AI Threat Modeler

Overview

AI Threat Modeler is a capability that leverages Claude Code to perform comprehensive threat modeling of GitHub repositories. It operates through three distinct phases: Ingestion, Prioritization, and Analysis. The system is designed to find as many code issues and application threats as possible while ensuring all findings are high fidelity and verified with confidence scores.

Architecture

The system follows a pipeline architecture that flows from an AWS SQS Queue through the Threat Modeler Container, into Claude Code Analysis, and finally to Jira Reporting. Each stage transforms and enriches the data before passing it downstream.

AWS SQS Queue
    |
    v
Threat Modeler
    |
    ├── Clone to tmpfs
    ├── Trufflehog (secret detection)
    ├── Manifest & Dependency Graph
    |
    v
Prioritization Engine
    |
    ├── File Scoring
    ├── Penalty Signals
    ├── Dependency Analysis
    |
    v
Claude Code Analysis
    |
    ├── Threat Modeling
    ├── Secure Code Review
    ├── Confidence Scoring
    |
    v
Findings → Operator Triage → Jira

Phase 1 — Ingestion

  • Review requests are picked up from an AWS SQS Queue
  • Repository is cloned to tmpfs (in-memory filesystem for speed and security)
  • Secrets are detected using Trufflehog and automatically redacted before analysis
  • A file manifest is built cataloging all files in the repository
  • A dependency graph is constructed mapping relationships between components

Phase 2 — Prioritization

This phase intelligently decides what matters most for security analysis, approximating what an experienced security engineer would instinctively reach for first when dropped into an unknown codebase.

  1. Build a file manifest of the entire repository
  2. Score each file by security relevance (authentication, authorization, input handling, crypto, network, data access)
  3. Apply penalty signals — deprioritize files unlikely to yield findings (generated code, vendored dependencies, test fixtures, static assets)
  4. Build a dependency graph to understand how components interact
  5. Produce a prioritized send list — the optimal order in which files should be analyzed

Phase 3 — Analysis

  • Claude Code is prompted to take the role of an experienced security engineer performing threat modeling and secure code review
  • Performs thorough analysis of repository code for threats
  • Evaluates against common vulnerability patterns, insecure coding practices, and architectural weaknesses
  • Finds as many code issues and application threats as possible
  • Ensures findings are NOT false positives — high fidelity is the priority
  • Each finding is verified with a confidence score before being reported

Example finding:

{
  "title": "Insecure Direct Object Reference in User API",
  "severity": "High",
  "confidence": 0.92,
  "file": "src/api/users.py",
  "line": 87,
  "category": "Broken Access Control",
  "description": "User ID from request path is used directly to query user records without verifying the authenticated user has access to the requested resource.",
  "remediation": "Add authorization check to verify the authenticated user matches the requested user ID or has admin privileges.",
  "references": ["CWE-639", "OWASP A01:2021"]
}

Post-Analysis and Reporting

  • Confidence level is adjustable — operators can set the threshold for which findings get reported
  • Findings are reported to Jira one by one after they are triaged by the operator
  • Each finding includes severity, confidence score, affected file, description, and remediation guidance
  • Train of thought, high-level actions, and the analysis plan are visible in the user interface for full transparency

Security Controls

  • Repository is cloned to tmpfs — never persisted to disk
  • Secrets are detected and redacted before any code reaches the AI
  • Trufflehog integration ensures API keys, tokens, and credentials are stripped
  • Analysis runs in isolated containers
  • No source code is stored beyond the analysis session

Key Advantages

  • Approximates an experienced security engineer's instincts through intelligent prioritization
  • High-fidelity findings with confidence scoring eliminate false positive noise
  • Full transparency — operators can see the AI's reasoning process
  • Seamless Jira integration for finding triage and tracking
  • Scales to analyze any repository size through intelligent file prioritization