docs: add threat model document#1328
Conversation
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
✅
|
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 23 | 0 | 0 | 0.29s | |
| ✅ DOCKERFILE | hadolint | 3 | 0 | 0 | 0.33s | |
| ✅ JSON | npm-package-json-lint | yes | no | no | 0.86s | |
| ✅ JSON | prettier | 28 | 6 | 0 | 0 | 1.05s |
| ✅ JSON | v8r | 28 | 0 | 0 | 13.73s | |
| ✅ MARKDOWN | markdownlint | 12 | 0 | 0 | 0 | 1.56s |
| ✅ MARKDOWN | markdown-table-formatter | 12 | 0 | 0 | 0 | 0.3s |
| ✅ REPOSITORY | checkov | yes | no | no | 29.86s | |
| ✅ REPOSITORY | gitleaks | yes | no | no | 1.27s | |
| ✅ REPOSITORY | git_diff | yes | no | no | 0.02s | |
| ✅ REPOSITORY | grype | yes | no | no | 56.95s | |
| osv-scanner | yes | 1 | no | 1.1s | ||
| ✅ REPOSITORY | secretlint | yes | no | no | 2.91s | |
| ✅ REPOSITORY | syft | yes | no | no | 2.26s | |
| ✅ REPOSITORY | trivy | yes | no | no | 15.43s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | no | 0.33s | |
| ✅ REPOSITORY | trufflehog | yes | no | no | 5.37s | |
| lychee | 94 | 1 | 0 | 9.28s | ||
| ✅ YAML | prettier | 32 | 0 | 0 | 0 | 1.67s |
| ✅ YAML | v8r | 32 | 0 | 0 | 13.79s | |
| ✅ YAML | yamllint | 32 | 0 | 0 | 1.81s |
Detailed Issues
⚠️ SPELL / lychee - 1 error
📝 Summary
---------------------
🔍 Total..........140
🔗 Unique.........116
✅ Successful.....133
⏳ Timeouts.........0
🔀 Redirected......17
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........1
⛔ Unsupported......1
Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads (at 38:7) | Rejected status code: 403 Forbidden
Hint: Followed 17 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
⚠️ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
Scanned .devcontainer/cpp/requirements.txt file and found 20 packages
Scanned package-lock.json file and found 73 packages
Scanned test/rust/workspace/cargo/Cargo.lock file and found 1 package
Scanned test/rust/workspace/test/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-m/Cargo.lock file and found 20 packages
Scanned test/rust/workspace/clippy/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-mf/Cargo.lock file and found 20 packages
End status: 88 dirs visited, 295 inodes visited, 7 Extract calls, 57.786542ms elapsed, 57.786871ms wall time
Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| https://osv.dev/RUSTSEC-2026-0110 | | crates.io | bare-metal | 0.2.5 | -- | test/rust/workspace/cortex-m/Cargo.lock |
| https://osv.dev/RUSTSEC-2026-0110 | | crates.io | bare-metal | 0.2.5 | -- | test/rust/workspace/cortex-mf/Cargo.lock |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
Notices
📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)
See detailed reports in MegaLinter artifacts
You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:
- oxsecurity/megalinter/flavors/salesforce@v9.5.0 (59 linters)
- oxsecurity/megalinter/flavors/javascript@v9.5.0 (62 linters)
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository
There was a problem hiding this comment.
Pull request overview
This PR adds an automatically generated threat model document (Markdown + PDF) and a generated data-flow diagram (PNG) to the documentation build pipeline, based on a new SBDL threat model.
Changes:
- Added an SBDL threat model source file (
docs/threat-model.sbdl). - Added a Jinja2 template to render a full threat model document (
docs/templates/threat-model.md.j2) and extended the document-generation workflow to produce the MD/PDF plus a DFD image. - Improved table formatting in the shared document-control partial.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docs/threat-model.sbdl | Introduces the threat model data (trust boundaries, actors, data flows, threats, mitigations) in SBDL. |
| docs/templates/threat-model.md.j2 | Adds a document template to render the threat model, including threat details and an RPN-based summary. |
| docs/templates/partials/document-control.md.j2 | Adjusts the document control table formatting for better readability. |
| .github/workflows/wc-document-generation.yml | Installs Graphviz and adds steps to generate the threat model MD/PDF and DFD diagram during document builds. |
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
This reverts commit 5a52d2b.
| * | ||
| !.devcontainer/ |
|
| * | ||
| !.devcontainer/ |



🚀 Hey, I have created a Pull Request
Description of changes
This pull request adds automated generation of a comprehensive threat model document (including PDF and diagram) to the documentation build workflow. It introduces a new Jinja2 template for the threat model, updates the workflow to install required dependencies, and ensures the threat model is built and exported alongside other documents. Minor formatting improvements are also included.
Threat modeling automation:
docs/templates/threat-model.md.j2) for generating a detailed threat model document from the SBDL model, including methodology, system decomposition, threat analysis, and risk summaries..github/workflows/wc-document-generation.yml) to:graphvizfor diagram rendering.Formatting improvements:
docs/templates/partials/document-control.md.j2for improved readability.✔️ Checklist