Code Repository to Threat Model: A Quick Guide

Code Repository to Threat Model: A Quick Guide

This guide shows you how to automatically analyze your codebase and send the results to SecureFlag ThreatCanvas for threat modeling.

Code Repository to Threat Model is a SecureFlag feature integrated into your CI/CD pipeline that automatically examines your repository structure and generates a ThreatCanvas threat model. It identifies security boundaries, components, and potential attack surfaces to help you better understand and secure your application.

How it Works

  1. Code Extraction: The runner scans your repository and extracts information about the architecture.

  2. AI Analysis: AI analyzes the structure and generates a summary that identifies components, boundaries, and integration points.

  3. Send to ThreatCanvas: The summary of the code repository is sent to ThreatCanvas, which builds a threat model. 

Data Protection & Privacy

Your code stays secure throughout the analysis process:
  1. Code extraction happens internally: All code scanning occurs within your CI environment. Your source code never leaves your infrastructure during the extraction phase.

  2. AI analysis uses your own LLM account: The AI analysis is performed using your organization-owned LLM account. Currently, Anthropic is supported, and you control the API key and data processing.

  3. No code is sent to SecureFlag: SecureFlag systems receive only the AI-generated architectural description of your repository, not your actual source code. This includes information such as component and function names, identified boundaries, and integration points, but not code implementation details.

This architecture ensures that sensitive source code remains within your control while still enabling powerful threat modeling capabilities in ThreatCanvas.

Quick Start

Prerequisites

You'll need:
A SecureFlag management account
  1. Your SECUREFLAG_API_KEY
  2. Your SECUREFLAG_MODEL_UUID (the ThreatCanvas model you want to update)
  3. An ANTHROPIC_API_KEY for AI-powered summaries

Get the SecureFlag API Key

As Organization Admin
As User
As Organization Admin
Step 1: Log in to SecureFlag as an Organization Admin, and in the Management Portal, click the Settings icon in the top-right corner of the navigation bar.



Step 2: Scroll to the API Access Tokens section, and select Write threat models as the scope. Enter a name for the API access token, then click Generate. Be sure to save the token displayed in the modal window, as it will not be shown again.



As User
Step 1: Log in to the SecureFlag platform, then click the Settings button in the bottom-left corner, or click the icon with your initial in the top-right corner of the navigation bar.



Step 2: Click the Security tab and find the Generate API Access Token at the bottom. Select Write threat models as the scope. Enter a name for the API access token, then click Generate. Be sure to save the token displayed in the modal window, as it will not be shown again.



 

Get the Model UUID

Step 1: Sign in to SecureFlag and navigate to the ThreatCanvas dashboard.

Step 2: Open ThreatCanvas and either create a new blank model or select an existing model from your list.

Step 3: Configure the model settings as needed. To focus on secure coding concerns, select the “Secure Coding Implementation” risk framework.

Step 4: Click Share Model, choose Organization, and copy the UUID from the end of the URL. It will look something like this: 3f2a9c7e-8b41-4d2a-9f6e-1c7b5a92e4d1.



Get the Anthropic API Key

Provide an Anthropic API key from your organization’s account. If you have permission to create one, sign in to the Claude Console at https://platform.claude.com/ and generate a new API key.

CI/CD Integration

The SecureFlag CI Runner is platform-agnostic and works with any CI/CD system that supports Docker. The examples below show GitHub Actions and GitLab CI configurations, but you can easily adapt these patterns to other platforms like Jenkins, CircleCI, Azure DevOps, Bitbucket Pipelines, or any custom CI/CD setup. 

Customize the Model

You can further customize the threat model directly in the SecureFlag platform by adjusting settings such as the selected risk frameworks. 
Certain configuration parameters can also be passed from your CI/CD pipeline. For example, you can control the level of detail in the generated diagram using environment variables like:
  1. SECUREFLAG_COMPONENT_LIMIT: Provides a hint on the expected number of nodes in the diagram, helping the AI determine how detailed the threat model should be.

  2. SECUREFLAG_REPO_PATH: Specifies an absolute path to restrict the analysis to a specific directory within the repository.

GitHub Actions Setup Example
GitLab CI Setup Example
GitHub Actions Setup Example
Add this workflow to your repository at .github/workflows/secureflag.yml:

# GitHub Actions example for SecureFlag CI Runner
#
# Add this to your repository at: .github/workflows/secureflag.yml
#
# Required secrets (set as repository secrets):
# - SECUREFLAG_API_KEY: SecureFlag API authentication
# - ANTHROPIC_API_KEY: Anthropic API for AI features
#
# Optional variables:
# - SECUREFLAG_REPO_PATH: Absolute path to restrict analysis to a directory (prepend with ${{ github.workspace }})
# - SECUREFLAG_COMPONENT_LIMIT: (for 'model-repo') Hinted number of nodes in TC diagrams

name: SecureFlag CI

on:
  push:
    tags:
      - '*'
  # Run on schedule (configure as needed)
  # schedule:
  #   - cron: '0 0 * * 0'

jobs:
  secureflag_ci:
    name: SecureFlag CI
    runs-on: ubuntu-latest
    container:
      image: registry.gitlab.com/secureflag-community/sf-runner:latest

    env:
      SECUREFLAG_API_KEY: ${{ secrets.SECUREFLAG_API_KEY }}
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
      SECUREFLAG_COMMANDS: model-repo
      SECUREFLAG_MODEL_UUID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    continue-on-error: true

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run SecureFlag CI Runner
        run: /app/entrypoint.sh

Configure GitHub Secrets:
  1. Go to your repository → Settings → Secrets and variables → Actions
  2. Add SECUREFLAG_API_KEY with your SecureFlag API key
  3. Add SECUREFLAG_MODEL_UUID with your ThreatCanvas model UUID

In this example, the job runs automatically on any tag push (e.g., when you create a release).

GitLab CI Setup Example
Add this to your repository's .gitlab-ci.yml:

# GitLab CI example for SecureFlag CI Runner
#
# Add this to your repository's .gitlab-ci.yml
#
# Required CI/CD variables (set as masked/protected):
# - SECUREFLAG_API_KEY: SecureFlag API authentication
# - ANTHROPIC_API_KEY: Anthropic API for AI features
#
# Optional CI/CD variables:
# - SECUREFLAG_REPO_PATH: Absolute path to restrict analysis to a directory (prepend with $CI_PROJECT_DIR)
# - SECUREFLAG_COMPONENT_LIMIT: (for 'model-repo') Hinted number of nodes in TC diagrams

stages:
  - tests

secureflag_ci:
  stage: tests
  image: registry.gitlab.com/secureflag-community/sf-runner:latest

  variables:
    SECUREFLAG_COMMANDS: model-repo
    SECUREFLAG_MODEL_UUID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  script:
    - /app/entrypoint.sh

  rules:
    # Run on tags
    - if: $CI_COMMIT_TAG
    # Run on schedules
    - if: '$CI_PIPELINE_SOURCE == "schedule"'

  allow_failure: true

Configure GitLab CI/CD Variables:
  1. Go to your project → Settings → CI/CD → Variables
  2. Add SECUREFLAG_API_KEY (mark as Protected and Masked)
  3. Add SECUREFLAG_MODEL_UUID 

In this example, the job runs automatically on:
  1. Any tag push (e.g., when you create a release)
  2. Scheduled pipelines (configure in CI/CD → Schedules)

 



    • Related Articles

    • SecureFlag Analyzer Extension for VS Code

      AI-powered vulnerability detection, right in your IDE. Overview The SecureFlag Analyzer extension integrates into VS Code to deliver real-time security analysis as you code. Powered by advanced LLMs (Anthropic and ChatGPT), it detects potential ...

    • SecureFlag ThreatCanvas for Azure

      Threat model your features with AI-powered tooling. The SecureFlag ThreatCanvas plugin helps you integrate security early in your development lifecycle by automatically generating threat model diagrams from your Azure Boards work item descriptions. ...

    • SecureFlag ThreatCanvas for Jira

      AI-powered threat modelling -- for Jira Cloud and Jira Data Center! SecureFlag ThreatCanvas for Jira Cloud and Jira Data Center enables developers to easily generate threat models from issues describing new features or changes to be made. ...

    • Jira Plugins

      SecureFlag Knowledge Base for Jira Plugins Contextual software security training for Jira issues, powered by the SecureFlag knowledge base. This app responds to issues that mention security vulnerabilities, with a recommended lab and information from ...

    • GitHub Plugin

      SecureFlag Knowledge Base for GitHub Contextual software security microtraining for issues and pull requests, powered by the SecureFlag knowledge base. This app responds to issues and pull requests that mention security vulnerabilities, with a ...