threat-model-spec

module

v0.5.0 Latest Latest Go to latest Published: Apr 19, 2026 License: MIT

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/grokify/threat-model-spec

Links

Open Source Insights

README ¶

Threat Model Spec

Threat Model Spec is an open-source library for creating security threat modeling diagrams as code. It provides a JSON-based intermediate representation (IR) that can be rendered to D2 diagrams and STIX 2.1 for threat intelligence sharing.

Architecture

                         ┌──────────────────────┐
                         │     ThreatModel      │
                         │  (Canonical Source)  │
                         └──────────┬───────────┘
                                    │
       ┌────────────────────────────┼───────────────────────────┐
       │              │             │             │             │
       ▼              ▼             ▼             ▼             ▼
  ┌─────────┐   ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐
  │   DFD   │   │  Attack  │  │ Sequence │  │  Attack  │  │ Security │
  │ Diagram │   │  Chain   │  │ Diagram  │  │   Tree   │  │ Metadata │
  └────┬────┘   └─────┬────┘  └─────┬────┘  └─────┬────┘  └─────┬────┘
       │              │             │             │             │
       └──────────────┴─────────────┴─────────────┴─────────────┘
                                    │
                    ┌───────────────┼──────────────┐
                    │               │              │
                    ▼               ▼              ▼
               ┌──────────┐   ┌──────────┐   ┌──────────┐
               │    D2    │   │   STIX   │   │ Validate │
               │ Renderer │   │ Exporter │   │          │
               └────┬─────┘   └─────┬────┘   └─────┬────┘
                    │               │              │
                    ▼               ▼              ▼
               ┌──────────┐   ┌──────────┐   ┌──────────┐
               │   .d2    │   │  .json   │   │  pass/   │
               │  → .svg  │   │  STIX    │   │  fail    │
               └──────────┘   │  Bundle  │   └──────────┘
                              └──────────┘

Input: ThreatModel JSON with shared metadata, framework mappings, and multiple diagram views

Outputs:

D2 Diagrams → SVG/PNG via D2 CLI (one per diagram view)
STIX 2.1 Bundles → Threat intelligence sharing
Validation Results → Schema and reference checking

Features

Design-Time Threat Modeling — Proactive security analysis during SDLC with STRIDE/LINDDUN
Risk Assessment — Structured likelihood × impact scoring with categorical risk levels
Asset Inventory — Sensitivity classification and compliance mapping
Scenario Modeling — What-if attack scenarios with preconditions and attack paths
Diagrams-as-Code — Define threat models in JSON, render to D2/SVG
Multiple Diagram Types — DFD, Attack Chain, Sequence, Attack Tree diagrams
Framework Mappings — MITRE ATT&CK, MITRE ATLAS, OWASP Top 10, STRIDE, LINDDUN, CWE, CVSS, CVE
Control Frameworks — NIST CSF, CIS Controls v8, ISO 27001 mappings
Compliance Frameworks — SOC 2, PCI-DSS, HIPAA, GDPR, FedRAMP, and more
Mitigations — Track countermeasures with status (implemented, planned, accepted)
Threat Actors — Document adversary profiles with sophistication and motivation
Network Topology — Map elements to hosts, ports, protocols, and cloud infrastructure
Detection & Response — Define detection capabilities and response actions
STIX 2.1 Export — Share threat intelligence in standard format
D2 Styles — Color-coded STRIDE/LINDDUN annotations, trust boundaries, attack flows
Validation — Type-specific field validation with strict mode
AI Agents — Claude Code plugin for AI-assisted diagram creation

Installation

Go Library

go get github.com/grokify/threat-model-spec

CLI Tool

go install github.com/grokify/threat-model-spec/cmd/tms@latest

Quick Start

Define a Threat Model (JSON)

A ThreatModel is the canonical format containing shared metadata and multiple diagram views:

{
  "id": "websocket-localhost-takeover",
  "title": "WebSocket Localhost Takeover",
  "description": "Attack exploiting missing origin validation",
  "mappings": {
    "mitreAttack": [
      {"tacticId": "TA0001", "techniqueId": "T1189", "techniqueName": "Drive-by Compromise"}
    ],
    "owasp": [
      {"category": "api", "id": "API2:2023", "name": "Broken Authentication"}
    ]
  },
  "diagrams": [
    {
      "type": "attack-chain",
      "title": "Attack Chain",
      "elements": [
        {"id": "attacker", "label": "Attacker", "type": "external-entity"},
        {"id": "victim", "label": "Victim", "type": "process"}
      ],
      "attacks": [
        {"step": 1, "from": "attacker", "to": "victim", "label": "WebSocket to localhost"}
      ]
    }
  ]
}

Single-diagram files (DiagramIR format) are also supported for simpler use cases.

Generate Diagrams

# Generate D2 diagram from ThreatModel
tms generate threat-model.json -o diagram.d2

# Also render to SVG
tms generate threat-model.json -o diagram.d2 --svg

# Export to STIX 2.1
tms generate threat-model.json --stix -o threat-model.stix.json

# Validate only
tms validate threat-model.json

Diagram Types

Type	Description	Key Fields
`dfd`	Data Flow Diagram	elements, boundaries, flows
`attack-chain`	Attack sequence	elements, attacks, targets
`sequence`	Time-ordered messages	actors, messages, phases
`attack-tree`	Hierarchical attack decomposition	attackTree (nodes with AND/OR logic)

Framework Mappings

Threat Frameworks

Framework	Field	Example
MITRE ATT&CK	`mitreAttack`	`{"tacticId": "TA0001", "techniqueId": "T1189"}`
MITRE ATLAS	`mitreAtlas`	`{"tacticId": "AML.TA0002", "techniqueId": "AML.T0024"}`
OWASP	`owasp`	`{"category": "api", "id": "API2:2023"}`
STRIDE	`stride`	`{"category": "S", "name": "Spoofing"}`
LINDDUN	`linddun`	`{"category": "I", "name": "Identifiability"}`
CWE	`cwe`	`{"id": "CWE-346", "name": "Origin Validation Error"}`
CVE	`cve`	`{"id": "CVE-2024-12345"}`
CVSS	`cvss`	`{"version": "3.1", "vector": "CVSS:3.1/..."}`

Control Frameworks

Framework	Field	Example
NIST CSF	`controls.nistCsf`	`{"function": "Protect", "category": "PR.AC"}`
CIS Controls	`controls.cis`	`{"controlId": "16", "safeguardId": "16.4"}`
ISO 27001	`controls.iso27001`	`{"controlId": "A.9.2.3"}`

Compliance Frameworks

Framework	Value	Description
SOC 2	`soc2`	AICPA Service Organization Controls
PCI-DSS	`pci-dss`	Payment Card Industry Data Security
HIPAA	`hipaa`	Health Insurance Portability
GDPR	`gdpr`	General Data Protection Regulation
FedRAMP	`fedramp`	Federal Risk Authorization
NIST SP 800-53	`nist-sp-800-53`	Security Controls Catalog

D2 Style Reference

STRIDE Threat Annotations

Category	Color	Description
S - Spoofing	Red	Identity spoofing
T - Tampering	Yellow	Data tampering
R - Repudiation	Purple	Non-repudiation failures
I - Information Disclosure	Blue	Information leakage
D - Denial of Service	Orange	Availability attacks
E - Elevation of Privilege	Green	Privilege escalation

LINDDUN Privacy Threats

Category	Color	Description
L - Linkability	Indigo	Linking items of interest
I - Identifiability	Blue	Identifying data subjects
N - Non-repudiation	Orange	Unable to deny actions
D - Detectability	Pink	Detecting item existence
Di - Disclosure	Red	Information disclosure
U - Unawareness	Purple	Lack of awareness
Nc - Non-compliance	Brown	Regulatory non-compliance

Trust Boundaries

Type	Color	Use For
`browser`	Blue	Browser sandbox
`localhost`	Purple	Localhost implicit trust
`network`	Green	Network zones
`breached`	Dark red	Compromised boundaries

Mitigation Status

Status	Color	Description
`implemented`	Green	Fully implemented
`partial`	Orange	Partially implemented
`planned`	Blue	Planned for future
`accepted`	Gray	Risk accepted
`transferred`	Light blue	Risk transferred

Security Lifecycle

Mitigations

Track countermeasures for identified threats:

{
  "mitigations": [
    {
      "id": "mit-1",
      "title": "Implement Origin Validation",
      "status": "implemented",
      "threatIds": ["threat-1"],
      "owner": "security-team"
    }
  ]
}

Threat Actors

Document adversary profiles:

{
  "threatActors": [
    {
      "id": "actor-1",
      "name": "External Attacker",
      "type": "criminal",
      "sophistication": "medium",
      "motivations": ["financial"]
    }
  ]
}

Detection & Response

Define detection capabilities:

{
  "detections": [
    {
      "id": "det-1",
      "title": "WebSocket Origin Anomaly",
      "coverage": "full",
      "dataSources": ["logs", "waf"]
    }
  ]
}

AI Agents

The agents/ directory contains specifications for AI-assisted threat model diagram creation:

Agent	Description
`dfd-creator`	Creates Data Flow Diagrams with numbered flows and trust boundaries
`attack-flow-visualizer`	Creates attack chain diagrams with MITRE ATT&CK annotations
`diagram-quality-reviewer`	Reviews diagrams for layout quality and legend clarity

Claude Code Plugin

Install the Claude Code plugin for AI-assisted diagram creation:

claude plugins add ./agents/plugins/claude

Use the /create-dfd command to generate diagrams interactively.

Specification

The Threat Model Specification follows a versioned schema approach similar to OpenAPI.

Version	Schema	Specification
v0.5.0	threat-model.schema.json	specification.md
v0.4.0	threat-model.schema.json	specification.md

Schema URLs

https://github.com/grokify/threat-model-spec/docs/versions/v0.5.0/threat-model.schema.json
https://github.com/grokify/threat-model-spec/docs/versions/v0.5.0/diagram.schema.json

Using the Schema

Reference the schema in your threat model JSON:

{
  "$schema": "https://github.com/grokify/threat-model-spec/docs/versions/v0.5.0/threat-model.schema.json",
  "id": "my-threat-model",
  "title": "My Application Threat Model",
  "diagrams": [...]
}

Requirements

Go 1.24+
D2 v0.6+ for SVG rendering

License

MIT License - see LICENSE

References

Directories ¶

Path	Synopsis
cmd
genschema command Command genschema generates JSON Schema files from Go types.	Command genschema generates JSON Schema files from Go types.
tms command tms (Threat Model Spec) is a CLI for creating security threat modeling diagrams.	tms (Threat Model Spec) is a CLI for creating security threat modeling diagrams.
demo
attacker command Automated Attack Demo with Video Capture	Automated Attack Demo with Video Capture
vulnerable-server command Vulnerable WebSocket Server - Educational Demo	Vulnerable WebSocket Server - Educational Demo
diagram Package diagram provides types for building threat model diagrams that can be rendered to D2 format.	Package diagram provides types for building threat model diagrams that can be rendered to D2 format.
ir Package ir provides the intermediate representation for threat modeling diagrams.	Package ir provides the intermediate representation for threat modeling diagrams.
killchain Package killchain provides types for attack chain frameworks including MITRE ATT&CK and Lockheed Martin Cyber Kill Chain.	Package killchain provides types for attack chain frameworks including MITRE ATT&CK and Lockheed Martin Cyber Kill Chain.
schema Package schema provides embedded JSON Schema files for threat model validation.	Package schema provides embedded JSON Schema files for threat model validation.
stix Package stix provides STIX 2.1 export capabilities for threat models.	Package stix provides STIX 2.1 export capabilities for threat models.
stride Package stride provides types for STRIDE threat modeling.	Package stride provides types for STRIDE threat modeling.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL