{"id":15396624,"url":"https://github.com/hupe1980/tmac","last_synced_at":"2025-12-14T17:32:37.506Z","repository":{"id":64958822,"uuid":"579514281","full_name":"hupe1980/tmac","owner":"hupe1980","description":"Agile Threat Modeling as Code","archived":false,"fork":false,"pushed_at":"2023-01-03T12:50:48.000Z","size":2608,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-11-15T04:54:08.813Z","etag":null,"topics":["agile","appsec","cybersecurity","devsecops","jupyter-notebook","openthreatmodel","threat-modeling","threatbook","threatmodeling"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hupe1980.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-12-17T23:53:08.000Z","updated_at":"2024-03-25T13:15:36.000Z","dependencies_parsed_at":"2023-02-01T06:16:03.500Z","dependency_job_id":null,"html_url":"https://github.com/hupe1980/tmac","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Ftmac","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Ftmac/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Ftmac/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hupe1980%2Ftmac/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hupe1980","download_url":"https://codeload.github.com/hupe1980/tmac/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228546188,"owners_count":17934865,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agile","appsec","cybersecurity","devsecops","jupyter-notebook","openthreatmodel","threat-modeling","threatbook","threatmodeling"],"created_at":"2024-10-01T15:34:24.700Z","updated_at":"2025-12-14T17:32:32.457Z","avatar_url":"https://github.com/hupe1980.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tmac\n\u003e Agile Threat Modeling as Code\n- Close to the code - close to developers\n\n## Install\n```bash\npip install tmac\n```\n\n## How to use\n```bash\npython3 tmac.py\n```\n\n```python\n#!/usr/bin/env python3\n\nfrom tmac import (\n Model,\n Process,\n Protocol,\n Score,\n TableFormat,\n Technology,\n TrustBoundary,\n)\nfrom tmac.plus import Browser, Database\n\nmodel = Model(\"Demo Model\", description=\"Sample description\")\n\ninternet = TrustBoundary(model, \"Internet\")\ndmz = TrustBoundary(model, \"DMZ\")\nintranet = TrustBoundary(model, \"Intranet\")\n\nbrowser = Browser(model, \"Browser\", trust_boundary=internet)\n\nweb_server = Process(\n model,\n \"WebServer\",\n technology=Technology.WEB_APPLICATION,\n trust_boundary=dmz,\n)\n\ndatabase = Database(\n model,\n \"Database\",\n trust_boundary=intranet,\n)\n\nweb_traffic = browser.add_data_flow(\n \"WebTraffic\",\n destination=web_server,\n protocol=Protocol.HTTPS,\n)\n\nweb_traffic.transfers(\n \"UserCredentials\",\n confidentiality=Score.HIGH,\n integrity=Score.HIGH,\n availability=Score.HIGH,\n)\n\ndatabase_traffic = web_server.add_data_flow(\n \"DatabaseTraffic\",\n destination=database,\n protocol=Protocol.SQL,\n)\n\ndatabase_traffic.transfers(\n \"UserDetails\",\n confidentiality=Score.HIGH,\n integrity=Score.HIGH,\n availability=Score.HIGH,\n)\n\nprint(model.risks_table(table_format=TableFormat.GITHUB))\n```\nOutput:\n| ID | Category | Risk | Treatment |\n|------------------------------------|-------------------------|---------------------------------------------------------------------------------|-------------|\n| CAPEC-62@WebServer@WebTraffic | Subvert Access Control | Cross-Site Request Forgery (CSRF) risk at WebServer via WebTraffic from Browser | in-progress |\n| CAPEC-63@WebServer | Inject Unexpected Items | Cross-Site Scripting (XSS) risk at WebServer | accepted |\n| CAPEC-66@WebServer@DatabaseTraffic | Inject Unexpected Items | SQL Injection risk at WebServer against database Database via DatabaseTraffic | mitigated |\n|...|...|...|...|\n```python\nprint(model.create_backlog_table(table_format=TableFormat.GITHUB))\n```\nOutput:\n| ID | Category | User Story | State |\n|-----------------------------------------------|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|\n| ASVS-13.2.3@CAPEC-62@WebServer@WebTraffic | RESTful Web Service | Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, or Origin request header checks. | draft |\n| ASVS-5.3.5@CAPEC-66@WebServer@DatabaseTraffic | Output Encoding and Injection Prevention | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. | closed |\n| ASVS-1.2.3@CAPEC-62@WebServer@WebTraffic | Authentication Architecture | Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches. | in-progress |\n|...|...|...|...|\n## Jupyter Threatbooks\n\u003e Threat modeling with jupyter notebooks\n\n![threatbook.png](https://github.com/hupe1980/tmac/raw/main/.assets/threatbook.png)\n\n## Generating Diagrams\n```python\nmodel.create_data_flow_diagram()\n```\n![threatbook.png](https://github.com/hupe1980/tmac/raw/main/.assets/data-flow-diagram.png)\n\n## High level elements (tmac/plus*)\n```python\nfrom tmac.plus_aws import ApplicationLoadBalancer\n\n# ...\n\nalb = ApplicationLoadBalancer(model, \"ALB\", waf=True)\n\n```\n\n## Custom ThreatLibrary\n```python\nfrom tmac import Model, ThreatLibrary\n\nlib = ThreatLibrary()\n\nlib.add_threat(\"\"\"... your custom threats ...\"\"\")\n\nmodel = Model(\"Demo Model\", threat_library=lib)\n```\n## Examples\n\nSee more complete [examples](https://github.com/hupe1980/tmac/tree/master/examples).\n\n## Prior work and other related projects\n- [pytm](https://github.com/izar/pytm) - A Pythonic framework for threat modeling\n- [threagile](https://github.com/Threagile/threagile) - Agile Threat Modeling Toolkit\n- [cdk-threagile](https://github.com/hupe1980/cdk-threagile) - Agile Threat Modeling as Code\n- [OpenThreatModel](https://github.com/iriusrisk/OpenThreatModel) - OpenThreatModel\n\n## License\n\n[MIT](LICENSE)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhupe1980%2Ftmac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhupe1980%2Ftmac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhupe1980%2Ftmac/lists"}