{"id":13532537,"url":"https://github.com/OWASP/threat-dragon","last_synced_at":"2025-04-01T21:30:42.799Z","repository":{"id":39609094,"uuid":"268796991","full_name":"OWASP/threat-dragon","owner":"OWASP","description":"An open source threat modeling tool from OWASP","archived":false,"fork":false,"pushed_at":"2024-04-28T08:20:20.000Z","size":136331,"stargazers_count":814,"open_issues_count":71,"forks_count":214,"subscribers_count":28,"default_branch":"main","last_synced_at":"2024-05-01T11:53:29.665Z","etag":null,"topics":["owasp","owasp-threat-dragon","sdlc","threat-dragon","threat-modeling"],"latest_commit_sha":null,"homepage":"https://owasp.org/www-project-threat-dragon/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"license.txt","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":"https://owasp.org/donate/?reponame=www-project-threat-dragon\u0026title=OWASP+Threat+Dragon","github":"OWASP"}},"created_at":"2020-06-02T12:37:47.000Z","updated_at":"2024-05-05T06:29:40.548Z","dependencies_parsed_at":"2023-09-22T14:14:50.488Z","dependency_job_id":"688d7d3e-ce86-4fc3-9674-e61e2272f367","html_url":"https://github.com/OWASP/threat-dragon","commit_stats":null,"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fthreat-dragon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fthreat-dragon/tags","releases_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/repositories/OWASP%2Fthreat-dragon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fthreat-dragon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/threat-dragon/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246712916,"owners_count":20821817,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["owasp","owasp-threat-dragon","sdlc","threat-dragon","threat-modeling"],"created_at":"2024-08-01T07:01:11.698Z","updated_at":"2025-04-01T21:30:42.780Z","avatar_url":"https://github.com/OWASP.png","language":"JavaScript","funding_links":["https://owasp.org/donate/?reponame=www-project-threat-dragon\u0026title=OWASP+Threat+Dragon","https://github.com/sponsors/OWASP"],"categories":["Pre-commit time tools","JavaScript","OWASP Tools","🔧 Utilities \u0026 Miscellaneous"],"sub_categories":["Threat Modeling"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/owasp/threat-dragon/main/td.vue/src/assets/threatdragon_logo_solid_image.svg\"\n  width=\"200\" alt=\"Threat Dragon Logo\"/\u003e\n\u003c/p\u003e\n\n[![GitHub license](https://img.shields.io/github/license/owasp/threat-dragon.svg)](license.txt)\n[![Build status](https://github.com/OWASP/threat-dragon/actions/workflows/push.yaml/badge.svg?event=push)][build]\n[![GitHub 
release](https://img.shields.io/github/release/owasp/threat-dragon.svg)](https://github.com/owasp/threat-dragon/releases/latest)\n[![OWASP Lab](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/projects)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9266/badge)](https://www.bestpractices.dev/projects/9266)\n\n# OWASP Threat Dragon\n\n[OWASP][owasp] [Threat Dragon][project] is a free, open-source, cross-platform threat modeling application.\nIt is used to draw threat modeling diagrams and to list threats for elements in the diagram.\n[Mike Goodwin](https://github.com/mike-goodwin) created Threat Dragon as an open source community project\nthat provides an intuitive and accessible way to model threats.\n\nThreat Dragon is designed to be accessible for various types of teams, with an emphasis on flexibility and simplicity.\nIt is an [OWASP Lab Project][project] and follows the values and principles of the [threat modeling manifesto][manifesto].\n\nThis program is free software: you can redistribute it and/or modify it\nunder the terms of the [Apache 2.0 License][license].\n\n## Try Threat Dragon\n\nAccess the latest version of Threat Dragon on [the demo website][demo]\nand refer to the [documentation pages](https://owasp.org/www-project-threat-dragon/docs-2/).\n\nAlso well worth watching the video provided by the\n[OWASP Spotlight](https://www.youtube.com/playlist?list=PLUKo5k_oSrfOTl27gUmk2o-NBKvkTGw0T) series.\n\nThe [github release area][releases] contains Threat Dragon from version 1.3 to the latest versions 2.x.\nPrevious releases are from Mike Goodwin's\n[original repository](https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases).\n\n## About Threat Dragon\n\nThere is a good overview of\n[threat modeling and risk assessment](https://owasp.org/www-community/Application_Threat_Modeling)\nfrom OWASP, and this expands on what the Threat Dragon project aims for:\n\n- ease of use and accessible\n- 
designing a data flow diagram\n- suggesting threats\n- entering mitigations and counter measures\n\n[Mike Goodwin](https://github.com/mike-goodwin) is the founder and creator of this project,\nand this repository has been migrated from\nMike Goodwin's [original](https://github.com/mike-goodwin/owasp-threat-dragon)\nwhich has the issues and pull requests from October 2015 up to June 2020.\n\nThreat Dragon is [primarily a web application](https://github.com/OWASP/threat-dragon/releases).\nThe web application can store threat model files on the local filesystem; in addition access can be configured for:\n\n- GitHub\n- Bitbucket\n- GitLab\n- GitHub Enterprise\n\nThe [desktop versions](https://github.com/OWASP/threat-dragon/releases) of Threat Dragon\nstore the threat model files on the local filesystem and do not access external repositories.\nYou can [download installers](https://github.com/OWASP/threat-dragon/releases) for Windows, MacOS and Linux.\n\nEnd user help is available for both the latest [version 2.x](https://owasp.org/www-project-threat-dragon/docs-2/)\nand the previous [version 1.x](https://owasp.org/www-project-threat-dragon/docs-1/).\n\n### Version 1.x maintenance mode\n\nThreat Dragon was originally written using AngularJS version 1.x, but this version of Angular reached end of life.\nThis means that versions 1.x of Threat Dragon are no longer actively maintained\nand versions 2.x have been re-written to use Vue.js.\n\nFor more information on building/running version 1.x,\nplease see the [legacy-v1.x branch](https://github.com/OWASP/threat-dragon/tree/legacy-v1.x).\n\n### Building version 2.x\n\nInstall [git](https://git-scm.com/downloads) and [node.js][download] which includes the node package manager npm\n\nClone the repository using: `git clone https://github.com/owasp/threat-dragon.git`\n\nThis downloads the code into a `threat-dragon` directory and the application code is in two sub-folders,\none for the back-end application (`td.server`) and 
one for the front-end (`td.vue`).\n\nInstall from the top directory of the project using : `npm install`\n\n### Environment variables for web application\n\nThe web application variant of Threat Dragon requires some environment variables;\nfollow [the documentation](https://owasp.org/www-project-threat-dragon/docs-2/install-environment/)\non how to set these variables.\n\nIf access to external repositories is required, such as Bitbucket / GitHub / GitLab,\nthen you need to go to your repository account and register the application.\nThere are step by step guides on how to do this for [Bitbucket][bitbucket], [GitHub][github] and [GitLab][gitlab].\n\n### Run the application\n\nWhen running on Windows, and during development, the front-end and server back-end\ncan be started separately in \"watch\" mode using commands : `npm run dev:server` and `npm run dev:vue`.\nAlternatively, if running on Linux or MacOS, start both the back-end server and the front-end application\nfrom the top directory using : `npm start`.\n\nWith both front and back end running, access with a browser at `http://localhost:8080/`\n\n### Stop the application\n\nIf using `npm start`, stop both the back-end server and the front-end application\nfrom the top directory with command `npm stop`. 
Otherwise break out of both the server and vue front-end.\n\n## Docker (from dockerhub)\n\nThreat Dragon maintains docker images within the OWASP organisation area on Dockerhub.\nEach release is tagged as `v{major}.{minor}.{patch}`, eg `v2.2.0`:\n\n- `docker pull owasp/threat-dragon:v2.2.0`\n\nThe latest tag (which is the default) may well be a development version\nso use the `stable` tag, which will always be the latest official release:\n\n- `docker pull threatdragon/owasp-threat-dragon:stable`\n- For MacOS and Linux:\n- `docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env threatdragon/owasp-threat-dragon:v2.2.0`\n- For Windows:\n- `docker run -it --rm -p 8080:3000 -v %CD%/.env:/app/.env threatdragon/owasp-threat-dragon:v2.2.0`\n\nAssuming that you are using http port 8080 and accessing Threat Dragon on `http://localhost:8080/`.\n\n### Docker (local build)\n\nTo run Threat Dragon in a docker container that has been built locally,\nfirst configure your [environment using dotenv](https://owasp.org/www-project-threat-dragon/docs-2/install-environment/)\nand run from the top directory of the project:\n\n- `docker build -t owasp-threat-dragon:dev .`\n- `docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:dev`\n- or if using Windows:\n- `docker run -it --rm -p 8080:3000 -v %CD%/.env:/app/.env owasp-threat-dragon:dev`\n\nUsing http port 8080 and accessing Threat Dragon on `http://localhost:8080/`.\n\n### Contributing\n\n[![GitHub contributors](https://img.shields.io/github/contributors/owasp/threat-dragon.svg)](https://github.com/OWASP/threat-dragon/graphs/contributors)\n\nPull requests, feature requests, bug reports and feedback of any kind are very welcome,\nplease refer to the page for [contributors](contributing.md).\n\nThere are some [developer notes][notes] to help get started with this project.\nWe are trying to keep the test coverage relatively high so include tests in your pull requests.\n\nThe easiest way to get in contact with 
the Threat Dragon community is via the OWASP Slack\n[#project-threat-dragon][td-slack] project channel\n(you may need to [subscribe](https://owasp.org/slack/invite) first).\n\n### Vulnerability disclosure\n\nIf you find a vulnerability in this project please let us know ASAP and we will fix it as a priority.\nFor secure disclosure, please see the [security policy](security.md).\n\n### Project leaders\n\n- [Mike Goodwin](mailto:mike.goodwin@owasp.org)\n- [Jon Gadsden](mailto:jon.gadsden@owasp.org)\n- [Leo Reading](mailto:leo.reading@owasp.org)\n\n----\n\nThreat Dragon: _making threat modeling less threatening_\n\n[build]: https://github.com/OWASP/threat-dragon/actions/workflows/push.yaml\n[bitbucket]: https://owasp.org/www-project-threat-dragon/docs-2/bitbucket-repo/\n[demo]: https://www.threatdragon.com/#/\n[download]: https://nodejs.org/en/download/package-manager\n[github]: https://owasp.org/www-project-threat-dragon/docs-2/github-repo/\n[gitlab]: https://owasp.org/www-project-threat-dragon/docs-2/gitlab-repo/\n[license]: https://github.com/OWASP/threat-dragon/blob/v2.2.0/license.txt\n[manifesto]: https://www.threatmodelingmanifesto.org/\n[notes]: https://owasp.org/www-project-threat-dragon/docs-2/local-development/\n[owasp]: https://www.owasp.org\n[project]: https://owasp.org/www-project-threat-dragon\n[releases]: https://github.com/OWASP/threat-dragon/releases\n[td-slack]: https://owasp.slack.com/messages/CURE8PQ68\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2Fthreat-dragon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2Fthreat-dragon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2Fthreat-dragon/lists"}