Example of how to do threat modeling as code using Threagile.
This example repo acts as some sort of template to see the integration of Threagile into a GitHub workflow in action. Use and modify according to what fits best within your workflow. Usually, there would be a real project with real sources and other stuff. Also, such a repo contains a threagile.yaml file, which contains the threat model input (see the Threagile docs for info about this). Here we're using the Threagile example YAML file as an example threat model input.
This example repo has a GitHub workflow associated, which executes a job once the Threagile model file (threagile.yaml) changes on a push (see the .github/workflows/main.yaml file for this).
This workflow executes the run-threagile-action (published on the GitHub actions marketplace as open-source) to work on the threagile.yaml threat model file and generate the data-flow-diagram (DFD), threat model report (PDF), Excel and JSON exports, etc. on every change of threagile.yaml.
The full set of generated results is preserved as the action's artifacts (see the actions tab). Additionally, the data flow diagram and threat model report are saved within the source tree (in the folder threagile/output) for further automatic referencing from within this README.md (or any other markdown file) in the repo.
The open-source toolkit for agile threat modeling, Threagile, was used to model and analyze potential threats.
The following DFD was generated by Threagile during threat model analysis:
The following report was generated by Threagile during threat model analysis: Threat Model Report