Implementation Examples and Templates
This document provides practical implementation examples and ready-to-use templates for various use cases and environments.
Table of Contents
- Quick Start Templates
- Environment-Specific Configurations
- Framework-Specific Examples
- Language-Specific Configurations
- Real-World Use Cases
- Troubleshooting Examples
Quick Start Templates
Basic Security Scan
Minimal setup for quick security assessment:
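#!/bin/bash
# quick-scan.sh - Basic security scan script
#
# Fetches the Kestrel binary if it is missing, installs Semgrep if it is
# missing, runs a FIPS 140-3 scan of the current directory and writes an
# HTML report.
#
# Usage:   ./quick-scan.sh
# Outputs: security-report.html in the current directory
# Exit:    non-zero if any download, install or scan step fails
set -euo pipefail

readonly KESTREL_URL="https://github.com/harekrishnarai/kestrel/releases/latest/download/kestrel-linux-amd64"
readonly REPORT="security-report.html"

echo "Kestrel Quick Security Scan"
echo "=============================="

# Download Kestrel if not present.
# -f makes curl fail on an HTTP error instead of saving the error page under
# the binary's name (and then marking it executable); -sS stays quiet but
# still reports failures.
# NOTE(review): this fetches the floating "latest" release with no integrity
# check. Beyond a one-off trial, pin a release tag and verify the checksum or
# signature the project publishes (e.g. sha256sum against
# <EXPECTED_SHA256 placeholder>) before the chmod.
if [ ! -f "./kestrel" ]; then
  echo "Downloading Kestrel..."
  curl -fsSL "$KESTREL_URL" -o kestrel
  chmod +x kestrel
fi

# Install Semgrep if not present (command -v is the portable "is it installed?" test)
if ! command -v semgrep >/dev/null 2>&1; then
  echo "Installing Semgrep..."
  python3 -m pip install semgrep
fi

# Run basic scan
echo "Running security scan..."
./kestrel scan --path . --frameworks fips_140_3 --html --output "$REPORT"

echo "Scan completed! Report saved to: $REPORT"
echo "Open the report: firefox $REPORT"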
Docker One-Liner
Single command Docker scan:
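# Quick Docker scan
# Mounts the current directory into the container at /workspace and points the
# scanner at it. "$PWD" is quoted so a path containing spaces does not split
# the -v argument into several words.
# NOTE(review): the mount is read-write; if the image writes its report
# somewhere other than /workspace, ":ro" would stop the scanner from touching
# the source tree — confirm where the image writes output before adding it.
# The kestrel:latest tag is floating; pin an image digest
# (kestrel@sha256:<DIGEST placeholder>) for reproducible runs.
docker run --rm -v "$PWD":/workspace \
  -e SCAN_PATH=/workspace \
  -e OUTPUT_FORMAT=html \
  kestrel:latest

# With custom frameworks (comma-separated list passed through FRAMEWORKS)
docker run --rm -v "$PWD":/workspace \
  -e SCAN_PATH=/workspace \
  -e OUTPUT_FORMAT=html \
  -e FRAMEWORKS=fips_140_3,pci_dss_4 \
  kestrel:latest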
GitHub Actions Starter
Basic GitHub Actions workflow:
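# .github/workflows/security-scan.yml
#
# Runs Kestrel on every push and pull request, uploads the SARIF results to
# GitHub code scanning and keeps a copy as a build artifact.
name: Security Scan

on: [push, pull_request]

# Least-privilege token for the job: upload-sarif needs security-events: write,
# checkout only needs to read the repository. Without this block the upload
# step fails on repositories whose default token permissions are read-only.
permissions:
  contents: read
  security-events: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by major-version tag; pinning to a full commit
      # SHA gives a stronger supply-chain guarantee.
      - uses: actions/checkout@v4

      - name: Run Kestrel
        # -f makes curl fail on an HTTP error instead of saving the error page
        # as the binary. NOTE(review): the floating "latest" release is fetched
        # with no integrity check; pin a release tag and verify the published
        # checksum before running the binary in CI.
        run: |
          set -euo pipefail
          curl -fsSL https://github.com/harekrishnarai/kestrel/releases/latest/download/kestrel-linux-amd64 -o kestrel
          chmod +x kestrel
          python3 -m pip install semgrep
          ./kestrel scan --path . --sarif --output results.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Upload SARIF as artifact
        uses: actions/upload-artifact@v4
        with:
          name: kestrel-sarif
          path: results.sarif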
Environment-Specific Configurations
Development Environment
dev-config.yaml
# Development environment configuration
# NOTE(review): the section nesting below was reconstructed from the key
# names; confirm it against the schema Kestrel actually reads.
scan:
  frameworks:
    - fips_140_3
    - owasp_crypto
  min_severity: low
  include_patterns:
    - "src/**/*.go"
    - "src/**/*.py"
    - "src/**/*.js"
  exclude_patterns:
    - "*_test.go"
    - "test_*.py"
    - "node_modules/**"
    - "vendor/**"

html:
  theme: light
  enable_charts: true
  chart_types: ["severity", "languages"]

# Permissive policy: nothing fails the run in development.
policy:
  fail_on_critical: false
  fail_on_high: false
  max_violations: 1000

notifications:
  # Presumably expanded from the environment at load time — verify. Either
  # way the webhook secret stays out of the committed file.
  slack_webhook: "${DEV_SLACK_WEBHOOK}"
  channels: ["#dev-security"]
Development scan script:
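#!/bin/bash
# dev-scan.sh - development-environment scan driven by dev-config.yaml
#
# Writes a dated HTML report with charts under reports/ and logs verbosely.
# Exits non-zero if the scan fails.
set -euo pipefail

# Stamp computed once so every use of it in this run agrees.
report_date=$(date +%Y%m%d)
# Make sure the output directory exists (whether --output creates it is not
# documented here).
mkdir -p reports

./kestrel scan \
  --config dev-config.yaml \
  --path . \
  --html \
  --output "reports/dev-security-${report_date}.html" \
  --html-charts \
  --verbose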
Staging Environment
staging-config.yaml
# Staging environment configuration
# NOTE(review): the section nesting below was reconstructed from the key
# names; confirm it against the schema Kestrel actually reads.
scan:
  frameworks:
    - fips_140_3
    - pci_dss_4
    - company_policy
  min_severity: medium
  timeout: 600 # 10 minutes

policy:
  # Critical findings fail the run; the max_* caps presumably bound how many
  # high/medium findings are tolerated — verify against the policy docs.
  fail_on_critical: true
  fail_on_high: false
  max_high_violations: 5
  max_medium_violations: 20

reporting:
  formats: ["html", "json", "sarif"]
  html_theme: corporate
  include_trends: true

notifications:
  email_recipients:
    - staging-team@company.com
  # Presumably expanded from the environment at load time — verify.
  slack_webhook: "${STAGING_SLACK_WEBHOOK}"
  alert_on_critical: true
Production Environment
prod-config.yaml
# Production environment configuration
# NOTE(review): the section nesting below was reconstructed from the key
# names; confirm it against the schema Kestrel actually reads.
scan:
  frameworks:
    - fips_140_3
    - pci_dss_4
    - sox_crypto
    - company_policy
  min_severity: high
  timeout: 1800 # 30 minutes
  parallel_workers: 4

policy:
  # Strictest gate of the three environments: any critical finding fails the
  # run and at most two high findings are tolerated.
  fail_on_critical: true
  fail_on_high: true
  max_critical_violations: 0
  max_high_violations: 2
  compliance_threshold: 95

security:
  # Hardening options; their exact semantics are not documented on this page —
  # verify before relying on them as audit controls.
  require_signed_commits: true
  audit_log: true
  evidence_retention: "7_years"

notifications:
  # Presumably expanded from the environment at load time — verify. The
  # integration key itself must never be committed in this file.
  pagerduty_key: "${PAGERDUTY_INTEGRATION_KEY}"
  email_recipients:
    - security-team@company.com
    - ciso@company.com
  escalation_matrix:
    critical: ["security_oncall", "ciso"]
    high: ["security_team"]
Framework-Specific Examples
FIPS 140-3 Compliance
fips-scan.sh
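#!/bin/bash
# FIPS 140-3 compliance scan
#
# Produces a dated HTML report and a JSON report under reports/, then exits 1
# when the JSON compliance_score is below THRESHOLD.
# Requires: ./kestrel, jq
set -euo pipefail

readonly THRESHOLD=90   # minimum acceptable compliance score, in percent
report_date=$(date +%Y%m%d)
mkdir -p reports

echo "FIPS 140-3 Cryptographic Compliance Scan"
echo "========================================"

./kestrel scan \
  --path . \
  --frameworks fips_140_3 \
  --min-severity medium \
  --html \
  --output "reports/fips-compliance-${report_date}.html" \
  --html-charts \
  --report-title "FIPS 140-3 Compliance Report" \
  --report-description "Federal cryptographic standards compliance assessment"

# Generate JSON for automation
./kestrel scan \
  --path . \
  --frameworks fips_140_3 \
  --json \
  --output reports/fips-compliance.json

# Check compliance score. jq reads the file directly (no cat pipe) and does
# the numeric comparison itself, so bc is not needed; a missing or
# non-numeric score is treated as 0 and therefore fails the gate.
SCORE=$(jq -r '.compliance_score // 0' reports/fips-compliance.json)
echo "FIPS 140-3 Compliance Score: $SCORE%"
if jq -e --argjson min "$THRESHOLD" \
     '((.compliance_score // 0) | tonumber? // 0) >= $min' \
     reports/fips-compliance.json >/dev/null; then
  echo "✅ FIPS 140-3 compliance acceptable"
else
  echo "❌ FIPS 140-3 compliance below threshold (${THRESHOLD}%)"
  exit 1
fi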
PCI DSS 4.0 Compliance
pci-scan.sh
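#!/bin/bash
# PCI DSS 4.0 compliance scan
#
# Produces a dated HTML report, a SARIF file for security platforms and a JSON
# summary under reports/, then exits 1 when the JSON summary reports any
# critical finding.
# Requires: ./kestrel, jq
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "PCI DSS 4.0 Cryptographic Requirements Scan"
echo "==========================================="

./kestrel scan \
  --path . \
  --frameworks pci_dss_4 \
  --min-severity high \
  --html \
  --output "reports/pci-compliance-${report_date}.html" \
  --html-charts \
  --report-title "PCI DSS 4.0 Compliance Report" \
  --report-description "Payment Card Industry security standards compliance"

# Generate SARIF for security platforms
./kestrel scan \
  --path . \
  --frameworks pci_dss_4 \
  --sarif \
  --output reports/pci-compliance.sarif

# Generate the JSON summary the violation check reads. The SARIF file is not
# the shape the jq query below expects, and without this step
# reports/pci-compliance.json never existed, so the gate could not fire.
./kestrel scan \
  --path . \
  --frameworks pci_dss_4 \
  --json \
  --output reports/pci-compliance.json

# Check for payment-related violations
CRITICAL_COUNT=$(jq -r '.summary.critical // 0' reports/pci-compliance.json)
if [ "$CRITICAL_COUNT" -gt 0 ]; then
  echo "❌ Critical PCI DSS violations found: $CRITICAL_COUNT"
  echo "Payment processing may be at risk!"
  exit 1
fi
echo "✅ No critical PCI DSS violations found"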
SOX Compliance
sox-compliance-scan.sh
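#!/bin/bash
# SOX compliance for financial data protection
#
# Scans src/financial/ against the sox_crypto framework, writes a dated HTML
# report under reports/ and a dated JSON evidence file under evidence/, then
# appends a record of the run to audit-trail.log.
set -euo pipefail

# One stamp for the whole run so the report name logged below is the one written.
report_date=$(date +%Y%m%d)
mkdir -p reports evidence

echo "SOX Cryptographic Controls Assessment"
echo "===================================="

# Scan financial modules specifically
./kestrel scan \
  --path src/financial/ \
  --frameworks sox_crypto \
  --min-severity medium \
  --html \
  --output "reports/sox-compliance-${report_date}.html" \
  --report-title "SOX Cryptographic Controls Report" \
  --report-description "Sarbanes-Oxley Act cryptographic compliance for financial data"

# Generate evidence for auditors
./kestrel scan \
  --path src/financial/ \
  --frameworks sox_crypto \
  --json \
  --output "evidence/sox-crypto-evidence-${report_date}.json"

# Create audit trail: one record per run, appended through a single redirection.
# NOTE(review): a plain append-only text file has no integrity protection; if
# this log is used as audit evidence, forward it to a write-once or central
# log store as well.
{
  echo "SOX Compliance Scan - $(date)"
  echo "Scanned: src/financial/"
  echo "Framework: sox_crypto"
  echo "Report: reports/sox-compliance-${report_date}.html"
  echo "---"
} >> audit-trail.log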
Language-Specific Configurations
Go Project Configuration
go-project-scan.sh
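#!/bin/bash
# Go-specific cryptographic security scan
#
# Runs a framework scan and a rules-config scan over the Go sources, then
# records every crypto/tls reference in reports/tls-usage.txt.
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "Go Cryptographic Security Scan"
echo "=============================="

# Scan Go source files
./kestrel scan \
  --path . \
  --include "*.go" \
  --exclude "*_test.go,vendor/**" \
  --frameworks fips_140_3,go_crypto_best_practices \
  --html \
  --output "reports/go-crypto-${report_date}.html" \
  --report-title "Go Cryptographic Security Report"

# Check for common Go crypto issues (rules/go-crypto-rules.yaml must exist)
./kestrel scan \
  --path . \
  --include "*.go" \
  --rules-config rules/go-crypto-rules.yaml \
  --json \
  --output reports/go-specific-issues.json

# Analyze crypto/tls usage. grep exits 1 when nothing matches, which would
# abort the script under set -e, yet an empty result is a valid outcome here.
# Only exit codes above 1 (read errors etc.) are treated as failures.
echo "Analyzing crypto/tls usage patterns..."
rc=0
grep -r --include="*.go" -- "crypto/tls" . > reports/tls-usage.txt || rc=$?
if [ "$rc" -gt 1 ]; then
  echo "grep failed while collecting crypto/tls usage (exit $rc)" >&2
  exit "$rc"
fi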
Python Project Configuration
python-crypto-scan.sh
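#!/bin/bash
# Python cryptographic security scan
#
# Installs the Python analysis tools, runs a Kestrel framework scan over the
# Python sources and then bandit and safety, writing everything under reports/.
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "Python Cryptographic Security Scan"
echo "=================================="

# Install Python crypto analysis dependencies. python3 -m pip ties the install
# to the interpreter that will run the tools. For reproducible CI runs pin the
# versions (e.g. bandit==<VERSION placeholder>).
python3 -m pip install cryptography safety bandit

# Run Kestrel for crypto compliance
./kestrel scan \
  --path . \
  --include "*.py" \
  --exclude "test_*.py,*_test.py,venv/**,__pycache__/**" \
  --frameworks fips_140_3,python_crypto_guidelines \
  --html \
  --output "reports/python-crypto-${report_date}.html"

# Additional Python-specific checks. Both tools exit non-zero when they report
# findings, which under set -e would stop the script before the second tool
# ran; capture the status instead so both result files are produced.
bandit_rc=0
bandit -r . -f json -o reports/bandit-results.json || bandit_rc=$?
safety_rc=0
safety check --json --output reports/safety-results.json || safety_rc=$?

# Combine results
# NOTE(review): no actual merge is implemented yet; the exit codes are echoed
# so a caller can at least see which tool reported findings.
echo "Combining Python security scan results..."
echo "bandit exit status: $bandit_rc, safety exit status: $safety_rc"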
JavaScript/Node.js Configuration
js-crypto-scan.sh
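#!/bin/bash
# JavaScript/Node.js cryptographic security scan
#
# Installs the Node security tooling, runs a Kestrel framework scan over the
# JS/TS sources, then npm audit and the ESLint security config, writing all
# results under reports/.
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "JavaScript Cryptographic Security Scan"
echo "====================================="

# Install Node.js security tools (global install; pin versions for CI,
# e.g. audit-ci@<VERSION placeholder>)
npm install -g audit-ci eslint-plugin-security

# Run Kestrel for crypto compliance
./kestrel scan \
  --path . \
  --include "*.js,*.ts,*.jsx,*.tsx" \
  --exclude "node_modules/**,dist/**,build/**" \
  --frameworks fips_140_3,nodejs_crypto_best_practices \
  --html \
  --output "reports/js-crypto-${report_date}.html"

# NPM audit for crypto vulnerabilities. npm audit exits non-zero when it finds
# vulnerabilities at or above the audit level, so the status is captured rather
# than letting set -e abort before the ESLint step.
audit_rc=0
npm audit --audit-level moderate --json > reports/npm-audit.json || audit_rc=$?

# ESLint security rules (.eslintrc-security.js must exist); ESLint likewise
# exits non-zero on rule errors.
eslint_rc=0
eslint . --ext .js,.ts --config .eslintrc-security.js -f json -o reports/eslint-security.json || eslint_rc=$?

echo "npm audit exit status: $audit_rc, eslint exit status: $eslint_rc"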
Java Configuration
java-crypto-scan.sh
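#!/bin/bash
# Java cryptographic security scan
#
# Runs a Kestrel framework scan over the Java sources, SpotBugs when it is
# installed, and lists files referencing SecurityManager/Policy/Permission.
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "Java Cryptographic Security Scan"
echo "==============================="

# Run Kestrel for Java crypto compliance
./kestrel scan \
  --path . \
  --include "*.java" \
  --exclude "test/**,target/**" \
  --frameworks fips_140_3,java_crypto_guidelines \
  --html \
  --output "reports/java-crypto-${report_date}.html"

# SpotBugs security analysis (crypto-bugs.xml must exist). SpotBugs reports a
# non-zero status when it finds bugs, so capture it instead of aborting.
if command -v spotbugs >/dev/null 2>&1; then
  spotbugs_rc=0
  spotbugs -textui -effort:max -include crypto-bugs.xml . > reports/spotbugs-crypto.txt || spotbugs_rc=$?
  echo "spotbugs exit status: $spotbugs_rc"
fi

# Find Security Manager usage. A single recursive grep replaces one grep per
# file; -E makes the alternation portable (\| is a GNU extension). grep exits 1
# when nothing matches, which is a valid result here, so only codes above 1
# are treated as errors.
rc=0
grep -rlE --include="*.java" -- "SecurityManager|Policy|Permission" . > reports/security-manager-usage.txt || rc=$?
if [ "$rc" -gt 1 ]; then
  echo "grep failed while collecting Security Manager usage (exit $rc)" >&2
  exit "$rc"
fi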
Real-World Use Cases
Banking Application Scan
banking-compliance-scan.sh
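#!/bin/bash
# Banking application comprehensive security scan
#
# Runs a multi-framework scan of the whole tree, a critical-only PCI scan of
# src/payments/, a FIPS/SOX scan of src/accounts/, and writes an executive
# summary derived from the payment scan's JSON counts.
# Requires: ./kestrel, jq
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "Banking Application Cryptographic Compliance Scan"
echo "================================================"

# Multi-framework compliance for banking
./kestrel scan \
  --path . \
  --frameworks fips_140_3,pci_dss_4,sox_crypto,fed_crypto_guidelines \
  --min-severity high \
  --html \
  --output "reports/banking-compliance-${report_date}.html" \
  --html-charts \
  --report-title "Banking Application Security Assessment" \
  --report-description "Comprehensive cryptographic compliance for banking operations"

# Focus on payment processing modules
./kestrel scan \
  --path src/payments/ \
  --frameworks pci_dss_4 \
  --min-severity critical \
  --json \
  --output reports/payment-security.json

# Account management security
./kestrel scan \
  --path src/accounts/ \
  --frameworks fips_140_3,sox_crypto \
  --html \
  --output reports/account-security.html

# Generate executive summary. jq reads the file directly instead of via cat.
CRITICAL=$(jq -r '.summary.critical // 0' reports/payment-security.json)
HIGH=$(jq -r '.summary.high // 0' reports/payment-security.json)

# Derive the wording with if/else rather than `test && echo A || echo B`, a
# form that would fall through to B whenever the echo of A failed.
if [ "$CRITICAL" -eq 0 ]; then
  risk="ACCEPTABLE"
  pci_status="COMPLIANT"
  first_action="1. No critical issues identified"
else
  risk="REQUIRES IMMEDIATE ATTENTION"
  pci_status="NON-COMPLIANT"
  first_action="1. Address critical payment security issues immediately"
fi

# NOTE(review): the FIPS and SOX status lines are static placeholders; the
# account scan above only produces HTML, so there is no JSON to derive them from.
cat > reports/executive-summary.txt << EOF
Banking Application Security Summary
===================================
Date: $(date)

Critical Issues: $CRITICAL
High Priority Issues: $HIGH

Risk Assessment: $risk

Compliance Status:
- PCI DSS 4.0: $pci_status
- FIPS 140-3: Processing...
- SOX Controls: Processing...

Recommended Actions:
$first_action
2. Review high-priority findings
3. Schedule quarterly compliance review
EOF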
Healthcare HIPAA Compliance
healthcare-scan.sh
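#!/bin/bash
# Healthcare application HIPAA compliance scan
#
# Runs a broad HIPAA/FIPS/NIST scan of the tree, a high-severity scan of the
# PHI handling modules and a FIPS scan of the database layer, writing all
# results under reports/.
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "Healthcare HIPAA Cryptographic Compliance Scan"
echo "============================================="

# HIPAA requires strong encryption for PHI
./kestrel scan \
  --path . \
  --frameworks fips_140_3,hipaa_crypto,nist_800_111 \
  --min-severity medium \
  --html \
  --output "reports/hipaa-compliance-${report_date}.html" \
  --report-title "HIPAA Cryptographic Compliance Assessment"

# Specific PHI handling modules
./kestrel scan \
  --path src/patient-data/ \
  --frameworks hipaa_crypto \
  --min-severity high \
  --json \
  --output reports/phi-security.json

# Database encryption compliance
./kestrel scan \
  --path src/database/ \
  --include "*.sql,*.java,*.py" \
  --frameworks fips_140_3 \
  --json \
  --output reports/database-encryption.json

# Generate HIPAA compliance report
# NOTE(review): placeholder step — nothing is generated beyond this message yet.
echo "Generating HIPAA compliance documentation..."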
E-commerce Platform Scan
ecommerce-scan.sh
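#!/bin/bash
# E-commerce platform security scan
#
# Runs a PCI/FIPS scan of the whole tree, then focused scans of the payment
# gateway, customer data and API modules, writing all results under reports/.
set -euo pipefail

report_date=$(date +%Y%m%d)
mkdir -p reports

echo "E-commerce Platform Security Scan"
echo "================================"

# PCI DSS compliance for payment processing
./kestrel scan \
  --path . \
  --frameworks pci_dss_4,fips_140_3 \
  --html \
  --output "reports/ecommerce-security-${report_date}.html" \
  --report-title "E-commerce Security Assessment"

# Payment gateway integration scan (critical findings only)
./kestrel scan \
  --path src/payment-gateway/ \
  --frameworks pci_dss_4 \
  --min-severity critical \
  --json \
  --output reports/payment-gateway-security.json

# Customer data protection
./kestrel scan \
  --path src/customer/ \
  --frameworks gdpr_crypto,ccpa_crypto \
  --html \
  --output reports/customer-data-protection.html

# API security assessment
./kestrel scan \
  --path src/api/ \
  --include "*.js,*.py,*.java" \
  --frameworks api_crypto_best_practices \
  --json \
  --output reports/api-security.json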
Troubleshooting Examples
Common Issues and Solutions
troubleshooting-guide.sh
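#!/bin/bash
# Kestrel troubleshooting script
#
# Walks through the common failure points (system info, Semgrep, the Kestrel
# binary, a help invocation, Semgrep's self-test and a small timed scan) and
# prints a ✅/❌ line for each. Deliberately not run under set -e: a failing
# step should be reported and the remaining checks still executed.
set -u

readonly KESTREL_URL="https://github.com/harekrishnarai/kestrel/releases/latest/download/kestrel-linux-amd64"

echo "Kestrel Troubleshooting Guide"
echo "=============================="

# Check system requirements
echo "1. Checking system requirements..."
echo "OS: $(uname -s)"
echo "Architecture: $(uname -m)"
# awk selects the Mem row itself (no grep pipe); free is Linux-only, so say so
# instead of printing an empty value elsewhere.
if command -v free >/dev/null 2>&1; then
  echo "Available memory: $(free -h | awk '/^Mem:/ {print $7}')"
else
  echo "Available memory: unknown (free not available on this system)"
fi

# Check Semgrep installation
echo "2. Checking Semgrep installation..."
if command -v semgrep >/dev/null 2>&1; then
  echo "✅ Semgrep version: $(semgrep --version)"
else
  echo "❌ Semgrep not found. Installing..."
  python3 -m pip install semgrep
fi

# Check Kestrel binary. -f makes curl fail on an HTTP error rather than saving
# the error page as the binary. NOTE(review): no integrity check is done on
# the download; pin a release and verify its published checksum for real use.
echo "3. Checking Kestrel binary..."
if [ -f "./kestrel" ]; then
  echo "✅ Kestrel binary found"
  chmod +x ./kestrel
else
  echo "❌ Kestrel binary not found. Downloading..."
  curl -fsSL "$KESTREL_URL" -o kestrel
  chmod +x kestrel
fi

# Test basic functionality
echo "4. Testing basic functionality..."
if ./kestrel --help > /dev/null 2>&1; then
  echo "✅ Kestrel help command works"
else
  echo "❌ Kestrel help command failed"
  echo "Debugging information:"
  ldd ./kestrel 2>&1 || echo "Dynamic library check failed"
fi

# Test Semgrep connectivity
# NOTE(review): `semgrep --test` exercises the rule test-runner rather than
# network reachability — confirm this is the probe intended here.
echo "5. Testing Semgrep connectivity..."
if semgrep --test > /dev/null 2>&1; then
  echo "✅ Semgrep connectivity test passed"
else
  echo "❌ Semgrep connectivity test failed"
  echo "Check internet connection and proxy settings"
fi

# Performance test. The sample repo lives in a mktemp directory so the script
# never clobbers a real ./test-repo; on failure it is left in place and its
# path printed so the inputs can be inspected.
echo "6. Running performance test..."
test_dir=$(mktemp -d) || { echo "❌ mktemp failed"; exit 1; }
mkdir -p "$test_dir/test-repo"
echo 'package main; import "crypto/md5"; func main() { md5.New() }' > "$test_dir/test-repo/test.go"
if timeout 30 ./kestrel scan --path "$test_dir/test-repo" --json --output "$test_dir/test-results.json"; then
  echo "✅ Performance test passed"
  rm -rf -- "${test_dir:?}"
else
  echo "❌ Performance test failed (timeout or error)"
  echo "This may indicate performance issues or configuration problems"
  echo "Test inputs left in $test_dir for inspection"
fi

echo "Troubleshooting complete!"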
Performance Optimization
performance-optimization.sh
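#!/bin/bash
# Performance optimization for large repositories
#
# Runs a tuned scan in the background and samples the scanner's memory use
# while it is actually running, then removes this user's leftover kestrel temp
# files. Exits with the scan's own status.
set -euo pipefail

echo "Kestrel Performance Optimization"
echo "================================="

# Large repository scan with optimization, started in the background so its
# resource usage can be observed while it runs.
./kestrel scan \
  --path . \
  --parallel-workers 8 \
  --timeout 1800 \
  --semgrep-timeout 300 \
  --cache-enabled \
  --incremental \
  --exclude "vendor/**,node_modules/**,target/**,build/**,dist/**" \
  --verbose &
scan_pid=$!

# Memory usage monitoring. Sampling the scan's own PID with ps avoids the
# `ps aux | grep kestrel` pattern, which matches the grep process itself and,
# when run after the scan, no longer finds anything. `|| true` covers the
# race where the process exits between kill -0 and ps.
echo "Memory usage during scan (RSS in KB, elapsed time; sampled every 5s):"
while kill -0 "$scan_pid" 2>/dev/null; do
  ps -o rss=,etime= -p "$scan_pid" || true
  sleep 5
done
# Propagate the scan's exit status (set -e does not watch background jobs).
wait "$scan_pid"

# Disk space check: remove only this user's kestrel temp files.
echo "Temporary files cleanup:"
find /tmp -name "*kestrel*" -type f -user "$(id -un)" -delete 2>/dev/null || true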
CI/CD Integration Debugging
ci-debug.sh
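#!/bin/bash
# CI/CD integration debugging script
#
# Prints the CI-related environment, connectivity, permissions, tool
# availability and disk space, then runs a minimal scan in a temp directory.
# Deliberately not run under set -e so every check is reported even when an
# earlier one fails.
set -u

echo "CI/CD Integration Debug Information"
echo "================================="

# Environment information. CI logs are often retained and widely readable, so
# only variables whose *name* contains a CI marker are listed, and values of
# anything that looks like a credential are redacted. The platform's own log
# masking is not relied on.
echo "Environment Variables:"
env | grep -E '^[^=]*(CI|BUILD|GITHUB|GITLAB|JENKINS)[^=]*=' | sort \
  | sed -E 's/^([^=]*(TOKEN|SECRET|KEY|PASSWORD|PASS|CREDENTIAL)[^=]*)=.*/\1=<redacted>/'

# Network connectivity (-f turns HTTP errors into a failure; -o /dev/null keeps
# the headers out of the log)
echo "Network connectivity test:"
curl -fsSI -o /dev/null https://github.com || echo "GitHub connectivity failed"
curl -fsSI -o /dev/null https://semgrep.dev || echo "Semgrep connectivity failed"

# File permissions
echo "File permissions:"
ls -la kestrel 2>/dev/null || echo "Kestrel binary not found"

# Available tools (command -v is the portable replacement for which)
echo "Available tools:"
command -v python3 || echo "Python3 not found"
command -v pip || echo "Pip not found"
command -v curl || echo "Curl not found"
command -v git || echo "Git not found"

# Disk space
echo "Disk space:"
df -h .

# Run minimal test in a mktemp directory so nothing in the workspace is
# overwritten; the trap removes it on every exit path.
echo "Running minimal test scan..."
ci_test_dir=$(mktemp -d) || { echo "❌ mktemp failed"; exit 1; }
cleanup() { rm -rf -- "${ci_test_dir:?}"; }
trap cleanup EXIT
echo "console.log('test');" > "$ci_test_dir/test.js"
if ./kestrel scan --path "$ci_test_dir" --json; then
  echo "✅ Minimal scan successful"
else
  echo "❌ Minimal scan failed"
fi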
For additional support and advanced configurations, see the CI/CD Overview.