@floriann Where I disagree is that a threat model is meant to answer the question “did we build what we meant to build.” All the repo has is what we DID build. Generally, what we intended is only implied by what we did.

Could we answer the question “is this software complete?” by looking only at artefacts in the repo?

We can read and understand it. We can imagine use cases that are implied. We can decide if we think the use cases we imagined are covered by the code we see.

I assert that it is not possible to look only at artefacts in the repo and determine whether the software is feature complete.

Therefore it is also not possible to determine if the features of the software in the repo are “correct” with respect to what we intended to build. To make a simple example: if there is no authentication visible in the code, is that intentional (it’s a public thing), is it needed but not built yet, or is it needed and is provided elsewhere by other infrastructure (like a proxy)?

The artefacts in a repository are unlikely to hold that answer. And while they MIGHT, I don’t think that is so common that it supports a statement like “you can threat model using only the artefacts in the repo.”