
GratitechResearch/threat-dragon


OWASP Threat Dragon

OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to draw threat modeling diagrams and to list threats for elements in the diagram.

Threat Dragon is designed to be accessible for various types of teams, with an emphasis on flexibility and simplicity. It is an OWASP Lab Project and follows the values and principles of the threat modeling manifesto.

Mike Goodwin is the founder and creator of this project, and this repository has been migrated from Mike Goodwin's original, which has the issues and pull requests from October 2015 up to June 2020. Since then the project team has continued development, culminating with release version 1.6.0. The project is now going through substantial changes which will see version 2.0 released in early 2022.

Threat Dragon is primarily a web application, with threat model files stored in GitHub. Over time other storage methods will become available.

There is also a desktop version of Threat Dragon which stores the threat model files on the local filesystem rather than in a repository. Each release provides installers for Windows, Mac OSX and Linux, as well as rpm and debian packages.

End user help is available for both variants.

Installing

Install git and node.js, which includes the node package manager npm. To get the code, navigate to a target directory and use the command

git clone --recursive https://github.com/owasp/threat-dragon.git

This downloads the code into a threat-dragon directory and the application code is in two sub-folders, one for the back-end application (td.server) and one for the front-end (td.vue).

To install from the top directory of the project:

cd td.server
npm install
cd -

Environment variables

Threat Dragon uses GitHub to store threat models, so you need to go to your GitHub account and register Threat Dragon as a GitHub application. There is a step by step guide on how to do this.

You will also have to provide other environment variables, again following the documentation on this.

Run the application

To start the back-end server from the top directory:

cd td.server
npm run start:dev

To run the front-end application from the top directory:

cd td.vue
npm run serve

With both front and back end running, access with a browser at http://localhost:8080/

Docker

To run Threat Dragon in a docker container, first configure your environment using dotenv and run from the top directory of the project:

  • docker build -t owasp-threat-dragon:dev .
  • docker run -it --rm -p 3000:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:dev
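A pre-flight check for the `.env` file that the `docker run` command above bind-mounts into the container. This is an added example, not part of the Threat Dragon project; the function name `check_env_file` is hypothetical, and the check makes no assumption about which variable names the file contains.

```shell
#!/bin/sh
# Added example: validate the dotenv file before it is mounted with
#   -v $(pwd)/.env:/app/.env
# check_env_file [PATH]  -> findings on stderr, returns the number of problems

check_env_file() {
    f=${1:-.env}
    problems=0

    # With -v, Docker creates a missing host path as a directory, so the
    # container would see /app/.env as an empty directory, not a file.
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file" >&2
        return 1
    fi

    # The file carries the GitHub application settings: owner-only access.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $f is accessible to group/other (chmod 600 $f)" >&2
        problems=$((problems + 1))
    fi

    # Variables that were left blank (NAME= with nothing after it).
    empty=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=[[:space:]]*$' "$f" |
            cut -d= -f1 | tr '\n' ' ')
    if [ -n "$empty" ]; then
        echo "FAIL: empty values: $empty" >&2
        problems=$((problems + 1))
    fi

    # The file must not be committed alongside the code.
    if command -v git >/dev/null 2>&1 &&
       git -C "$(dirname -- "$f")" ls-files --error-unmatch \
           -- "$(basename -- "$f")" >/dev/null 2>&1; then
        echo "FAIL: $f is tracked by git" >&2
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Run `check_env_file .env` from the top directory of the project before `docker run`; a return status of 0 means no problems were found.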

Contributing

Pull requests, feature requests, bug reports and feedback of any kind are very welcome; please refer to the page for contributors.

We are trying to keep the test coverage relatively high, so please try to update tests in any PRs and make PRs on the development branch. There are some developer notes to help get started with this project.

Vulnerability disclosure

If you find a vulnerability in this project please let us know ASAP and we will fix it as a priority. For secure disclosure, please see the security policy.

Project leaders
