Automatic Threat Modeling with pytm and GitHub Actions
pytm is an OWASP tool that integrates with a custom GPT to make the threat modeling process quicker and more automated.
I've developed a custom GitHub Action that, on every Pull Request event, generates or updates a Threat Model report based on changes to the Python model files generated using the GPT.
In order to use it, you need a GitHub repository with the following structure:
- a `/models` directory, where you're going to keep the Python files;
- a `/reports` directory, where the reports are going to be stored;
- a `pytm_template` directory, which should contain your `template.md` and `styles.css` files (you can find basic examples here).
The Action works as follows:
- every time you create or update a PR with any changes to the Python files in the `/models` directory, pytm scans the modified files and generates a Data Flow Diagram (DFD) and an HTML report for each one;
- for each new HTML report, the tool generates a PDF file;
- both the DFD and the PDF files are added to a `/reports/(unknown)/` directory;
- everything in the `/reports/` directory is immediately pushed to the `main` branch, so you can review these artefacts.
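The per-model steps above, written out as a small Python helper a workflow `run:` step could call. This is an added example, not the author's Action or any pytm code: it filters a PR's changed-file list down to model files under `models/`, then plans the pytm commands for each. pytm's `--dfd` (prints the diagram as Graphviz DOT) and `--report <template>` flags are pytm's real CLI; naming the report sub-directory after the model file's stem, rendering the DFD with Graphviz `dot`, and producing the PDF with `wkhtmltopdf` are assumptions, since the page does not say which tools the Action uses.

```python
"""Plan and run the per-model pytm steps of a threat-model CI job.

Added example (not the author's Action). Assumed: report directory is
reports/<model-stem>/, DFD rendered with Graphviz `dot`, PDF made with
`wkhtmltopdf`. pytm's `--dfd` and `--report` flags are pytm's own CLI.
"""
import os
import shlex
import subprocess
from pathlib import Path, PurePosixPath

MODELS_DIR = "models"
REPORTS_DIR = "reports"
TEMPLATE = "pytm_template/template.md"  # the template the page tells you to keep


def select_models(changed_files):
    """Return the changed paths that are pytm model files directly under models/.

    `changed_files` is what a CI step gets from e.g.
    `git diff --name-only origin/main...HEAD`. Paths are normalised first, so
    a PR-supplied name that escapes models/ via '..' is dropped, as is anything
    nested or not ending in .py. Only files the repository layout permits run.
    """
    selected = []
    for raw in changed_files:
        p = PurePosixPath(os.path.normpath(raw.strip()))
        if p.is_absolute() or len(p.parts) != 2:      # exactly models/<name>.py
            continue
        if p.parts[0] != MODELS_DIR or p.suffix != ".py":
            continue
        selected.append(str(p))
    return selected


def plan_commands(model_path):
    """Return (report_dir, commands) for one model file.

    Each command is (argv, stdout_file_or_None). argv lists are run without a
    shell, so a model file name is never interpreted by /bin/sh.
    """
    stem = Path(model_path).stem
    report_dir = f"{REPORTS_DIR}/{stem}"            # assumed naming scheme
    dfd_dot = f"{report_dir}/dfd.dot"
    dfd_png = f"{report_dir}/dfd.png"
    html = f"{report_dir}/report.html"
    pdf = f"{report_dir}/report.pdf"
    commands = [
        (["python", model_path, "--dfd"], dfd_dot),              # pytm: DOT to stdout
        (["dot", "-Tpng", dfd_dot, "-o", dfd_png], None),        # assumed: Graphviz
        (["python", model_path, "--report", TEMPLATE], html),    # pytm: HTML to stdout
        (["wkhtmltopdf", html, pdf], None),                      # assumed: PDF tool
    ]
    return report_dir, commands


def run_plan(model_path):
    """Execute the plan for one model; CalledProcessError fails the CI job."""
    report_dir, commands = plan_commands(model_path)
    Path(report_dir).mkdir(parents=True, exist_ok=True)
    for argv, out in commands:
        if out:
            with open(out, "w", encoding="utf-8") as fh:
                subprocess.run(argv, stdout=fh, check=True)
        else:
            subprocess.run(argv, check=True)
    return report_dir


def as_shell(commands):
    """Render a plan as quoted shell lines, e.g. for a workflow `run:` step."""
    lines = []
    for argv, out in commands:
        line = " ".join(shlex.quote(a) for a in argv)
        lines.append(f"{line} > {shlex.quote(out)}" if out else line)
    return lines


if __name__ == "__main__":
    # Constructed sample of `git diff --name-only` output for a PR.
    changed = [
        "models/payment_api.py",
        "models/README.md",
        "reports/old/report.html",
        "models/../.github/workflows/ci.py",
    ]
    for model in select_models(changed):
        report_dir, cmds = plan_commands(model)
        print(f"# {model} -> {report_dir}/")
        print("\n".join(as_shell(cmds)))
```

In a workflow, the step would call `run_plan()` for each path from `select_models()` and a following step would commit `reports/`. Restricting the job to `models/<name>.py` and passing argv lists instead of shell strings matters because file names in a PR are attacker-influenced input to the runner; `as_shell()` is only there to show the equivalent quoted command lines.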
You can find this GitHub Action below: