{"id":13539869,"url":"https://github.com/awslabs/threat-composer","last_synced_at":"2026-06-04T04:00:25.650Z","repository":{"id":155661914,"uuid":"631748902","full_name":"awslabs/threat-composer","owner":"awslabs","description":"A simple threat modeling tool to help humans to reduce time-to-value when threat modeling","archived":false,"fork":false,"pushed_at":"2026-06-04T02:06:26.000Z","size":9538,"stargazers_count":745,"open_issues_count":23,"forks_count":118,"subscribers_count":21,"default_branch":"main","last_synced_at":"2026-06-04T03:11:32.207Z","etag":null,"topics":["threat-modeling","threat-modeling-tool","threat-modelling-tool","threatmodeling","threatmodelling","vscode-extension"],"latest_commit_sha":null,"homepage":"https://awslabs.github.io/threat-composer/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/awslabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-04-24T01:07:44.000Z","updated_at":"2026-06-04T01:54:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"ade0c99f-5d04-4308-85a7-126a32f118e1","html_url":"https://github.com/awslabs/threat-composer","commit_stats":null,"previous_names":[],"tags_count":84,"template":false,"template_full_name":"amazon-archives/__template_Apache-2.0","purl":"pkg:github/awslabs/threat-composer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Fthreat-composer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Fthreat-composer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Fthreat-composer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Fthreat-composer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/awslabs","download_url":"https://codeload.github.com/awslabs/threat-composer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Fthreat-composer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33888302,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-04T02:00:06.755Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["threat-modeling","threat-modeling-tool","threat-modelling-tool","threatmodeling","threatmodelling","vscode-extension"],"created_at":"2024-08-01T09:01:33.253Z","updated_at":"2026-06-04T04:00:25.632Z","avatar_url":"https://github.com/awslabs.png","language":"TypeScript","funding_links":[],"categories":["TypeScript","vscode-extension","Projects using Projen"],"sub_categories":["Official"],"readme":"# Threat Composer\n\nAn ecosystem of threat modeling tools to help humans reduce time-to-value when threat modeling.\n\n![Animated gif of Full mode](/docs/threat-composer.gif)\n\n**[Live Demo](https://awslabs.github.io/threat-composer)** | **[Documentation](#documentation)** | **[Getting Started](#getting-started)**\n\n## What is Threat Composer?\n\nThreat Composer is a threat modeling ecosystem that helps you identify security issues and develop strategies to address them in the context of your system. The various tools has been designed to support the iterative and non-linear nature of real-world threat modeling.\n\n### Why Threat Composer?\n\n1. **Helps you get started quickly** - The AI-assisted CLI and MCP Server analyze your source code to generate a starter threat model, so you never face a blank page. Human expertise and participation remain essential to refine, validate, and evolve the threat model for your specific context\n2. **Makes threat identification easier** - Uses [\"Threat Grammar\"](https://catalog.workshops.aws/threatmodel/en-US/what-can-go-wrong/threat-grammar) to help you iteratively write useful threats, with full examples for inspiration\n3. **Provides quality insights** - Includes an insights dashboard to help identify areas for improvement\n4. **Supports non-linear workflows** - Designed for how threat modeling actually works in practice\n5. **Enables iteration** - Supports \"living\" threat models that evolve with your system\n\n## Key Features\n\n- **Threat Statement Composition**: Structured threat grammar with adaptive suggestions\n- **Visual Diagrams**: Architecture and data flow diagram support\n- **Assumptions Tracking**: Document and link assumptions to threats and mitigations\n- **Insights Dashboard**: Quality metrics and improvement suggestions\n- **Threat \u0026 Mitigation Packs**: Reusable threat and mitigation libraries (self-hosted)\n- **Multiple Export Formats**: JSON, Markdown, DOCX, and PDF\n- **Workspace Management**: Work on multiple threat models simultaneously\n- **Version Control Friendly**: JSON format works seamlessly with Git\n\n## Threat Composer Ecosystem\n\nThreat Composer is available in multiple complementary tools to fit your workflow:\n\n### šŸŒ Web Application\n**Hosted or Self-Hosted Static Website**\n\n![Status: Stable](https://img.shields.io/badge/Status-Stable-green)\n\n- **GitHub Pages**: [Try the live demo](https://awslabs.github.io/threat-composer)\n- **Self-Hosted**: Deploy to your AWS account with full customization\n- **Features**: Full threat modeling capabilities, browser-based storage, import/export\n\nšŸ“– [Web App Documentation](./docs/WEB-APP.md)\n\n### šŸ¤– AI-Powered CLI \u0026 MCP Server\n\n**Automated Threat Modeling** \n\n![Status: Experimental](https://img.shields.io/badge/Status-Experimental-orange)\n\n- **CLI**: Analyze codebases and generate starter threat models automatically\n- **MCP Server**: Workflow management and schema validation for AI assistants\n- Uses AWS Bedrock with multi-agent architecture\n- **Note**: Bedrock inference costs apply - see [pricing](https://aws.amazon.com/bedrock/pricing/)\n\nšŸ“– [AI/CLI/MCP Documentation](./docs/AI-CLI-MCP.md)\n\n### šŸ”Œ VS Code Extension\n**Native Threat Modeling in Your IDE**\n\n![Status: Stable](https://img.shields.io/badge/Status-Stable-green)\n\n- Edit Threat Composer `.tc.json` files directly in VS Code\n- Integrated with AWS Toolkit extension\n- Full-featured editor with version control support\n\nšŸ“– [VS Code Extension Documentation](./docs/VSCODE-EXTENSION.md)\n\n### šŸ§© Browser Extension\n**View Threat Models on the Web**\n\n![Status: Experimental](https://img.shields.io/badge/Status-Experimental-orange)\n\n- One-click viewing of Threat Composer `.tc.json` files on GitHub, GitLab, Bitbucket and Amazon CodeCatalyst\n- Available for Chrome and Firefox\n\nšŸ“– [Browser Extension Documentation](./docs/BROWSER-EXTENSION.md)\n\n\n## Getting Started\n\n### Try It Now\n\n**Web Application**: Visit the [live demo](https://awslabs.github.io/threat-composer?mode=Full) to start threat modeling immediately in your browser.\n\n**VS Code**: Install the [AWS Toolkit extension](https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.aws-toolkit-vscode) to view and edit local `.tc.json` files.\n\n### Use the AI CLI \u0026 MCP Server\n\nGenerate threat models automatically from your codebase with the CLI, or integrate with AI assistants using the MCP server:\n\n```bash\n# Install with uv (provides both CLI and MCP server)\nuv tool install --from \"git+https://github.com/awslabs/threat-composer.git#subdirectory=packages/threat-composer-ai\" threat-composer-ai\n\n# Use the CLI to analyze your codebase\nthreat-composer-ai-cli /path/to/your/code\n```\n\n**MCP Server Configuration** (for Kiro, Cline, Claude Desktop, etc.):\n\n```json\n{\n \"mcpServers\": {\n \"threat-composer-ai\": {\n \"command\": \"threat-composer-ai-mcp\",\n \"env\": {\n \"AWS_PROFILE\": \"your-profile-name\",\n \"AWS_REGION\": \"us-west-2\"\n }\n }\n }\n}\n```\n\nOr run directly with uvx (no installation required):\n\n```json\n{\n \"mcpServers\": {\n \"threat-composer-ai\": {\n \"command\": \"uvx\",\n \"args\": [\n \"--from\",\n \"git+https://github.com/awslabs/threat-composer.git#subdirectory=packages/threat-composer-ai\",\n \"threat-composer-ai-mcp\"\n ]\n }\n }\n}\n```\n\nThe MCP server provides tools for starting workflows, monitoring progress, managing sessions, and validating threat models against the Threat Composer schema.\n\n**šŸ’” Best Experience**: For the best experience when using the CLI from VS Code/Kiro terminal or when using AI assistants via MCP, install the [AWS Toolkit extension](https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.aws-toolkit-vscode) which includes the Threat Composer VS Code extension. This allows you to view and edit the generated `.tc.json` files directly in your IDE with full visual editing capabilities.\n\nSee [AI/CLI/MCP Documentation](./docs/AI-CLI-MCP.md) for complete installation and usage instructions.\n\n### Self-Host the Web Application\n\nDeploy Threat Composer to your AWS account:\n\n```bash\ngit clone https://github.com/awslabs/threat-composer.git\ncd threat-composer\n./scripts/deployDev.sh\n```\n\nSee [Web App Documentation](./docs/WEB-APP.md) for detailed deployment options including CI/CD setup.\n\n\n## Example Threat Model\n\nWe've included an example threat model of the Threat Composer Web App itself. This provides a reference point for getting started.\n\nTo view it, switch to the **Example** workspace in the application. Note: Changes in the Example workspace are not saved.\n\n## Documentation\n\n### User Guides\n- **[Web Application](./docs/WEB-APP.md)** - Deployment, configuration, and customization\n- **[VS Code Extension](./docs/VSCODE-EXTENSION.md)** - Installation and usage in VS Code\n- **[Browser Extension](./docs/BROWSER-EXTENSION.md)** - View threat models on GitHub and CodeCatalyst\n- **[AI/CLI/MCP](./docs/AI-CLI-MCP.md)** - Automated threat modeling with AI\n\n### Developer Resources\n- **[Development Guide](./docs/DEVELOPMENT.md)** - Setup, architecture, and contribution guidelines\n- **[Contributing Guidelines](./CONTRIBUTING.md)** - How to contribute to the project\n- **[Code of Conduct](./CODE_OF_CONDUCT.md)** - Community guidelines\n\n### Learning Resources\n- **[Threat Modeling for Builders - AWS Skill Builder](https://explore.skillbuilder.aws/learn/course/external/view/elearning/13274/threat-modeling-the-right-way-for-builders-workshop)** - Free eLearning course\n- **[How to Approach Threat Modeling - AWS Security Blog](https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/)** - Best practices and tips\n- **[Threat Modeling Workshop](https://catalog.workshops.aws/threatmodel/)** - Hands-on workshop materials\n\n## Feedback \u0026 Support\n\nWe value your input!\n\n- **Feedback Survey**: [Share your thoughts](https://www.pulse.aws/survey/3AGEAOXZ)\n- **Bug Reports \u0026 Feature Requests**: [GitHub Issues](https://github.com/awslabs/threat-composer/issues)\n- **Discussions**: [GitHub Discussions](https://github.com/awslabs/threat-composer/discussions)\n\n## Quick Links\n\n### For Users\n- [Live Demo](https://awslabs.github.io/threat-composer)\n- [AWS Toolkit for VS Code](https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.aws-toolkit-vscode)\n\n### For Developers\n- [Development Setup](./docs/DEVELOPMENT.md#getting-started)\n- [Repository Structure](./docs/DEVELOPMENT.md#repository-structure)\n- [Contributing Guide](./CONTRIBUTING.md)\n- [API Documentation](./packages/threat-composer/README.md)\n\n## Repository Structure\n\nThis is a monorepo containing multiple packages:\n\n| Package | Description | Documentation |\n|---------|-------------|---------------|\n| [threat-composer](./packages/threat-composer/) | Core UI components library | [README](./packages/threat-composer/README.md) |\n| [threat-composer-app](./packages/threat-composer-app/) | Web application (SPA) | [README](./packages/threat-composer-app/README.md) |\n| [threat-composer-app-browser-extension](./packages/threat-composer-app-browser-extension/) | Browser extension | [README](./packages/threat-composer-app-browser-extension/README.md) |\n| [threat-composer-infra](./packages/threat-composer-infra/) | AWS CDK infrastructure | [README](./packages/threat-composer-infra/README.md) |\n| [threat-composer-ai](./packages/threat-composer-ai/) | AI CLI \u0026 MCP server (Experimental) | [README](./packages/threat-composer-ai/README.md) |\n\n## Contributing\n\nContributions are welcome! Please see our [Contributing Guidelines](./CONTRIBUTING.md) for details on:\n\n- Code of conduct\n- Development setup\n- Pull request process\n- Coding standards\n\n## Security\n\nSee [CONTRIBUTING](./CONTRIBUTING.md#security-issue-notifications) for information on reporting security issues.\n\n## License\n\nThis project is licensed under the Apache-2.0 License. See the [LICENSE](./LICENSE) file for details.\n\n## Acknowledgments\n\nBuilt with:\n- [React](https://react.dev/) and [CloudScape Design System](https://cloudscape.design/)\n- [AWS CDK](https://aws.amazon.com/cdk/) and [AWS Prototyping SDK](https://aws.github.io/aws-pdk/)\n- [Projen](https://projen.io/) for project management\n- [Strands](https://github.com/awslabs/strands) for AI agent orchestration\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fawslabs%2Fthreat-composer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fawslabs%2Fthreat-composer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fawslabs%2Fthreat-composer/lists"}