mock data
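--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,119 @@
+-- Migration: S001_demo_seed
+-- Category: seed
+-- Description: Demo data for Policy module (packs, rules, risk profiles, evaluations)
+-- Idempotent: ON CONFLICT DO NOTHING
+
+-- ============================================================================
+-- Policy Packs
+-- ============================================================================
+
+INSERT INTO policy.packs (id, tenant_id, name, display_name, description, active_version, is_builtin, created_by)
+VALUES
+('d0000001-0000-0000-0000-000000000001', 'demo-prod', 'default', 'Default Security Policy', 'Balanced security policy suitable for most deployments. Blocks critical and high CVEs, requires SBOM attestation.', 1, true, 'system'),
+('d0000001-0000-0000-0000-000000000002', 'demo-prod', 'strict', 'Strict Compliance Policy', 'Maximum security posture for regulated environments. Blocks all unpatched CVEs, requires signed attestations and provenance.', 1, true, 'system'),
+('d0000001-0000-0000-0000-000000000003', 'demo-prod', 'permissive', 'Development Policy', 'Relaxed policy for development environments. Warns on high CVEs, allows unsigned artifacts.', 1, false, 'admin')
+ON CONFLICT (tenant_id, name) DO NOTHING;
+
+-- ============================================================================
+-- Pack Versions
+-- ============================================================================
+
+INSERT INTO policy.pack_versions (id, pack_id, version, description, rules_hash, is_published, published_at, published_by, created_by)
+VALUES
+('d0000002-0000-0000-0000-000000000001', 'd0000001-0000-0000-0000-000000000001', 1, 'Initial release', 'sha256:default-v1-rules', true, NOW() - INTERVAL '30 days', 'system', 'system'),
+('d0000002-0000-0000-0000-000000000002', 'd0000001-0000-0000-0000-000000000002', 1, 'Initial release', 'sha256:strict-v1-rules', true, NOW() - INTERVAL '30 days', 'system', 'system'),
+('d0000002-0000-0000-0000-000000000003', 'd0000001-0000-0000-0000-000000000003', 1, 'Initial release', 'sha256:permissive-v1-rules', true, NOW() - INTERVAL '15 days', 'admin', 'admin')
+ON CONFLICT (pack_id, version) DO NOTHING;
+
+-- ============================================================================
+-- Policy Rules
+-- ============================================================================
+
+INSERT INTO policy.rules (id, pack_version_id, name, description, rule_type, content, content_hash, severity, category, tags)
+VALUES
+-- Default pack rules
+('d0000003-0000-0000-0000-000000000001', 'd0000002-0000-0000-0000-000000000001', 'block-critical-cves',
+'Block artifacts with critical severity CVEs', 'rego',
+'package stellaops.policy.cve\ndefault allow = false\nallow { input.max_cvss < 9.0 }',
+'sha256:rule-001', 'critical', 'vulnerability', ARRAY['cve', 'cvss', 'blocking']),
+('d0000003-0000-0000-0000-000000000002', 'd0000002-0000-0000-0000-000000000001', 'block-high-cves',
+'Block artifacts with high severity CVEs older than 30 days', 'rego',
+'package stellaops.policy.cve\ndefault allow = true\ndeny { input.max_cvss >= 7.0; input.cve_age_days > 30 }',
+'sha256:rule-002', 'high', 'vulnerability', ARRAY['cve', 'cvss', 'age']),
+('d0000003-0000-0000-0000-000000000003', 'd0000002-0000-0000-0000-000000000001', 'require-sbom',
+'Require SBOM attestation for all artifacts', 'rego',
+'package stellaops.policy.attestation\ndefault allow = false\nallow { input.sbom_present == true }',
+'sha256:rule-003', 'high', 'attestation', ARRAY['sbom', 'attestation']),
+('d0000003-0000-0000-0000-000000000004', 'd0000002-0000-0000-0000-000000000001', 'license-deny-gpl3',
+'Deny artifacts containing GPL-3.0 licensed dependencies', 'rego',
+'package stellaops.policy.license\ndefault allow = true\ndeny { input.licenses[_] == "GPL-3.0" }',
+'sha256:rule-004', 'medium', 'license', ARRAY['license', 'compliance']),
+-- Strict pack rules
+('d0000003-0000-0000-0000-000000000005', 'd0000002-0000-0000-0000-000000000002', 'block-all-cves',
+'Block any artifact with unpatched CVEs', 'rego',
+'package stellaops.policy.cve\ndefault allow = false\nallow { count(input.cves) == 0 }',
+'sha256:rule-005', 'critical', 'vulnerability', ARRAY['cve', 'zero-tolerance']),
+('d0000003-0000-0000-0000-000000000006', 'd0000002-0000-0000-0000-000000000002', 'require-signature',
+'Require cryptographic signature on all artifacts', 'rego',
+'package stellaops.policy.signature\ndefault allow = false\nallow { input.signature_valid == true }',
+'sha256:rule-006', 'critical', 'signature', ARRAY['signing', 'cosign', 'provenance']),
+('d0000003-0000-0000-0000-000000000007', 'd0000002-0000-0000-0000-000000000002', 'require-provenance',
+'Require SLSA provenance attestation', 'rego',
+'package stellaops.policy.provenance\ndefault allow = false\nallow { input.slsa_level >= 2 }',
+'sha256:rule-007', 'high', 'provenance', ARRAY['slsa', 'provenance', 'supply-chain']),
+-- Permissive pack rules
+('d0000003-0000-0000-0000-000000000008', 'd0000002-0000-0000-0000-000000000003', 'warn-critical-cves',
+'Warn on critical CVEs but allow deployment', 'rego',
+'package stellaops.policy.cve\ndefault allow = true\nwarn { input.max_cvss >= 9.0 }',
+'sha256:rule-008', 'info', 'vulnerability', ARRAY['cve', 'warning-only']),
+('d0000003-0000-0000-0000-000000000009', 'd0000002-0000-0000-0000-000000000003', 'warn-no-sbom',
+'Warn if SBOM is missing', 'rego',
+'package stellaops.policy.attestation\ndefault allow = true\nwarn { input.sbom_present == false }',
+'sha256:rule-009', 'info', 'attestation', ARRAY['sbom', 'warning-only']),
+('d0000003-0000-0000-0000-000000000010', 'd0000002-0000-0000-0000-000000000003', 'kev-check',
+'Block artifacts with known exploited vulnerabilities (KEV)', 'rego',
+'package stellaops.policy.kev\ndefault allow = true\ndeny { input.kev_count > 0 }',
+'sha256:rule-010', 'critical', 'vulnerability', ARRAY['kev', 'cisa', 'exploit'])
+ON CONFLICT (pack_version_id, name) DO NOTHING;
+
+-- ============================================================================
+-- Risk Profiles
+-- ============================================================================
+
+INSERT INTO policy.risk_profiles (id, tenant_id, name, display_name, description, version, is_active, thresholds, scoring_weights, created_by)
+VALUES
+('d0000004-0000-0000-0000-000000000001', 'demo-prod', 'standard', 'Standard Risk Profile', 'Default risk scoring for production environments', 1, true,
+'{"critical": 0.0, "high": 5, "medium": 20, "low": 100}'::jsonb,
+'{"cvss": 0.4, "epss": 0.3, "kev": 0.2, "age": 0.1}'::jsonb, 'system'),
+('d0000004-0000-0000-0000-000000000002', 'demo-prod', 'aggressive', 'Aggressive Risk Profile', 'Low tolerance risk scoring for critical infrastructure', 1, false,
+'{"critical": 0, "high": 0, "medium": 5, "low": 50}'::jsonb,
+'{"cvss": 0.3, "epss": 0.35, "kev": 0.25, "age": 0.1}'::jsonb, 'admin')
+ON CONFLICT (tenant_id, name, version) DO NOTHING;
+
+-- ============================================================================
+-- Evaluation Runs (policy evaluation history)
+-- ============================================================================
+
+INSERT INTO policy.evaluation_runs (id, tenant_id, project_id, artifact_id, pack_id, pack_version, risk_profile_id, status, result, score, findings_count, critical_count, high_count, medium_count, low_count, duration_ms, created_by, started_at, completed_at)
+VALUES
+('d0000005-0000-0000-0000-000000000001', 'demo-prod', 'webapp-frontend', 'sha256:demo_node_20',
+'d0000001-0000-0000-0000-000000000001', 1, 'd0000004-0000-0000-0000-000000000001',
+'completed', 'fail', 72.50, 8, 0, 2, 4, 2, 1250, 'scheduler',
+NOW() - INTERVAL '2 hours', NOW() - INTERVAL '2 hours' + INTERVAL '1250 milliseconds'),
+('d0000005-0000-0000-0000-000000000002', 'demo-prod', 'api-gateway', 'sha256:demo_nginx_latest',
+'d0000001-0000-0000-0000-000000000001', 1, 'd0000004-0000-0000-0000-000000000001',
+'completed', 'pass', 95.00, 3, 0, 0, 2, 1, 890, 'scheduler',
+NOW() - INTERVAL '2 hours', NOW() - INTERVAL '2 hours' + INTERVAL '890 milliseconds'),
+('d0000005-0000-0000-0000-000000000003', 'demo-prod', 'data-store', 'sha256:demo_postgres_16',
+'d0000001-0000-0000-0000-000000000002', 1, 'd0000004-0000-0000-0000-000000000001',
+'completed', 'fail', 45.00, 12, 1, 3, 5, 3, 2100, 'scheduler',
+NOW() - INTERVAL '3 hours', NOW() - INTERVAL '3 hours' + INTERVAL '2100 milliseconds'),
+('d0000005-0000-0000-0000-000000000004', 'demo-prod', 'cache-layer', 'sha256:demo_redis_7',
+'d0000001-0000-0000-0000-000000000001', 1, 'd0000004-0000-0000-0000-000000000001',
+'completed', 'pass', 98.00, 1, 0, 0, 0, 1, 450, 'scheduler',
+NOW() - INTERVAL '2 hours', NOW() - INTERVAL '2 hours' + INTERVAL '450 milliseconds'),
+('d0000005-0000-0000-0000-000000000005', 'demo-prod', 'backend-api', 'sha256:demo_dotnet_8',
+'d0000001-0000-0000-0000-000000000001', 1, 'd0000004-0000-0000-0000-000000000001',
+'completed', 'warn', 82.00, 5, 0, 1, 2, 2, 1680, 'scheduler',
+NOW() - INTERVAL '2 hours', NOW() - INTERVAL '2 hours' + INTERVAL '1680 milliseconds')
+ON CONFLICT DO NOTHING;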
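Review bot: The Rego bodies in the ten policy.rules rows (e.g. `'package stellaops.policy.cve\ndefault allow = false\nallow { input.max_cvss < 9.0 }'`) are ordinary single-quoted literals, so under PostgreSQL's default `standard_conforming_strings = on` each `\n` is stored as a literal backslash plus `n`, leaving every policy on one line with stray backslashes that a Rego parser will reject; prefix each with `E'...'` (so `E'package stellaops.policy.cve\ndefault allow = false\nallow { input.max_cvss < 9.0 }'`) or dollar-quote the content with real newlines. The target dialect is inferred from the `::jsonb` casts and `INTERVAL` arithmetic elsewhere in the hunk. Separately, `content_hash` and `rules_hash` hold placeholder strings such as `'sha256:rule-001'` and `'sha256:default-v1-rules'` rather than digests of the stored content; if the module verifies these columns against the content (not visible from this file), the demo rows will fail that check, and if it does not, a tamper-evidence column is being seeded with values that cannot be verified, so either compute them from the actual content or extend the header comment to state that the hashes are non-verifiable demo placeholders.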