feat: seed Lariza feature demonstration
Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities. Assisted-by: Codex: GPT-5.6
This commit is contained in:
@@ -0,0 +1,17 @@
|
||||
apiVersion: security.lariza.dev/v1alpha1
|
||||
kind: SecurityPolicyIntent
|
||||
metadata:
|
||||
name: default-security-gate
|
||||
spec:
|
||||
mode: audit
|
||||
trustedPublishers: [lariza-security-demo]
|
||||
mergeGate:
|
||||
blockNewSeverities: [critical, high]
|
||||
requireTriageFor: [medium]
|
||||
dismissedFindingsRequire:
|
||||
reason: true
|
||||
expiresAt: true
|
||||
approverRole: security-owner
|
||||
evidence:
|
||||
acceptedFormats: [sarif-2.1.0, cyclonedx-1.5, junit]
|
||||
retainDays: 90
|
||||
@@ -0,0 +1,12 @@
|
||||
# Security evidence demo
|
||||
|
||||
This repository contains small, synthetic evidence files for developing Lariza
|
||||
ingestion, triage, pull-request summaries, and merge policies.
|
||||
|
||||
- `sample.sarif.json`: one safe static-analysis finding.
|
||||
- `sbom.cdx.json`: a minimal CycloneDX inventory.
|
||||
- `junit.xml`: one passing and one skipped test.
|
||||
- `secret-findings.json`: redacted evidence with no usable credential.
|
||||
|
||||
No scanner runs here. The goal is to normalize external evidence, establish
|
||||
trusted publisher identity, explain policy outcomes, and test retention/export.
|
||||
@@ -0,0 +1,7 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<testsuite name="lariza-demo" tests="2" failures="0" skipped="1" time="0.02">
|
||||
<testcase classname="demo.Transfer" name="accepts reference" time="0.02"/>
|
||||
<testcase classname="demo.Transfer" name="external settlement">
|
||||
<skipped message="Synthetic external dependency is unavailable in the demo."/>
|
||||
</testcase>
|
||||
</testsuite>
|
||||
@@ -0,0 +1,24 @@
|
||||
{
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
||||
"version": "2.1.0",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
"driver": {
|
||||
"name": "Lariza Synthetic Analyzer",
|
||||
"version": "1.0.0",
|
||||
"rules": [{"id": "DEMO001", "shortDescription": {"text": "Synthetic review finding"}}]
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "DEMO001",
|
||||
"level": "warning",
|
||||
"message": {"text": "Synthetic medium-severity result for triage demonstrations."},
|
||||
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/transfer.go"}, "region": {"startLine": 4}}}],
|
||||
"properties": {"severity": "medium", "synthetic": true}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.5",
|
||||
"serialNumber": "urn:uuid:11111111-2222-4333-8444-555555555555",
|
||||
"version": 1,
|
||||
"metadata": {"component": {"type": "application", "name": "security-evidence-demo", "version": "1.0.0"}},
|
||||
"components": [
|
||||
{
|
||||
"type": "library",
|
||||
"name": "synthetic-safe-library",
|
||||
"version": "1.2.3",
|
||||
"purl": "pkg:generic/synthetic-safe-library@1.2.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"schemaVersion": "1.0",
|
||||
"findings": [
|
||||
{
|
||||
"id": "synthetic-secret-001",
|
||||
"type": "example-api-token",
|
||||
"severity": "high",
|
||||
"path": "fixtures/nonexistent.env",
|
||||
"line": 1,
|
||||
"evidence": "demo_****_REDACTED",
|
||||
"usableCredential": false,
|
||||
"synthetic": true
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
package demo
|
||||
|
||||
// Transfer is intentionally simple source code referenced by the SARIF fixture.
|
||||
func Transfer(reference string) string {
|
||||
return "accepted:" + reference
|
||||
}
|
||||
Reference in New Issue
Block a user