Cheat sheet for getting started
OWASP Threat Dragon for threat modelling
- Install and run the Docker image (the --port spelling is not a docker run flag; the port mapping flag is --publish, or -p):
docker run --interactive --tty --rm \
  --publish 8080:3000 \
  --volume $(pwd)/.env:/app/.env \
  threatdragon/owasp-threat-dragon:stable
- Access the OWASP Threat Dragon user interface at http://localhost:8080
- Use the interface to create models, diagrams, assets, trust boundaries, and threats.
Bandit for linting Python
- Install bandit:
pip install bandit bandit_sarif_formatter
- Generate a configuration:
bandit-config-generator --out <config_path>
- Edit the configuration file stored at <config_path> according to your codebase.
- Scan your codebase (bandit's long form of -c is --configfile; the sarif format is provided by the bandit_sarif_formatter plugin installed above):
bandit --recursive <codebase_path> --format sarif --output <report_path> --configfile <config_path>
- Validate the resulting warnings using a SARIF explorer (for example, the SARIF Viewer extension for Visual Studio Code).
flawfinder for linting C
- Install flawfinder:
pip install flawfinder
- Recursively scan your codebase:
flawfinder --sarif <codebase_path> > <report_path>
- Validate the resulting warnings using a SARIF explorer (for example, the SARIF Viewer extension for Visual Studio Code).
Semgrep for linting any supported languages
- Install Semgrep:
pip install semgrep
- Scan your codebase:
semgrep scan --sarif --config auto --output <report_path> <codebase_path>
- Validate the resulting warnings using a SARIF explorer (for example, the SARIF Viewer extension for Visual Studio Code).
OSV-Scanner for scanning dependencies in any supported language
- Download any release of OSV-Scanner from its GitHub page.
- Scan your lock file:
osv-scanner --lockfile <lockfile_path>
- Validate the resulting warnings.
Gitleaks for scanning secrets in Git repositories and codebases
- Download any release of Gitleaks from its GitHub releases.
- Scan:
gitleaks --no-banner detect --report-format sarif --source <codebase_path> --report-path <report_path> --redact
- Validate the resulting warnings using a SARIF explorer (for example, the SARIF Viewer extension for Visual Studio Code).
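Each of the Bandit, flawfinder, Semgrep and Gitleaks steps above ends with the same task: read the SARIF report and decide which warnings matter. The script below is an added example for this cheat sheet, not code from any of those projects. It loads a SARIF 2.1.0 file, flattens the results of every run, counts them by level and rule, sets aside findings under paths you choose to ignore (test directories, for instance), and returns a non-zero exit status when any blocking-level finding remains, which is the shape of a CI gate. The embedded report is a constructed sample in SARIF form (the rule ids B602 and B105 are real Bandit test ids; the file paths and messages are made up); the ignore prefix and the notion of a blocking level are this example's own choices.

```python
"""Triage SARIF output from Bandit, flawfinder, Semgrep or Gitleaks.

Added example for the cheat sheet; not part of any scanner's own code.
Reads a SARIF 2.1.0 document, flattens its results, and summarises them
by level and rule so warnings can be reviewed before opening a viewer.
"""
import json
import sys
from collections import Counter

# Constructed sample report in SARIF 2.1.0 shape (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "bandit", "rules": [
            {"id": "B602", "shortDescription": {"text": "subprocess_popen_with_shell_equals_true"}},
            {"id": "B105", "shortDescription": {"text": "hardcoded_password_string"}},
        ]}},
        "results": [
            {"ruleId": "B602", "level": "error",
             "message": {"text": "subprocess call with shell=True identified"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/run.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "B105", "level": "warning",
             "message": {"text": "Possible hardcoded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "B105", "level": "warning",
             "message": {"text": "Possible hardcoded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/test_login.py"},
                 "region": {"startLine": 8}}}]},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every run's results into dicts with tool, rule, level, uri, line, message."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            # Only the first location is used; SARIF allows several per result.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId", "?"),
                # The SARIF spec defaults a missing level to "warning".
                "level": res.get("level", "warning"),
                "uri": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def summarise(findings, ignore_prefixes=("tests/",)):
    """Count findings by level and rule, setting aside paths under ignore_prefixes."""
    kept = [f for f in findings if not f["uri"].startswith(ignore_prefixes)]
    return {
        "by_level": dict(Counter(f["level"] for f in kept)),
        "by_rule": dict(Counter(f["rule"] for f in kept)),
        "skipped": len(findings) - len(kept),
        "findings": kept,
    }


def has_blocking_findings(summary, blocking_levels=("error",)):
    """True when any retained finding is at a level treated as blocking."""
    return any(summary["by_level"].get(lvl, 0) > 0 for lvl in blocking_levels)


if __name__ == "__main__":
    # Usage: python triage_sarif.py <report_path>; without a path the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    summary = summarise(load_results(text))
    for f in summary["findings"]:
        print(f"{f['level']:7} {f['tool']}:{f['rule']} {f['uri']}:{f['line']} {f['message']}")
    print("by level:", summary["by_level"], "| ignored:", summary["skipped"])
    sys.exit(1 if has_blocking_findings(summary) else 0)
```

Point the script at the <report_path> written by any of the scans above; all four tools emit SARIF with the runs/results/locations structure the loader reads. The ignore list suppresses paths rather than rules, so a genuine finding in production code is never hidden by a blanket rule exclusion; the same rule in a test directory is merely set aside and still counted in the ignored total.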