Feature/lab2#356

Open
sayfetik wants to merge 2 commits into inno-devops-labs:main from sayfetik:feature/lab2

@sayfetik

Goal

Model the OWASP Juice Shop bkimminich/juice-shop:v19.0.0 deployment and generate an automation-first threat model with Threagile.

Changes

  • added folders labs/lab2/baseline/ and labs/lab2/secure with Threat reports
  • added file labs/lab2/threagile-model.secure.yaml with more secure settings
  • added file labs/submission2.md with my report

Testing

Run Threagile with the baseline model:

docker run --rm --platform=linux/amd64 \
  -v "$(pwd)":/app/work threagile/threagile \
  -model /app/work/labs/lab2/threagile-model.yaml \
  -output /app/work/labs/lab2/baseline \
  -generate-risks-excel=false -generate-tags-excel=false

To create the table, run:

jq -r '
  def sev: {"critical":5, "elevated":4, "high":3, "medium":2, "low":1};
  def lik: {"very-likely":4, "likely":3, "possible":2, "unlikely":1};
  def imp: {"high":3, "medium":2, "low":1};

  map(. + {
    score: ( (sev[.severity]//0)*100
           + (lik[.exploitation_likelihood]//0)*10
           + (imp[.exploitation_impact]//0) )
  })
  | sort_by(-.score)
  | .[:5]
  | (["| Severity | Category | Asset | Likelihood | Impact |",
      "|---|---|---|---|---|"] +
     (map("| \(.severity) | \(.category) | \(.most_relevant_technical_asset // "") | \(.exploitation_likelihood) | \(.exploitation_impact) |"))
    )[]
' labs/lab2/baseline/risks.json >> labs/submission2.md

Then run with the secure model:

docker run --rm --platform=linux/amd64 -v "$(pwd)":/app/work threagile/threagile \
  -model /app/work/labs/lab2/threagile-model.secure.yaml \
  -output /app/work/labs/lab2/secure \
  -generate-risks-excel=false -generate-tags-excel=false

And create a report:

jq -rn \
  --slurpfile b labs/lab2/baseline/risks.json \
  --slurpfile s labs/lab2/secure/risks.json '
  def tally(x):
    (x | group_by(.category) | map({ (.[0].category): length }) | add) // {};
  (tally($b[0])) as $B |
  (tally($s[0])) as $S |
  (($B + $S) | keys | sort) as $cats |
  [
    "| Category | Baseline | Secure | Δ |",
    "|---|---:|---:|---:|"
  ] + (
    $cats | map(
      "| " + . + " | " +
      (($B[.] // 0) | tostring) + " | " +
      (($S[.] // 0) | tostring) + " | " +
      (((($S[.] // 0) - ($B[.] // 0))) | tostring) + " |"
    )
  ) | .[]'

Artifacts & Screenshots

  • labs/lab2/baseline/risks.json
  • labs/lab2/secure/risks.json
  • Generated PDF reports (report.pdf) and diagrams (*-diagram.png).

Checklist

  • Clear PR title
  • Docs updated if needed
  • No secrets or temporary large files committed
  • Task 1 done — Threagile baseline model + risk analysis
  • Task 2 done — HTTPS variant + risk comparison
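Added example, not code from the PR or the lab: the jq comparison above counts risks per category, which can hide a case where one risk in a category is replaced by another with the count unchanged. This Python script builds the same per-category table and additionally diffs the individual risks by synthetic_id; the two risks.json payloads are constructed inline (Threagile's field names, hypothetical assets), not the lab's real reports.

```python
import json
from collections import Counter

# Constructed sample risks.json payloads using the field names Threagile emits;
# not the lab's real reports. The secure variant drops the HTTP link risk and
# gains one hardening finding on a hypothetical reverse proxy.
BASELINE_RISKS = json.dumps([
    {"synthetic_id": "unencrypted-communication@juice-shop>browser",
     "category": "unencrypted-communication", "severity": "elevated"},
    {"synthetic_id": "missing-authentication@juice-shop",
     "category": "missing-authentication", "severity": "high"},
    {"synthetic_id": "cross-site-scripting@juice-shop",
     "category": "cross-site-scripting", "severity": "medium"},
])
SECURE_RISKS = json.dumps([
    {"synthetic_id": "missing-authentication@juice-shop",
     "category": "missing-authentication", "severity": "high"},
    {"synthetic_id": "cross-site-scripting@juice-shop",
     "category": "cross-site-scripting", "severity": "medium"},
    {"synthetic_id": "missing-hardening@reverse-proxy",
     "category": "missing-hardening", "severity": "low"},
])

def load_risks(text):
    """Parse a risks.json document into {synthetic_id: risk}."""
    return {r["synthetic_id"]: r for r in json.loads(text)}

def category_delta(baseline, secure):
    """Per-category counts like the jq in the PR: {category: (baseline, secure, delta)}."""
    b = Counter(r["category"] for r in baseline.values())
    s = Counter(r["category"] for r in secure.values())
    return {c: (b[c], s[c], s[c] - b[c]) for c in sorted(set(b) | set(s))}

def risk_diff(baseline, secure):
    """Diff by synthetic_id, so a swap inside one category is not hidden by equal counts."""
    removed = sorted(set(baseline) - set(secure))
    added = sorted(set(secure) - set(baseline))
    return removed, added

def markdown_table(delta):
    """Render the per-category comparison as the same Markdown table the PR appends."""
    rows = ["| Category | Baseline | Secure | Δ |", "|---|---:|---:|---:|"]
    rows += [f"| {c} | {b} | {s} | {d} |" for c, (b, s, d) in delta.items()]
    return "\n".join(rows)

if __name__ == "__main__":
    base, sec = load_risks(BASELINE_RISKS), load_risks(SECURE_RISKS)
    print(markdown_table(category_delta(base, sec)))
    removed, added = risk_diff(base, sec)
    print("removed:", removed, "\nadded:", added)
```

Run it against the real reports by replacing the two constants with the contents of labs/lab2/baseline/risks.json and labs/lab2/secure/risks.json.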
