
approverRole: security-owner
evidence:
acceptedFormats: [sarif-2.1.0, cyclonedx-1.5, junit]
retainDays: 90
+12
View File
@@ -0,0 +1,12 @@
# Security evidence demo
This repository contains small, synthetic evidence files for developing Lariza
ingestion, triage, pull-request summaries, and merge policies.
- `sample.sarif.json`: one safe static-analysis finding.
- `sbom.cdx.json`: a minimal CycloneDX inventory.
- `junit.xml`: one passing and one skipped test.
- `secret-findings.json`: redacted evidence with no usable credential.
No scanner runs here. The goal is to normalize external evidence, establish
trusted publisher identity, explain policy outcomes, and test retention/export.
+7
View File
@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="lariza-demo" tests="2" failures="0" skipped="1" time="0.02">
<testcase classname="demo.Transfer" name="accepts reference" time="0.02"/>
<testcase classname="demo.Transfer" name="external settlement">
<skipped message="Synthetic external dependency is unavailable in the demo."/>
</testcase>
</testsuite>
+24
View File
@@ -0,0 +1,24 @@
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Lariza Synthetic Analyzer",
"version": "1.0.0",
"rules": [{"id": "DEMO001", "shortDescription": {"text": "Synthetic review finding"}}]
}
},
"results": [
{
"ruleId": "DEMO001",
"level": "warning",
"message": {"text": "Synthetic medium-severity result for triage demonstrations."},
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/transfer.go"}, "region": {"startLine": 4}}}],
"properties": {"severity": "medium", "synthetic": true}
}
]
}
]
}
+15
View File
@@ -0,0 +1,15 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:11111111-2222-4333-8444-555555555555",
"version": 1,
"metadata": {"component": {"type": "application", "name": "security-evidence-demo", "version": "1.0.0"}},
"components": [
{
"type": "library",
"name": "synthetic-safe-library",
"version": "1.2.3",
"purl": "pkg:generic/synthetic-safe-library@1.2.3"
}
]
}
+15
View File
@@ -0,0 +1,15 @@
{
"schemaVersion": "1.0",
"findings": [
{
"id": "synthetic-secret-001",
"type": "example-api-token",
"severity": "high",
"path": "fixtures/nonexistent.env",
"line": 1,
"evidence": "demo_****_REDACTED",
"usableCredential": false,
"synthetic": true
}
]
}
+6
View File
@@ -0,0 +1,6 @@
package demo
// Transfer is intentionally simple source code referenced by the SARIF fixture.
func Transfer(reference string) string {
return "accepted:" + reference
}