# SecurityGPT Usage Examples Practical examples for using SecurityGPT in various development scenarios. ## Table of Contents 1. [Basic Usage](#basic-usage) 2. [Secure API Development](#secure-api-development) 3. [Frontend Development](#frontend-development) 4. [Database Operations](#database-operations) 5. [Security Reviews](#security-reviews) 6. [DevOps & Infrastructure](#devops--infrastructure) 7. [Advanced Patterns](#advanced-patterns) --- ## Basic Usage ### Example 1: Simple Code Generation ```python from transformers import AutoModelForCausalLM, AutoTokenizer model_name = "pki/securitygpt-14b" tokenizer = AutoTokenizer.from_pretrained(model_name, trust_remote_code=True) model = AutoModelForCausalLM.from_pretrained( model_name, device_map="auto", trust_remote_code=True ) # Simple prompt prompt = "Write a Python function to validate email addresses using regex" messages = [ {"role": "system", "content": "You are a helpful coding assistant."}, {"role": "user", "content": prompt} ] text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True) inputs = tokenizer([text], return_tensors="pt").to(model.device) outputs = model.generate(**inputs, max_new_tokens=512, temperature=0.7) response = tokenizer.decode(outputs[0], skip_special_tokens=True) print(response) ``` ### Example 2: Using Ollama CLI ```bash # Simple query ollama run securitygpt:14b "Create a FastAPI health check endpoint" # With context ollama run securitygpt:14b "Create a user authentication endpoint with JWT tokens and argon2 password hashing" # Code review ollama run securitygpt:14b "Review this code for security issues: $(cat auth.py)" ``` --- ## Secure API Development ### Example 3: FastAPI User Authentication **Prompt:** ``` Create a complete FastAPI authentication system with: - User signup endpoint with email validation - Login endpoint with JWT token generation - Password hashing using argon2 - Proper error handling - Input validation using Pydantic ``` **Expected Output Pattern:** ```python from fastapi import APIRouter, HTTPException, Depends from pydantic import BaseModel, EmailStr, Field from passlib.context import CryptContext from datetime import datetime, timedelta import jwt router = APIRouter(prefix="/api/v1/auth", tags=["authentication"]) # Password hashing with argon2 (NEVER bcrypt) pwd_context = CryptContext(schemes=["argon2"], deprecated="auto") class UserSignup(BaseModel): email: EmailStr password: str = Field(..., min_length=8) full_name: str = Field(..., min_length=2) class UserLogin(BaseModel): email: EmailStr password: str @router.post("/signup") async def signup(user: UserSignup): """Create new user with secure password hashing.""" # Validate password strength if len(user.password) < 8: raise HTTPException(400, "Password must be at least 8 characters") # Hash password with argon2 hashed_password = pwd_context.hash(user.password) # Store user in database # ... (database logic) return {"message": "User created successfully"} @router.post("/login") async def login(credentials: UserLogin): """Authenticate user and return JWT token.""" # Get user from database # user = get_user_by_email(credentials.email) # Verify password if not pwd_context.verify(credentials.password, user.hashed_password): raise HTTPException(401, "Invalid credentials") # Generate JWT token token_data = { "sub": user.email, "exp": datetime.utcnow() + timedelta(hours=24) } token = jwt.encode(token_data, SECRET_KEY, algorithm="HS256") return {"access_token": token, "token_type": "bearer"} ``` ### Example 4: API with Input Validation **Prompt:** ``` Create a FastAPI endpoint for creating blog posts with: - Title validation (max 200 chars) - Content validation - Tag validation (max 5 tags) - SQL injection prevention - Proper error responses ``` --- ## Frontend Development ### Example 5: Secure React Login Form **Prompt:** ``` Create a React login component with: - Email and password inputs - Client-side validation - XSS protection - CSRF token handling - Loading states - Error display - TypeScript types ``` **Expected Output Pattern:** ```typescript import React, { useState } from 'react'; import DOMPurify from 'dompurify'; interface LoginFormProps { onSubmit: (email: string, password: string) => Promise; csrfToken: string; } interface FormErrors { email?: string; password?: string; general?: string; } export const LoginForm: React.FC = ({ onSubmit, csrfToken }) => { const [email, setEmail] = useState(''); const [password, setPassword] = useState(''); const [errors, setErrors] = useState({}); const [loading, setLoading] = useState(false); const validateEmail = (email: string): boolean => { const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return regex.test(email); }; const handleSubmit = async (e: React.FormEvent) => { e.preventDefault(); // Clear previous errors setErrors({}); // Validate inputs const newErrors: FormErrors = {}; if (!validateEmail(email)) { newErrors.email = 'Invalid email address'; } if (password.length < 8) { newErrors.password = 'Password must be at least 8 characters'; } if (Object.keys(newErrors).length > 0) { setErrors(newErrors); return; } // Sanitize inputs (XSS protection) const cleanEmail = DOMPurify.sanitize(email); try { setLoading(true); await onSubmit(cleanEmail, password); } catch (error) { setErrors({ general: 'Login failed. Please try again.' }); } finally { setLoading(false); } }; return (
setEmail(e.target.value)} disabled={loading} required /> {errors.email && {errors.email}}
setPassword(e.target.value)} disabled={loading} required /> {errors.password && {errors.password}}
{errors.general &&
{errors.general}
}
); }; ``` ### Example 6: API Client with Error Handling **Prompt:** ``` Create a TypeScript API client class with: - Axios integration - JWT token management - Request interceptors - Error handling - Retry logic - Type safety ``` --- ## Database Operations ### Example 7: Secure SQLAlchemy Model **Prompt:** ``` Create a SQLAlchemy User model with: - Secure password storage - Email uniqueness constraint - Timestamps (created_at, updated_at) - Soft delete support - Audit logging ``` **Expected Output:** ```python from sqlalchemy import Column, Integer, String, DateTime, Boolean from sqlalchemy.ext.declarative import declarative_base from datetime import datetime from passlib.context import CryptContext Base = declarative_base() pwd_context = CryptContext(schemes=["argon2"], deprecated="auto") class User(Base): __tablename__ = "users" id = Column(Integer, primary_key=True, index=True) email = Column(String(255), unique=True, index=True, nullable=False) hashed_password = Column(String(255), nullable=False) full_name = Column(String(255)) is_active = Column(Boolean, default=True) is_deleted = Column(Boolean, default=False) created_at = Column(DateTime, default=datetime.utcnow, nullable=False) updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) def set_password(self, password: str): """Hash and set user password using argon2.""" self.hashed_password = pwd_context.hash(password) def verify_password(self, password: str) -> bool: """Verify password against stored hash.""" return pwd_context.verify(password, self.hashed_password) def soft_delete(self): """Mark user as deleted without removing from database.""" self.is_deleted = True self.is_active = False ``` ### Example 8: Database Migration **Prompt:** ``` Create an Alembic migration script to add user authentication table with proper indexes ``` --- ## Security Reviews ### Example 9: Code Security Audit **Prompt:** ``` Review this authentication code for security vulnerabilities: def login(username, password): query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'" result = db.execute(query) if result: return create_token(username) return None ``` **Expected Output:** ``` SECURITY VULNERABILITIES FOUND: 1. SQL INJECTION (CRITICAL) - Line 2: Raw string concatenation in SQL query - Attack vector: username = "admin' OR '1'='1" - Fix: Use parameterized queries or ORM 2. PLAINTEXT PASSWORDS (CRITICAL) - Line 2: Password stored/compared in plaintext - Fix: Use argon2 password hashing 3. TIMING ATTACK (MEDIUM) - Different execution paths for valid/invalid users - Fix: Use constant-time comparison SECURE IMPLEMENTATION: from sqlalchemy.orm import Session from passlib.context import CryptContext pwd_context = CryptContext(schemes=["argon2"], deprecated="auto") def login(username: str, password: str, db: Session): """Secure login with parameterized query and password hashing.""" # Parameterized query (SQL injection prevention) user = db.query(User).filter(User.username == username).first() # Constant-time check to prevent timing attacks if user is None: # Perform dummy hash to maintain constant time pwd_context.hash("dummy") return None # Verify password with argon2 if not pwd_context.verify(password, user.hashed_password): return None return create_token(user.id) ``` --- ## DevOps & Infrastructure ### Example 10: Docker Compose with Security **Prompt:** ``` Create a secure docker-compose.yml for a FastAPI app with PostgreSQL including: - Non-root users - Environment variables from secrets - Network isolation - Health checks - Resource limits ``` ### Example 11: GitLab CI/CD Pipeline **Prompt:** ``` Create a GitLab CI pipeline for a Python FastAPI app with: - Linting (flake8) - Testing (pytest) - Security scanning - Docker build - Deployment to production ``` --- ## Advanced Patterns ### Example 12: Rate Limiting Middleware **Prompt:** ``` Create FastAPI rate limiting middleware using Redis with: - IP-based limiting - Token bucket algorithm - Configurable limits - Custom error responses ``` ### Example 13: API Key Management **Prompt:** ``` Create an API key management system with: - Key generation with secure random - Key hashing for storage - Rate limiting per key - Key expiration - Usage tracking ``` ### Example 14: Multi-factor Authentication **Prompt:** ``` Implement TOTP-based 2FA for FastAPI with: - QR code generation - Token verification - Backup codes - Account recovery ``` --- ## Integration Examples ### Example 15: Using with LangChain ```python from langchain.llms import HuggingFacePipeline from transformers import AutoModelForCausalLM, AutoTokenizer, pipeline model_name = "pki/securitygpt-14b" tokenizer = AutoTokenizer.from_pretrained(model_name, trust_remote_code=True) model = AutoModelForCausalLM.from_pretrained( model_name, device_map="auto", trust_remote_code=True ) pipe = pipeline( "text-generation", model=model, tokenizer=tokenizer, max_new_tokens=1024, temperature=0.7 ) llm = HuggingFacePipeline(pipeline=pipe) # Use with LangChain from langchain.chains import LLMChain from langchain.prompts import PromptTemplate template = """Create a secure {feature} for a {framework} application. Include proper error handling and security best practices. Feature: {feature} Framework: {framework} """ prompt = PromptTemplate(template=template, input_variables=["feature", "framework"]) chain = LLMChain(llm=llm, prompt=prompt) result = chain.run(feature="user authentication", framework="FastAPI") print(result) ``` ### Example 16: Batch Processing ```python # Process multiple code generation tasks prompts = [ "Create a FastAPI endpoint for user registration", "Create a React form component for login", "Create a PostgreSQL schema for user management" ] for prompt in prompts: messages = [ {"role": "system", "content": "You are a secure coding assistant."}, {"role": "user", "content": prompt} ] text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True) inputs = tokenizer([text], return_tensors="pt").to(model.device) outputs = model.generate(**inputs, max_new_tokens=512) response = tokenizer.decode(outputs[0], skip_special_tokens=True) print(f"\n{'='*60}\nPrompt: {prompt}\n{'='*60}") print(response) ``` --- ## Tips for Best Results ### 1. Be Specific in Prompts ❌ Bad: "Create an API endpoint" ✅ Good: "Create a FastAPI POST endpoint at /api/v1/users for user registration with email validation and argon2 password hashing" ### 2. Specify Technology Stack Include framework versions and specific libraries when relevant: ``` Create a React 18 component using TypeScript and Tailwind CSS for... ``` ### 3. Request Security Features Explicitly ask for security features: ``` Create a login endpoint with argon2 password hashing, rate limiting, and CSRF protection ``` ### 4. Use System Prompts Customize the system prompt for your use case: ```python messages = [ {"role": "system", "content": "You are a senior security engineer reviewing code for vulnerabilities."}, {"role": "user", "content": "Review this authentication code..."} ] ``` ### 5. Adjust Temperature - **Low (0.1-0.3):** Deterministic, consistent code generation - **Medium (0.5-0.7):** Balanced creativity and consistency - **High (0.8-1.0):** More creative solutions, less predictable ### 6. Iterate and Refine Use follow-up prompts to refine output: ``` 1st prompt: "Create a user authentication endpoint" 2nd prompt: "Add rate limiting to prevent brute force attacks" 3rd prompt: "Add logging for security audit trail" ``` --- ## Common Patterns ### Pattern 1: Full-Stack Feature ``` Create a complete user profile feature including: - Backend: FastAPI endpoint with SQLAlchemy model - Frontend: React component with TypeScript - Database: PostgreSQL migration script - Tests: pytest for backend, Jest for frontend ``` ### Pattern 2: Security Hardening ``` Review and harden this [component] for production: - Add input validation - Implement rate limiting - Add security headers - Add audit logging - Fix any SQL injection or XSS vulnerabilities ``` ### Pattern 3: Migration/Upgrade ``` Migrate this Flask endpoint to FastAPI: - Use Pydantic for validation - Add async/await - Update to /api/v1 versioning - Add OpenAPI documentation [paste code] ``` --- ## Troubleshooting ### Issue: Model generating outdated patterns **Solution:** Explicitly specify modern versions in prompt ``` Create a FastAPI endpoint using FastAPI 0.110+ with Pydantic v2 ``` ### Issue: Output too verbose **Solution:** Lower temperature and add conciseness requirement ```python outputs = model.generate(..., temperature=0.3) # Add to prompt: "Provide concise implementation without extensive comments" ``` ### Issue: Missing security features **Solution:** Explicitly list required security features in prompt ``` Include: input validation, SQL injection prevention, XSS protection, rate limiting ``` --- ## Additional Resources - [Model Card](./MODEL_CARD.md) - Full model documentation - [Training Details](./TRAINING.md) - Training methodology - [Deployment Guide](./DEPLOYMENT.md) - Production deployment - [Hugging Face Model Hub](https://huggingface.co/pki/securitygpt-14b) --- **Need help?** Open an issue on the model repository or use the Hugging Face discussions tab.