ai threat modeling action
v1.3.4
?您可以使用此 GitHub Action 生成 AI 特色内容,以进行威胁建模和安全审查。它在底层使用 xvnpw/ai-threat-modeling。
️ 这是实验项目
支持的功能:
| 特征 | 描述 |
|---|---|
| 高级别安全和隐私要求 | 行动将采用项目描述,并使用法学硕士来生成有关安全和隐私的高级别要求 |
| 建筑威胁模型 | 行动将采用架构描述并使用 LLM 为其生成威胁模型 |
| 用户故事的安全验收标准 | 行动将采取特定的用户故事并生成与安全相关的验收标准 |
| 审查输入文件 | 操作将采用输入文件(例如架构描述)并使用 LLM 对其进行审查 |
针对特定型号使用以下版本:
| 模型 | 版本 | 笔记 |
|---|---|---|
| OpenAI GPT-3.5,人类克劳德 2 | v1.2.6.1 | |
| OpenAI GPT-4 | 最新的 | |
| 克劳德 3 | 最新的 |
| 模型 | 输入 | 输出 |
|---|---|---|
| OpenAI GPT-3.5 | 项目.md | PROJECT_SECURITY.md 或作为拉取请求 |
| 人类克劳德 2 | 项目.md | PROJECT_SECURITY.md 或作为拉取请求 |
| OpenAI GPT-4 | 项目.md | PROJECT_SECURITY.md 或作为拉取请求 |
| 人类克劳德 3 作品 | 项目.md | PROJECT_SECURITY.md 或作为拉取请求 |
| 模型 | 输入 | 输出 |
|---|---|---|
| OpenAI GPT-3.5 | 架构.md | ARCHITECTURE_SECURITY.md |
| 人类克劳德 2 | 架构.md | ARCHITECTURE_SECURITY.md |
| OpenAI GPT-4 | 架构.md | ARCHITECTURE_SECURITY.md |
| 人类克劳德 3 作品 | 架构.md | ARCHITECTURE_SECURITY.md |
| 模型 | 输入 | 输出 |
|---|---|---|
| OpenAI GPT-3.5 | 0001_STORE_DIET_INTRODUCTIONS.md 或问题 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作为问题评论 |
| 人类克劳德 2 | 0001_STORE_DIET_INTRODUCTIONS.md 或问题 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作为问题评论 |
| OpenAI GPT-4 | 0001_STORE_DIET_INTRODUCTIONS.md 或问题 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作为问题评论 |
| 人类克劳德 3 作品 | 0001_STORE_DIET_INTRODUCTIONS.md 或问题 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作为问题评论 |
| 模型 | 输入 | 输出 |
|---|---|---|
| OpenAI GPT-4 | 架构.md | ARCHITECTURE_REVIEW.md |
| 人类克劳德 3 作品 | 架构.md | ARCHITECTURE_REVIEW.md |
将这样的步骤添加到您的工作流程中:
- uses : xvnpw/[email protected] # You can change this to use a specific version.
with :
# Type of feature, one of: project, architecture, user-story
# Default: ''
# Required
type : ' project '
# Provider name, one of: openai, openrouter
# Default: 'openai'
provider : ' openai '
# Paths to input files formatted as json array
# Default: ''
input_files : ' ["PROJECT.md"] '
# Path to output file
# Default: ''
output_file : ' PROJECT_SECURITY.md '
# For USER STORY only! paths to architecture files formatted as json array
# Default: ''
input_architecture_files : ' ["ARCHITECTURE.md"] '
# For USER STORY only! path to architecture threat model
# Default: ''
input_architecture_threat_model_file : ' ARCHITECTURE_SECURITY.md '
# For USER STORY only! suffix that will be added to input file name to create output file
# Default: '_SECURITY'
user_story_output_suffix : ' _SECURITY '
# Type of OpenAI GPT model
# Default: gpt-4
# For openai models check: https://platform.openai.com/account/rate-limits
# For openrouter models check: https://openrouter.ai/docs#models
model : ' gpt-3.5-turbo-16k '
# Sampling temperature for a model
# Default: 0
temperature : ' 0.3 '
# Review input files using LLM
# Default: false
review : true
# Verbose log messages
# Default: false
verbose : true
# Debug log messages
# Default: false
debug : true
# Prompt templates directory
# Default: '/app/templates'
# By default action will use prompt templates build-in docker image. You can specify your own without forking action.
templates_dir : ' ./templates '
env :
# OpenAI API key
# Optional. Only if want to use openai provider
# Get a key from https://platform.openai.com/account/api-keys
# Add it to secrets in your repository settings
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
# Open Router API key
# Optional. Only if want to use openrouter provider
# Get a key from https://openrouter.ai/keys
# Add it to secrets in your repository settings
OPENROUTER_API_KEY : ${{ secrets.OPENROUTER_API_KEY }} 目前支持:
操作将根据输入生成output_file 。使用其他操作您可以:
如果您的输入文件很大,您需要将model更改为具有更大上下文的模型,例如gpt-3.5-turbo-16k 。
如果更改输入文件,请记住更改触发器:
on :
push :
branches :
- main
paths :
- ' project-desc-1.md '
- ' project-desc-2.md '示例(拉取请求方法):
on :
push :
branches :
- main
paths :
- ' PROJECT.md '
jobs :
project_ai_devsecops_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository. Also permission to create/update
# pull requests.
contents : write
pull-requests : write
name : Run ai threat modeling action for project analysis
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Generate project security requirements
uses : xvnpw/[email protected]
with :
type : ' project '
input_files : ' ["PROJECT.md"] '
output_file : ' PROJECT_SECURITY.md '
temperature : 0
verbose : true
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
# Will use peter-evans/create-pull-request to create or update pull request
- name : Create Pull Request
uses : peter-evans/create-pull-request@v5
with :
branch : create-pull-request/project
title : (AI Generated) High Level Security and Privacy Requirements
body : Automated pull request based on your changes to project. Please review it carefully.
labels : ' security, ai '有关触发器和模型的详细信息,请查看高级安全和隐私要求。
示例(直接推送到存储库):
on :
push :
branches :
- main
paths :
- ' ARCHITECTURE.md '
jobs :
architecture_ai_tm_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents : write
name : Will run ai threat modeling action for architecture analysis
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Generate architecture threat model
uses : xvnpw/[email protected]
with :
type : ' architecture '
input_files : ' ["ARCHITECTURE.md"] '
output_file : ' ARCHITECTURE_SECURITY.md '
temperature : 0
verbose : true
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
# Will use add-and-commit action to push output_file directly into repository
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project architecture threat model '
add : ' ARCHITECTURE_SECURITY.md '最有用的用法是处理 github 问题。但您也可以根据对特定目录的更改生成输出(我在研究中就是这样做的)。
用户故事功能需要两个新参数:
input_architecture_files - 输入架构文件路径的 json 数组,例如["arch-1.md","arch-2.md"]input_architecture_threat_model_file - 架构威胁模型的路径,例如ARCHITECTURE_SECURITY.md和一个可选的:
user_story_output_suffix - 将添加到输入文件名以创建输出文件的后缀,例如_SECURITY 对于用户故事,构建是在特定目录发生更改时触发的。首先,它需要找出哪些文件被更改并单独处理它们。
如您所见,我们不使用input_files参数。这次我们观察整个目录的变化:
on :
push :
branches :
- main
paths :
- ' user-stories/*.md '
- ' !user-stories/*_SECURITY.md '对于您自己的目录,您需要调整paths配置。这同样适用于使用add: 'user-stories/'提交更改。
示例(直接推送到存储库):
on :
push :
branches :
- main
paths :
- ' user-stories/*.md '
- ' !user-stories/*_SECURITY.md '
jobs :
user_story_ai_tm_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents : write
name : Will run ai threat modeling action for user story analysis
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Check which files were changed
id : files_check
uses : lots0logs/[email protected]
with :
token : ${{ secrets.GITHUB_TOKEN }}
- name : Printing
run : |
echo "${{ steps.files_check.outputs.all }}"
- name : Generate user story security acceptance criteria
uses : xvnpw/[email protected]
with :
type : ' user-story '
input_files : " ${{ steps.files_check.outputs.all }} "
input_architecture_files : ' ["ARCHITECTURE.md"] '
input_architecture_threat_model_file : " ARCHITECTURE_SECURITY.md "
user_story_output_suffix : " _SECURITY "
temperature : 0
verbose : true
model : " gpt-3.5-turbo-16k "
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' User stories: security acceptance criteria '
add : ' user-stories/ ' 在这种情况下,我们只考虑具有特定标签的故事:
if : contains(github.event.issue.labels.*.name, 'ai-threat-modeling')使用 peter-evans/find-comment 和 peter-evans/create-or-update-comment 操作添加(或更新)评论。
示例(对问题的评论):
name : Run ai threat modeling action for user story in issue analysis
on :
issues :
types :
- labeled
- edited
jobs :
user_story_issue_ai_devsecops :
name : Run ai threat modeling action for user story in issue analysis
if : contains(github.event.issue.labels.*.name, 'ai-threat-modeling')
runs-on : ubuntu-latest
permissions :
issues : write
contents : write
steps :
- name : Checkout repo
uses : actions/checkout@v3
- uses : actions/github-script@v6
id : set-result
with :
result-encoding : string
retries : 3
script : |
const issue = await github.rest.issues.get({
issue_number: ${{ github.event.issue.number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
});
const body = issue.data.body;
const fs = require('fs');
fs.writeFile('${{ github.workspace }}/issue_body.md', body, (err) => {
if (err) throw err;
console.log('Data written to file');
});
return JSON.stringify(body);
- name : Generate user story security acceptance criteria
uses : xvnpw/[email protected]
with :
type : ' user-story '
input_files : ' ["issue_body.md"] '
input_architecture_files : ' ["ARCHITECTURE.md"] '
input_architecture_threat_model_file : " ARCHITECTURE_SECURITY.md "
temperature : 0
verbose : true
model : " gpt-3.5-turbo-16k "
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
- name : Find Comment
uses : peter-evans/find-comment@v2
id : fc
with :
issue-number : ${{ github.event.issue.number }}
comment-author : ' github-actions[bot] '
body-includes : (AI Generated) Security Related Acceptance Criteria
- name : Add comment
uses : peter-evans/create-or-update-comment@v3
with :
comment-id : ${{ steps.fc.outputs.comment-id }}
issue-number : ${{ github.event.issue.number }}
body-path : ${{ github.workspace }}/issue_body_SECURITY.md
edit-mode : replace示例(直接推送到存储库):
on :
push :
branches :
- main
paths :
- ' ARCHITECTURE.md '
workflow_dispatch :
jobs :
architecture_ai_review_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents : write
name : Run ai threat modeling action for architecture review
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Generate architecture review
uses : xvnpw/[email protected]
with :
type : ' architecture ' # will create threat model
input_files : ' ARCHITECTURE.md '
output_file : ' ARCHITECTURE_REVIEW.md '
review : true
temperature : 0.2
verbose : true
model : ' gpt-4 '
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project architecture review '
add : ' ARCHITECTURE_REVIEW.md '
pull : ' --rebase --autostash '通过添加和提交,您可以轻松地将output_file提交到存储库中:
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project architecture threat model '
add : ' ARCHITECTURE_SECURITY.md '如果更改输出文件,请记住更改提交文件:
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project security requirements '
add : ' project-sec-reqs.md '通过创建拉取请求,您可以使用output_file创建新的拉取请求:
- name : Create Pull Request
uses : peter-evans/create-pull-request@v5
with :
branch : create-pull-request/project
title : (AI Generated) High Level Security and Privacy Requirements
body : Automated pull request based on your changes to project. Please review it carefully.
labels : ' security, ai '在这种模式下,还需要调整工作流的权限:
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
# It has also permission to pull requests
contents : write
pull-requests : write还可以更改操作设置。
您可能想要调整提示。为此,您不需要 fork 操作,而是将模板目录提供到目标存储库中:
cd $HOME / < projects > # your directory with repositories
git clone [email protected]:xvnpw/ai-threat-modeling-action.git
cp -r ai-threat-modeling-action/templates < target-repo > /
cd < target-repo > /templates
# edit templates在工作流程文件中添加:
uses : xvnpw/[email protected]
with :
...
templates_dir : ' ./templates ' ./templates - 是相对于
该项目最初是对法学硕士能力的研究,但随着时间的推移,它的改进超出了简单的 PoC。在版本 1 中,它可用于使用直接推送、PR 或问题来审阅 github 中的文档。不保证进一步的开发或修复。如果您打算在公司中使用它,最好分叉它并根据您的需求进行调整。
分叉这个项目。编辑文件并发布动作:
git add .
git commit -m "My first action is ready"
git tag -a -m "My first action release" v1
git push --follow-tags
该项目使用OpenAI API。默认情况下,根据 API 数据使用政策,您的数据不会用于学习:
OpenAI 不会使用客户通过我们的 API 提交的数据来训练或改进我们的模型,除非您明确决定为此目的与我们共享您的数据。您可以选择共享数据。
OpenRouter 在每个模型的设置中描述了隐私和过滤。
