/owasp-threat-dragon-gitlab

OWASP Threat Dragon with Gitlab Integration

Primary LanguageJavaScriptApache License 2.0Apache-2.0

OWASP Threat Dragon

This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of Github. You can use it with the Gitlab.com or your own instance of Gitlab.

Gitlab will be used as the OAuth provider for authentication and for model storage. For integration with Gitlab, an application must be created in Gitlab. Refer to this for detailed instructions. The Redirect URL is the externally accessible url your users will be redirected to after authentication (Ex: http://192.168.56.100:3000/oauth/gitlab). For local test deployments, you can use http://127.0.0.1:3000/oauth/gitlab.

Environment variables:

  • CLIENT_ID : Application ID of the application in Gitlab
  • CLIENT_SECRET : Application Secret of the application in Gitlab
  • CALLBACK_URL : URL of Threat Dragon Application Gitlab will redirect to aka Reditect URL of your application
  • GITLAB_URL : BaseUrl of your Gitlab instance
  • SESSION_SECRET : Session secret for all user sessions
  • ENCRYPTION_KEY : 256-bit Encryption key used to encrypt the stored sessions
  • PORT: Port in which Threat Dragon Listens on (Default: 3000)

Run a fully automated set up of Threat Dragon and Gitlab using docker:

This is intended for development and testing. Uses run.sh ,apptoken.py to obtain OAuth creadentials from Gitlab and start the application. Gitlab takes a while to startup, so please be patient.

  1. Clone the respository
git clone https://github.com/appsecco/owasp-threat-dragon-gitlab.git
cd owasp-threat-dragon-gitlab
  1. Create .env file like the following
GITLAB_USER=root
GITLAB_PASSWORD=Sup3r_s3cur3_P4ssw0rd
CALLBACK_URL=http://127.0.0.1:3000/oauth/gitlab
APPLICATION_NAME=owasp-td-gitlab
GITLAB_ROOT_PASSWORD=Sup3r_s3cur3_P4ssw0rd
SESSION_SECRET=IO2oifsj029r892ohSFIH9infs
ENCRYPTION_KEY=VvB0iJHbXviWJyRsKeypTjNgxJ6ho8mT
  1. Start the application with automated setup
docker-compose up

Access the applications on your system:

  1. Threat Dragon: http://127.0.0.1:3000
  2. Gitlab Server: http://127.0.0.1:3080

Run using docker with existing Gitlab Server:

  1. Clone the respository
git clone https://github.com/appsecco/owasp-threat-dragon-gitlab.git
cd owasp-threat-dragon-gitlab
  1. Create .env file like the following
GITLAB_URL=https://gitlab.com
CLIENT_ID=5803ee75eac86cf99fcd61cbcb4f6ede2304b84181fd5e3fca356
CLIENT_SECRET=bc2f7f5474e6c9855613a8a2be141dbb2a05f83f5f96855613ab9
CALLBACK_URL=http://127.0.0.1:3000/oauth/gitlab
SESSION_SECRET=IO2oifsj029r892ohSFIH9infs
ENCRYPTION_KEY=VvB0iJHbXviWJyRsKeypTjNgxJ6ho8mT
  1. Build the image and start the container
docker build -t td-gitlab . 
  1. Start the container
docker run -p 3000:3000  --env-file .env --name td-gitlab td-gitlab

Visit http://127.0.0.1:3000 to access the application

Run locally without docker:

  1. Clone the respository
git clone https://github.com/appsecco/owasp-threat-dragon-gitlab.git
cd owasp-threat-dragon-gitlab
  1. Setup Environment variables:
export GITLAB_URL=https://gitlab.com
export CLIENT_ID=5803ee75eac86cf99fcd61cbcb4f6ede2304b84181fd5e3fca356
export CLIENT_SECRET=bc2f7f5474e6c9855613a8a2be141dbb2a05f83f5f96855613ab9
export CALLBACK_URL=http://127.0.0.1:3000/oauth/gitlab
export SESSION_SECRET=IO2oifsj029r892ohSFIH9infs
export ENCRYPTION_KEY=VvB0iJHbXviWJyRsKeypTjNgxJ6ho8mT
  1. Install dependencies:
npm install
  1. Start Threat Dragon:
npm start

Visit http://127.0.0.1:3000 to access the application

For documentation on how to use Threat Dragon, refer to the Official Documentation at http://docs.threatdragon.org/

Please feel free to make a pull request or tweet to me @pingsns for improvements and suggestions.