Ecosyste.ms: Awesome

Taralizer - the Threat and Risk Analyzer
https://github.com/devmatic-it/taralizer

Last synced: about 1 month ago

README

# Taralizer - The Threat and Risk Analyzer

[![Go Report Card](https://goreportcard.com/badge/github.com/devmatic-it/taralizer)](https://goreportcard.com/report/github.com/devmatic-it/taralizer)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/devmatic-it/taralizer/blob/master/LICENSE)
[![codecov](https://codecov.io/gh/devmatic-it/taralizer/branch/main/graph/badge.svg)](https://codecov.io/gh/devmatic-it/taralizer)
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=alert_status)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)
[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)
[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)
[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=security_rating)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)
[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=bugs)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)
[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=vulnerabilities)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)
[![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=devmatic-it_taralizer&metric=code_smells)](https://sonarcloud.io/dashboard?id=devmatic-it_taralizer)

The following project performs a **Threat and Risk Analysis** based on an architecture model defined in a simple YAML file.
We aim to implement the **OWASP Application Security Verification Standard** (ASVS) and also to distribute their great database.
Furthermore, we use and distribute the MITRE Common Weakness Enumeration (CWE) as a way to classify weaknesses.

## Motivation

The **taralizer** project was highly inspired by the **Threagile** project, which is a first-class threat modelling tool for OWASP ASVS.
Unfortunately, **Threagile** has some limits in the customization of reports and the extensibility with custom rules.
Taralizer tries to overcome these limitations with the following approach:

- use Go templating for all reports and diagrams
- use the Open Policy Agent (OPA) engine to allow extensibility with custom rules
- use PlantUML or Graphviz dot to generate compelling diagrams
- use wkhtmltopdf to create PDF reports
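To make that approach concrete, here is an added, standard-library-only Go sketch of the pipeline the list above describes: an architecture model (standing in for the YAML file) is checked by pluggable rules, and the findings are rendered through Go `text/template`. This is illustration code written for this page, not Taralizer's own code; the struct fields, rule names and the hard-coded sample model are assumptions, and plain Go functions stand in for the OPA (Rego) policies Taralizer uses.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-in for the architecture model Taralizer reads from YAML; the
// field names are invented here, not Taralizer's or Threagile's schema. Rule is the
// pluggable unit: Taralizer fills that role with OPA (Rego) policies, while plain Go
// functions keep this example standard-library only.
type (
	Asset struct{ ID, TrustBoundary string }
	Link  struct {
		Source, Target, Protocol string
		Encrypted                bool
	}
	Model struct {
		Assets []Asset
		Links  []Link
	}
	Risk struct{ Rule, Severity, Message string }
	Rule func(m Model) []Risk
)

func assetsByID(m Model) map[string]Asset {
	idx := make(map[string]Asset, len(m.Assets))
	for _, a := range m.Assets {
		idx[a.ID] = a
	}
	return idx
}

// unencryptedCrossBoundary flags links that cross a trust boundary in the clear.
func unencryptedCrossBoundary(m Model) (risks []Risk) {
	idx := assetsByID(m)
	for _, l := range m.Links {
		src, tgt := idx[l.Source], idx[l.Target]
		if !l.Encrypted && src.TrustBoundary != tgt.TrustBoundary {
			risks = append(risks, Risk{"unencrypted-cross-boundary", "high",
				fmt.Sprintf("%s -> %s (%s) leaves %s unencrypted", l.Source, l.Target, l.Protocol, src.TrustBoundary)})
		}
	}
	return risks
}

// plaintextFromInternet flags unencrypted links that originate in the internet boundary.
func plaintextFromInternet(m Model) (risks []Risk) {
	idx := assetsByID(m)
	for _, l := range m.Links {
		if !l.Encrypted && idx[l.Source].TrustBoundary == "internet" {
			risks = append(risks, Risk{"plaintext-from-internet", "critical",
				fmt.Sprintf("%s reaches %s over plaintext %s", l.Source, l.Target, l.Protocol)})
		}
	}
	return risks
}

// Analyze runs every rule over the model and collects all findings.
func Analyze(m Model, rules ...Rule) (all []Risk) {
	for _, r := range rules {
		all = append(all, r(m)...)
	}
	return all
}

// reportTmpl is a text/template, the mechanism the README names for Taralizer's reports.
const reportTmpl = `Threat and Risk Report
{{range .}}- [{{.Severity}}] {{.Rule}}: {{.Message}}
{{else}}- no risks found
{{end}}`

// Render fills the report template with the findings.
func Render(risks []Risk) string {
	var sb strings.Builder
	tmpl := template.Must(template.New("report").Parse(reportTmpl))
	if err := tmpl.Execute(&sb, risks); err != nil {
		panic(err) // the template is a constant, so only a template bug lands here
	}
	return sb.String()
}

// SampleModel is a constructed four-asset model used to exercise the rules.
func SampleModel() Model {
	return Model{
		Assets: []Asset{{"browser", "internet"}, {"frontend", "dmz"}, {"cache", "dmz"}, {"db", "internal"}},
		Links: []Link{
			{"browser", "frontend", "HTTPS", true},
			{"browser", "frontend", "HTTP", false}, // flagged by both rules
			{"frontend", "cache", "redis", false},  // same boundary: not flagged
			{"frontend", "db", "postgres", false},  // crosses dmz/internal: flagged
		},
	}
}

func main() {
	fmt.Print(Render(Analyze(SampleModel(), unencryptedCrossBoundary, plaintextFromInternet)))
}
```

Running it prints a three-line finding list; the `{{else}}` branch of the template covers the empty-model case so a clean model still yields a readable report. Swapping a rule in or out is a change to the `Analyze` call, which is the kind of extensibility the README wants from OPA without having to touch the report template.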

## Features

Taralizer currently provides the following features:

- backward compatibility with Threagile model files
- taralizer is packaged for all major development environments:
  - MacOSX (x86_64, ARM64 M1)
  - Linux (x86, x86_64, ARM64)
  - Windows (x86, x86_64)
- supports Graphviz dot and PlantUML flow charts

  (screenshots: PlantUML diagram, GraphViz diagram)

- support of PDF and HTML reports

  (screenshots: PDF report, HTML report)

We demonstrate the usage of **Taralizer** on the popular **Bank of Anthos** example application (the model used in the Getting Started steps below is `./examples/gcp/bank_of_anthos.yaml`).

## Installation

### Getting Started

1. Download the latest release for your platform.
2. Extract the archive: `unzip taralizer_X.Y.Z_linux_amd64.zip`
3. Create the data-flow diagram `diagram.png` using Graphviz: `./taralizer diagram ./examples/gcp/bank_of_anthos.yaml`
4. Create the data-flow diagram `diagram.png` using PlantUML: `./taralizer diagram ./examples/gcp/bank_of_anthos.yaml --engine plantuml`
5. Create the example HTML report: `./taralizer report ./examples/gcp/bank_of_anthos.yaml`
6. Open the generated HTML report `report.html` in a browser.
7. Create the example PDF report: `./taralizer report ./examples/gcp/bank_of_anthos.yaml --type pdf`

## Contribute

### New Issues

1. Use the search tool before opening a new issue.
2. If you found a bug, please provide source code and a commit with the fix.
3. Review existing issues and provide feedback or react to them.

### Pull requests

1. Open your pull request against `master`.
2. Your pull request should have no more than two commits; if it has more, squash them.
3. It should pass all tests in the available continuous integration systems, such as TravisCI.
4. You should add or modify tests to cover your proposed code changes.
5. If your pull request contains a new feature, please document it on the

## Credits

This work has been inspired and would not be possible without the following awesome open source projects:

- Threagile - Agile Threat Modelling
- Open Policy Agent
- PlantUML
- GraphViz
- wkhtmltopdf
- OWASP Application Security Verification Standard
- Common Weakness Enumeration
- GoReleaser Builder Image
- Building a basic CI/CD pipeline for a Golang application using GitHub Actions