
hybridtm/hybridtm
=================

HybridTM — PHP threat-modeling compiler that generates Threagile YAML from a PHP DSL and `#[DataFlow]` code attributes.


Since Apr 9 · Pushed 2mo ago

[Source](https://github.com/dzentota/hybridtm) · [Packagist](https://packagist.org/packages/hybridtm/hybridtm) · [RSS](/packages/hybridtm-hybridtm/feed) · Branch: main · Synced 2w ago

HybridTM
========


**HybridTM** is a PHP threat-modeling compiler that generates [Threagile](https://threagile.io)-compatible YAML from two sources:

- A **PHP DSL file** that declares the system infrastructure (assets, trust boundaries, data types).
- **PHP 8 attributes** (`#[DataFlow]`, `#[Mitigation]`, etc.) placed directly in application source code.

The compiler statically analyses the code (no execution) and merges both inputs into a single Threagile YAML file ready for risk analysis.

---

Problem Statement
-----------------


Existing threat-modeling approaches have well-known failure modes:

- **PyTM / traditional TMaC** — the threat model lives in a separate file disconnected from the real codebase. It drifts within weeks, generates false positives, and requires a dedicated security engineer to maintain.
- **Manual TMiC (Threatspec-style)** — developers are expected to write security annotations by hand while also delivering features. In practice, annotations are skipped, incomplete, or added retroactively.

HybridTM's answer to both problems:

1. **Externalise threat analysis.** We do not implement threat rules ourselves. We compile to [Threagile YAML](https://threagile.io) and let Threagile's mature, maintained engine do the risk scoring, DFD rendering, and report generation.
2. **Automate annotation.** The `#[DataFlow]` attribute is intentionally rich and strict — it contains everything Threagile needs. This makes it unsuitable for hand-writing but ideal for generation by an AI coding assistant. The `SKILL.md` file in this repo is a prompt fragment that instructs Copilot, Cursor, or Claude Code to add the right attributes automatically whenever a developer touches code that crosses a service boundary.

The result is a **Continuous Threat Modeling** pipeline: annotations are generated by AI, compiled by HybridTM, and analysed by Threagile — all in CI/CD, with no dedicated security-engineer bottleneck.

---

Core Architecture
-----------------


The pipeline has four independent layers:

```
┌─────────────────────────────────────────────────────────┐
│  1. AI Copilot Skill (SKILL.md)                         │
│     System-prompt fragment that instructs the IDE AI    │
│     to emit #[DataFlow] attributes on every cross-      │
│     service method automatically.                       │
└───────────────────────────┬─────────────────────────────┘
                            │ generates
              ┌─────────────▼──────────────┐
              │  src/**/*.php              │
              │  #[AssetId('web-app')]     │
              │  #[DataFlow(              │
              │    target: 'db',           │
              │    protocol: Protocol::… , │
              │    dataSent: […],          │
              │  )]                        │
              └─────────────┬──────────────┘
                            │
          ┌─────────────────▼──────────────────┐
          │  2. Infrastructure DSL             │
          │     threat-model.php               │
          │     TechnicalAsset / DataAsset /   │
          │     TrustBoundary declarations     │
          └─────────────────┬──────────────────┘
                            │
          ┌─────────────────▼──────────────────┐
          │  3. AST Compiler (bin/hybridtm)    │
          │     • Parses DSL (require)         │
          │     • Parses PHP source (AST only, │
          │       no execution)                │
          │     • Cross-reference validation   │
          │     • Merges both graphs           │
          └─────────────────┬──────────────────┘
                            │
          ┌─────────────────▼──────────────────┐
          │  4. Threagile YAML                 │
          │     threagile.yaml                 │
          │     → DFD diagram                 │
          │     → Risk report (PDF / JSON)     │
          │     → Risk tracking               │
          └────────────────────────────────────┘

```
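The layer-3 step of that diagram, the cross-reference check and merge, as an added PHP illustration that is not HybridTM's own code: it takes constructed stand-ins for the DSL declarations and for the flows an AST pass would lift from `#[AssetId]`/`#[DataFlow]`, rejects any flow whose endpoints or data assets are undeclared, and otherwise emits the `technical_assets` portion of Threagile YAML (a minimal subset of its fields). Asset and data-asset names are made up for the example.

```php
<?php
// Added illustration, not HybridTM's own code: the layer-3 cross-reference
// check and merge, on constructed inputs standing in for the DSL and for the
// flows an AST pass would lift from #[AssetId] / #[DataFlow] attributes.

// Constructed: what threat-model.php (layer 2) declares.
$assets = ['web-app' => ['type' => 'process'], 'db' => ['type' => 'datastore']];
$dataAssets = ['customer-pii', 'session-token'];

// Constructed: flows lifted from code; the 'cache' target is deliberately undeclared.
$flows = [
    ['source' => 'web-app', 'target' => 'db',    'protocol' => 'jdbc',                  'dataSent' => ['customer-pii']],
    ['source' => 'web-app', 'target' => 'cache', 'protocol' => 'nosql-access-protocol', 'dataSent' => ['session-token']],
];

/** Returns human-readable errors; an empty list means both graphs merge cleanly. */
function validateFlows(array $assets, array $dataAssets, array $flows): array
{
    $errors = [];
    foreach ($flows as $i => $f) {
        foreach (['source', 'target'] as $end) {
            if (!isset($assets[$f[$end]])) {
                $errors[] = "flow #$i: $end '{$f[$end]}' is not a declared TechnicalAsset";
            }
        }
        foreach (array_diff($f['dataSent'], $dataAssets) as $d) {
            $errors[] = "flow #$i: dataSent '$d' is not a declared DataAsset";
        }
    }
    return $errors;
}

/** Emits the technical_assets block of Threagile YAML with each flow as a communication_link. */
function emitTechnicalAssets(array $assets, array $flows): string
{
    $out = "technical_assets:\n";
    foreach ($assets as $id => $a) {
        $out .= "  $id:\n    id: $id\n    type: {$a['type']}\n";
        $links = array_filter($flows, fn(array $f): bool => $f['source'] === $id);
        $out .= $links === [] ? '' : "    communication_links:\n";
        foreach ($links as $f) {
            $out .= "      $id-to-{$f['target']}:\n        target: {$f['target']}\n        protocol: {$f['protocol']}\n"
                  . "        data_assets_sent: [" . implode(', ', $f['dataSent']) . "]\n";
        }
    }
    return $out;
}

// Fail the pipeline before Threagile runs if any reference dangles.
$errors = validateFlows($assets, $dataAssets, $flows);
if ($errors !== []) { fwrite(STDERR, implode("\n", $errors) . "\n"); exit(1); }
echo emitTechnicalAssets($assets, $flows);
```

As written the second flow targets the undeclared `cache` asset, so the script reports it and exits non-zero. Remove that flow to see the YAML for the remaining `web-app` to `db` link.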

| Layer | Files | Responsibility |
| --- | --- | --- |
| AI Skill | `SKILL.md` | Teaches the IDE AI which attribute to write and when |
| Infrastructure DSL | `threat-model.php`, `src/DSL/` | Declares nodes, data assets, trust zones |
| PHP 8 Attributes | `src/**/*.php`, `src/Attributes/` | Annotates actual code with data-flow facts |
| AST Compiler | `bin/hybridtm`, `src/Compiler/`, `src/Yaml/` | Merges layers, validates refs, emits YAML |

---

Documentation
-------------


- **[New Projects Guide](docs/new-projects.md)** — step-by-step guide for adding HybridTM from day one: DSL design, attribute annotation, CI/CD setup, AI agent integration.
- **[Enterprise Adoption Guide](docs/enterprise-adoption.md)** — phased rollout strategy for existing applications: audit, as-is model, incremental annotation, governance.
- **[Reference](docs/reference.md)** — complete reference for CLI, DSL classes, all attributes, and every enum value.
- **CLI Wizard (`init`)** — interactive threat-model bootstrap with ASCII UI: `php bin/hybridtm init --out=threat-model.php`.

> Russian translations: [new-projects.ru.md](docs/new-projects.ru.md) · [enterprise-adoption.ru.md](docs/enterprise-adoption.ru.md) · [reference.ru.md](docs/reference.ru.md)

---

Installation
------------


```
composer require hybridtm/hybridtm
```

Requirements: PHP ≥ 8.2

---

Quick Start
-----------


### 0. Bootstrap with the wizard (recommended)


If you are starting from scratch, use the interactive wizard to generate a baseline `threat-model.php`:

```
php bin/hybridtm init --out=threat-model.php
```

The wizard asks for model metadata, data assets, technical assets, trust boundaries, and communication links, then writes a ready-to-edit DSL file.

---

### 1. Write an infrastructure DSL file


```
