Add threat-models as a property to config file and inputs

There's a lot of changes here, but it's pretty formulaic. It follows the approach used by the `queries` input and config property. `threat-models` can appear as an input or in the config file. If it appears in the input, then we need to either merge it with the threat-models in the config (if prefixed with `+`) or overwrite it. There's no danger if someone uses `threat-models` with an older CLI since the CLI can handle configs with extra properties.
2025-12-06 07:48:17 +08:00 · 2023-04-20 11:59:55 -07:00
44 changed files with 534 additions and 142 deletions
--- a/init/action.yml
+++ b/init/action.yml
@@ -45,17 +45,22 @@ inputs:
    description: Path where CodeQL databases should be created. If not specified, a temporary directory will be used.
    required: false
  queries:
-    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
+    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to combine both sets of queries.
    required: false
  packs:
    description: >-
      [Experimental] Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not
      specified, then the latest version of the pack is used. By default, this overrides the same setting in a
-      configuration file; prefix with "+" to use both sets of packs.
+      configuration file; prefix with "+" to combine both sets of packs.

      This input is only available in single-language analyses. To use packs in multi-language
      analyses, you must specify packs in the codeql-config.yml file.
    required: false
+  threat-models:
+    description: >-
+      [Experimental] Comma-separated list of threat models to include in this analysis. By default, this overrides the same setting in a
+      configuration file; prefix with "+" to combine both sets of threat-models.
+    required: false
  external-repository-token:
    description: A token for fetching external config files and queries if they reside in a private repository in the same GitHub instance that is running this action.
    required: false
--- a/lib/analysis-paths.test.js
+++ b/lib/analysis-paths.test.js
@@ -29,6 +29,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const analysisPaths = __importStar(require("./analysis-paths"));
+const config_utils_1 = require("./config-utils");
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -48,11 +49,7 @@ const util = __importStar(require("./util"));
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-            augmentationProperties: {
-                injectedMlQueries: false,
-                packsInputCombines: false,
-                queriesInputCombines: false,
-            },
+            augmentationProperties: config_utils_1.defaultAugmentationProperties,
            trapCaches: {},
            trapCacheDownloadTime: 0,
        };
@@ -78,11 +75,7 @@ const util = __importStar(require("./util"));
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-            augmentationProperties: {
-                injectedMlQueries: false,
-                packsInputCombines: false,
-                queriesInputCombines: false,
-            },
+            augmentationProperties: config_utils_1.defaultAugmentationProperties,
            trapCaches: {},
            trapCacheDownloadTime: 0,
        };
@@ -108,11 +101,7 @@ const util = __importStar(require("./util"));
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-        augmentationProperties: {
-            injectedMlQueries: false,
-            packsInputCombines: false,
-            queriesInputCombines: false,
-        },
+        augmentationProperties: config_utils_1.defaultAugmentationProperties,
        trapCaches: {},
        trapCacheDownloadTime: 0,
    };
--- a/lib/analysis-paths.test.js.map
+++ b/lib/analysis-paths.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE;gBACtB,iBAAiB,EAAE,KAAK;gBACxB,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,KAAK;aAC5B;YACD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE;gBACtB,iBAAiB,EAAE,KAAK;gBACxB,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,KAAK;aAC5B;YACD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG;QACb,SAAS,EAAE,EAAE;QACb,OAAO,EAAE,EAAE;QACX,WAAW,EAAE,EAAE;QACf,KAAK,EAAE,EAAE;QACT,iBAAiB,EAAE,EAAE;QACrB,OAAO;QACP,SAAS,EAAE,EAAE;QACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;QACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC;QACrD,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,KAAK;QAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,sBAAsB,EAAE;YACtB,iBAAiB,EAAE,KAAK;YACxB,kBAAkB,EAAE,KAAK;YACzB,oBAAoB,EAAE,KAAK;SAC5B;QACD,UAAU,EAAE,EAAE;QACd,qBAAqB,EAAE,CAAC;KACzB,CAAC;IACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC,CAAC;IAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;AACrD,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,gEAAkD;AAClD,iDAA+D;AAC/D,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE,4CAA6B;YACrD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE,4CAA6B;YACrD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG;QACb,SAAS,EAAE,EAAE;QACb,OAAO,EAAE,EAAE;QACX,WAAW,EAAE,EAAE;QACf,KAAK,EAAE,EAAE;QACT,iBAAiB,EAAE,EAAE;QACrB,OAAO;QACP,SAAS,EAAE,EAAE;QACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;QACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC;QACrD,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,KAAK;QAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,sBAAsB,EAAE,4CAA6B;QACrD,UAAU,EAAE,EAAE;QACd,qBAAqB,EAAE,CAAC;KACzB,CAAC;IACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC,CAAC;IAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;AACrD,CAAC,CAAC,CAAC"}
--- a/lib/analyze.test.js
+++ b/lib/analyze.test.js
@@ -33,6 +33,7 @@ const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
+const config_utils_1 = require("./config-utils");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
@@ -115,11 +116,7 @@ const util = __importStar(require("./util"));
                debugMode: false,
                debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
                debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-                augmentationProperties: {
-                    injectedMlQueries: false,
-                    packsInputCombines: false,
-                    queriesInputCombines: false,
-                },
+                augmentationProperties: config_utils_1.defaultAugmentationProperties,
                trapCaches: {},
                trapCacheDownloadTime: 0,
            };
@@ -215,11 +212,7 @@ function createBaseConfig(tmpDir) {
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-        augmentationProperties: {
-            injectedMlQueries: false,
-            packsInputCombines: false,
-            queriesInputCombines: false,
-        },
+        augmentationProperties: config_utils_1.defaultAugmentationProperties,
        trapCaches: {},
        trapCacheDownloadTime: 0,
    };
--- a/lib/analyze.test.js.map
+++ b/lib/analyze.test.js.map
--- a/lib/codeql.js
+++ b/lib/codeql.js
@@ -743,6 +743,23 @@ async function generateCodeScanningConfig(codeql, config, features, logger) {
            augmentedConfig.packs["javascript"].push(packString);
        }
    }
+    // Inject the threat-models from the input
+    if (config.augmentationProperties.threatModelsInput) {
+        if (config.augmentationProperties.threatModelsInputCombines) {
+            // threat-models input combines with threat-models from the config file
+            // (if any were defined).
+            augmentedConfig["threat-models"] = (augmentedConfig["threat-models"] || []).concat(config.augmentationProperties.threatModelsInput);
+        }
+        else {
+            // threat-models input overrides threat-models from the config file
+            augmentedConfig["threat-models"] =
+                config.augmentationProperties.threatModelsInput;
+        }
+    }
+    if (Array.isArray(augmentedConfig["threat-models"]) &&
+        !augmentedConfig["threat-models"].length) {
+        delete augmentedConfig["threat-models"];
+    }
    logger.info(`Writing augmented user configuration file to ${codeScanningConfigFile}`);
    logger.startGroup("Augmented user configuration file contents");
    logger.info(yaml.dump(augmentedConfig));
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/codeql.test.js
+++ b/lib/codeql.test.js
@@ -83,6 +83,7 @@ ava_1.default.beforeEach(() => {
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
        augmentationProperties: {
+            threatModelsInputCombines: false,
            injectedMlQueries: false,
            packsInputCombines: false,
            queriesInputCombines: false,
@@ -447,6 +448,7 @@ for (const isBundleVersionInUrl of [true, false]) {
            ...stubConfig,
            tempDir,
            augmentationProperties: {
+                threatModelsInputCombines: false,
                injectedMlQueries: false,
                queriesInputCombines: false,
                packsInputCombines: false,
@@ -491,11 +493,13 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: false,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
 }, {}, {});
 (0, ava_1.default)("injected ML queries", injectedConfigMacro, {
    injectedMlQueries: true,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
 }, {}, {
    packs: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
 });
@@ -503,6 +507,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: true,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
 }, {
    originalUserInput: {
        packs: { javascript: ["codeql/something-else"] },
@@ -519,6 +524,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: true,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
 }, {
    originalUserInput: {
        packs: { cpp: ["codeql/something-else"] },
@@ -534,6 +540,7 @@ const injectedConfigMacro = ava_1.default.macro({
    queriesInputCombines: false,
    packsInputCombines: false,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
 }, {}, {
    packs: ["xxx", "yyy"],
 });
@@ -542,6 +549,7 @@ const injectedConfigMacro = ava_1.default.macro({
    queriesInputCombines: false,
    packsInputCombines: true,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
 }, {
    originalUserInput: {
        packs: {
@@ -558,6 +566,7 @@ const injectedConfigMacro = ava_1.default.macro({
    queriesInputCombines: false,
    packsInputCombines: false,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
 }, {
    originalUserInput: {
        packs: {
@@ -572,6 +581,7 @@ const injectedConfigMacro = ava_1.default.macro({
    queriesInputCombines: false,
    packsInputCombines: false,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
 }, {
    originalUserInput: {
        packs: {
@@ -586,6 +596,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: false,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
 }, {}, {
    queries: [
@@ -601,6 +612,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: false,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
 }, {
    originalUserInput: {
@@ -620,6 +632,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: false,
    queriesInputCombines: true,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
 }, {
    originalUserInput: {
@@ -642,6 +655,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: false,
    queriesInputCombines: true,
    packsInputCombines: true,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
 }, {}, {
    queries: [
@@ -657,6 +671,7 @@ const injectedConfigMacro = ava_1.default.macro({
    injectedMlQueries: false,
    queriesInputCombines: true,
    packsInputCombines: true,
+    threatModelsInputCombines: false,
    queriesInput: [],
    packsInput: [],
 }, {
@@ -665,6 +680,50 @@ const injectedConfigMacro = ava_1.default.macro({
        queries: [],
    },
 }, {});
+(0, ava_1.default)("threat model from config", injectedConfigMacro, {
+    injectedMlQueries: false,
+    queriesInputCombines: true,
+    packsInputCombines: true,
+    threatModelsInputCombines: false,
+    queriesInput: [],
+    packsInput: [],
+}, {
+    originalUserInput: {
+        "threat-models": ["a", "b"],
+    },
+}, {
+    "threat-models": ["a", "b"],
+});
+(0, ava_1.default)("threat model from input overrides config", injectedConfigMacro, {
+    injectedMlQueries: false,
+    queriesInputCombines: true,
+    packsInputCombines: true,
+    threatModelsInputCombines: false,
+    threatModelsInput: ["a", "b"],
+    queriesInput: [],
+    packsInput: [],
+}, {
+    originalUserInput: {
+        "threat-models": ["c", "d"],
+    },
+}, {
+    "threat-models": ["a", "b"],
+});
+(0, ava_1.default)("threat model from input combines with config", injectedConfigMacro, {
+    injectedMlQueries: false,
+    queriesInputCombines: true,
+    packsInputCombines: true,
+    threatModelsInputCombines: true,
+    threatModelsInput: ["a", "b"],
+    queriesInput: [],
+    packsInput: [],
+}, {
+    originalUserInput: {
+        "threat-models": ["c", "d"],
+    },
+}, {
+    "threat-models": ["c", "d", "a", "b"],
+});
 (0, ava_1.default)("does not pass a code scanning config or qlconfig file to the CLI when CLI config passing is disabled", async (t) => {
    await util.withTmpDir(async (tempDir) => {
        const runnerConstructorStub = stubToolRunnerConstructor();
--- a/lib/codeql.test.js.map
+++ b/lib/codeql.test.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -51,9 +51,11 @@ const PACKS_PROPERTY = "packs";
 exports.defaultAugmentationProperties = {
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    injectedMlQueries: false,
    packsInput: undefined,
    queriesInput: undefined,
+    threatModelsInput: undefined,
 };
 /**
 * A list of queries from https://github.com/github/codeql that
@@ -527,7 +529,7 @@ function shouldAddConfigFileQueries(queriesInput) {
 /**
 * Get the default config for when the user has not supplied one.
 */
-async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
+async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, rawThreatModelsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
    const languages = await getLanguages(codeQL, languagesInput, repository, logger);
    const queries = {};
    for (const language of languages) {
@@ -537,7 +539,7 @@ async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput,
        };
    }
    await addDefaultQueries(codeQL, languages, queries);
-    const augmentationProperties = calculateAugmentation(rawPacksInput, rawQueriesInput, languages);
+    const augmentationProperties = calculateAugmentation(rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages);
    const packs = augmentationProperties.packsInput
        ? {
            [languages[0]]: augmentationProperties.packsInput,
@@ -581,7 +583,7 @@ async function downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logg
 /**
 * Load the config from the given file.
 */
-async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
+async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, rawThreatModelsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
    let parsedYAML;
    if (isLocal(configFile)) {
        // Treat the config file as relative to the workspace
@@ -621,7 +623,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
    if (!disableDefaultQueries) {
        await addDefaultQueries(codeQL, languages, queries);
    }
-    const augmentationProperties = calculateAugmentation(rawPacksInput, rawQueriesInput, languages);
+    const augmentationProperties = calculateAugmentation(rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages);
    const packs = parsePacks(parsedYAML[PACKS_PROPERTY] ?? {}, rawPacksInput, augmentationProperties.packsInputCombines, languages, configFile, logger);
    // If queries were provided using `with` in the action configuration,
    // they should take precedence over the queries in the config file
@@ -705,17 +707,21 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
 *     not have exactly one language.
 */
 // exported for testing.
-function calculateAugmentation(rawPacksInput, rawQueriesInput, languages) {
+function calculateAugmentation(rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages) {
    const packsInputCombines = shouldCombine(rawPacksInput);
    const packsInput = parsePacksFromInput(rawPacksInput, languages, packsInputCombines);
    const queriesInputCombines = shouldCombine(rawQueriesInput);
    const queriesInput = parseQueriesFromInput(rawQueriesInput, queriesInputCombines);
+    const threatModelsInputCombines = shouldCombine(rawThreatModelsInput);
+    const threatModelsInput = parseThreatModelsFromInput(rawThreatModelsInput, threatModelsInputCombines);
    return {
        injectedMlQueries: false,
        packsInputCombines,
        packsInput: packsInput?.[languages[0]],
        queriesInput,
        queriesInputCombines,
+        threatModelsInputCombines,
+        threatModelsInput,
    };
 }
 exports.calculateAugmentation = calculateAugmentation;
@@ -801,6 +807,19 @@ function parsePacksFromInput(rawPacksInput, languages, packsInputCombines) {
        }, []),
    };
 }
+function parseThreatModelsFromInput(rawThreatModelsInput, threatModelsInputCombines) {
+    if (!rawThreatModelsInput?.trim()) {
+        return undefined;
+    }
+    rawThreatModelsInput = rawThreatModelsInput.trim();
+    if (threatModelsInputCombines) {
+        rawThreatModelsInput = rawThreatModelsInput.trim().substring(1).trim();
+        if (!rawThreatModelsInput) {
+            throw new Error(getConfigFilePropertyError(undefined, "threat-models", "A '+' was used in the 'threat-models' input to specify that you wished to add some packs to your CodeQL analysis. However, no threat models were specified. Please either remove the '+' or specify some threat models."));
+        }
+    }
+    return rawThreatModelsInput.split(",").map((t) => t.trim());
+}
 /**
 * Validates that this package specification is syntactically correct.
 * It may not point to any real package, but after this function returns
@@ -932,15 +951,15 @@ function dbLocationOrDefault(dbLocation, tempDir) {
 * This will parse the config from the user input if present, or generate
 * a default config. The parsed config is then stored to a known location.
 */
-async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
+async function initConfig(languagesInput, queriesInput, packsInput, threatModelsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
    let config;
    // If no config file was provided create an empty one
    if (!configFile) {
        logger.debug("No configuration file was provided");
-        config = await getDefaultConfig(languagesInput, queriesInput, packsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
+        config = await getDefaultConfig(languagesInput, queriesInput, packsInput, threatModelsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
    }
    else {
-        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
+        config = await loadConfig(languagesInput, queriesInput, packsInput, threatModelsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
    }
    // When using the codescanning config in the CLI, pack downloads
    // happen in the CLI during the `database init` command, so no need
--- a/lib/config-utils.js.map
+++ b/lib/config-utils.js.map
--- a/lib/config-utils.test.js
+++ b/lib/config-utils.test.js
@@ -102,8 +102,8 @@ function mockListLanguages(languages) {
                return { packs: [] };
            },
        });
-        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger);
-        t.deepEqual(config, await configUtils.getDefaultConfig(languages, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger));
+        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger);
+        t.deepEqual(config, await configUtils.getDefaultConfig(languages, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger));
    });
 });
 (0, ava_1.default)("loading config saves config", async (t) => {
@@ -128,7 +128,7 @@ function mockListLanguages(languages) {
        t.false(fs.existsSync(configUtils.getPathToParsedConfigFile(tmpDir)));
        // Sanity check that getConfig returns undefined before we have called initConfig
        t.deepEqual(await configUtils.getConfig(tmpDir, logger), undefined);
-        const config1 = await configUtils.initConfig("javascript,python", undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger);
+        const config1 = await configUtils.initConfig("javascript,python", undefined, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger);
        // The saved config file should now exist
        t.true(fs.existsSync(configUtils.getPathToParsedConfigFile(tmpDir)));
        // And that same newly-initialised config should now be returned by getConfig
@@ -144,7 +144,7 @@ function mockListLanguages(languages) {
 (0, ava_1.default)("load input outside of workspace", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, undefined, "../input", undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, "../input", undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -157,7 +157,7 @@ function mockListLanguages(languages) {
        // no filename given, just a repo
        const configFile = "octo-org/codeql-config@main";
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -171,7 +171,7 @@ function mockListLanguages(languages) {
        const configFile = "input";
        t.false(fs.existsSync(path.join(tmpDir, configFile)));
        try {
-            await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -247,7 +247,7 @@ function mockListLanguages(languages) {
        };
        const languages = "javascript";
        const configFilePath = createConfigFile(inputFileContents, tmpDir);
-        const actualConfig = await configUtils.initConfig(languages, undefined, undefined, undefined, configFilePath, undefined, false, false, "my-artifact", "my-db", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const actualConfig = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFilePath, undefined, false, false, "my-artifact", "my-db", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Should exactly equal the object we constructed earlier
        t.deepEqual(actualConfig, expectedConfig);
    });
@@ -286,7 +286,7 @@ function mockListLanguages(languages) {
        fs.mkdirSync(path.join(tmpDir, "foo"));
        const languages = "javascript";
        const configFilePath = createConfigFile(inputFileContents, tmpDir);
-        await configUtils.initConfig(languages, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolve queries was called correctly
        t.deepEqual(resolveQueriesArgs.length, 1);
        t.deepEqual(resolveQueriesArgs[0].queries, [
@@ -332,7 +332,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for the default queries
        // and once for `./foo` from the config file.
@@ -368,7 +368,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for the default queries and once for `./override`,
        // but won't be called for './foo' from the config file.
@@ -403,7 +403,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for `./workflow-query`,
        // but won't be called for the default one since that was disabled
@@ -432,7 +432,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly:
        // It'll be called once for the default queries,
        // and then once for each of the two queries from the workflow
@@ -474,7 +474,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for the default queries,
        // once for each of additional1 and additional2,
@@ -516,7 +516,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        try {
-            await configUtils.initConfig(languages, queries, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(languages, queries, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            t.fail("initConfig did not throw error");
        }
        catch (err) {
@@ -562,7 +562,7 @@ function queriesToResolvedQueryForm(queries) {
        fs.mkdirSync(path.join(tmpDir, "foo/bar/dev"), { recursive: true });
        const configFile = "octo-org/codeql-config/config.yaml@main";
        const languages = "javascript";
-        await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.assert(spyGetContents.called);
    });
 });
@@ -572,7 +572,7 @@ function queriesToResolvedQueryForm(queries) {
        mockGetContents(dummyResponse);
        const repoReference = "octo-org/codeql-config/config.yaml@main";
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -588,7 +588,7 @@ function queriesToResolvedQueryForm(queries) {
        mockGetContents(dummyResponse);
        const repoReference = "octo-org/codeql-config/config.yaml@main";
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -608,7 +608,7 @@ function queriesToResolvedQueryForm(queries) {
            },
        });
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -620,7 +620,7 @@ function queriesToResolvedQueryForm(queries) {
    return await util.withTmpDir(async (tmpDir) => {
        const languages = "rubbish,english";
        try {
-            await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -651,7 +651,7 @@ function queriesToResolvedQueryForm(queries) {
        const configFile = path.join(tmpDir, "codeql-config.yaml");
        fs.writeFileSync(configFile, inputFileContents);
        const languages = "javascript";
-        const { packs } = await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const { packs } = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.deepEqual(packs, {
            [languages_1.Language.javascript]: ["a/b@1.2.3"],
        });
@@ -688,7 +688,7 @@ function queriesToResolvedQueryForm(queries) {
        fs.writeFileSync(configFile, inputFileContents);
        fs.mkdirSync(path.join(tmpDir, "foo"));
        const languages = "javascript,python,cpp";
-        const { packs, queries } = await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example" }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        const { packs, queries } = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example" }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.deepEqual(packs, {
            [languages_1.Language.javascript]: ["a/b@1.2.3"],
            [languages_1.Language.python]: ["c/d@1.2.3"],
@@ -734,7 +734,7 @@ function doInvalidInputTest(testName, inputFileContents, expectedErrorMessageGen
            const inputFile = path.join(tmpDir, configFile);
            fs.writeFileSync(inputFile, inputFileContents, "utf8");
            try {
-                await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+                await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
                throw new Error("initConfig did not throw error");
            }
            catch (err) {
@@ -991,7 +991,7 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
                    return { packs: [] };
                },
            });
-            const { packs } = await configUtils.initConfig("javascript", queriesInput, packsInput, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)(isMlPoweredQueriesEnabled ? [feature_flags_1.Feature.MlPoweredQueriesEnabled] : []), (0, logging_1.getRunnerLogger)(true));
+            const { packs } = await configUtils.initConfig("javascript", queriesInput, packsInput, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)(isMlPoweredQueriesEnabled ? [feature_flags_1.Feature.MlPoweredQueriesEnabled] : []), (0, logging_1.getRunnerLogger)(true));
            if (expectedVersionString !== undefined) {
                t.deepEqual(packs, {
                    [languages_1.Language.javascript]: [
@@ -1046,58 +1046,87 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // CLI 2.12.1+.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.12.1", true, undefined, "security-experimental", "~0.4.0");
 const calculateAugmentationMacro = ava_1.default.macro({
-    exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
-        const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);
+    exec: async (t, _title, rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages, expectedAugmentationProperties) => {
+        const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages);
        t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
    },
    title: (_, title) => `Calculate Augmentation: ${title}`,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "All empty", undefined, undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "All empty", undefined, undefined, undefined, [languages_1.Language.javascript], {
    queriesInputCombines: false,
    queriesInput: undefined,
    packsInputCombines: false,
    packsInput: undefined,
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With queries", undefined, " a, b , c, d", [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With queries", undefined, " a, b , c, d", undefined, [languages_1.Language.javascript], {
    queriesInputCombines: false,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
    packsInputCombines: false,
    packsInput: undefined,
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With queries combining", undefined, "   +   a, b , c, d ", [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With queries combining", undefined, "   +   a, b , c, d ", undefined, [languages_1.Language.javascript], {
    queriesInputCombines: true,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
    packsInputCombines: false,
    packsInput: undefined,
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With packs", "   codeql/a , codeql/b   , codeql/c  , codeql/d  ", undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With packs", "   codeql/a , codeql/b   , codeql/c  , codeql/d  ", undefined, undefined, [languages_1.Language.javascript], {
    queriesInputCombines: false,
    queriesInput: undefined,
    packsInputCombines: false,
    packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
 });
-(0, ava_1.default)(calculateAugmentationMacro, "With packs combining", "   +   codeql/a, codeql/b, codeql/c, codeql/d", undefined, [languages_1.Language.javascript], {
+(0, ava_1.default)(calculateAugmentationMacro, "With packs combining", "   +   codeql/a, codeql/b, codeql/c, codeql/d", undefined, undefined, [languages_1.Language.javascript], {
    queriesInputCombines: false,
    queriesInput: undefined,
    packsInputCombines: true,
    packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
+    injectedMlQueries: false,
+});
+(0, ava_1.default)(calculateAugmentationMacro, "With threat model", undefined, undefined, "   a , b   , c  , d  ", [languages_1.Language.javascript], {
+    queriesInputCombines: false,
+    queriesInput: undefined,
+    packsInput: undefined,
+    packsInputCombines: false,
+    threatModelsInput: ["a", "b", "c", "d"],
+    threatModelsInputCombines: false,
+    injectedMlQueries: false,
+});
+(0, ava_1.default)(calculateAugmentationMacro, "With threat model combining", undefined, undefined, " +  a , b   , c  , d  ", [languages_1.Language.javascript], {
+    queriesInput: undefined,
+    queriesInputCombines: false,
+    packsInput: undefined,
+    packsInputCombines: false,
+    threatModelsInput: ["a", "b", "c", "d"],
+    threatModelsInputCombines: true,
    injectedMlQueries: false,
 });
 const calculateAugmentationErrorMacro = ava_1.default.macro({
-    exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedError) => {
-        t.throws(() => configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages), { message: expectedError });
+    exec: async (t, _title, rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages, expectedError) => {
+        t.throws(() => configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, rawThreatModelsInput, languages), { message: expectedError });
    },
    title: (_, title) => `Calculate Augmentation Error: ${title}`,
 });
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (queries)", undefined, "   +   ", [languages_1.Language.javascript], /The workflow property "queries" is invalid/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (packs)", "   +   ", undefined, [languages_1.Language.javascript], /The workflow property "packs" is invalid/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with multiple languages", "   +  a/b, c/d ", undefined, [languages_1.Language.javascript, languages_1.Language.java], /Cannot specify a 'packs' input in a multi-language analysis/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with no languages", "   +  a/b, c/d ", undefined, [], /No languages specified/);
-(0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid packs", " a-pack-without-a-scope ", undefined, [languages_1.Language.javascript], /"a-pack-without-a-scope" is not a valid pack/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (queries)", undefined, "   +   ", undefined, [languages_1.Language.javascript], /The workflow property "queries" is invalid/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Plus (+) with nothing else (packs)", "   +   ", undefined, undefined, [languages_1.Language.javascript], /The workflow property "packs" is invalid/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with multiple languages", "   +  a/b, c/d ", undefined, undefined, [languages_1.Language.javascript, languages_1.Language.java], /Cannot specify a 'packs' input in a multi-language analysis/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with no languages", "   +  a/b, c/d ", undefined, undefined, [], /No languages specified/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid packs", " a-pack-without-a-scope ", undefined, undefined, [languages_1.Language.javascript], /"a-pack-without-a-scope" is not a valid pack/);
+(0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid threat-models", undefined, undefined, "   + ", [languages_1.Language.javascript], /A '\+' was used in the 'threat-models'/);
 (0, ava_1.default)("downloadPacks-no-registries", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        const packDownloadStub = sinon.stub();
--- a/lib/config-utils.test.js.map
+++ b/lib/config-utils.test.js.map
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -128,7 +128,7 @@ async function run() {
        toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs;
        toolsVersion = initCodeQLResult.toolsVersion;
        toolsSource = initCodeQLResult.toolsSource;
-        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), registriesInput, (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), getTrapCachingEnabled(), 
+        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), (0, actions_util_1.getOptionalInput)("threat-models"), registriesInput, (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), getTrapCachingEnabled(), 
        // Debug mode is enabled if:
        // - The `init` Action is passed `debug: true`.
        // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
--- a/lib/init-action.js.map
+++ b/lib/init-action.js.map
--- a/lib/init.js
+++ b/lib/init.js
@@ -48,9 +48,9 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
    return { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion };
 }
 exports.initCodeQL = initCodeQL;
-async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
+async function initConfig(languagesInput, queriesInput, packsInput, threatModelsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
    logger.startGroup("Load language configuration");
-    const config = await configUtils.initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
+    const config = await configUtils.initConfig(languagesInput, queriesInput, packsInput, threatModelsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
    analysisPaths.printPathFiltersWarning(config, logger);
    logger.endGroup();
    return config;
--- a/lib/init.js.map
+++ b/lib/init.js.map
@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA+C;AAC/C,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAE/B,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;IACf,sCAAuB,CAAA;IACvB,oCAAqB,CAAA;AACvB,CAAC,EALW,WAAW,GAAX,mBAAW,KAAX,mBAAW,QAKtB;AAEM,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,iBAA2C,EAC3C,MAAc;IAOd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,GAClE,MAAM,IAAA,oBAAW,EACf,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACJ,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxE,CAAC;AA3BD,gCA2BC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,QAA2B,EAC3B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,QAAQ,EACR,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,eAAmC,EACnC,QAA2B,EAC3B,UAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,wFAAwF;QACxF,qBAAqB;QACrB,8FAA8F;QAC9F,2FAA2F;QAC3F,IAAI,oBAAwC,CAAC;QAC7C,IAAI,YAAgC,CAAC;QACrC,IAAI,MAAM,IAAI,CAAC,0BAA0B,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE;YAC3D,CAAC,EAAE,oBAAoB,EAAE,YAAY,EAAE;gBACrC,MAAM,WAAW,CAAC,kBAAkB,CAClC,eAAe,EACf,MAAM,EACN,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC,CAAC;SACN;QACD,MAAM,WAAW,CAAC,eAAe,CAC/B;YACE,YAAY,EAAE,UAAU,CAAC,IAAI;YAC7B,sBAAsB,EAAE,oBAAoB;SAC7C;QAED,0BAA0B;QAC1B,KAAK,IAAI,EAAE,CACT,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,QAAQ,EACR,YAAY,EACZ,MAAM,CACP,CACJ,CAAC;KACH;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,CAAC,CAAC;AAC/C,CAAC;AAjDD,0BAiDC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,CAAM;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,8BAA8B,CAAC;QACnD,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,uCAAuC,CAAC,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,wCAAwC,CAAC;QAC7D,gEAAgE;QAChE,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,qBAAqB,CAAC,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA+C;AAC/C,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAE/B,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;IACf,sCAAuB,CAAA;IACvB,oCAAqB,CAAA;AACvB,CAAC,EALW,WAAW,GAAX,mBAAW,KAAX,mBAAW,QAKtB;AAEM,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,iBAA2C,EAC3C,MAAc;IAOd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,GAClE,MAAM,IAAA,oBAAW,EACf,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACJ,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxE,CAAC;AA3BD,gCA2BC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,iBAAqC,EACrC,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,QAA2B,EAC3B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,QAAQ,EACR,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9CD,gCA8CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,eAAmC,EACnC,QAA2B,EAC3B,UAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,wFAAwF;QACxF,qBAAqB;QACrB,8FAA8F;QAC9F,2FAA2F;QAC3F,IAAI,oBAAwC,CAAC;QAC7C,IAAI,YAAgC,CAAC;QACrC,IAAI,MAAM,IAAI,CAAC,0BAA0B,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE;YAC3D,CAAC,EAAE,oBAAoB,EAAE,YAAY,EAAE;gBACrC,MAAM,WAAW,CAAC,kBAAkB,CAClC,eAAe,EACf,MAAM,EACN,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC,CAAC;SACN;QACD,MAAM,WAAW,CAAC,eAAe,CAC/B;YACE,YAAY,EAAE,UAAU,CAAC,IAAI;YAC7B,sBAAsB,EAAE,oBAAoB;SAC7C;QAED,0BAA0B;QAC1B,KAAK,IAAI,EAAE,CACT,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,QAAQ,EACR,YAAY,EACZ,MAAM,CACP,CACJ,CAAC;KACH;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,CAAC,CAAC;AAC/C,CAAC;AAjDD,0BAiDC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,CAAM;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,8BAA8B,CAAC;QACnD,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,uCAAuC,CAAC,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,wCAAwC,CAAC;QAC7D,gEAAgE;QAChE,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,qBAAqB,CAAC,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}
--- a/lib/trap-caching.test.js
+++ b/lib/trap-caching.test.js
@@ -33,6 +33,7 @@ const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const actionsUtil = __importStar(require("./actions-util"));
 const codeql_1 = require("./codeql");
+const configUtils = __importStar(require("./config-utils"));
 const languages_1 = require("./languages");
 const testing_utils_1 = require("./testing-utils");
 const trap_caching_1 = require("./trap-caching");
@@ -94,11 +95,7 @@ const testConfigWithoutTmpDir = {
    debugMode: false,
    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-    augmentationProperties: {
-        injectedMlQueries: false,
-        packsInputCombines: false,
-        queriesInputCombines: false,
-    },
+    augmentationProperties: configUtils.defaultAugmentationProperties,
    trapCaches: {
        javascript: "/some/cache/dir",
    },
@@ -119,11 +116,7 @@ function getTestConfigWithTempDir(tmpDir) {
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-        augmentationProperties: {
-            injectedMlQueries: false,
-            packsInputCombines: false,
-            queriesInputCombines: false,
-        },
+        augmentationProperties: configUtils.defaultAugmentationProperties,
        trapCaches: {
            javascript: path.resolve(tmpDir, "jsCache"),
            ruby: path.resolve(tmpDir, "rubyCache"),
--- a/lib/trap-caching.test.js.map
+++ b/lib/trap-caching.test.js.map
--- a/lib/util.test.js
+++ b/lib/util.test.js
@@ -33,6 +33,7 @@ const github = __importStar(require("@actions/github"));
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const api = __importStar(require("./api-client"));
+const config_utils_1 = require("./config-utils");
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
@@ -241,11 +242,7 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
                debugMode: false,
                debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
                debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-                augmentationProperties: {
-                    injectedMlQueries: false,
-                    packsInputCombines: false,
-                    queriesInputCombines: false,
-                },
+                augmentationProperties: config_utils_1.defaultAugmentationProperties,
                trapCaches: {},
                trapCacheDownloadTime: 0,
            };
--- a/lib/util.test.js.map
+++ b/lib/util.test.js.map
--- a/queries/.cache/data/17/bd/17bd99d2be870a62a10c01563195dedb396d1073
+++ b/queries/.cache/data/17/bd/17bd99d2be870a62a10c01563195dedb396d1073
@@ -0,0 +1,30 @@
+ #      Precompiled CodeQL query
+---
+format:
+- 202210190
+creator: "2.12.0"
+name: "binary-planting.ql"
+dbscheme: "4d00210ca570d55c4833af11d3372b774dbc63f2"
+stages:
+- cached: "eab2ee2a0540ade3989ca6057981f91dca87e8dd"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "e3d73e04276e1e7d870422c3d0b20a77b26134bd"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "4d38c88bc217c78abc64ea4bde9d82e4fb9dceb5"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "f5fe3c8ecd3c4f7f23db589fc5beedd3b98350c8"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "6b91c5ace67fc41b3fc7b66fbe4f1656e5021299"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "e12de1ddade327e68a2446986356414403060359"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "27e1a12ac46e3b189b87c28330e49073e43901d6"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+results:
+  nodes:
+    resultArranger: "1\"nd\"ei12"
+  edges:
+    resultArranger: "2\"pred\"ei12\"succ\"ei12"
+  '#select':
+    resultArranger: "40ei12\"source\"ei12\"sink\"ei120s"
+inputsDigest: "17bd99d2be870a62a10c01563195dedb396d1073"
--- a/queries/.cache/data/18/0d/180d77cb5041c05f39bbe8ae402fd801e1bed99d
+++ b/queries/.cache/data/18/0d/180d77cb5041c05f39bbe8ae402fd801e1bed99d
@@ -0,0 +1,30 @@
+ #      Precompiled CodeQL query
+---
+format:
+- 202210190
+creator: "2.12.0"
+name: "binary-planting.ql"
+dbscheme: "4d00210ca570d55c4833af11d3372b774dbc63f2"
+stages:
+- cached: "eab2ee2a0540ade3989ca6057981f91dca87e8dd"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "e3d73e04276e1e7d870422c3d0b20a77b26134bd"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "4d38c88bc217c78abc64ea4bde9d82e4fb9dceb5"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "f5fe3c8ecd3c4f7f23db589fc5beedd3b98350c8"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "6b91c5ace67fc41b3fc7b66fbe4f1656e5021299"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "e12de1ddade327e68a2446986356414403060359"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+- cached: "ed12e9ba01052a2f5f25e424440b0348fb968160"
+  debugInfo: "fecaa121855b37cb5060daceb1adc2e02056f801"
+results:
+  nodes:
+    resultArranger: "1\"nd\"ei12"
+  edges:
+    resultArranger: "2\"pred\"ei12\"succ\"ei12"
+  '#select':
+    resultArranger: "40ei12\"source\"ei12\"sink\"ei120s"
+inputsDigest: "180d77cb5041c05f39bbe8ae402fd801e1bed99d"
--- a/queries/.cache/data/27/e1/27e1a12ac46e3b189b87c28330e49073e43901d6
+++ b/queries/.cache/data/27/e1/27e1a12ac46e3b189b87c28330e49073e43901d6
--- a/queries/.cache/data/4d/38/4d38c88bc217c78abc64ea4bde9d82e4fb9dceb5
+++ b/queries/.cache/data/4d/38/4d38c88bc217c78abc64ea4bde9d82e4fb9dceb5
--- a/queries/.cache/data/6b/91/6b91c5ace67fc41b3fc7b66fbe4f1656e5021299
+++ b/queries/.cache/data/6b/91/6b91c5ace67fc41b3fc7b66fbe4f1656e5021299
--- a/queries/.cache/data/e1/2d/e12de1ddade327e68a2446986356414403060359
+++ b/queries/.cache/data/e1/2d/e12de1ddade327e68a2446986356414403060359
--- a/queries/.cache/data/e3/d7/e3d73e04276e1e7d870422c3d0b20a77b26134bd
+++ b/queries/.cache/data/e3/d7/e3d73e04276e1e7d870422c3d0b20a77b26134bd
--- a/queries/.cache/data/ea/b2/eab2ee2a0540ade3989ca6057981f91dca87e8dd
+++ b/queries/.cache/data/ea/b2/eab2ee2a0540ade3989ca6057981f91dca87e8dd
--- a/queries/.cache/data/ed/12/ed12e9ba01052a2f5f25e424440b0348fb968160
+++ b/queries/.cache/data/ed/12/ed12e9ba01052a2f5f25e424440b0348fb968160
--- a/queries/.cache/data/f5/fe/f5fe3c8ecd3c4f7f23db589fc5beedd3b98350c8
+++ b/queries/.cache/data/f5/fe/f5fe3c8ecd3c4f7f23db589fc5beedd3b98350c8
--- a/queries/.cache/data/fe/ca/fecaa121855b37cb5060daceb1adc2e02056f801
+++ b/queries/.cache/data/fe/ca/fecaa121855b37cb5060daceb1adc2e02056f801
--- a/queries/.cache/lock
+++ b/queries/.cache/lock
--- a/queries/.cache/size
+++ b/queries/.cache/size
--- a/src/analysis-paths.test.ts
+++ b/src/analysis-paths.test.ts
@@ -3,6 +3,7 @@ import * as path from "path";
 import test from "ava";

 import * as analysisPaths from "./analysis-paths";
+import { defaultAugmentationProperties } from "./config-utils";
 import { setupTests } from "./testing-utils";
 import * as util from "./util";

@@ -24,11 +25,7 @@ test("emptyPaths", async (t) => {
      debugMode: false,
      debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
      debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-      augmentationProperties: {
-        injectedMlQueries: false,
-        packsInputCombines: false,
-        queriesInputCombines: false,
-      },
+      augmentationProperties: defaultAugmentationProperties,
      trapCaches: {},
      trapCacheDownloadTime: 0,
    };
@@ -55,11 +52,7 @@ test("nonEmptyPaths", async (t) => {
      debugMode: false,
      debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
      debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-      augmentationProperties: {
-        injectedMlQueries: false,
-        packsInputCombines: false,
-        queriesInputCombines: false,
-      },
+      augmentationProperties: defaultAugmentationProperties,
      trapCaches: {},
      trapCacheDownloadTime: 0,
    };
@@ -89,11 +82,7 @@ test("exclude temp dir", async (t) => {
    debugMode: false,
    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-    augmentationProperties: {
-      injectedMlQueries: false,
-      packsInputCombines: false,
-      queriesInputCombines: false,
-    },
+    augmentationProperties: defaultAugmentationProperties,
    trapCaches: {},
    trapCacheDownloadTime: 0,
  };
--- a/src/analyze.test.ts
+++ b/src/analyze.test.ts
@@ -13,7 +13,11 @@ import {
  QueriesStatusReport,
 } from "./analyze";
 import { CodeQL, setCodeQL } from "./codeql";
-import { Config, QueriesWithSearchPath } from "./config-utils";
+import {
+  Config,
+  QueriesWithSearchPath,
+  defaultAugmentationProperties,
+} from "./config-utils";
 import { Feature } from "./feature-flags";
 import { Language } from "./languages";
 import { getRunnerLogger } from "./logging";
@@ -111,11 +115,7 @@ test("status report fields and search path setting", async (t) => {
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-        augmentationProperties: {
-          injectedMlQueries: false,
-          packsInputCombines: false,
-          queriesInputCombines: false,
-        },
+        augmentationProperties: defaultAugmentationProperties,
        trapCaches: {},
        trapCacheDownloadTime: 0,
      };
@@ -258,11 +258,7 @@ function createBaseConfig(tmpDir: string): Config {
    debugMode: false,
    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-    augmentationProperties: {
-      injectedMlQueries: false,
-      packsInputCombines: false,
-      queriesInputCombines: false,
-    },
+    augmentationProperties: defaultAugmentationProperties,
    trapCaches: {},
    trapCacheDownloadTime: 0,
  };
--- a/src/codeql.test.ts
+++ b/src/codeql.test.ts
@@ -69,6 +69,7 @@ test.beforeEach(() => {
    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
    augmentationProperties: {
+      threatModelsInputCombines: false,
      injectedMlQueries: false,
      packsInputCombines: false,
      queriesInputCombines: false,
@@ -682,6 +683,7 @@ test("databaseInitCluster() without injected codescanning config", async (t) =>
      ...stubConfig,
      tempDir,
      augmentationProperties: {
+        threatModelsInputCombines: false,
        injectedMlQueries: false,
        queriesInputCombines: false,
        packsInputCombines: false,
@@ -762,6 +764,7 @@ test(
    injectedMlQueries: false,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
  },
  {},
  {}
@@ -774,6 +777,7 @@ test(
    injectedMlQueries: true,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
  },
  {},
  {
@@ -788,6 +792,7 @@ test(
    injectedMlQueries: true,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
  },
  {
    originalUserInput: {
@@ -811,6 +816,7 @@ test(
    injectedMlQueries: true,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
  },
  {
    originalUserInput: {
@@ -833,6 +839,7 @@ test(
    queriesInputCombines: false,
    packsInputCombines: false,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
  },
  {},
  {
@@ -848,6 +855,7 @@ test(
    queriesInputCombines: false,
    packsInputCombines: true,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
  },
  {
    originalUserInput: {
@@ -871,6 +879,7 @@ test(
    queriesInputCombines: false,
    packsInputCombines: false,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
  },
  {
    originalUserInput: {
@@ -892,6 +901,7 @@ test(
    queriesInputCombines: false,
    packsInputCombines: false,
    packsInput: ["xxx", "yyy"],
+    threatModelsInputCombines: false,
  },
  {
    originalUserInput: {
@@ -913,6 +923,7 @@ test(
    injectedMlQueries: false,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
  },
  {},
@@ -935,6 +946,7 @@ test(
    injectedMlQueries: false,
    queriesInputCombines: false,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
  },
  {
@@ -961,6 +973,7 @@ test(
    injectedMlQueries: false,
    queriesInputCombines: true,
    packsInputCombines: false,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
  },
  {
@@ -990,6 +1003,7 @@ test(
    injectedMlQueries: false,
    queriesInputCombines: true,
    packsInputCombines: true,
+    threatModelsInputCombines: false,
    queriesInput: [{ uses: "xxx" }, { uses: "yyy" }],
  },
  {},
@@ -1012,6 +1026,7 @@ test(
    injectedMlQueries: false,
    queriesInputCombines: true,
    packsInputCombines: true,
+    threatModelsInputCombines: false,
    queriesInput: [],
    packsInput: [],
  },
@@ -1024,6 +1039,71 @@ test(
  {}
 );

+test(
+  "threat model from config",
+  injectedConfigMacro,
+  {
+    injectedMlQueries: false,
+    queriesInputCombines: true,
+    packsInputCombines: true,
+    threatModelsInputCombines: false,
+    queriesInput: [],
+    packsInput: [],
+  },
+  {
+    originalUserInput: {
+      "threat-models": ["a", "b"],
+    },
+  },
+  {
+    "threat-models": ["a", "b"],
+  }
+);
+
+test(
+  "threat model from input overrides config",
+  injectedConfigMacro,
+  {
+    injectedMlQueries: false,
+    queriesInputCombines: true,
+    packsInputCombines: true,
+    threatModelsInputCombines: false,
+    threatModelsInput: ["a", "b"],
+    queriesInput: [],
+    packsInput: [],
+  },
+  {
+    originalUserInput: {
+      "threat-models": ["c", "d"],
+    },
+  },
+  {
+    "threat-models": ["a", "b"],
+  }
+);
+
+test(
+  "threat model from input combines with config",
+  injectedConfigMacro,
+  {
+    injectedMlQueries: false,
+    queriesInputCombines: true,
+    packsInputCombines: true,
+    threatModelsInputCombines: true,
+    threatModelsInput: ["a", "b"],
+    queriesInput: [],
+    packsInput: [],
+  },
+  {
+    originalUserInput: {
+      "threat-models": ["c", "d"],
+    },
+  },
+  {
+    "threat-models": ["c", "d", "a", "b"],
+  }
+);
+
 test("does not pass a code scanning config or qlconfig file to the CLI when CLI config passing is disabled", async (t: ExecutionContext<unknown>) => {
  await util.withTmpDir(async (tempDir) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -1134,6 +1134,7 @@ async function generateCodeScanningConfig(
  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
    delete augmentedConfig.packs;
  }
+
  if (config.augmentationProperties.injectedMlQueries) {
    // We need to inject the ML queries into the original user input before
    // we pass this on to the CLI, to make sure these get run.
@@ -1148,6 +1149,28 @@ async function generateCodeScanningConfig(
      augmentedConfig.packs["javascript"].push(packString);
    }
  }
+
+  // Inject the threat-models from the input
+  if (config.augmentationProperties.threatModelsInput) {
+    if (config.augmentationProperties.threatModelsInputCombines) {
+      // threat-models input combines with threat-models from the config file
+      // (if any were defined).
+      augmentedConfig["threat-models"] = (
+        augmentedConfig["threat-models"] || []
+      ).concat(config.augmentationProperties.threatModelsInput);
+    } else {
+      // threat-models input overrides threat-models from the config file
+      augmentedConfig["threat-models"] =
+        config.augmentationProperties.threatModelsInput;
+    }
+  }
+  if (
+    Array.isArray(augmentedConfig["threat-models"]) &&
+    !augmentedConfig["threat-models"].length
+  ) {
+    delete augmentedConfig["threat-models"];
+  }
+
  logger.info(
    `Writing augmented user configuration file to ${codeScanningConfigFile}`
  );
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -105,6 +105,7 @@ test("load empty config", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      false,
      false,
      "",
@@ -126,6 +127,7 @@ test("load empty config", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        false,
        false,
        "",
@@ -176,6 +178,7 @@ test("loading config saves config", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      false,
      false,
      "",
@@ -212,6 +215,7 @@ test("load input outside of workspace", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        "../input",
        undefined,
        false,
@@ -252,6 +256,7 @@ test("load non-local input with invalid repo syntax", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        configFile,
        undefined,
        false,
@@ -293,6 +298,7 @@ test("load non-existent input", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        configFile,
        undefined,
        false,
@@ -400,6 +406,7 @@ test("load non-empty input", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      configFilePath,
      undefined,
      false,
@@ -471,6 +478,7 @@ test("Default queries are used", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      configFilePath,
      undefined,
      false,
@@ -550,6 +558,7 @@ test("Queries can be specified in config file", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      configFilePath,
      undefined,
      false,
@@ -628,6 +637,7 @@ test("Queries from config file can be overridden in workflow file", async (t) =>
      testQueries,
      undefined,
      undefined,
+      undefined,
      configFilePath,
      undefined,
      false,
@@ -704,6 +714,7 @@ test("Queries in workflow file can be used in tandem with the 'disable default q
      testQueries,
      undefined,
      undefined,
+      undefined,
      configFilePath,
      undefined,
      false,
@@ -773,6 +784,7 @@ test("Multiple queries can be specified in workflow file, no config file require
      undefined,
      undefined,
      undefined,
+      undefined,
      false,
      false,
      "",
@@ -859,6 +871,7 @@ test("Queries in workflow file can be added to the set of queries without overri
      testQueries,
      undefined,
      undefined,
+      undefined,
      configFilePath,
      undefined,
      false,
@@ -943,6 +956,7 @@ test("Invalid queries in workflow file handled correctly", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        false,
        false,
        "",
@@ -1013,6 +1027,7 @@ test("API client used when reading remote config", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      configFile,
      undefined,
      false,
@@ -1044,6 +1059,7 @@ test("Remote config handles the case where a directory is provided", async (t) =
        undefined,
        undefined,
        undefined,
+        undefined,
        repoReference,
        undefined,
        false,
@@ -1083,6 +1099,7 @@ test("Invalid format of remote config handled correctly", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        repoReference,
        undefined,
        false,
@@ -1128,6 +1145,7 @@ test("No detected languages", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        false,
        false,
        "",
@@ -1160,6 +1178,7 @@ test("Unknown languages", async (t) => {
        undefined,
        undefined,
        undefined,
+        undefined,
        false,
        false,
        "",
@@ -1215,6 +1234,7 @@ test("Config specifies packages", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      configFile,
      undefined,
      false,
@@ -1276,6 +1296,7 @@ test("Config specifies packages for multiple languages", async (t) => {
      undefined,
      undefined,
      undefined,
+      undefined,
      configFile,
      undefined,
      false,
@@ -1348,6 +1369,7 @@ function doInvalidInputTest(
          undefined,
          undefined,
          undefined,
+          undefined,
          configFile,
          undefined,
          false,
@@ -1934,6 +1956,7 @@ const mlPoweredQueriesMacro = test.macro({
        undefined,
        undefined,
        undefined,
+        undefined,
        false,
        false,
        "",
@@ -2105,12 +2128,14 @@ const calculateAugmentationMacro = test.macro({
    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
+    rawThreatModelsInput: string | undefined,
    languages: Language[],
    expectedAugmentationProperties: configUtils.AugmentationProperties
  ) => {
    const actualAugmentationProperties = configUtils.calculateAugmentation(
      rawPacksInput,
      rawQueriesInput,
+      rawThreatModelsInput,
      languages
    );
    t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
@@ -2123,12 +2148,15 @@ test(
  "All empty",
  undefined,
  undefined,
+  undefined,
  [Language.javascript],
  {
    queriesInputCombines: false,
    queriesInput: undefined,
    packsInputCombines: false,
    packsInput: undefined,
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
  } as configUtils.AugmentationProperties
 );
@@ -2138,12 +2166,15 @@ test(
  "With queries",
  undefined,
  " a, b , c, d",
+  undefined,
  [Language.javascript],
  {
    queriesInputCombines: false,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
    packsInputCombines: false,
    packsInput: undefined,
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
  } as configUtils.AugmentationProperties
 );
@@ -2153,12 +2184,15 @@ test(
  "With queries combining",
  undefined,
  "   +   a, b , c, d ",
+  undefined,
  [Language.javascript],
  {
    queriesInputCombines: true,
    queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
    packsInputCombines: false,
    packsInput: undefined,
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
  } as configUtils.AugmentationProperties
 );
@@ -2168,12 +2202,15 @@ test(
  "With packs",
  "   codeql/a , codeql/b   , codeql/c  , codeql/d  ",
  undefined,
+  undefined,
  [Language.javascript],
  {
    queriesInputCombines: false,
    queriesInput: undefined,
    packsInputCombines: false,
    packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
    injectedMlQueries: false,
  } as configUtils.AugmentationProperties
 );
@@ -2183,12 +2220,51 @@ test(
  "With packs combining",
  "   +   codeql/a, codeql/b, codeql/c, codeql/d",
  undefined,
+  undefined,
  [Language.javascript],
  {
    queriesInputCombines: false,
    queriesInput: undefined,
    packsInputCombines: true,
    packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
+    threatModelsInputCombines: false,
+    threatModelsInput: undefined,
+    injectedMlQueries: false,
+  } as configUtils.AugmentationProperties
+);
+
+test(
+  calculateAugmentationMacro,
+  "With threat model",
+  undefined,
+  undefined,
+  "   a , b   , c  , d  ",
+  [Language.javascript],
+  {
+    queriesInputCombines: false,
+    queriesInput: undefined,
+    packsInput: undefined,
+    packsInputCombines: false,
+    threatModelsInput: ["a", "b", "c", "d"],
+    threatModelsInputCombines: false,
+    injectedMlQueries: false,
+  } as configUtils.AugmentationProperties
+);
+
+test(
+  calculateAugmentationMacro,
+  "With threat model combining",
+  undefined,
+  undefined,
+  " +  a , b   , c  , d  ",
+  [Language.javascript],
+  {
+    queriesInput: undefined,
+    queriesInputCombines: false,
+    packsInput: undefined,
+    packsInputCombines: false,
+    threatModelsInput: ["a", "b", "c", "d"],
+    threatModelsInputCombines: true,
    injectedMlQueries: false,
  } as configUtils.AugmentationProperties
 );
@@ -2199,6 +2275,7 @@ const calculateAugmentationErrorMacro = test.macro({
    _title: string,
    rawPacksInput: string | undefined,
    rawQueriesInput: string | undefined,
+    rawThreatModelsInput: string | undefined,
    languages: Language[],
    expectedError: RegExp | string
  ) => {
@@ -2207,6 +2284,7 @@ const calculateAugmentationErrorMacro = test.macro({
        configUtils.calculateAugmentation(
          rawPacksInput,
          rawQueriesInput,
+          rawThreatModelsInput,
          languages
        ),
      { message: expectedError }
@@ -2220,6 +2298,7 @@ test(
  "Plus (+) with nothing else (queries)",
  undefined,
  "   +   ",
+  undefined,
  [Language.javascript],
  /The workflow property "queries" is invalid/
 );
@@ -2229,6 +2308,7 @@ test(
  "Plus (+) with nothing else (packs)",
  "   +   ",
  undefined,
+  undefined,
  [Language.javascript],
  /The workflow property "packs" is invalid/
 );
@@ -2238,6 +2318,7 @@ test(
  "Packs input with multiple languages",
  "   +  a/b, c/d ",
  undefined,
+  undefined,
  [Language.javascript, Language.java],
  /Cannot specify a 'packs' input in a multi-language analysis/
 );
@@ -2247,6 +2328,7 @@ test(
  "Packs input with no languages",
  "   +  a/b, c/d ",
  undefined,
+  undefined,
  [],
  /No languages specified/
 );
@@ -2256,10 +2338,21 @@ test(
  "Invalid packs",
  " a-pack-without-a-scope ",
  undefined,
+  undefined,
  [Language.javascript],
  /"a-pack-without-a-scope" is not a valid pack/
 );

+test(
+  calculateAugmentationErrorMacro,
+  "Invalid threat-models",
+  undefined,
+  undefined,
+  "   + ",
+  [Language.javascript],
+  /A '\+' was used in the 'threat-models'/
+);
+
 test("downloadPacks-no-registries", async (t) => {
  return await util.withTmpDir(async (tmpDir) => {
    const packDownloadStub = sinon.stub();
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -63,6 +63,10 @@ export interface UserConfig {
  // Set of query filters to include and exclude extra queries based on
  // codeql query suite `include` and `exclude` properties
  "query-filters"?: QueryFilter[];
+
+  // The set of threat models to consider for this analysis. If left unset,
+  // the "standard" threat model will be used.
+  "threat-models"?: string[];
 }

 export type QueryFilter = ExcludeQueryFilter | IncludeQueryFilter;
@@ -241,10 +245,22 @@ export interface AugmentationProperties {
   * Whether or not the packs input combines with the packs in the config.
   */
  packsInputCombines: boolean;
+
  /**
   * The packs input from the `with` block of the action declaration
   */
  packsInput?: string[];
+
+  /**
+   * Whether or not the threat-models input combines with the threat-model in the config.
+   */
+  threatModelsInputCombines: boolean;
+
+  /**
+   * The threat-modesl input from the `with` block of the action declaration
+   */
+  threatModelsInput?: string[];
+
  /**
   * Whether we injected ML queries into this configuration.
   */
@@ -258,9 +274,11 @@ export interface AugmentationProperties {
 export const defaultAugmentationProperties: AugmentationProperties = {
  queriesInputCombines: false,
  packsInputCombines: false,
+  threatModelsInputCombines: false,
  injectedMlQueries: false,
  packsInput: undefined,
  queriesInput: undefined,
+  threatModelsInput: undefined,
 };
 export type Packs = Partial<Record<Language, string[]>>;

@@ -1057,6 +1075,7 @@ export async function getDefaultConfig(
  languagesInput: string | undefined,
  rawQueriesInput: string | undefined,
  rawPacksInput: string | undefined,
+  rawThreatModelsInput: string | undefined,
  dbLocation: string | undefined,
  trapCachingEnabled: boolean,
  debugMode: boolean,
@@ -1088,6 +1107,7 @@ export async function getDefaultConfig(
  const augmentationProperties = calculateAugmentation(
    rawPacksInput,
    rawQueriesInput,
+    rawThreatModelsInput,
    languages
  );
  const packs = augmentationProperties.packsInput
@@ -1164,6 +1184,7 @@ async function loadConfig(
  languagesInput: string | undefined,
  rawQueriesInput: string | undefined,
  rawPacksInput: string | undefined,
+  rawThreatModelsInput: string | undefined,
  configFile: string,
  dbLocation: string | undefined,
  trapCachingEnabled: boolean,
@@ -1230,6 +1251,7 @@ async function loadConfig(
  const augmentationProperties = calculateAugmentation(
    rawPacksInput,
    rawQueriesInput,
+    rawThreatModelsInput,
    languages
  );
  const packs = parsePacks(
@@ -1370,6 +1392,7 @@ async function loadConfig(
 export function calculateAugmentation(
  rawPacksInput: string | undefined,
  rawQueriesInput: string | undefined,
+  rawThreatModelsInput: string | undefined,
  languages: Language[]
 ): AugmentationProperties {
  const packsInputCombines = shouldCombine(rawPacksInput);
@@ -1384,12 +1407,20 @@ export function calculateAugmentation(
    queriesInputCombines
  );

+  const threatModelsInputCombines = shouldCombine(rawThreatModelsInput);
+  const threatModelsInput = parseThreatModelsFromInput(
+    rawThreatModelsInput,
+    threatModelsInputCombines
+  );
+
  return {
    injectedMlQueries: false, // filled in later
    packsInputCombines,
    packsInput: packsInput?.[languages[0]],
    queriesInput,
    queriesInputCombines,
+    threatModelsInputCombines,
+    threatModelsInput,
  };
 }

@@ -1512,6 +1543,31 @@ function parsePacksFromInput(
  };
 }

+function parseThreatModelsFromInput(
+  rawThreatModelsInput: string | undefined,
+  threatModelsInputCombines: boolean
+): string[] | undefined {
+  if (!rawThreatModelsInput?.trim()) {
+    return undefined;
+  }
+
+  rawThreatModelsInput = rawThreatModelsInput.trim();
+  if (threatModelsInputCombines) {
+    rawThreatModelsInput = rawThreatModelsInput.trim().substring(1).trim();
+    if (!rawThreatModelsInput) {
+      throw new Error(
+        getConfigFilePropertyError(
+          undefined,
+          "threat-models",
+          "A '+' was used in the 'threat-models' input to specify that you wished to add some packs to your CodeQL analysis. However, no threat models were specified. Please either remove the '+' or specify some threat models."
+        )
+      );
+    }
+  }
+
+  return rawThreatModelsInput.split(",").map((t) => t.trim());
+}
+
 /**
 * Validates that this package specification is syntactically correct.
 * It may not point to any real package, but after this function returns
@@ -1687,6 +1743,7 @@ export async function initConfig(
  languagesInput: string | undefined,
  queriesInput: string | undefined,
  packsInput: string | undefined,
+  threatModelsInput: string | undefined,
  registriesInput: string | undefined,
  configFile: string | undefined,
  dbLocation: string | undefined,
@@ -1712,6 +1769,7 @@ export async function initConfig(
      languagesInput,
      queriesInput,
      packsInput,
+      threatModelsInput,
      dbLocation,
      trapCachingEnabled,
      debugMode,
@@ -1731,6 +1789,7 @@ export async function initConfig(
      languagesInput,
      queriesInput,
      packsInput,
+      threatModelsInput,
      configFile,
      dbLocation,
      trapCachingEnabled,
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -251,6 +251,7 @@ async function run() {
      getOptionalInput("languages"),
      getOptionalInput("queries"),
      getOptionalInput("packs"),
+      getOptionalInput("threat-models"),
      registriesInput,
      getOptionalInput("config-file"),
      getOptionalInput("db-location"),
--- a/src/init.ts
+++ b/src/init.ts
@@ -54,6 +54,7 @@ export async function initConfig(
  languagesInput: string | undefined,
  queriesInput: string | undefined,
  packsInput: string | undefined,
+  threatModelsInput: string | undefined,
  registriesInput: string | undefined,
  configFile: string | undefined,
  dbLocation: string | undefined,
@@ -75,6 +76,7 @@ export async function initConfig(
    languagesInput,
    queriesInput,
    packsInput,
+    threatModelsInput,
    registriesInput,
    configFile,
    dbLocation,
--- a/src/trap-caching.test.ts
+++ b/src/trap-caching.test.ts
@@ -79,11 +79,7 @@ const testConfigWithoutTmpDir: Config = {
  debugMode: false,
  debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
  debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-  augmentationProperties: {
-    injectedMlQueries: false,
-    packsInputCombines: false,
-    queriesInputCombines: false,
-  },
+  augmentationProperties: configUtils.defaultAugmentationProperties,
  trapCaches: {
    javascript: "/some/cache/dir",
  },
@@ -105,11 +101,7 @@ function getTestConfigWithTempDir(tmpDir: string): configUtils.Config {
    debugMode: false,
    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-    augmentationProperties: {
-      injectedMlQueries: false,
-      packsInputCombines: false,
-      queriesInputCombines: false,
-    },
+    augmentationProperties: configUtils.defaultAugmentationProperties,
    trapCaches: {
      javascript: path.resolve(tmpDir, "jsCache"),
      ruby: path.resolve(tmpDir, "rubyCache"),
--- a/src/util.test.ts
+++ b/src/util.test.ts
@@ -7,7 +7,7 @@ import test from "ava";
 import * as sinon from "sinon";

 import * as api from "./api-client";
-import { Config } from "./config-utils";
+import { Config, defaultAugmentationProperties } from "./config-utils";
 import { getRunnerLogger } from "./logging";
 import { getRecordingLogger, LoggedMessage, setupTests } from "./testing-utils";
 import * as util from "./util";
@@ -299,11 +299,7 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-        augmentationProperties: {
-          injectedMlQueries: false,
-          packsInputCombines: false,
-          queriesInputCombines: false,
-        },
+        augmentationProperties: defaultAugmentationProperties,
        trapCaches: {},
        trapCacheDownloadTime: 0,
      };