Note that this repository has been migrated from Mike Goodwin's original , which has the issues and pull requests from June 2016 up to June 2020.
OWASP Threat Dragon
Threat Dragon is a free, open-source, cross-platform threat modelling application including system diagramming and a rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project and follows the values and principles of the threat modeling manifesto. The roadmap for the project is a great UX, a powerful rule engine and integration with other development lifecycle tools.
The application comes in two variants:
A web application: For the web application, models files are stored in GitHub (other storage will become available). We are currently maintaining a working protoype in synch with the master code branch.
A desktop application: This is based on Electron. There are installers available for both Windows and Mac OSX, as well as rpm and debian packages for Linux. For this variant models are stored on the local filesystem.
End user help is available for both variants.
This repository contains the core files and modules that are shared between both the web and desktop variant.
Code of Conduct
We ask that everyone who contributes to the Threat Dragon project follow the Code of Conduct.
Installing and building
Clone the repo and run
There are a number of test scripts included in
package.json. For example:
npm run test-client-chrome
The main test script runs tests on PhantomJS and FireFox (and also lints the code):
npm run build-templates
and one to bundle and minify the core CSS:
npm run bundle-css
Both of these can be run together using
npm run build
Pull requests, feature requests, bug reports and feedback of any kind are very welcome, please refer to the page for contributors.
We are trying to keep the test coverage relatively high, so please try to include tests in any PRs and make PRs on the development branch. There are some developer notes to help get started.
If you find a vulnerability in this project please let us know ASAP and we will fix it as a priority. For secure disclosure, please see the security policy.