Skip to content

Demos

Browse the screenshot tour, then pick the script that matches your audience.

Product demo

Walkthrough of the SARC portal — what an operator sees and does day-to-day.

Demo video: re-recording in progress. In the meantime, browse the screenshot tour.

Code to production — the pipeline walkthrough

Follow a single change from commit through Fides attest, change-gate, ServiceNow CR, approval, ArgoCD deploy, and post-deploy Fides snapshot.

Demo video: re-recording in progress. The written walkthrough below covers the same end-to-end scenario.

The scenario — one commit, end to end

Every demo follows the same real pipeline. It runs identically on GitLab CI, GitHub Actions, and Azure DevOps, and against any of AWS EKS, Azure AKS, GCP GKE, or local k3d — the only thing that changes is TARGET_CLOUD and the Fides environment name (<cloud>-karc-<env>).

  1. Commit + build. A change lands on the portal or podtato-head. CI builds the image, pins the OCI digest, and opens a Fides trail for the pipeline run on flow karc-pipeline.
  2. Attest. Each stage writes a Fides attestation against that trail — artifact/SBOM (CycloneDX), the security scans (SAST, SCA, container, secret, IaC via Trivy/Grype/Checkov), and the deploy attestation. Evidence is hash-chained and tamper-evident, stored in the self-hosted Evidence Vault.
  3. Change-gate. At promotion the Fides change-gate scores the trail and returns a single verdict (approve / hold) plus a 0-100 risk score computed from the org's governance controls — no green light unless controls pass and a human approver signed off.
  4. ServiceNow CR. SARC creates a Change Request carrying the Fides risk score (u_risk_score), the evidence chain link (u_fides_trail_url), and the SBOM + SARIF as attachments. Fides writes its verdict back as a work note — it advises, ServiceNow decides.
  5. Approve. qa maps to a Standard Change that auto-approves when the score is within threshold; prod maps to a Normal Change that routes to CAB for manual approval. The approval policy reads the Fides score; it does not recompute compliance.
  6. Deploy. The gitops image tag is bumped and ArgoCD syncs the app. A PreSync Fides assertion + Kyverno policy gates (change-window, vuln SLO, license) run before the workload rolls.
  7. Snapshot + drift. Post-deploy, Fides snapshots the environment and watches for drift, and a PostSync DAST scan runs. The whole trail is one auditor-ready evidence pack.

The ServiceNow integration showcase breaks down exactly what this puts inside ServiceNow — the risk score, the u_fides_* tables, CMDB reconciliation, and the auto-approve vs CAB paths.

By persona

Compliance dashboard

Banking compliance pack — 5 min

Compliance / GRC / audit director at a payment institution or regulated bank. Covers DORA, PSD2, ISO 27001, SOC 2 frameworks shipped in the pack.

Walks through the framework cards, drills into a PSD2 control, hits "evidence export" to render the auditor PDF, then opens the AUDITOR-role session.

Read the full script →

Operator dashboard

General portal demo — 10 min

Platform engineering / DevOps lead. Default audience.

Multi-cloud, multi-CI pipeline + the karc-portal feature surface. Designed to follow a typical introduction to SARC.

Read the full script →

Control mapping

Presentation deck — exec framing

Pre-demo executive framing.

Slide talking points for the 5-minute scene-setting before the live walkthrough. Covers the pain narrative, the three-layer architecture, and the demo agenda.

Read the full script →

Agent dispatch settings

MCP Gateway runbook

Technical deep dive — for the platform / principal engineer.

Full operator runbook for the MCP-Client Gateway — agentic, permissioned, audited writes against GitHub via in-cluster sidecar. Includes the post-install bug log for first-time enablement.

Read the full runbook →

By cloud target

Multi-cluster view

AWS EKS

EKS cluster + IRSA + ECR + VPC endpoints. Full SARC stack including karc-portal + podtato-head. Cost ingest via AWS Cost Explorer.

How AWS is wired →

ArgoCD apps

Azure AKS

AKS cluster + Workload Identity + Key Vault. Azure-only parallel CI via Azure DevOps in addition to GitLab.

How Azure is wired →

Cost dashboard

GCP GKE

GKE cluster + Workload Identity Federation + Secret Manager. GitHub Actions handles Terraform here.

How GCP is wired →

Environments view

Local k3d

Single-command local install for hands-on evaluation without any cloud cost. just demo-up-k3d brings the full SARC stack up on your laptop in 5 minutes.

How local k3d is wired →