docs: add TITO threat modeling integration guide#2481

Closed
Leathal1 wants to merge 1 commit into semgrep:main from Leathal1:add-tito-integration
Conversation


@Leathal1 Leathal1 commented Feb 2, 2026

Summary

Adds an integration guide for TITO (Threat In, Threat Out), an open-source threat modeling tool that integrates with Semgrep.

What TITO Does With Semgrep

TITO calls Semgrep as a subprocess and enriches the SAST findings with:

  • STRIDE-LM threat classification — Maps each finding to Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege, Lateral Movement, and Malware categories
  • MITRE ATT&CK technique mapping — Every finding gets ATT&CK technique IDs
  • Multi-step attack path analysis — Chains individual findings into realistic attack scenarios
  • Interactive 3D visualizations — Three.js and D3.js threat model diagrams

Integration Details

  • TITO invokes semgrep as a subprocess (no bundling or redistribution of Semgrep rules)
  • Sets SEMGREP_INTEGRATION_NAME=tito per integration guidelines
  • Available as a GitHub Action: Leathal1/TITO
  • MIT licensed, fully open source

Placement

Added to docs/kb/integrations/ alongside existing integration guides (DefectDojo, etc.)

Links

TITO (Threat In, Threat Out) is an open-source threat modeling tool that
integrates with Semgrep to enrich SAST findings with:
- STRIDE-LM threat classification
- MITRE ATT&CK technique mapping
- Multi-step attack path analysis
- Interactive 3D visualizations

GitHub: https://github.com/Leathal1/TITO
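As an added illustration of the integration shape the PR describes (this is not TITO's own code, nor Semgrep's), the sketch below invokes Semgrep as a subprocess with `SEMGREP_INTEGRATION_NAME=tito`, parses its `--json` report and attaches STRIDE-LM categories to each finding. The CWE-to-STRIDE table and the sample report are constructed assumptions; `run_semgrep` needs a real `semgrep` binary, while `classify` runs offline on the sample.

```python
import json
import os
import subprocess

# Assumed CWE -> STRIDE-LM table for illustration; TITO's real mapping is not on the page.
CWE_TO_STRIDE = {
    "CWE-79": "Tampering", "CWE-89": "Tampering", "CWE-287": "Spoofing",
    "CWE-798": "Spoofing", "CWE-200": "Information Disclosure",
    "CWE-400": "Denial of Service", "CWE-269": "Elevation of Privilege",
}

def semgrep_command(target, config="auto"):
    """argv and environment an integration would use to invoke Semgrep as a subprocess.
    SEMGREP_INTEGRATION_NAME identifies the calling tool to Semgrep (value from the PR)."""
    env = dict(os.environ, SEMGREP_INTEGRATION_NAME="tito")
    argv = ["semgrep", "--config", config, "--json", "--quiet", target]
    return argv, env

def run_semgrep(target):
    """Run Semgrep and parse its JSON report; needs semgrep on PATH (not run in the demo)."""
    argv, env = semgrep_command(target)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)

def classify(report):
    """Attach STRIDE-LM categories to each result, derived from its CWE metadata."""
    enriched = []
    for r in report.get("results", []):
        cwes = r.get("extra", {}).get("metadata", {}).get("cwe", [])
        if isinstance(cwes, str):          # rule metadata may give one string or a list
            cwes = [cwes]
        ids = [c.split(":")[0].strip() for c in cwes]   # "CWE-89: SQL Injection" -> "CWE-89"
        cats = sorted({CWE_TO_STRIDE[i] for i in ids if i in CWE_TO_STRIDE}) or ["Unclassified"]
        enriched.append({"check_id": r["check_id"], "path": r["path"],
                         "line": r["start"]["line"], "stride": cats})
    return enriched

# Constructed sample shaped like `semgrep --json` output so the example runs offline.
SAMPLE_REPORT = {"results": [
    {"check_id": "python.lang.security.audit.sqli", "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "metadata": {"cwe": ["CWE-89: SQL Injection"]}}},
    {"check_id": "generic.secrets.hardcoded-password", "path": "app/cfg.py", "start": {"line": 7},
     "extra": {"severity": "WARNING", "metadata": {"cwe": "CWE-798: Use of Hard-coded Credentials"}}},
    {"check_id": "python.lang.best-practice.unused", "path": "app/util.py", "start": {"line": 3},
     "extra": {"severity": "INFO", "metadata": {}}},
]}
if __name__ == "__main__":
    for f in classify(SAMPLE_REPORT):
        print(f"{f['path']}:{f['line']} {f['check_id']} -> {', '.join(f['stride'])}")
```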

netlify bot commented Feb 2, 2026

👷 Deploy request for semgrep-docs-prod pending review.

Visit the deploys page to approve it

Latest commit: 25fde87


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Steven Leath seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Contributor

LewisArdern commented Feb 6, 2026

Hi @Leathal1, this seems like a really interesting project; however, our integration docs are for how you can leverage Semgrep results in third-party applications like DefectDojo.

We won't be accepting this time, but we appreciate you for leveraging Semgrep in your project!

@LewisArdern LewisArdern closed this Feb 6, 2026