Repository record (GitHub, synced 2025-05-13): https://github.com/rusakovichma/TicTaaC

* Description: Easy-to-use Threat modeling-as-a-Code (TaaC) solution following DevSecOps principles. Simple CI/CD integration as well as console usage. Sugar-free and secure: no external dependencies are used except for chart plotting.
* Language: Java; license: Apache-2.0 (LICENSE.txt); security policy: SECURITY.md; default branch: master
* Stars: 55; forks: 16; open issues: 5; tags: 3
* Created: 2021-08-26; last push: 2024-06-26
* Topics: application-security, appsec, devsecops, secure-development, threat, threat-model, threat-modeling, threat-modeling-from-code, threat-modeling-tool, threat-models
* Listed under: Tools / Free tools (awesome.ecosyste.ms)
* Source archive: https://codeload.github.com/rusakovichma/TicTaaC/tar.gz/refs/heads/master

# [![TicTaaC](https://raw.githubusercontent.com/rusakovichma/TicTaaC/master/etc/tic-taac-logo-40per.png)](https://github.com/rusakovichma/TicTaaC) [![Join the chat at https://gitter.im/TicTaaC/TicTaaC-support](https://badges.gitter.im/TicTaaC/TicTaaC-support.svg)](https://gitter.im/TicTaaC/TicTaaC-support?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![CI](https://github.com/rusakovichma/TicTaaC/actions/workflows/ci.yml/badge.svg)](https://github.com/rusakovichma/TicTaaC/actions/workflows/ci.yml) [![Testing](https://github.com/rusakovichma/TicTaaC/actions/workflows/tests.yml/badge.svg)](https://github.com/rusakovichma/TicTaaC/actions/workflows/tests.yml)
<br> Threat modeling-as-a-Code in a Tick (TicTaaC)
Lightweight and easy-to-use Threat modeling solution following DevSecOps principles

## Preface
"One day the customer asked us to perform threat modeling for our product. Of course, we had heard about it a lot
from different teams; I had even read several articles and looked through a book to get familiar with this process,
but they were too abstract for me and didn't give me any certainty at all. Then we came across several enterprise-level
products which theoretically would help us, but we didn't want to deploy a whole security program because of it;
we just wanted to get the prioritized threat list for our product to put into our security backlog. Nothing else."
<p align="right"><em>Anonymous Developer</em></p>

## Idea
The idea behind this product is clear: I want to create something simple that helps to solve this difficult problem.
Ideally, with <em>one click</em> or <em>a command</em>, and with the possibility of integrating it into a pipeline and running it <em>continuously</em> if needed.
Inspired by the architecture and simplicity of <em>dependency-check</em>, and bearing in mind that <em>developers just love mapping</em> everything in code, I've created <strong>"TicTaaC"</strong>, which means <em>"<strong>T</strong>hreat modeling-<strong>a</strong>s-<strong>a</strong>-<strong>C</strong>ode in a <strong>Tic</strong>k"</em>

## Usage
All the tool needs is a <strong>data flow code file</strong> written in a <em>yml-like format</em> designed specifically for this purpose.<br>
<strong>Examples</strong> of these files, with verbose comments describing every aspect, can be found [here](https://github.com/rusakovichma/TicTaaC/tree/master/expl). <br>

### Command Line
More detailed instructions can be found on the
[github wiki](https://github.com/rusakovichma/TicTaaC/wiki).
The latest CLI can be downloaded from the [releases section](https://github.com/rusakovichma/TicTaaC/releases) on github. <br>
<strong>On *nix:</strong>
```
$ ./bin/tic-taac.sh -h
$ ./bin/tic-taac.sh --out . --threatModel [path to threat model file(s) or folder to scan]
```
<strong>On Windows:</strong>
```
> .\bin\tic-taac.bat -h
> .\bin\tic-taac.bat --out . --threatModel [path to threat model file(s) or folder to scan]
```

### Docker
See the [TicTaaC Docker Hub repository](https://hub.docker.com/r/rusakovichma/tic-taac).

<strong>Quickstart on Windows:</strong>
```
> docker run --volume /D/threat-model:/threat-model --volume /D/report:/report rusakovichma/tic-taac:latest --threatModel /threat-model/ --out /report
```

<strong>*nix script:</strong>
```sh
#!/bin/sh

TT_VERSION="latest"
THREAT_MODEL_DIR="$HOME/threat-model"

# Make sure we are using the latest version
docker pull "rusakovichma/tic-taac:$TT_VERSION"

# Run as the calling user so the generated report files are not root-owned
docker run --rm \
    -e user="$USER" \
    -u "$(id -u "$USER"):$(id -g "$USER")" \
    --volume "$THREAT_MODEL_DIR:/threat-model:z" \
    --volume "$(pwd)/report:/report:z" \
    "rusakovichma/tic-taac:$TT_VERSION" \
    --threatModel /threat-model \
    --outFormat html \
    --out /report
    # Set the mitigation strategy for the corresponding threats,
    # see https://github.com/rusakovichma/TicTaaC/blob/master/expl/mitigations.yml
    # --mitigations /threat-model/mitigations.yml
    # or set the folder to scan for mitigations files: --mitigations /mitigations
```
### Jenkins pipeline
For TicTaaC usage in a Jenkins pipeline, see the [Jenkinsfile example](https://github.com/rusakovichma/TicTaaC/blob/master/cicd/Jenkinsfile).

## Data Flow Examples
* [Simple Threat Model](https://github.com/rusakovichma/TicTaaC/blob/master/expl/simpest-threat-model.yml)
* [Intermediate Model](https://github.com/rusakovichma/TicTaaC/blob/master/expl/intermediate-threat-model.yml)
* [Advanced Model](https://github.com/rusakovichma/TicTaaC/blob/master/expl/advanced-threat-model.yml)

## Generated report example
![Threat Modeling Report Example](https://raw.githubusercontent.com/rusakovichma/TicTaaC/master/etc/threat-modeling-report-example.png)

## Features
* [x] Automatic data flow diagram generation in the report
* [x] Ideal for security teams: the [threats library logic](https://github.com/rusakovichma/TicTaaC/blob/master/src/main/resources/threats-library/default-threats-library.yml) can be customized in a separate file, with support for a special expression language
* [x] Suitable for [CI/CD pipeline integration](https://github.com/rusakovichma/TicTaaC/blob/master/cicd/Jenkinsfile)
* [x] Quality gate that can block the product release if unmitigated threats are present
* [x] No *required* additional dependencies
* [x] Special [lightweight and easy-to-understand format](https://github.com/rusakovichma/TicTaaC/blob/master/expl/simpest-threat-model.yml) for describing data flows
* [x] Automatic calculation of each threat's attack vector & risk score based on the data flow context
* [x] Threat classification by OWASP Top 10 and Microsoft STRIDE
* [x] Setting the threat mitigation strategy in [one place](https://github.com/rusakovichma/TicTaaC/blob/master/expl/mitigations.yml)
* [x] Reporting in html or json format

## License

Copyright (c) Mikhail Rusakovich

Licensed under the [Apache License version 2.0](LICENSE)