Threat Dragon version 2.0
API
OWASP Threat Dragon
At present there is a minimal application programming interface (API) for Threat Dragon. This API is used to access threat models stored by repository providers such as GitHub, Bitbucket or GitLab.
APIs protected by authorisation, including threat model Create, Read and Update (but no Delete):
Path | Action | Description |
---|---|---|
/api/logout | POST | Logout from provider when already authorised |
/api/token/refresh | POST | Refresh the access token |
/api/threatmodel/repos | GET | List repositories for the authorised user |
/api/threatmodel/:organisation/:repo/branches | GET | List branches for a given repository |
/api/threatmodel/:organisation/:repo/:branch/models | GET | List models for a given branch and repository |
/api/threatmodel/:organisation/:repo/:branch/:model/data | GET | Reads the threat model contents for a given model |
/api/threatmodel/:organisation/:repo/:branch/:model/create | PUT | Create a new model in the branch and repository |
/api/threatmodel/:organisation/:repo/:branch/:model/update | PUT | Update a model in the branch and repository |
APIs with no authorisation:
Path | Action | Description |
---|---|---|
/ | GET | Provides the Threat Dragon Single Page Application |
/healthz | GET | Health check that provides server statistics such as uptime |
/api/login/:provider | GET | Login to a repository provider |
/api/logout | GET | Logout that will always succeed |
/api/oauth/return | GET | OAuth return request |
/api/oauth/:provider | GET | Provides access and refresh tokens if authorised |
/api/threatmodel/organization | GET | Provides repository provider hostname |
Support for CI/CD pipelines is being worked on, and this API may include:
- project status
- PDF report output
- threat diagram provider (for embedding in other reports)
- unmitigated threat list
- mitigated threat list
- statistics