# Security evidence demo This repository contains small, synthetic evidence files for developing Lariza ingestion, triage, pull-request summaries, and merge policies. - `sample.sarif.json`: one safe static-analysis finding. - `sbom.cdx.json`: a minimal CycloneDX inventory. - `junit.xml`: one passing and one skipped test. - `secret-findings.json`: redacted evidence with no usable credential. No scanner runs here. The goal is to normalize external evidence, establish trusted publisher identity, explain policy outcomes, and test retention/export.