The problem: Every security framework says you should threat model. Almost nobody does it consistently. A proper PASTA assessment takes days per application. Most teams produce one for an audit, shove it in Confluence, and never touch it again.
How it works:
Two-phase approach:
Static discovery (no AI): Walks the repo tree and collects tech stack (package.json, requirements.txt, go.mod), infrastructure configs (Terraform, Docker, K8s), API endpoints, auth mechanisms, and data flow patterns. Files are prioritized by security relevance — routes and auth middleware get read before utility files.
AI reasoning (Claude API): The collected context plus a STRIDE attack pattern database (~40 patterns across API, auth, database, and storage categories) gets sent to Claude in 3 focused calls. Covers business objectives, attack surfaces, kill chain scenarios, and risk scoring following the full 7-stage PASTA framework.
Output: Markdown with Mermaid data flow diagrams, JSON for CI/CD integration, HTML for stakeholders, optional PDF.
Remediation: Optionally creates GitHub Issues for findings and AI-generated fix PRs for critical/high vulnerabilities. Deduplication built in so you don't get duplicate issues on repeat runs.
Setup is 6 lines of YAML:
    - name: Generate Threat Model
      uses: cybrking/thr8@v1
      with:
        anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
        github-token: ${{ secrets.GITHUB_TOKEN }}
        create-issues: 'true'
        auto-fix: 'true'

Costs about $0.05-0.15 per run (3 Claude API calls). Supports JS/TS, Python, Go, Java, Ruby with popular frameworks. Open source, MIT license.
What I'd like feedback on:
How realistic are the kill chain scenarios compared to manual assessments?
Is the STRIDE pattern database missing common patterns?
How would you use this in your pipeline — every PR, weekly, or just on pushes to main?
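
A sketch of the static-discovery step described above (detect the stack from manifests, then read files in order of security relevance under a context budget), added here as an example and not taken from thr8's code. The patterns, weights, skip list, `budget` parameter and sample tree are all assumptions.

```python
import re
from pathlib import PurePosixPath

# Manifests the post names, mapped to the ecosystem they indicate.
MANIFESTS = {"package.json": "javascript", "requirements.txt": "python", "go.mod": "go"}

# (pattern, weight): illustrative assumptions, not thr8's real rules or values.
RELEVANCE = [
    # Prefix match on purpose: auth.js, authz/, login_view.py, jwt-utils.ts
    (re.compile(r"(^|/)(auth|login|session|jwt|oauth)", re.I), 100),
    (re.compile(r"(^|/)(middleware|routes?|controllers?|api)(/|\.|$)", re.I), 80),
    (re.compile(r"\.tf$|(^|/)Dockerfile$|(^|/)(k8s|kubernetes|helm)/", re.I), 60),
    (re.compile(r"(^|/)(models?|db|migrations?)(/|\.|$)", re.I), 40),
]
SKIP_DIRS = {"node_modules", ".git", "vendor", "dist", "__pycache__"}

def detect_stack(paths):
    """Return the ecosystems whose manifest files appear in the tree."""
    names = {PurePosixPath(p).name for p in paths}
    return sorted(MANIFESTS[n] for n in MANIFESTS.keys() & names)

def score(path):
    """Security relevance of one path; -1 means never read it."""
    if SKIP_DIRS.intersection(PurePosixPath(path).parts):
        return -1  # third-party or generated code is excluded
    return max((w for rx, w in RELEVANCE if rx.search(path)), default=10)

def prioritize(paths, budget):
    """Pick the `budget` most relevant files to put in the model's context."""
    keep = [p for p in paths if score(p) >= 0]
    return sorted(keep, key=lambda p: (-score(p), p))[:budget]

# Constructed sample tree (not a real repository).
REPO = [
    "package.json", "README.md", "Dockerfile", "infra/main.tf",
    "src/utils/format.js", "src/routes/users.js", "src/middleware/auth.js",
    "src/models/user.js", "node_modules/express/lib/router/route.js",
]

if __name__ == "__main__":
    print(detect_stack(REPO))
    for p in prioritize(REPO, budget=5):
        print(score(p), p)
```

With a small budget the utility files and README never reach the model, which is the trade-off to review when a finding seems to be missing from a run.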