An open source threat modeling tool from OWASP

Primary language: JavaScript. License: Apache-2.0.

OWASP Threat Dragon

OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to draw threat modeling diagrams and to list threats for elements in the diagram. Mike Goodwin created Threat Dragon as an open source community project that provides an intuitive and accessible way to model threats.

Threat Dragon is designed to be accessible for various types of teams, with an emphasis on flexibility and simplicity. It is an OWASP Lab Project and follows the values and principles of the threat modeling manifesto.

Check it out

There are documentation pages to guide you, and the production release area, which conforms to semver, contains the Threat Dragon 1.x releases. Threat Dragon 2.0 is still in development, but you can try the snapshot on our website. The video from the OWASP Spotlight series is also well worth watching.

Version 1.x Maintenance mode

Threat Dragon was originally written using AngularJS version 1.x, which has reached end of life. All 1.x versions use the AngularJS implementation; future versions (2.x+) use Vue.js. The main branch is now for version 2.x+, which is currently unreleased. For more information on building or running version 1.x, see the legacy-v1.x branch.

The release area has the version 1.x downloads and this will migrate to version 2.x during 2022.

About Threat Dragon

There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what the Threat Dragon project aims for:

  • ease of use and accessible
  • designing a data flow diagram
  • suggesting threats
  • entering mitigations and counter measures

Mike Goodwin is the founder and creator of this project, and this repository has been migrated from Mike Goodwin's original, which holds the issues and pull requests from October 2015 up to June 2020. Since then the project team has continued development, culminating in release version 1.6.1. The project is now going through substantial changes which will see version 2.0 released in 2022.

Threat Dragon is primarily a web application, with threat model files stored in GitHub. Over time other storage methods will become available.

There is also a desktop version of Threat Dragon which stores the threat model files on the local filesystem rather than in a repository. The releases provide installers for Windows, macOS and Linux.

End user help is available for both the existing version 1.x and upcoming version 2.x.

Version 2.0 Development

After many years using AngularJS and JointJS, Threat Dragon is migrating to Vue and the AntV G6 drawing library. This version will be ready later in 2022; until then use the latest version of Threat Dragon 1.x.

Installing version 2.x

Install git and node.js (which includes the node package manager, npm), and then install pnpm.

To get the code, navigate to a target directory and use the command:

git clone https://github.com/owasp/threat-dragon.git

This downloads the code into a threat-dragon directory and the application code is in two sub-folders, one for the back-end application (td.server) and one for the front-end (td.vue).

pnpm (rather than npm) is used to install the dependencies from the top directory of the project: pnpm install

Environment variables

Threat Dragon uses GitHub to store threat models, so you need to go to your GitHub account and register Threat Dragon as a GitHub OAuth application; the resulting client id and client secret are what the server needs. There is a step by step guide on how to do this.

You will also have to provide other environment variables, again following the documentation on this.

If running Threat Dragon locally, the front-end to server communication will probably need to be HTTP rather than HTTPS. Specify this using the environment variable SERVER_API_PROTOCOL=http in the dotenv file or on the command line. This is a local-development setting only; a deployment that other people reach over a network should keep the default HTTPS so that the OAuth tokens are not sent in clear text.

Run the application

When running on Windows, and during development, the front-end and back-end can be started separately in "watch" mode using the commands pnpm dev:server and pnpm dev:vue. Alternatively, on Linux or macOS, start both the back-end server and the front-end application from the top directory with: pnpm start

With both front and back end running, access with a browser at http://localhost:8080/

Stop the application

If using pnpm start, stop both the back-end server and the front-end application from the top directory with the command pnpm stop. Otherwise interrupt (Ctrl-C) both the server and the Vue front-end processes.

Docker (local build)

To run Threat Dragon in a docker container, first configure your environment using a dotenv file (the .env mounted into the container below), then run from the top directory of the project:

  • docker build -t owasp-threat-dragon:dev .
  • docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:dev

This maps host port 8080 to the container's port 3000, so Threat Dragon is reached at http://localhost:8080/.

Docker (from dockerhub)

Threat Dragon maintains a docker image on Dockerhub. Each release is tagged as v{major}.{minor}.{patch}, eg v1.6.0:

  • docker pull threatdragon/owasp-threat-dragon:v1.6.0

Do not use the latest tag (which is the default), as it could be a development release.

Alternatively, you can use the stable tag, which will always be the latest official release.

  • docker pull threatdragon/owasp-threat-dragon:stable
  • docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env threatdragon/owasp-threat-dragon:stable

As with the local build, this maps host port 8080 to the container's port 3000, so Threat Dragon is reached at http://localhost:8080/.
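The environment-variable and Docker steps above, as one added shell example that is not the project's own code. It assumes the dotenv variable names documented for Threat Dragon 2.x (listed in the comments; confirm them against the documentation for the version you run) and the threatdragon/owasp-threat-dragon image named on this page. The script generates the signing and encryption keys itself, refuses to start with a placeholder secret or with the latest tag, and only invokes docker when TD_RUN=1 is set.

```shell
#!/bin/sh
# Added example, not part of the Threat Dragon project: generate the dotenv
# file the dockerised server expects, sanity-check it, and run a pinned image.
# Assumption: the variable names follow the Threat Dragon 2.x documentation
# (GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, ENCRYPTION_KEYS,
# ENCRYPTION_JWT_SIGNING_KEY, ENCRYPTION_JWT_REFRESH_SIGNING_KEY, PORT,
# SERVER_API_PROTOCOL); confirm them against the docs for your version.
set -eu

# 32 bytes from the kernel CSPRNG rendered as 64 hex characters; no openssl needed.
gen_hex_key() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write the dotenv file with fresh, independent keys. The OAuth client id and
# secret come from the GitHub OAuth App you registered.
# usage: write_env <path> <github_client_id> <github_client_secret>
write_env() {
  path=$1
  : > "$path"
  chmod 600 "$path"          # secrets: owner-readable only; keep it out of git
  cat > "$path" <<EOF
NODE_ENV=production
PORT=3000
SERVER_API_PROTOCOL=http
GITHUB_CLIENT_ID=$2
GITHUB_CLIENT_SECRET=$3
ENCRYPTION_KEYS='[{"isPrimary":true,"id":0,"value":"$(gen_hex_key)"}]'
ENCRYPTION_JWT_SIGNING_KEY=$(gen_hex_key)
ENCRYPTION_JWT_REFRESH_SIGNING_KEY=$(gen_hex_key)
EOF
}

# Refuse to start with a missing, empty or placeholder secret, and insist the
# two JWT keys differ (one secret should not sign both access and refresh tokens).
check_env() {
  path=$1
  [ -f "$path" ] || { echo "check_env: $path not found" >&2; return 1; }
  for v in GITHUB_CLIENT_ID GITHUB_CLIENT_SECRET ENCRYPTION_KEYS \
           ENCRYPTION_JWT_SIGNING_KEY ENCRYPTION_JWT_REFRESH_SIGNING_KEY; do
    val=$(sed -n "s/^$v=//p" "$path")
    [ -n "$val" ] || { echo "check_env: $v is unset" >&2; return 1; }
    case "$val" in
      *changeme*|*CHANGEME*|*example*)
        echo "check_env: $v still holds a placeholder" >&2; return 1 ;;
    esac
  done
  sign=$(sed -n 's/^ENCRYPTION_JWT_SIGNING_KEY=//p' "$path")
  refresh=$(sed -n 's/^ENCRYPTION_JWT_REFRESH_SIGNING_KEY=//p' "$path")
  [ "$sign" != "$refresh" ] || { echo "check_env: JWT keys must differ" >&2; return 1; }
}

# Only a release tag (vX.Y.Z) or 'stable' is acceptable; 'latest' may be a
# development build, as the README warns.
image_tag_ok() {
  case "${1:-}" in
    v[0-9]*.[0-9]*.[0-9]*|stable) return 0 ;;
    *) echo "image_tag_ok: refusing tag '${1:-}'; use vX.Y.Z or stable" >&2; return 1 ;;
  esac
}

# Host port 8080 -> container port 3000, dotenv mounted at /app/.env.
run_container() {
  tag=$1; envfile=$2
  image_tag_ok "$tag"
  check_env "$envfile"
  abs="$(cd "$(dirname "$envfile")" && pwd)/$(basename "$envfile")"
  docker run -it --rm -p 8080:3000 -v "$abs:/app/.env" \
    "threatdragon/owasp-threat-dragon:$tag"
}

# Docker is only invoked when TD_RUN=1, e.g.
#   TD_RUN=1 TD_GITHUB_CLIENT_ID=... TD_GITHUB_CLIENT_SECRET=... TD_TAG=v1.6.0 sh td-docker.sh
if [ "${TD_RUN:-0}" = "1" ]; then
  [ -f .env ] || write_env .env "$TD_GITHUB_CLIENT_ID" "$TD_GITHUB_CLIENT_SECRET"
  run_container "${TD_TAG:-stable}" .env
fi
```

The generated file is created with mode 600 and should be listed in .gitignore; SERVER_API_PROTOCOL=http is written because this is the local-access case from the section above, and should be dropped for any deployment reached over a network.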

Contributing

Pull requests, feature requests, bug reports and feedback of any kind are very welcome, please refer to the page for contributors.

There are some developer notes to help get started with this project. We are trying to keep the test coverage relatively high, so please try to update tests in your pull requests.

Vulnerability disclosure

If you find a vulnerability in this project please let us know ASAP and we will fix it as a priority. For secure disclosure, please see the security policy.

Project leaders