ATM

CodeQL adaptive threat modeling

Private beta for JavaScript security researchers

Adaptive threat modeling (ATM) is an extension for CodeQL that semi-automatically boosts your JavaScript security queries so that they find more vulnerabilities.

When you write a CodeQL security query, you specify the sources where tainted input enters the system and the sinks where that tainted input can do damage. But hand-written taint specifications are often incomplete: a flow into a sink the specification does not list is never reported, so even the best queries miss vulnerabilities.
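The kind of query this describes, as an added illustration that is not part of the original page and not one of CodeQL's or ATM's own queries. It uses the JavaScript library's legacy `TaintTracking::Configuration` API. The source specification reuses the library's `RemoteFlowSource` model; the sink specification is deliberately minimal and assumed for illustration: it lists only the first argument of a method named `find`, so a call such as `findOne` with the same tainted argument is a sink the query never reports. The `@id` is a made-up placeholder.

```ql
/**
 * @name NoSQL injection (hand-written, deliberately incomplete sink specification)
 * @description Flags remote input that reaches the query argument of a `find` call.
 * @kind path-problem
 * @problem.severity error
 * @id js/example-nosql-injection-incomplete-sinks
 */

import javascript
import DataFlow::PathGraph

class NoSqlInjectionConfig extends TaintTracking::Configuration {
  NoSqlInjectionConfig() { this = "NoSqlInjectionConfig" }

  // Source: anything the JavaScript library already models as remotely
  // controlled input (request parameters, bodies, headers, ...).
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: the first argument of any method call named `find`.
  // This is the incomplete part. A collection's `findOne`, `updateOne`,
  // `deleteMany` and similar calls take the same kind of query object, but
  // nothing here names them, so tainted flow into them is simply not reported.
  override predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::MethodCallNode call |
      call.getMethodName() = "find" and
      sink = call.getArgument(0)
    )
  }
}

from NoSqlInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This database query depends on $@.", source.getNode(),
  "a user-provided value"
```

Every vulnerability this query can report passes through a sink that a person thought to write down. Run against a codebase that builds its queries with `findOne`, it reports nothing, although the flow from remote input to the database is identical. That gap is what a boosted specification is meant to close: the human-written part stays as it is and the additional candidate sinks are ranked for inspection instead of being listed by hand.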

Adaptive threat modeling (ATM) for CodeQL addresses this problem by semi-automatically boosting taint specifications using machine learning. The boosted query produces a ranked list of additional results for your inspection.

With ATM, your JavaScript and TypeScript queries can identify more security problems. For example, we used ATM in the GitHub Security Lab to find 118 new NoSQL injection vulnerabilities across 50 JavaScript projects.

ATM is free for security research on open-source codebases.

Interested? Please sign up for our private beta. We’d love to get your feedback!

Register for the private beta

By joining this private beta program you accept the GitHub pre-release program terms and conditions.