ai threat modeling action
v1.3.4
?您可以使用此 GitHub Action 產生 AI 特色內容,以進行威脅建模和安全性審查。它在底層使用 xvnpw/ai-threat-modeling。
️ 這是實驗項目
支援的功能:
| 特徵 | 描述 |
|---|---|
| 高級別安全和隱私要求 | 行動將採用專案描述,並使用法學碩士來產生有關安全和隱私的高級要求 |
| 建築威脅模型 | 行動將採用架構描述並使用 LLM 為其產生威脅模型 |
| 使用者故事的安全驗收標準 | 行動將採取特定的使用者故事並產生與安全相關的驗收標準 |
| 審查輸入文件 | 操作將採用輸入檔案(例如架構描述)並使用 LLM 進行審查 |
針對特定型號使用以下版本:
| 模型 | 版本 | 筆記 |
|---|---|---|
| OpenAI GPT-3.5,人類克勞德 2 | v1.2.6.1 | |
| OpenAI GPT-4 | 最新的 | |
| 克勞德 3 | 最新的 |
| 模型 | 輸入 | 輸出 |
|---|---|---|
| OpenAI GPT-3.5 | 項目.md | PROJECT_SECURITY.md 或作為拉取要求 |
| 人類克勞德 2 | 項目.md | PROJECT_SECURITY.md 或作為拉取要求 |
| OpenAI GPT-4 | 項目.md | PROJECT_SECURITY.md 或作為拉取要求 |
| 人類克勞德 3 作品 | 項目.md | PROJECT_SECURITY.md 或作為拉取要求 |
| 模型 | 輸入 | 輸出 |
|---|---|---|
| OpenAI GPT-3.5 | 架構.md | ARCHITECTURE_SECURITY.md |
| 人類克勞德 2 | 架構.md | ARCHITECTURE_SECURITY.md |
| OpenAI GPT-4 | 架構.md | ARCHITECTURE_SECURITY.md |
| 人類克勞德 3 作品 | 架構.md | ARCHITECTURE_SECURITY.md |
| 模型 | 輸入 | 輸出 |
|---|---|---|
| OpenAI GPT-3.5 | 0001_STORE_DIET_INTRODUCTIONS.md 或問題 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作為問題評論 |
| 人類克勞德 2 | 0001_STORE_DIET_INTRODUCTIONS.md 或問題 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作為問題評論 |
| OpenAI GPT-4 | 0001_STORE_DIET_INTRODUCTIONS.md 或問題 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作為問題評論 |
| 人類克勞德 3 作品 | 0001_STORE_DIET_INTRODUCTIONS.md 或問題 | 0001_STORE_DIET_INTRODUCTIONS_SECURITY.md 或作為問題評論 |
| 模型 | 輸入 | 輸出 |
|---|---|---|
| OpenAI GPT-4 | 架構.md | ARCHITECTURE_REVIEW.md |
| 人類克勞德 3 作品 | 架構.md | ARCHITECTURE_REVIEW.md |
將這樣的步驟加入您的工作流程:
- uses : xvnpw/[email protected] # You can change this to use a specific version.
with :
# Type of feature, one of: project, architecture, user-story
# Default: ''
# Required
type : ' project '
# Provider name, one of: openai, openrouter
# Default: 'openai'
provider : ' openai '
# Paths to input files formatted as json array
# Default: ''
input_files : ' ["PROJECT.md"] '
# Path to output file
# Default: ''
output_file : ' PROJECT_SECURITY.md '
# For USER STORY only! paths to architecture files formatted as json array
# Default: ''
input_architecture_files : ' ["ARCHITECTURE.md"] '
# For USER STORY only! path to architecture threat model
# Default: ''
input_architecture_threat_model_file : ' ARCHITECTURE_SECURITY.md '
# For USER STORY only! suffix that will be added to input file name to create output file
# Default: '_SECURITY'
user_story_output_suffix : ' _SECURITY '
# Type of OpenAI GPT model
# Default: gpt-4
# For openai models check: https://platform.openai.com/account/rate-limits
# For openrouter models check: https://openrouter.ai/docs#models
model : ' gpt-3.5-turbo-16k '
# Sampling temperature for a model
# Default: 0
temperature : ' 0.3 '
# Review input files using LLM
# Default: false
review : true
# Verbose log messages
# Default: false
verbose : true
# Debug log messages
# Default: false
debug : true
# Prompt templates directory
# Default: '/app/templates'
# By default action will use prompt templates build-in docker image. You can specify your own without forking action.
templates_dir : ' ./templates '
env :
# OpenAI API key
# Optional. Only if want to use openai provider
# Get a key from https://platform.openai.com/account/api-keys
# Add it to secrets in your repository settings
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
# Open Router API key
# Optional. Only if want to use openrouter provider
# Get a key from https://openrouter.ai/keys
# Add it to secrets in your repository settings
OPENROUTER_API_KEY : ${{ secrets.OPENROUTER_API_KEY }} 目前支援:
操作將根據輸入產生output_file 。使用其他操作您可以:
如果您的輸入檔很大,您需要將model變更為具有更大上下文的模型,例如gpt-3.5-turbo-16k 。
如果更改輸入文件,請記住更改觸發器:
on :
push :
branches :
- main
paths :
- ' project-desc-1.md '
- ' project-desc-2.md '範例(拉取請求方法):
on :
push :
branches :
- main
paths :
- ' PROJECT.md '
jobs :
project_ai_devsecops_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository. Also permission to create/update
# pull requests.
contents : write
pull-requests : write
name : Run ai threat modeling action for project analysis
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Generate project security requirements
uses : xvnpw/[email protected]
with :
type : ' project '
input_files : ' ["PROJECT.md"] '
output_file : ' PROJECT_SECURITY.md '
temperature : 0
verbose : true
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
# Will use peter-evans/create-pull-request to create or update pull request
- name : Create Pull Request
uses : peter-evans/create-pull-request@v5
with :
branch : create-pull-request/project
title : (AI Generated) High Level Security and Privacy Requirements
body : Automated pull request based on your changes to project. Please review it carefully.
labels : ' security, ai '有關觸發器和模型的詳細信息,請查看高級安全性和隱私要求。
範例(直接推送到儲存庫):
on :
push :
branches :
- main
paths :
- ' ARCHITECTURE.md '
jobs :
architecture_ai_tm_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents : write
name : Will run ai threat modeling action for architecture analysis
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Generate architecture threat model
uses : xvnpw/[email protected]
with :
type : ' architecture '
input_files : ' ["ARCHITECTURE.md"] '
output_file : ' ARCHITECTURE_SECURITY.md '
temperature : 0
verbose : true
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
# Will use add-and-commit action to push output_file directly into repository
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project architecture threat model '
add : ' ARCHITECTURE_SECURITY.md '最有用的用法是處理 github 問題。但您也可以根據對特定目錄的更改產生輸出(我在研究中就是這樣做的)。
使用者故事功能需要兩個新參數:
input_architecture_files - 輸入架構檔案路徑的 json 數組,例如["arch-1.md","arch-2.md"]input_architecture_threat_model_file - 架構威脅模型的路徑,例如ARCHITECTURE_SECURITY.md和一個可選的:
user_story_output_suffix - 將會加入輸入檔名以建立輸出檔的後綴,例如_SECURITY 對於使用者故事,建置是在特定目錄發生變更時觸發的。首先,它需要找出哪些文件被更改並單獨處理它們。
如您所見,我們不使用input_files參數。這次我們觀察整個目錄的變化:
on :
push :
branches :
- main
paths :
- ' user-stories/*.md '
- ' !user-stories/*_SECURITY.md '對於您自己的目錄,您需要調整paths配置。這同樣適用於使用add: 'user-stories/'提交變更。
範例(直接推送到儲存庫):
on :
push :
branches :
- main
paths :
- ' user-stories/*.md '
- ' !user-stories/*_SECURITY.md '
jobs :
user_story_ai_tm_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents : write
name : Will run ai threat modeling action for user story analysis
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Check which files were changed
id : files_check
uses : lots0logs/[email protected]
with :
token : ${{ secrets.GITHUB_TOKEN }}
- name : Printing
run : |
echo "${{ steps.files_check.outputs.all }}"
- name : Generate user story security acceptance criteria
uses : xvnpw/[email protected]
with :
type : ' user-story '
input_files : " ${{ steps.files_check.outputs.all }} "
input_architecture_files : ' ["ARCHITECTURE.md"] '
input_architecture_threat_model_file : " ARCHITECTURE_SECURITY.md "
user_story_output_suffix : " _SECURITY "
temperature : 0
verbose : true
model : " gpt-3.5-turbo-16k "
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' User stories: security acceptance criteria '
add : ' user-stories/ ' 在這種情況下,我們只考慮具有特定標籤的故事:
if : contains(github.event.issue.labels.*.name, 'ai-threat-modeling')使用 peter-evans/find-comment 和 peter-evans/create-or-update-comment 操作新增(或更新)評論。
範例(對問題的評論):
name : Run ai threat modeling action for user story in issue analysis
on :
issues :
types :
- labeled
- edited
jobs :
user_story_issue_ai_devsecops :
name : Run ai threat modeling action for user story in issue analysis
if : contains(github.event.issue.labels.*.name, 'ai-threat-modeling')
runs-on : ubuntu-latest
permissions :
issues : write
contents : write
steps :
- name : Checkout repo
uses : actions/checkout@v3
- uses : actions/github-script@v6
id : set-result
with :
result-encoding : string
retries : 3
script : |
const issue = await github.rest.issues.get({
issue_number: ${{ github.event.issue.number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
});
const body = issue.data.body;
const fs = require('fs');
fs.writeFile('${{ github.workspace }}/issue_body.md', body, (err) => {
if (err) throw err;
console.log('Data written to file');
});
return JSON.stringify(body);
- name : Generate user story security acceptance criteria
uses : xvnpw/[email protected]
with :
type : ' user-story '
input_files : ' ["issue_body.md"] '
input_architecture_files : ' ["ARCHITECTURE.md"] '
input_architecture_threat_model_file : " ARCHITECTURE_SECURITY.md "
temperature : 0
verbose : true
model : " gpt-3.5-turbo-16k "
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
- name : Find Comment
uses : peter-evans/find-comment@v2
id : fc
with :
issue-number : ${{ github.event.issue.number }}
comment-author : ' github-actions[bot] '
body-includes : (AI Generated) Security Related Acceptance Criteria
- name : Add comment
uses : peter-evans/create-or-update-comment@v3
with :
comment-id : ${{ steps.fc.outputs.comment-id }}
issue-number : ${{ github.event.issue.number }}
body-path : ${{ github.workspace }}/issue_body_SECURITY.md
edit-mode : replace範例(直接推送到儲存庫):
on :
push :
branches :
- main
paths :
- ' ARCHITECTURE.md '
workflow_dispatch :
jobs :
architecture_ai_review_job :
runs-on : ubuntu-latest
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents : write
name : Run ai threat modeling action for architecture review
steps :
- name : Checkout repo
uses : actions/checkout@v3
- name : Generate architecture review
uses : xvnpw/[email protected]
with :
type : ' architecture ' # will create threat model
input_files : ' ARCHITECTURE.md '
output_file : ' ARCHITECTURE_REVIEW.md '
review : true
temperature : 0.2
verbose : true
model : ' gpt-4 '
env :
OPENAI_API_KEY : ${{ secrets.OPENAI_API_KEY }}
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project architecture review '
add : ' ARCHITECTURE_REVIEW.md '
pull : ' --rebase --autostash '透過新增和提交,您可以輕鬆地將output_file提交到儲存庫中:
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project architecture threat model '
add : ' ARCHITECTURE_SECURITY.md '如果更改輸出文件,請記得更改提交文件:
- name : Commit changes
uses : EndBug/add-and-commit@v9
with :
message : ' Project security requirements '
add : ' project-sec-reqs.md '透過建立拉取請求,您可以使用output_file建立新的拉取請求:
- name : Create Pull Request
uses : peter-evans/create-pull-request@v5
with :
branch : create-pull-request/project
title : (AI Generated) High Level Security and Privacy Requirements
body : Automated pull request based on your changes to project. Please review it carefully.
labels : ' security, ai '在這種模式下,還需要調整工作流程的權限:
permissions :
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
# It has also permission to pull requests
contents : write
pull-requests : write還可以更改操作設定。
您可能想要調整提示。為此,您不需要 fork 操作,而是將範本目錄提供到目標儲存庫中:
cd $HOME / < projects > # your directory with repositories
git clone [email protected]:xvnpw/ai-threat-modeling-action.git
cp -r ai-threat-modeling-action/templates < target-repo > /
cd < target-repo > /templates
# edit templates在工作流程文件中新增:
uses : xvnpw/[email protected]
with :
...
templates_dir : ' ./templates ' ./templates - 是相對於
該計畫最初是對法學碩士能力的研究,但隨著時間的推移,它的改進超出了簡單的 PoC。在版本 1 中,它可用於使用直接推送、PR 或問題來審查 github 中的文件。不保證進一步的開發或修復。如果您打算在公司中使用它,最好分叉它並根據您的需求進行調整。
分叉這個物品。編輯文件並發布動作:
git add .
git commit -m "My first action is ready"
git tag -a -m "My first action release" v1
git push --follow-tags
該項目使用OpenAI API。預設情況下,根據 API 資料使用政策,您的資料不會用於學習:
OpenAI 不會使用客戶透過我們的 API 提交的資料來訓練或改進我們的模型,除非您明確決定為此目的與我們分享您的資料。您可以選擇共享資料。
OpenRouter 在每個模型的設定中描述了隱私和過濾。
