{"id":23110122,"url":"https://github.com/yevh/taac-ai","last_synced_at":"2025-09-22T03:46:57.085Z","repository":{"id":215328805,"uuid":"731572951","full_name":"yevh/TaaC-AI","owner":"yevh","description":"AI-driven Threat modeling-as-a-Code (TaaC-AI)","archived":false,"fork":false,"pushed_at":"2024-06-07T10:20:03.000Z","size":11729,"stargazers_count":128,"open_issues_count":2,"forks_count":14,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-03T23:30:49.591Z","etag":null,"topics":["ai","application-security","claude-3","devsecops","gpt","gpt-3","gpt-4","llm-security","mistral-7b","secure-development","taac","threat","threat-modeling","threat-modeling-from-code","threat-modeling-tool","threat-models"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yevh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-14T11:35:26.000Z","updated_at":"2025-04-02T14:58:45.000Z","dependencies_parsed_at":"2024-03-27T16:29:10.149Z","dependency_job_id":"8bb5b86c-4bc0-4001-b63b-e9b50b40cb9c","html_url":"https://github.com/yevh/TaaC-AI","commit_stats":null,"previous_names":["yevh/taac-ai"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yevh/TaaC-AI","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yevh%2FTaaC-AI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yevh%2FTaaC-AI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yevh%2FTaaC-AI/releases","manifests_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yevh%2FTaaC-AI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yevh","download_url":"https://codeload.github.com/yevh/TaaC-AI/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yevh%2FTaaC-AI/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276342527,"owners_count":25625581,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-22T02:00:08.972Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","application-security","claude-3","devsecops","gpt","gpt-3","gpt-4","llm-security","mistral-7b","secure-development","taac","threat","threat-modeling","threat-modeling-from-code","threat-modeling-tool","threat-models"],"created_at":"2024-12-17T01:48:07.624Z","updated_at":"2025-09-22T03:46:57.030Z","avatar_url":"https://github.com/yevh.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AI-driven Threat Modeling-as-a-Code (TaaC-AI)\n\nIt leverages AI to analyze service descriptions, identify security threats, visualize data flow and suggest remediations based on the STRIDE framework and OWASP guidelines. 
The script generates an in-depth HTML report and includes a feature for manual risk assessment.\n\n## Design\n\n![design](/src/design1.png)\n\n## How It Works\n\n- **YAML File Processing:** Loads and validates a YAML file containing the service details\n- **AI Threat Analysis:** If an OpenAI API key is provided, the script uses AI to generate a comprehensive threat modeling analysis\n- **AI Threat Cross-Validation:** Various LLMs validate the results\n- **Data Flow Generation:** Automatically generates a visual representation of the data flow within the service\n- **Manual Risk Management:** Users can manually add, modify, or cross out risks in the generated report\n- **Report Generation:** Produces a detailed HTML report, including both AI-generated and manually added risks\n\n## Supported Models\n\n- GPT-3.5\n- GPT-4\n- Claude 3 Haiku\n- Mistral 7b (through ollama)\n- Gemini (Planned)\n\n## Set API Key\n\nSet the OpenAI and Anthropic API keys as the environment variables OPENAI_KEY and ANTHROPIC_KEY in your operating system\n\n[OpenAI API](https://openai.com/blog/openai-api)\n[Anthropic API](https://docs.anthropic.com/claude/reference/getting-started-with-the-api)\n\n**Linux/Mac**\n\n```bash\nexport OPENAI_KEY=sk-ApiKeyExample\n```\n\n```bash\nexport ANTHROPIC_KEY=sk-ant-api03-ApiKeyExample\n```\n\n**Windows**\n\n```bash\nset OPENAI_KEY=sk-ApiKeyExample\n```\n\n```bash\nset ANTHROPIC_KEY=sk-ant-api03-ApiKeyExample\n```\n\n## Install dependencies \n\n```bash\npip3 install -r requirements.txt\n```\n## Install Mistral and Ollama\n\n1. Download and install Ollama from [ollama.ai](https://ollama.ai)\n2. Install Mistral\n\n```bash\nollama pull mistral\n```\n3. 
Start the Ollama service (make sure the Ollama desktop app is closed)\n\n```bash\nollama serve\n```\nNow you can use mistral as the main model:\n\n```bash\npython3 TaaC-AI.py --model mistral \u003cpath_to_yaml_file\u003e\n```\nOr for cross-validation:\n\n```bash\npython3 TaaC-AI.py --model claude --cross-validation mistral \u003cpath_to_yaml_file\u003e\n```\n\n## How to Use ❓\n1. Create a valid service description using [these guidelines](src/template.md) or use ```taac_yaml_generator.py```, which will guide you through the process of generating one\n\n![yaml_generator!](src/yaml_generator.png)\n   \n2. Execute the script (GPT-3.5 is used by default)\n\n```bash\npython3 TaaC-AI.py \u003cpath_to_yaml_file\u003e\n```\n\nUse ```gpt-4```, ```claude``` or ```mistral``` as a model to identify threats by specifying the ```--model``` option\n\n```bash\npython3 TaaC-AI.py --model gpt-4 \u003cpath_to_yaml_file\u003e\n```\n\nTo have another LLM validate the identified threats, use the ```--cross-validation``` option.\n\n```bash\npython3 TaaC-AI.py --model claude --cross-validation claude \u003cpath_to_yaml_file\u003e\n```\n\n3. Open the generated .html report\n4. Review/Edit the AI-driven Threat Modeling Analysis table, and for false positives or resolved issues, mark the 'Status' checkbox\n5. Add manually identified threats to the table (optional)\n6. Download the report via the Download Report button \n\n## Usage Example 🏁\n\n1. 
Valid service description example\n```yaml\nVersion: '1.0'\nDate: 14.11.2023\n\n# Authentication Service Description\nDescription:\n  Name:  AuthService\n  Type: Service\n  Criticality: Tier1\n\n# Service Functionality\nFunctionality: Handles user authentication, including login and token generation.\n\n# Data Processing Details\nDataProcessed: \n  Type: Confidential\n  DataCategory: Auth\n  EncryptionAtRest: Yes\n\n# Components Used by the Service\nComponents:\n  Internal: \n    Exist: Yes\n    Source: Private\n    Note: Scoped Package Access\n  External: \n    Exist: Yes\n    PackageManager: NPM\n\n# Pipeline Configuration\nPipeline:\n  Type: GithubActions\n  CODEOWNERS: Yes\n  BranchProtection: Yes\n  SignCommits: Yes\n  PinActions: Yes\n  \n# Network Information\nNetwork:\n  Access: Private\n\n# Authentication Service Data Flow\ndataFlow:  # Removed the dash here\n  - name: UserAuthenticationFlow\n    description: Authenticates users and issues tokens.\n    source: UserLoginInterface\n    EncryptionTransit: Yes\n    Authentication:\n      Exist: Yes\n      Type: JWT\n    Authorization: read-write\n    Protocol: HTTPS\n    Communication:\n      Type: RESTful API\n    interactions:\n      - from: UserLoginInterface\n        to: AuthService\n        method: RESTful API\n        protocol: HTTPS\n      - from: AuthService\n        to: UserDatabase\n        method: Query\n        protocol: JDBC\n    servicesInvolved: [UserLoginInterface, AuthService, UserDatabase]\n```\n2. Script execution\n![execution!](src/execution1.png)\n3. Download and Review the generated [HTML report](src/AuthService_2024-03-27_ThreatModelingReport.html)\n   \n![review!](src/review1.gif)   \n\n5. Add Threats manually\n\n![manual!](src/manual1.gif) \n\n6. 
Download the latest report\n\n![download!](src/download1.gif) \n\n## Roadmap 🗓️\n\n- ~~Template Design~~\n- ~~Basic Functionality~~\n- ~~GPT-3 Integration~~\n- ~~Report generation~~\n- ~~Manually adding identified threats~~\n- ~~GPT-4 Integration~~\n- ~~Claude Integration~~\n- ~~LLM Cross Validation~~\n- ~~Mistral Integration via Ollama~~\n- Gemini Integration\n- Accuracy Comparison\n\n## Contact 📧\n\nSend all suggestions to yevhsec1@gmail.com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyevh%2Ftaac-ai","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyevh%2Ftaac-ai","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyevh%2Ftaac-ai/lists"}