Automatic Threat Modeling with pytm and GitHub Actions

pytm is an OWASP tool for threat modeling as code: you describe the system (actors, servers, data stores, trust boundaries and the data flows between them) in a Python file, and pytm derives the diagrams and the threat report from that description. The approach described here pairs it with a custom GPT that drafts those Python model files, so the threat modeling process becomes quicker and more automated.

I've developed a custom GitHub Action that, on every pull request event, generates or updates the threat model report whenever the GPT-generated Python model files change.

To use it, you need a GitHub repository with the following structure:

  • a /models directory, where you keep the Python model files;
  • a /reports directory, where the generated reports are stored;
  • a /pytm_template directory, containing your template.md and styles.css files (you can find basic examples here).

The Action works as follows:

  • every time you open or update a PR that changes Python files in the /models directory, pytm runs each modified model and generates a Data Flow Diagram (DFD) and an HTML report for it;
  • for each new HTML report, a PDF file is generated;
  • both the DFD and the PDF are added to a /reports/(unknown)/ directory;
  • everything in the /reports/ directory is then pushed straight to the main branch, so you can review these artefacts there.
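As an added illustration of the per-model step in that list (this is example code written for this page, not the author's Action), the script below takes the list of files changed in the PR, keeps only the Python files under /models, runs each one through pytm and converts the output. It assumes pytm's own model CLI (`--dfd` prints Graphviz dot, `--report <template>` prints the rendered report), Graphviz `dot` on the runner, and an HTML-to-PDF converter invoked as `wkhtmltopdf in.html out.pdf`; the output layout reports/<model name>/ and the script name build_reports.py are also assumptions.

```python
"""build_reports.py: regenerate pytm artefacts for the models touched by a PR.

Added example for this page, not the original Action. Assumptions are marked.
"""
import subprocess
import sys
from pathlib import Path

MODELS_DIR = Path("models")
REPORTS_DIR = Path("reports")
TEMPLATE = Path("pytm_template/template.md")
# Assumption: an HTML-to-PDF tool that takes "<in.html> <out.pdf>" as
# positional arguments; wkhtmltopdf has that shape.
PDF_CMD = ["wkhtmltopdf"]


def changed_models(changed_files, models_dir=MODELS_DIR):
    """Keep only the Python files directly under models/ from a list of
    repository-relative paths (as printed by `git diff --name-only`)."""
    kept = set()
    for f in changed_files:
        p = Path(f)
        if p.suffix == ".py" and p.parts[: len(models_dir.parts)] == models_dir.parts:
            kept.add(p)
    return sorted(kept)


def artefact_paths(model, reports_dir=REPORTS_DIR):
    """Output locations for one model: reports/<model stem>/<stem>.{png,html,pdf}."""
    model = Path(model)
    target = reports_dir / model.stem
    return {
        "dfd": target / f"{model.stem}.png",
        "html": target / f"{model.stem}.html",
        "pdf": target / f"{model.stem}.pdf",
    }


def build(model, paths, template=TEMPLATE):
    """Run the model under pytm and write DFD, HTML and PDF to `paths`.

    check=True turns a failing pytm, dot or PDF invocation into a failed job
    instead of silently committing an empty or stale artefact.
    """
    paths["dfd"].parent.mkdir(parents=True, exist_ok=True)
    # A pytm model parses its own command line; --dfd emits Graphviz dot on stdout.
    dot = subprocess.run([sys.executable, str(model), "--dfd"],
                         capture_output=True, text=True, check=True).stdout
    subprocess.run(["dot", "-Tpng", "-o", str(paths["dfd"])],
                   input=dot, text=True, check=True)
    # --report renders the model through the markdown/HTML template on stdout.
    html = subprocess.run([sys.executable, str(model), "--report", str(template)],
                          capture_output=True, text=True, check=True).stdout
    paths["html"].write_text(html)
    subprocess.run(PDF_CMD + [str(paths["html"]), str(paths["pdf"])], check=True)
    return paths


def main(argv):
    # The workflow passes the changed-file list, e.g.
    #   python3 build_reports.py $(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
    models = changed_models(argv)
    if not models:
        print("no model changes; nothing to do")
        return 0
    for m in models:
        if not m.exists():
            print(f"skipping deleted model {m}")
            continue
        built = build(m, artefact_paths(m))
        print(f"{m}: wrote {built['dfd']} and {built['pdf']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two things worth keeping in mind when wiring this into the workflow: pytm models are ordinary Python scripts, so this step executes whatever code the PR puts under /models, and pushing the results to main needs `contents: write` on the job's token. Treat model files from contributors you would not let push to main as untrusted code, and give the job only the permission the push step needs.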

You can find the GitHub Action below: