STRIDE, DREAD, LINDDUN, PASTA and OWASP Top 10 in one tool. Paste a description, upload a diagram, or build a DFD — get a prioritized threat list in seconds.
Everything now lives on main — a single source of truth. The former feature/enhancements branch has been merged in.
Runs from the main branch. Python 3.11+ required.
```bash
git clone https://github.com/rootabhi1/Automated-Threat-Modelling
cd Automated-Threat-Modelling/threat-modeler
```

```bash
# Mac / Linux
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# Windows
python -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt
```

```bash
# Required
export INITIAL_ADMIN_EMAIL=admin@example.com
export INITIAL_ADMIN_PASSWORD=changeme123
export JWT_SECRET=$(python3 -c "import secrets; print(secrets.token_urlsafe(48))")

# Optional — enables Claude AI features
export ANTHROPIC_API_KEY=sk-ant-...
```

```bash
# Option A — launcher script
chmod +x run.sh && ./run.sh

# Option B — Python directly
python app.py

# Option C — with auto-reload
uvicorn app:app --reload --port 8000

# Option D — Docker
docker compose up --build
```
```bash
curl http://localhost:8000/healthz
```

This should return `{"status":"ok","version":"2.1"}`. Then open http://localhost:8000/docs for the interactive API explorer.
All features on top of the original — nothing removed or broken.
Keyboard shortcuts:

- `n` component
- `f` flow
- `b` boundary
- `a` auto-layout
- `Ctrl+S` save
- `?` help overlay

Full Swagger docs at http://localhost:8000/docs after starting the server.
Most problems are solved by setting the 3 required env vars and activating the venv.
Set ANTHROPIC_API_KEY=sk-ant-... — the app works without it (rules-based analysis runs, diagram upload returns a stub), but Claude Vision, AI fixes, and executive report narration need the key.
```bash
export ANTHROPIC_API_KEY=sk-ant-...
```
Your venv isn't activated or pip install wasn't run. You should see (.venv) in your terminal prompt.
```bash
# Mac/Linux
source .venv/bin/activate
pip install -r requirements.txt
```

```bash
# use another port
uvicorn app:app --reload --port 8001

# or kill whatever is using 8000:
lsof -ti:8000 | xargs kill
```
Token expired (15 min TTL) or the server restarted without a persistent JWT_SECRET. Log in again to get a fresh token, and set a permanent JWT_SECRET value so tokens survive restarts.

```bash
TOKEN=$(curl -s -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@example.com","password":"changeme123"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
```
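The same login flow as a small Python client that keeps the bearer token and logs in again once when the server answers 401, which is what you want in scripts that outlive the 15-minute TTL. This is an added example, not part of the project; it assumes only the `/api/auth/login` endpoint and `access_token` field shown above, and the `transport` parameter exists so the retry logic can be exercised without a running server.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8000"  # as documented in the quick-start above


def urllib_transport(method, url, headers, body):
    """Standard-library HTTP call: returns (status, body_bytes), also for 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ThreatModelerClient:
    """Logs in via /api/auth/login, sends the bearer token, and re-logs in once on 401
    (tokens expire after 15 minutes and die on a restart without a persistent JWT_SECRET).
    transport(method, url, headers, body) -> (status, bytes) is injectable for tests."""

    def __init__(self, email, password, base_url=BASE_URL, transport=urllib_transport):
        self.email, self.password, self.base_url = email, password, base_url
        self.transport = transport
        self.token = None
        self.logins = 0  # how many times we had to authenticate

    def login(self):
        body = json.dumps({"email": self.email, "password": self.password}).encode()
        status, data = self.transport("POST", f"{self.base_url}/api/auth/login",
                                      {"Content-Type": "application/json"}, body)
        if status != 200:
            raise RuntimeError(f"login failed: HTTP {status}")
        self.token = json.loads(data)["access_token"]
        self.logins += 1
        return self.token

    def get(self, path):
        """GET with the bearer token; on a 401 authenticate again and retry exactly once."""
        if self.token is None:
            self.login()
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.token}"}
            status, data = self.transport("GET", self.base_url + path, headers, None)
            if status == 401 and attempt == 1:
                self.login()  # expired or invalidated token: fresh login, then retry
                continue
            if status != 200:
                raise RuntimeError(f"GET {path} failed: HTTP {status}")
            return json.loads(data)
```

Against a running server, `ThreatModelerClient("admin@example.com", "changeme123").get("/healthz")` returns the parsed health response; a second 401 after re-login is reported as an error rather than retried forever.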
Run pytest from inside the threat-modeler/ directory with env vars set.
```bash
cd threat-modeler
export INITIAL_ADMIN_EMAIL=admin@example.com
export INITIAL_ADMIN_PASSWORD=changeme123
export JWT_SECRET=test-secret
pytest tests/test_new_endpoints.py -v
```
FastAPI auto-generates interactive docs. Go to http://localhost:8000/docs, click Authorize, paste your Bearer token, and test any endpoint without writing curl commands.