OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to draw threat modeling diagrams and to list threats for elements in the diagram. Mike Goodwin created Threat Dragon as an open source community project that provides an intuitive and accessible way to model threats.
Threat Dragon is designed to be accessible for various types of teams, with an emphasis on flexibility and simplicity. It is an OWASP Lab Project and follows the values and principles of the threat modeling manifesto.
You can access the the latest version of Threat Dragon on our website and look through the documentation pages.
Also well worth watching the video provided by the OWASP Spotlight series.
The github release area contains Threat Dragon from version 1.3 to the latest versions 2.x. Previous releases are from Mike Goodwin's original repository.
There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what the Threat Dragon project aims for:
- ease of use and accessible
- designing a data flow diagram
- suggesting threats
- entering mitigations and counter measures
Mike Goodwin is the founder and creator of this project, and this repository has been migrated from Mike Goodwin's original which has the issues and pull requests from October 2015 up to June 2020.
Threat Dragon is primarily a web application. The web application can store threat model files on the local filesystem; in addition access can be configured for :
- GitHub
- Bitbucket
- GitLab
- Github Enterprise
The desktop versions of Threat Dragon stores the threat model files on the local filesystem and do not access external repositories. You can download installers for Windows, MacOS and Linux.
End user help is available for both the latest version 2.x and the previous version 1.x.
Threat Dragon was originally written using AngularJS version 1.x, but this version of Angular reached end of life. This means that versions 1.x of Threat Dragon are no longer actively maintained and versions 2.x have been re-written to use Vue.js.
For more information on building/running version 1.x, please see the legacy-v1.x branch.
Install git and node.js which includes the node package manager npm
Clone the repository using: git clone https://github.com/owasp/threat-dragon.git
This downloads the code into a threat-dragon directory and the application code is in two sub-folders,
one for the back-end application (td.server) and one for the front-end (td.vue).
Install from the top directory of the project using : npm install
The web application variant of Threat Dragon requires some environment variables; follow the documentation on how to set these variables.
If access to external repositories is required, such as GitHub / Bitbucket / GitLab, then you need to go to your to the repository account and register it as a GitHub application. There are step by step guides on how to do this.
If running the web application locally then the front-end to server communication will
probably need to be HTTP rather than HTTPS.
Specify this using environment variable SERVER_API_PROTOCOL=http in the dotenv file or the command line.
When running on Windows, and during development, the front-end and back-end
can be started separately in "watch" mode using commands : npm run dev:server and npm run dev:vue.
Alternatively, if running on Linux or MacOS, start both the back-end server and the front-end application
from the top directory using : npm start.
With both front and back end running, access with a browser at http://localhost:8080/
If using npm start, stop both the back-end server and the front-end application
from the top directory with command npm stop. Otherwise break out of both the server and vue front-end.
To run Threat Dragon in a docker container, first configure your environment using dotenv and run from the top directory of the project:
docker build -t owasp-threat-dragon:dev .docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:dev- or if using Windows:
docker run -it --rm -p 8080:3000 -v %CD%/.env:/app/.env owasp-threat-dragon:dev
Using http port 8080 and accessing Threat Dragon on http://localhost:8080/.
Threat Dragon maintains docker images within the OWASP organisation area on Dockerhub.
Each release is tagged as v{major}.{minor}.{patch}, eg v1.6.0:
docker pull owasp/threat-dragon:v2.0.0
The latest tag (which is the default) may well be a development version
so use the stable tag, which will always be the latest official release:
docker pull threatdragon/owasp-threat-dragon:stable- For MacOS and Linux:
docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env threatdragon/owasp-threat-dragon:v2.0.0- For Windows:
docker run -it --rm -p 8080:3000 -v %CD%/.env:/app/.env threatdragon/owasp-threat-dragon:v2.0.0
Assuming that you are using http port 8080 and accessing Threat Dragon on http://localhost:8080/.
Pull requests, feature requests, bug reports and feedback of any kind are very welcome, please refer to the page for contributors.
There are some developer notes to help get started with this project. We are trying to keep the test coverage relatively high so include tests in your pull requests.
The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack #project-threat-dragon project channel (you may need to subscribe first).
If you find a vulnerability in this project please let us know ASAP and we will fix it as a priority. For secure disclosure, please see the security policy.
Threat Dragon: making threat modeling less threatening