Enterprise Deployment Guide

[20260310_DOCS] Runtime-aligned note: built-in compliance scanning currently covers HIPAA, SOC2, GDPR, and PCI-DSS through Enterprise-tier policy checks. Governance files remain useful for overlays, audit settings, and organizational controls, but they are not the source of the built-in compliance patterns.

This guide covers deploying Code Scalpel in enterprise environments, including organization license management, governance policies, audit logging, and multi-team setups.

Enterprise Features Overview

Enterprise tier provides:

  • Unlimited analysis depth and scope
  • Full governance and compliance controls
  • Audit logging for compliance (SOC 2, ISO 27001)
  • Multi-team license management
  • Priority support and SLAs
  • Custom security rules
  • Graph query language for complex analysis

License Management

Organization License Setup

  1. Receive License

Your organization license comes as a JWT file from your account manager.

  2. Centralized Deployment

# Create license directory
sudo mkdir -p /opt/code-scalpel/licenses

# Copy license file
sudo cp code_scalpel_license_enterprise.jwt /opt/code-scalpel/licenses/

# Set permissions
sudo chmod 644 /opt/code-scalpel/licenses/*.jwt

  3. Configure Organization-Wide

# /etc/profile.d/code-scalpel.sh
export CODE_SCALPEL_LICENSE_PATH="/opt/code-scalpel/licenses/code_scalpel_license_enterprise.jwt"

License Verification

# Verify license
code-scalpel license info

# Expected output
License Information:
  Tier: Enterprise
  Organization: YourCompany Inc.
  Valid Until: 2027-01-15
  Seats: 500
  Features:
    - Unlimited depth analysis
    - Cross-file security scanning
    - Graph query language
    - Audit logging
    - Custom governance policies

Multi-Seat Management

Enterprise licenses support multiple seats:

# License features
organization: "YourCompany Inc."
seats: 500
seat_tracking: true
usage_reporting: weekly

Track usage through the admin dashboard:

# View seat usage
code-scalpel admin seats --status

# Output
Seat Usage:
  Total: 500
  Active: 247
  Available: 253
  Peak (30 days): 312

Governance Configuration

Full Governance Setup

# .code-scalpel/governance.yaml
version: "1.0"
profile: "enterprise"

# Security policies
security:
  enabled: true

  # Vulnerability severity thresholds
  fail_on_severity: "high"

  # Required security checks
  required_checks:
    - sql_injection
    - xss
    - command_injection
    - path_traversal
    - secrets_detection

  # Custom sinks for your codebase
  custom_sinks:
    - name: "internal_api"
      patterns:
        - "internal_api.call(*)"
        - "InternalService.request(*)"
      sensitivity: "HIGH"

  # Custom sanitizers
  sanitizers:
    - name: "company_sanitizer"
      patterns:
        - "security.sanitize(*)"
        - "validate_and_escape(*)"
      neutralizes:
        - "XSS"
        - "SQL_INJECTION"

# Modification policies
modification:
  enabled: true

  # Require backup before any modification
  require_backup: true

  # Protected patterns (cannot be modified without approval)
  protected_patterns:
    - "src/security/**"
    - "src/auth/**"
    - "config/production.py"

  # Require approval for sensitive changes
  approval_required:
    - pattern: "**/*.pem"
      approvers: ["security-team"]
    - pattern: "src/payments/**"
      approvers: ["payments-team", "security-team"]

# Compliance overlay settings
compliance:
  # Optional organization-specific overlays that supplement
  # built-in Enterprise compliance standards (HIPAA, SOC2, GDPR, PCI-DSS).
  custom_rules:
    - id: "ORG001"
      description: "Require internal data classification comment on export jobs"
      severity: "warning"

  # Audit retention
  audit_retention_days: 365

  # Required metadata in reports
  required_metadata:
    - timestamp
    - user
    - tool_version
    - file_hash

# Audit configuration
audit:
  enabled: true

  # What to log
  log_events:
    - tool_invocation
    - security_findings
    - code_modifications
    - configuration_changes

  # Destinations
  destinations:
    - type: "file"
      path: "/var/log/code-scalpel/audit.log"
      format: "json"

    - type: "syslog"
      host: "syslog.internal.company.com"
      port: 514
      protocol: "tcp"

    - type: "splunk"
      hec_endpoint: "https://splunk.company.com:8088"
      token_env: "SPLUNK_HEC_TOKEN"
      index: "security"

Policy File Integrity

Ensure governance files haven't been tampered with:

# AI prompt
"Verify the integrity of our governance configuration"

Uses verify_policy_integrity:

{
  "verification_results": {
    "governance.yaml": {
      "status": "VALID",
      "hash": "sha256:abc123...",
      "last_modified": "2025-01-15T10:30:00Z"
    },
    "limits.toml": {
      "status": "VALID",
      "hash": "sha256:def456..."
    }
  },
  "all_valid": true
}
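The check behind that output can be reproduced outside the tool, which is useful when the verification itself runs from CI or an audit host. The following is an added example, not Code Scalpel's own verify_policy_integrity implementation: it hashes each governed file, compares it with a manifest of approved digests (the manifest format and the MISSING/TAMPERED statuses are assumptions), and reports in the same shape as above.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Digest in the "sha256:<hex>" form shown in the verification output above."""
    return "sha256:" + hashlib.sha256(Path(path).read_bytes()).hexdigest()


def verify_policy_integrity(policy_dir, manifest):
    """Compare each governed file against its expected digest.

    `manifest` maps file name -> expected digest. It is assumed to live outside
    the policy directory (for example in the audit store); an actor who can edit
    the policy must not be able to edit the manifest as well.
    """
    policy_dir = Path(policy_dir)
    results = {}
    for name, expected in manifest.items():
        target = policy_dir / name
        if not target.is_file():
            results[name] = {"status": "MISSING"}
            continue
        actual = sha256_of(target)
        mtime = datetime.fromtimestamp(target.stat().st_mtime, timezone.utc)
        results[name] = {
            "status": "VALID" if actual == expected else "TAMPERED",
            "hash": actual,
            "last_modified": mtime.isoformat(timespec="seconds"),
        }
    all_valid = all(r["status"] == "VALID" for r in results.values())
    return {"verification_results": results, "all_valid": all_valid}


def demo():
    """Constructed scenario: record a manifest, then relax a limit behind its back."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "governance.yaml").write_text('version: "1.0"\nprofile: "enterprise"\n')
        (d / "limits.toml").write_text("[limits]\nmax_depth = 10\n")
        manifest = {n: sha256_of(d / n) for n in ("governance.yaml", "limits.toml")}
        before = verify_policy_integrity(d, manifest)
        # Unauthorised edit of a governed file, plus a file the manifest expects
        # but that was never deployed.
        (d / "limits.toml").write_text("[limits]\nmax_depth = 999\n")
        manifest["ci.toml"] = "sha256:placeholder"
        after = verify_policy_integrity(d, manifest)
    return before, after
```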

Audit Logging

Audit Log Format

{
  "timestamp": "2025-02-01T14:30:00.123Z",
  "event_type": "tool_invocation",
  "tool": "cross_file_security_scan",
  "user": "alice@company.com",
  "machine": "dev-workstation-042",
  "parameters": {
    "project_root": "/home/alice/project",
    "max_depth": 10
  },
  "result": {
    "status": "success",
    "vulnerabilities_found": 3,
    "duration_ms": 2450
  },
  "metadata": {
    "tool_version": "1.3.0",
    "license_id": "ent-12345",
    "correlation_id": "req-abc-123"
  }
}
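Once the audit stream reaches a SIEM, the governance settings from the previous section become detection rules. Here is an added example (not part of the product) that reads JSON Lines audit events in the format above and raises alerts when a scan reports findings, when a code_modifications event touches a protected_patterns path, or when a change under approval_required lacks one of the listed approver teams. The sample lines are constructed, and the "files" and "approved_by" fields on modification events are assumptions; the page does not define those fields.

```python
import fnmatch
import json

# Governance settings copied from the governance.yaml example on this page.
PROTECTED_PATTERNS = ["src/security/**", "src/auth/**", "config/production.py"]
APPROVAL_REQUIRED = {"**/*.pem": ["security-team"],
                     "src/payments/**": ["payments-team", "security-team"]}

# Constructed sample audit lines in the page's JSON format. The "files" and
# "approved_by" fields on code_modifications events are assumptions.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2025-02-01T14:30:00.123Z", "event_type": "tool_invocation", "tool": "cross_file_security_scan", "user": "alice@company.com", "result": {"status": "success", "vulnerabilities_found": 3}, "metadata": {"correlation_id": "req-abc-123"}}
{"timestamp": "2025-02-01T14:31:10.000Z", "event_type": "code_modifications", "user": "bob@company.com", "files": ["src/auth/session.py"], "approved_by": [], "metadata": {"correlation_id": "req-abc-124"}}
{"timestamp": "2025-02-01T14:32:00.000Z", "event_type": "code_modifications", "user": "carol@company.com", "files": ["src/payments/refund.py"], "approved_by": ["payments-team"], "metadata": {"correlation_id": "req-abc-125"}}
{"timestamp": "2025-02-01T14:33:00.000Z", "event_type": "code_modifications", "user": "dave@company.com", "files": ["src/utils/strings.py"], "approved_by": [], "metadata": {"correlation_id": "req-abc-126"}}
"""

def _match(path, pattern):
    # fnmatch's "*" also matches "/", so "src/auth/**" covers nested paths.
    return fnmatch.fnmatchcase(path, pattern)

def check_event(event):
    """Return (kind, detail) alerts for one audit event."""
    alerts = []
    etype = event.get("event_type")
    if etype == "tool_invocation":
        found = event.get("result", {}).get("vulnerabilities_found", 0)
        if found > 0:
            alerts.append(("FINDINGS", f"{event.get('tool')} reported {found}"))
    elif etype == "code_modifications":
        approved = set(event.get("approved_by", []))
        for path in event.get("files", []):
            if any(_match(path, p) for p in PROTECTED_PATTERNS):
                alerts.append(("PROTECTED_PATH", path))
            for pattern, teams in APPROVAL_REQUIRED.items():
                if _match(path, pattern) and not approved & set(teams):
                    alerts.append(("MISSING_APPROVAL", path))
    return alerts

def scan_audit_log(text):
    """Run the rules over JSON Lines audit output, keeping user and correlation id."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for kind, detail in check_event(event):
            alerts.append({"kind": kind, "detail": detail, "user": event.get("user"),
                           "correlation_id": event.get("metadata", {}).get("correlation_id")})
    return alerts
```

Keeping correlation_id on every alert lets an analyst pivot back to the full event in Splunk or Elasticsearch without re-parsing the file.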

SIEM Integration

Splunk

audit:
  destinations:
    - type: "splunk"
      hec_endpoint: "https://splunk.company.com:8088/services/collector"
      token_env: "SPLUNK_HEC_TOKEN"
      index: "code_security"
      source: "code-scalpel"
      sourcetype: "_json"

Elasticsearch

audit:
  destinations:
    - type: "elasticsearch"
      hosts:
        - "https://es1.company.com:9200"
        - "https://es2.company.com:9200"
      index_pattern: "code-scalpel-audit-%Y.%m"
      auth:
        username_env: "ES_USER"
        password_env: "ES_PASS"

Datadog

audit:
  destinations:
    - type: "datadog"
      api_key_env: "DD_API_KEY"
      site: "datadoghq.com"
      service: "code-scalpel"
      env: "production"

Compliance Reports

Enterprise compliance reports are generated from the built-in policy engine checks. Lower tiers do not return a degraded version of these reports; the request returns an explicit upgrade_required response instead.

Generate compliance reports:

# Generate SOC 2 compliance report
code-scalpel compliance report --standard soc2 --period 2025-Q1

# Generate HIPAA report
code-scalpel compliance report --standard hipaa --output hipaa_report.pdf

Multi-Team Setup

Team-Specific Configurations

organization/
├── .code-scalpel/
│   ├── governance.yaml       # Organization-wide policies
│   └── limits.toml           # Organization limits
├── team-backend/
│   └── .code-scalpel/
│       └── config.json       # Team-specific settings
├── team-frontend/
│   └── .code-scalpel/
│       └── config.json
└── team-data/
    └── .code-scalpel/
        └── config.json

Configuration Inheritance

Team configs inherit from organization:

// team-backend/.code-scalpel/config.json
{
  "inherit_from": "../../.code-scalpel",
  "project_name": "Backend Services",
  "language": "python",
  "analysis": {
    "exclude_patterns": [
      "migrations/**",
      "tests/**"
    ]
  },
  "security": {
    "additional_sinks": [
      "database.raw_query(*)"
    ]
  }
}

Access Control

# .code-scalpel/governance.yaml
access_control:
  roles:
    - name: "developer"
      permissions:
        - "analyze:read"
        - "extract:read"
        - "security:read"

    - name: "security_engineer"
      permissions:
        - "analyze:*"
        - "security:*"
        - "audit:read"

    - name: "admin"
      permissions:
        - "*"

  role_mappings:
    - group: "cn=developers,ou=groups,dc=company"
      role: "developer"
    - group: "cn=security,ou=groups,dc=company"
      role: "security_engineer"
    - group: "cn=platform,ou=groups,dc=company"
      role: "admin"
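Before rolling a role mapping out, it is worth checking what each directory group actually unlocks. The following added example (not Code Scalpel's own authorization code) resolves groups to roles using the mapping above and evaluates "area:action" permissions against the role patterns with fnmatch-style wildcards; that matching rule and the permission catalogue are assumptions made for the example.

```python
import fnmatch

# Roles and group mappings copied from the access_control example above.
ROLES = {
    "developer": ["analyze:read", "extract:read", "security:read"],
    "security_engineer": ["analyze:*", "security:*", "audit:read"],
    "admin": ["*"],
}
ROLE_MAPPINGS = {
    "cn=developers,ou=groups,dc=company": "developer",
    "cn=security,ou=groups,dc=company": "security_engineer",
    "cn=platform,ou=groups,dc=company": "admin",
}

# Assumed catalogue of permissions the tool can ask for (not from the page).
CATALOGUE = ["analyze:read", "analyze:write", "extract:read", "security:read",
             "security:write", "audit:read", "audit:write", "admin:manage"]


def roles_for(groups):
    """Resolve a user's directory groups to roles; unmapped groups grant nothing."""
    return sorted({ROLE_MAPPINGS[g] for g in groups if g in ROLE_MAPPINGS})


def is_allowed(groups, permission):
    """True if any permission pattern of any resolved role covers the request.

    Patterns are matched with fnmatch wildcards, so "security:*" covers
    "security:write" and "*" covers everything (an assumption for this example).
    """
    return any(fnmatch.fnmatchcase(permission, pattern)
               for role in roles_for(groups) for pattern in ROLES[role])


def effective_permissions(groups, catalogue=CATALOGUE):
    """Which catalogue entries the groups unlock; use this to review least privilege."""
    return [p for p in catalogue if is_allowed(groups, p)]
```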

Deployment Options

Docker Deployment

# docker-compose.yml
version: '3.8'

services:
  code-scalpel:
    image: codescalpel/code-scalpel-enterprise:latest
    environment:
      - CODE_SCALPEL_LICENSE_PATH=/licenses/enterprise.jwt
      - CODE_SCALPEL_AUDIT_ENABLED=true
      - CODE_SCALPEL_LOG_LEVEL=info
    volumes:
      - ./licenses:/licenses:ro
      - ./config:/etc/code-scalpel:ro
      - ./logs:/var/log/code-scalpel
      - /projects:/workspace:ro
    restart: unless-stopped

  audit-collector:
    image: fluent/fluent-bit:latest
    volumes:
      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro
      - ./logs:/var/log/code-scalpel:ro
    depends_on:
      - code-scalpel

Kubernetes Deployment

# k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: code-scalpel
  namespace: dev-tools
spec:
  replicas: 3
  selector:
    matchLabels:
      app: code-scalpel
  template:
    metadata:
      labels:
        app: code-scalpel
    spec:
      containers:
      - name: code-scalpel
        image: codescalpel/code-scalpel-enterprise:1.3.0
        env:
        - name: CODE_SCALPEL_LICENSE_PATH
          value: /licenses/enterprise.jwt
        volumeMounts:
        - name: license
          mountPath: /licenses
          readOnly: true
        - name: config
          mountPath: /etc/code-scalpel
          readOnly: true
        resources:
          requests:
            memory: "1Gi"
            cpu: "500m"
          limits:
            memory: "4Gi"
            cpu: "2000m"
      volumes:
      - name: license
        secret:
          secretName: code-scalpel-license
      - name: config
        configMap:
          name: code-scalpel-config

---
apiVersion: v1
kind: Secret
metadata:
  name: code-scalpel-license
  namespace: dev-tools
type: Opaque
data:
  enterprise.jwt: <base64-encoded-license>

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: code-scalpel-config
  namespace: dev-tools
data:
  config.json: |
    {
      "project_name": "Organization",
      "analysis": {
        "max_file_size_mb": 50
      }
    }

IDE Integration for Teams

Standardized VS Code settings:

// .vscode/settings.json (committed to repo)
{
  "code-scalpel.licensePath": "${workspaceFolder}/../.licenses/enterprise.jwt",
  "code-scalpel.configPath": "${workspaceFolder}/.code-scalpel",
  "code-scalpel.auditEnabled": true,
  "code-scalpel.securityScanOnSave": true
}

Monitoring and Metrics

Prometheus Metrics

# Enable metrics endpoint
monitoring:
  prometheus:
    enabled: true
    port: 9090
    path: /metrics

Available metrics:

# Tool invocation counter
code_scalpel_tool_invocations_total{tool="security_scan",status="success"}

# Vulnerability detection
code_scalpel_vulnerabilities_detected{severity="critical",type="sql_injection"}

# Analysis duration
code_scalpel_analysis_duration_seconds{tool="cross_file_security_scan"}

# License seat usage
code_scalpel_license_seats_used

Grafana Dashboard

Import the official Grafana dashboard:

# Download dashboard
curl -O https://codescalpel.dev/dashboards/enterprise-monitoring.json

# Import to Grafana
grafana-cli dashboards import enterprise-monitoring.json

Support and SLAs

Enterprise Support

Priority        Response Time     Resolution Target
P1 - Critical   1 hour            4 hours
P2 - High       4 hours           1 business day
P3 - Medium     1 business day    3 business days
P4 - Low        2 business days   Best effort

Support Channels

  • Email: enterprise-support@codescalpel.dev
  • Phone: +1 (888) CODE-SCALPEL
  • Portal: https://support.codescalpel.dev
  • Slack: Dedicated channel (on request)

Custom Development

Enterprise customers can request:

  • Custom security rules and sinks
  • Integration with internal tools
  • Custom compliance reports
  • On-premise deployment support
  • Training and workshops

Next Steps