Restructure solution layout by module

2025-10-28 15:10:40 +02:00
parent 4e3e575db5
commit 68da90a11a
4103 changed files with 192899 additions and 187024 deletions
--- a/samples/policy/README.md
+++ b/samples/policy/README.md
@@ -1,25 +1,25 @@
-# Policy Samples
-
-Curated fixtures used by CI smoke/determinism checks and example documentation.
-
-| Scenario | Policy | Findings | Expected Diff | UI/CLI Diff Fixture |
-|----------|--------|----------|---------------|---------------------|
-| `baseline` | `docs/examples/policies/baseline.yaml` | `samples/policy/baseline/findings.json` | `samples/policy/baseline/diffs.json` | `samples/policy/simulations/baseline/diff.json` |
-| `serverless` | `docs/examples/policies/serverless.yaml` | `samples/policy/serverless/findings.json` | `samples/policy/serverless/diffs.json` | `samples/policy/simulations/serverless/diff.json` |
-| `internal-only` | `docs/examples/policies/internal-only.yaml` | `samples/policy/internal-only/findings.json` | `samples/policy/internal-only/diffs.json` | `samples/policy/simulations/internal-only/diff.json` |
-
-Run the simulation harness locally:
-
-```bash
-dotnet run \
-  --project tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \
-  -- \
-  --scenario-root samples/policy/simulations \
-  --output out/policy-simulations
-```
-
-Then inspect `out/policy-simulations/policy-simulation-summary.json` for verdict changes.
-
---
-
-*Last updated: 2025-10-26.*
+# Policy Samples
+
+Curated fixtures used by CI smoke/determinism checks and example documentation.
+
+| Scenario | Policy | Findings | Expected Diff | UI/CLI Diff Fixture |
+|----------|--------|----------|---------------|---------------------|
+| `baseline` | `docs/examples/policies/baseline.yaml` | `samples/policy/baseline/findings.json` | `samples/policy/baseline/diffs.json` | `samples/policy/simulations/baseline/diff.json` |
+| `serverless` | `docs/examples/policies/serverless.yaml` | `samples/policy/serverless/findings.json` | `samples/policy/serverless/diffs.json` | `samples/policy/simulations/serverless/diff.json` |
+| `internal-only` | `docs/examples/policies/internal-only.yaml` | `samples/policy/internal-only/findings.json` | `samples/policy/internal-only/diffs.json` | `samples/policy/simulations/internal-only/diff.json` |
+
+Run the simulation harness locally:
+
+```bash
+dotnet run \
+  --project tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \
+  -- \
+  --scenario-root samples/policy/simulations \
+  --output out/policy-simulations
+```
+
+Then inspect `out/policy-simulations/policy-simulation-summary.json` for verdict changes.
+
+---
+
+*Last updated: 2025-10-26.*
--- a/samples/policy/baseline/diffs.json
+++ b/samples/policy/baseline/diffs.json
@@ -1,12 +1,12 @@
-[
-  {
-    "findingId": "library:pkg/openssl@1.1.1w",
-    "status": "Blocked",
-    "rule": "block_critical"
-  },
-  {
-    "findingId": "library:pkg/internal-runtime@1.0.0",
-    "status": "Warned",
-    "rule": "alert_warn_eol_runtime"
-  }
-]
+[
+  {
+    "findingId": "library:pkg/openssl@1.1.1w",
+    "status": "Blocked",
+    "rule": "block_critical"
+  },
+  {
+    "findingId": "library:pkg/internal-runtime@1.0.0",
+    "status": "Warned",
+    "rule": "alert_warn_eol_runtime"
+  }
+]
--- a/samples/policy/baseline/findings.json
+++ b/samples/policy/baseline/findings.json
@@ -1,14 +1,14 @@
-[
-  {
-    "findingId": "library:pkg/openssl@1.1.1w",
-    "severity": "Critical",
-    "source": "NVD",
-    "environment": "internet"
-  },
-  {
-    "findingId": "library:pkg/internal-runtime@1.0.0",
-    "severity": "Low",
-    "source": "NVD",
-    "tags": ["runtime:eol"]
-  }
-]
+[
+  {
+    "findingId": "library:pkg/openssl@1.1.1w",
+    "severity": "Critical",
+    "source": "NVD",
+    "environment": "internet"
+  },
+  {
+    "findingId": "library:pkg/internal-runtime@1.0.0",
+    "severity": "Low",
+    "source": "NVD",
+    "tags": ["runtime:eol"]
+  }
+]
--- a/samples/policy/internal-only/diffs.json
+++ b/samples/policy/internal-only/diffs.json
@@ -1,12 +1,12 @@
-[
-  {
-    "findingId": "library:pkg/internal-app@2.0.0",
-    "status": "RequiresVex",
-    "rule": "accept_vendor_vex"
-  },
-  {
-    "findingId": "library:pkg/kev-component@3.1.4",
-    "status": "RequiresVex",
-    "rule": "accept_vendor_vex"
-  }
-]
+[
+  {
+    "findingId": "library:pkg/internal-app@2.0.0",
+    "status": "RequiresVex",
+    "rule": "accept_vendor_vex"
+  },
+  {
+    "findingId": "library:pkg/kev-component@3.1.4",
+    "status": "RequiresVex",
+    "rule": "accept_vendor_vex"
+  }
+]
--- a/samples/policy/internal-only/findings.json
+++ b/samples/policy/internal-only/findings.json
@@ -1,15 +1,15 @@
-[
-  {
-    "findingId": "library:pkg/internal-app@2.0.0",
-    "severity": "Medium",
-    "source": "GHSA",
-    "environment": "internal"
-  },
-  {
-    "findingId": "library:pkg/kev-component@3.1.4",
-    "severity": "High",
-    "source": "NVD",
-    "tags": ["kev"],
-    "environment": "internal"
-  }
-]
+[
+  {
+    "findingId": "library:pkg/internal-app@2.0.0",
+    "severity": "Medium",
+    "source": "GHSA",
+    "environment": "internal"
+  },
+  {
+    "findingId": "library:pkg/kev-component@3.1.4",
+    "severity": "High",
+    "source": "NVD",
+    "tags": ["kev"],
+    "environment": "internal"
+  }
+]
--- a/samples/policy/serverless/diffs.json
+++ b/samples/policy/serverless/diffs.json
@@ -1,12 +1,12 @@
-[
-  {
-    "findingId": "library:pkg/aws-lambda@1.0.0",
-    "status": "Blocked",
-    "rule": "block_any_high"
-  },
-  {
-    "findingId": "image:sha256:untrusted-base",
-    "status": "Blocked",
-    "rule": "forbid_unpinned_base"
-  }
-]
+[
+  {
+    "findingId": "library:pkg/aws-lambda@1.0.0",
+    "status": "Blocked",
+    "rule": "block_any_high"
+  },
+  {
+    "findingId": "image:sha256:untrusted-base",
+    "status": "Blocked",
+    "rule": "forbid_unpinned_base"
+  }
+]
--- a/samples/policy/serverless/findings.json
+++ b/samples/policy/serverless/findings.json
@@ -1,15 +1,15 @@
-[
-  {
-    "findingId": "library:pkg/aws-lambda@1.0.0",
-    "severity": "High",
-    "source": "NVD",
-    "environment": "serverless"
-  },
-  {
-    "findingId": "image:sha256:untrusted-base",
-    "severity": "Medium",
-    "source": "NVD",
-    "tags": ["image:latest-tag"],
-    "environment": "serverless"
-  }
-]
+[
+  {
+    "findingId": "library:pkg/aws-lambda@1.0.0",
+    "severity": "High",
+    "source": "NVD",
+    "environment": "serverless"
+  },
+  {
+    "findingId": "image:sha256:untrusted-base",
+    "severity": "Medium",
+    "source": "NVD",
+    "tags": ["image:latest-tag"],
+    "environment": "serverless"
+  }
+]
--- a/samples/policy/simulations/baseline/diff.json
+++ b/samples/policy/simulations/baseline/diff.json
@@ -1,23 +1,23 @@
-{
-  "summary": {
-    "policy": "baseline",
-    "policyDigest": "sha256:simulation-baseline",
-    "changed": 2
-  },
-  "diffs": [
-    {
-      "findingId": "library:pkg/openssl@1.1.1w",
-      "baselineStatus": "Pass",
-      "projectedStatus": "Blocked",
-      "rule": "block_critical",
-      "notes": "Critical severity must be remediated before deploy."
-    },
-    {
-      "findingId": "library:pkg/internal-runtime@1.0.0",
-      "baselineStatus": "Pass",
-      "projectedStatus": "Warned",
-      "rule": "alert_warn_eol_runtime",
-      "notes": "Runtime marked as EOL; upgrade recommended."
-    }
-  ]
-}
+{
+  "summary": {
+    "policy": "baseline",
+    "policyDigest": "sha256:simulation-baseline",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_critical",
+      "notes": "Critical severity must be remediated before deploy."
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Warned",
+      "rule": "alert_warn_eol_runtime",
+      "notes": "Runtime marked as EOL; upgrade recommended."
+    }
+  ]
+}
--- a/samples/policy/simulations/baseline/scenario.json
+++ b/samples/policy/simulations/baseline/scenario.json
@@ -1,21 +1,21 @@
-{
-  "name": "baseline",
-  "policyPath": "docs/examples/policies/baseline.yaml",
-  "findings": [
-    {
-      "findingId": "library:pkg/openssl@1.1.1w",
-      "severity": "Critical",
-      "source": "NVD"
-    },
-    {
-      "findingId": "library:pkg/internal-runtime@1.0.0",
-      "severity": "Low",
-      "source": "NVD",
-      "tags": ["runtime:eol"]
-    }
-  ],
-  "expectedDiffs": [
-    { "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
-    { "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
-  ]
-}
+{
+  "name": "baseline",
+  "policyPath": "docs/examples/policies/baseline.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "severity": "Critical",
+      "source": "NVD"
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "severity": "Low",
+      "source": "NVD",
+      "tags": ["runtime:eol"]
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
+    { "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
+  ]
+}
--- a/samples/policy/simulations/internal-only/diff.json
+++ b/samples/policy/simulations/internal-only/diff.json
@@ -1,23 +1,23 @@
-{
-  "summary": {
-    "policy": "internal-only",
-    "policyDigest": "sha256:simulation-internal-only",
-    "changed": 2
-  },
-  "diffs": [
-    {
-      "findingId": "library:pkg/internal-app@2.0.0",
-      "baselineStatus": "Pass",
-      "projectedStatus": "RequiresVex",
-      "rule": "accept_vendor_vex",
-      "notes": "Trust vendor VEX statements for internal scope."
-    },
-    {
-      "findingId": "library:pkg/kev-component@3.1.4",
-      "baselineStatus": "Pass",
-      "projectedStatus": "RequiresVex",
-      "rule": "accept_vendor_vex",
-      "notes": "Trust vendor VEX statements for internal scope."
-    }
-  ]
-}
+{
+  "summary": {
+    "policy": "internal-only",
+    "policyDigest": "sha256:simulation-internal-only",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    }
+  ]
+}
--- a/samples/policy/simulations/internal-only/scenario.json
+++ b/samples/policy/simulations/internal-only/scenario.json
@@ -1,23 +1,23 @@
-{
-  "name": "internal-only",
-  "policyPath": "docs/examples/policies/internal-only.yaml",
-  "findings": [
-    {
-      "findingId": "library:pkg/internal-app@2.0.0",
-      "severity": "Medium",
-      "source": "GHSA",
-      "environment": "internal"
-    },
-    {
-      "findingId": "library:pkg/kev-component@3.1.4",
-      "severity": "High",
-      "source": "NVD",
-      "tags": ["kev"],
-      "environment": "internal"
-    }
-  ],
-  "expectedDiffs": [
-    { "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
-    { "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
-  ]
-}
+{
+  "name": "internal-only",
+  "policyPath": "docs/examples/policies/internal-only.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "severity": "Medium",
+      "source": "GHSA",
+      "environment": "internal"
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "severity": "High",
+      "source": "NVD",
+      "tags": ["kev"],
+      "environment": "internal"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
+    { "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
+  ]
+}
--- a/samples/policy/simulations/serverless/diff.json
+++ b/samples/policy/simulations/serverless/diff.json
@@ -1,23 +1,23 @@
-{
-  "summary": {
-    "policy": "serverless",
-    "policyDigest": "sha256:simulation-serverless",
-    "changed": 2
-  },
-  "diffs": [
-    {
-      "findingId": "library:pkg/aws-lambda@1.0.0",
-      "baselineStatus": "Pass",
-      "projectedStatus": "Blocked",
-      "rule": "block_any_high",
-      "notes": "Serverless workloads block High+ severities."
-    },
-    {
-      "findingId": "image:sha256:untrusted-base",
-      "baselineStatus": "Pass",
-      "projectedStatus": "Blocked",
-      "rule": "forbid_unpinned_base",
-      "notes": "Base image must be pinned (no :latest)."
-    }
-  ]
-}
+{
+  "summary": {
+    "policy": "serverless",
+    "policyDigest": "sha256:simulation-serverless",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_any_high",
+      "notes": "Serverless workloads block High+ severities."
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "forbid_unpinned_base",
+      "notes": "Base image must be pinned (no :latest)."
+    }
+  ]
+}
--- a/samples/policy/simulations/serverless/scenario.json
+++ b/samples/policy/simulations/serverless/scenario.json
@@ -1,23 +1,23 @@
-{
-  "name": "serverless",
-  "policyPath": "docs/examples/policies/serverless.yaml",
-  "findings": [
-    {
-      "findingId": "library:pkg/aws-lambda@1.0.0",
-      "severity": "High",
-      "source": "NVD",
-      "environment": "serverless"
-    },
-    {
-      "findingId": "image:sha256:untrusted-base",
-      "severity": "Medium",
-      "source": "NVD",
-      "tags": ["image:latest-tag"],
-      "environment": "serverless"
-    }
-  ],
-  "expectedDiffs": [
-    { "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
-    { "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
-  ]
-}
+{
+  "name": "serverless",
+  "policyPath": "docs/examples/policies/serverless.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "severity": "High",
+      "source": "NVD",
+      "environment": "serverless"
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "severity": "Medium",
+      "source": "NVD",
+      "tags": ["image:latest-tag"],
+      "environment": "serverless"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
+    { "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
+  ]
+}