The following project performs a Threat and Risk Analysis based on an architecture model defined through a simple YAML file. We aim to implement the OWASP Application Security Verification Standard (ASVS) (https://owasp.org/www-project-application-security-verification-standard/) and also distribute their great database (https://github.com/OWASP/ASVS/raw/v4.0.2/4.0/docs_en/OWASP%20Application%20Security%20Verification%20Standard%204.0.2-en.csv). Furthermore, we use and distribute the MITRE Common Weakness Enumeration (https://cwe.mitre.org/data/downloads.html) as a way to classify weaknesses.
The taralizer project was highly inspired by the Threagile (https://threagile.io) project, which is a first-class threat modelling tool for OWASP ASVS. Unfortunately, Threagile has some limits in the customization of reports and the extensibility with custom rules. Taralizer tries to overcome these limitations with the following approach:
- Use Golang templating (https://golang.org/pkg/text/template/) for all reports and diagrams
- Use the Open Policy Agent (OPA) engine (https://www.openpolicyagent.org) to allow extensibility through custom rules
- Use PlantUML or Graphviz dot to generate compelling diagrams
- Use wkhtmltopdf to create PDF reports
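To illustrate the model-to-rules-to-template pipeline described above, here is an added Go example that is not part of taralizer itself: it evaluates one custom rule (plaintext communication links into a confidential asset) over a constructed Threagile-style model and renders the findings with Go text/template. The struct field names and the severity label are this example's assumptions, and the rule is a plain Go function here rather than an OPA policy, to keep the example self-contained.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed, Threagile-style model fragments; these field names are this
// example's own assumptions, not taralizer's or Threagile's schema.
type Asset struct{ ID, Confidentiality string } // Confidentiality: "confidential" or "public"
type Link struct{ Source, Target, Protocol string }
type Risk struct{ Asset, Title, Severity string }
// plaintext lists protocols that carry data in the clear.
var plaintext = map[string]bool{"http": true, "ftp": true, "ldap": true, "smtp": true}
// AssessLinks is a custom rule: flag every plaintext link into a confidential asset.
func AssessLinks(assets []Asset, links []Link) []Risk {
	confidential := map[string]bool{}
	for _, a := range assets {
		confidential[a.ID] = a.Confidentiality == "confidential"
	}
	var risks []Risk
	for _, l := range links {
		if plaintext[l.Protocol] && confidential[l.Target] {
			title := fmt.Sprintf("unencrypted %s from %s", l.Protocol, l.Source)
			risks = append(risks, Risk{Asset: l.Target, Title: title, Severity: "high"})
		}
	}
	return risks
}

// reportTmpl is a Go text/template, the mechanism the project uses for its reports.
const reportTmpl = `# Risks ({{len .}})
{{range .}}- [{{.Severity | upper}}] {{.Asset}}: {{.Title}}
{{end}}`
// RenderReport executes the template over the risk list and returns the rendered text.
func RenderReport(risks []Risk) (string, error) {
	t := template.Must(template.New("report").Funcs(template.FuncMap{"upper": strings.ToUpper}).Parse(reportTmpl))
	var buf bytes.Buffer
	err := t.Execute(&buf, risks)
	return buf.String(), err
}
func main() {
	assets := []Asset{{ID: "accounts-db", Confidentiality: "confidential"}, {ID: "frontend", Confidentiality: "public"}}
	links := []Link{{Source: "frontend", Target: "accounts-db", Protocol: "http"}, {Source: "user", Target: "frontend", Protocol: "https"}}
	out, _ := RenderReport(AssessLinks(assets, links))
	fmt.Print(out)
}
```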
Taralizer currently provides the following features:
- backward compatibility with Threagile (https://threagile.io) model files
- taralizer is packaged for all major development environments:
  - MacOSX (x86_64, ARM64 M1)
  - Linux (x86, x86_64, ARM64)
  - Windows (x86, x86_64)
- supports Graphviz dot and PlantUML flow charts
- support of PDF and HTML reports
We demonstrate the usage of Taralizer on the popular Bank of Anthos example application (see the examples/gcp directory in the repository).
- Download latest release for your platform: https://github.com/devmatic-it/taralizer/releases/latest
- extract archive:
unzip taralizer_X.Y.Z_linux_amd64.zip
- create dataflow diagram diagram.png using graphviz:
./taralizer diagram ./examples/gcp/bank_of_anthos.yaml
- create dataflow diagram diagram.png using plantuml:
./taralizer diagram ./examples/gcp/bank_of_anthos.yaml --engine plantuml
- create example HTML report:
./taralizer report ./examples/gcp/bank_of_anthos.yaml
- open the example HTML report report.html in a browser
- create example PDF report:
./taralizer report ./examples/gcp/bank_of_anthos.yaml --type pdf
- Use the search tool before opening a new issue: https://github.com/devmatic-it/taralizer/issues
- Please provide source code and a commit with the fix if you have found a bug.
- Review existing issues and provide feedback or react to them.
- Open your pull request against master: https://github.com/devmatic-it/taralizer/pulls
- Your pull request should have no more than two commits, if not you should squash them.
- It should pass all tests in the available continuous integration systems such as TravisCI.
- You should add/modify tests to cover your proposed code changes.
- If your pull request contains a new feature, please document it in the README: https://github.com/devmatic-it/taralizer/blob/master/README.md
This work has been inspired and would not be possible without the following awesome open source projects:
- Threagile - Agile Threat Modelling (https://threagile.io)
- Open Policy Agent (https://www.openpolicyagent.org)
- PlantUML (https://plantuml.com)
- GraphViz (https://graphviz.org)
- WKhtmltoPDF (https://wkhtmltopdf.org)
- OWASP Application Security Verification Standard (https://owasp.org/www-project-application-security-verification-standard/)
- Common Weakness Enumeration (https://cwe.mitre.org/index.html)
- GoReleaser Builder Image (https://github.com/goreleaser/goreleaser)
- Building a basic CI/CD pipeline for a Golang application using GitHub Actions (https://dev.to/brpaz/building-a-basic-ci-cd-pipeline-for-a-golang-application-using-github-actions-icj)