{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://catalog.lintel.tools/schemas/schemastore/threagile/latest.json", "title": "Threagile", "description": "Agile Threat Modeling", "x-lintel": { "source": "https://raw.githubusercontent.com/Threagile/threagile/refs/heads/master/support/schema.json", "sourceSha256": "2f44c0b6396dee00552c2a2614bd1ae64c3e7582a1df730ec8b798107ae715c0", "fileMatch": [ "threagile.yaml", "threat-model.yaml" ], "parsers": [ "yaml" ] }, "type": "object", "properties": { "includes": { "description": "Include other yaml files into the model", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "threagile_version": { "description": "Version of the Threagile toolkit", "type": "string" }, "title": { "description": "Title of the model", "type": "string" }, "date": { "description": "Date of the model", "type": [ "string", "null" ], "format": "date" }, "author": { "description": "Author of the model", "type": "object", "properties": { "name": { "description": "Author name", "type": [ "string", "null" ] }, "contact": { "description": "Author contact info", "type": [ "string", "null" ] }, "homepage": { "description": "Author homepage", "type": [ "string", "null" ] } }, "required": [ "name" ] }, "contributors": { "description": "Contributors to the model", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "object", "properties": { "name": { "description": "Contributor name", "type": [ "string", "null" ] }, "contact": { "description": "Contributor contact info", "type": [ "string", "null" ] }, "homepage": { "description": "Contributor homepage", "type": [ "string", "null" ] } }, "required": [ "name" ] } }, "management_summary_comment": { "description": "Individual management summary for the report", "type": [ "string", "null" ] }, "business_criticality": { "description": "Business criticality of the target", "type": "string", "enum": [ "archive", "operational", "important", "critical", "mission-critical" ] }, "application_description": { "description": "General description of the application, its purpose and functionality.", "type": "object", "properties": { "description": { "description": "Application description for the report", "type": [ "string", "null" ] }, "images": { "description": "Application images for the report", "type": [ "array", "null" ], "uniqueItems": true } } }, "business_overview": { "description": "Individual business overview for the report", "type": "object", "properties": { "description": { "description": "Individual business overview for the report", "type": [ "string", "null" ] }, "images": { "description": "Custom images for the report", "type": [ "array", "null" ], "uniqueItems": true } } }, "technical_overview": { "description": "Individual technical overview for the report", "type": "object", "properties": { "description": { "description": "Individual technical overview for the report", "type": [ "string", "null" ] }, "images": { "description": "Custom images for the report", "type": [ "array", "null" ], "uniqueItems": true } } }, "questions": { "description": "Custom questions for the report", "type": [ "object", "null" ], "uniqueItems": true }, "abuse_cases": { "description": "Custom abuse cases for the report", "type": [ "object", "null" ], "uniqueItems": true }, "security_requirements": { "description": "Custom security requirements for the report", "type": [ "object", "null" ], "uniqueItems": true }, "tags_available": { "description": "Tags are used to add custom metadata to model elements, enabling filtering, classification, and the creation of tailored risk rules. They help provide context and drive more precise, organization-specific threat modeling.", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "data_assets": { "description": "Data assets represent types of data processed, stored, or transmitted in the system, such as personal data, credentials, or logs—along with their sensitivity, confidentiality, and integrity requirements. They help assess the impact of risks based on the value of the data involved.", "type": "object", "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "id": { "description": "A unique identifier for the data asset.", "type": "string" }, "description": { "description": "A description for the data asset.", "type": [ "string", "null" ] }, "usage": { "description": "Describes how the data is handled — typically as business, or devops, to indicate its role in the system and influence certain risk evaluations, such as inappropriate access or exposure.", "type": "string", "enum": [ "business", "devops" ] }, "tags": { "description": "Tags", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "origin": { "description": "Specifies where the data originally comes from — such as client, server, external, or another source — to help assess trust levels, data flow risks, and whether sensitive data enters from untrusted sources.", "type": [ "string", "null" ] }, "owner": { "description": "The person or team responsible for the data asset's management, security, and compliance, ensuring accountability for protecting and maintaining the asset.", "type": [ "string", "null" ] }, "quantity": { "description": "Describes the approximate amount of data for a data asset, helping to gauge the potential impact of data-related risks. The values like very-few, few, many, and very-many represent increasing scales of data volume, allowing the model to differentiate risk severity based on how much data could be affected.", "type": "string", "enum": [ "very-few", "few", "many", "very-many" ] }, "confidentiality": { "description": "Refers to the level of protection required to keep data secret and prevent unauthorized access. It is used to assess the potential impact if sensitive information is exposed.", "type": "string", "enum": [ "public", "internal", "restricted", "confidential", "strictly-confidential" ] }, "integrity": { "description": "Refers to the importance of keeping data accurate, complete, and unaltered by unauthorized parties, helping to evaluate the impact if data is tampered with or corrupted.", "type": "string", "enum": [ "archive", "operational", "important", "critical", "mission-critical" ] }, "availability": { "description": "Measures how critical it is for data to be accessible and operational when needed, guiding the assessment of risks related to downtime or loss of service.", "type": "string", "enum": [ "archive", "operational", "important", "critical", "mission-critical" ] }, "justification_cia_rating": { "description": "Justification of the rating", "type": [ "string", "null" ] } }, "required": [ "id", "description", "usage", "quantity", "confidentiality", "integrity", "availability" ] } }, "technical_assets": { "description": "Any hardware, software, or system component that supports the processing, storage, or transmission of data, such as servers, applications, databases, or network devices.", "type": "object", "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "id": { "description": "A unique identifier for the technical asset.", "type": "string" }, "description": { "description": "A description for the technical asset.", "type": [ "string", "null" ] }, "type": { "description": "Defines the role or function in the architecture, such as application, database, load-balancer, client-system, or external-entity, which helps determine how it interacts with other assets and what risks apply to it.", "type": "string", "enum": [ "external-entity", "process", "datastore" ] }, "usage": { "description": "Indicates whether it primarily serves business functions or devops purposes, helping to assess risks based on its role and exposure in the system.", "type": "string", "enum": [ "business", "devops" ] }, "used_as_client_by_human": { "description": "Indicates whether a technical asset is directly used by a human, such as a web browser or mobile app. This affects risk evaluation related to user interaction, like spoofing or social engineering.", "type": "boolean" }, "out_of_scope": { "description": "Marks a technical asset as outside the scope of the threat model. This means the asset is shown in diagrams but is not analyzed for risks, helping focus attention on relevant parts of the system.", "type": "boolean" }, "justification_out_of_scope": { "description": "Justification of out of scope", "type": [ "string", "null" ] }, "size": { "description": "Reflects its relative complexity or capacity, with values like component, system etc. This helps estimate the asset's importance and the potential impact if it is compromised.", "type": "string", "enum": [ "system", "service", "application", "component" ] }, "technology": { "description": "Technology (deprecated, use 'technologies' instead)", "type": "string", "enum": [ "unknown-technology", "client-system", "browser", "desktop", "mobile-app", "devops-client", "web-server", "web-application", "application-server", "database", "file-server", "local-file-system", "erp", "cms", "web-service-rest", "web-service-soap", "ejb", "search-index", "search-engine", "service-registry", "reverse-proxy", "load-balancer", "build-pipeline", "sourcecode-repository", "artifact-registry", "code-inspection-platform", "monitoring", "ldap-server", "container-platform", "batch-processing", "event-listener", "identity-provider", "identity-store-ldap", "identity-store-database", "tool", "cli", "task", "function", "gateway", "iot-device", "message-queue", "stream-processing", "service-mesh", "data-lake", "report-engine", "ai", "mail-server", "vault", "hsm", "waf", "ids", "ips", "scheduler", "mainframe", "block-storage", "library" ] }, "technologies": { "description": "List of technologies used for the asset", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string", "enum": [ "unknown-technology", "client-system", "browser", "desktop", "mobile-app", "devops-client", "web-server", "web-application", "application-server", "database", "file-server", "local-file-system", "erp", "cms", "web-service-rest", "web-service-soap", "ejb", "search-index", "search-engine", "service-registry", "reverse-proxy", "load-balancer", "build-pipeline", "sourcecode-repository", "artifact-registry", "code-inspection-platform", "monitoring", "ldap-server", "container-platform", "batch-processing", "event-listener", "identity-provider", "identity-store-ldap", "identity-store-database", "tool", "cli", "task", "function", "gateway", "iot-device", "message-queue", "stream-processing", "service-mesh", "data-lake", "report-engine", "ai", "mail-server", "vault", "hsm", "waf", "ids", "ips", "scheduler", "mainframe", "block-storage", "library" ] } }, "tags": { "description": "Custom labels used to categorize or describe assets, such as cloud, internal, public-facing, or third-party. They support filtering, documentation, and custom risk rules tailored to your environment.", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "internet": { "description": "Set to true if a technical asset is accessible from the public internet. This increases its exposure and affects the severity and likelihood of certain risks, such as unauthorized access or denial of service.", "type": "boolean" }, "machine": { "description": "Describes the type of environment the technical asset runs on, such as virtual, container, physical, or serverless. This helps assess risks related to deployment, isolation, and infrastructure.", "type": "string", "enum": [ "physical", "virtual", "container", "serverless" ] }, "encryption": { "description": "Specifies whether and how data handled by a technical asset is protected using encryption. It helps evaluate the risk of data exposure by indicating if encryption is applied for data at rest, in transit, or both.", "type": "string", "enum": [ "none", "transparent", "data-with-symmetric-shared-key", "data-with-asymmetric-shared-key", "data-with-end-user-individual-key" ] }, "owner": { "description": "Refers to the person, team, or organizational unit responsible for managing and securing a technical asset, ensuring accountability for its protection and compliance.", "type": [ "string", "null" ] }, "confidentiality": { "description": "Defines how important it is to keep asset information secret and protected from unauthorized access, guiding risk assessments related to data leaks or exposure.", "type": "string", "enum": [ "public", "internal", "restricted", "confidential", "strictly-confidential" ] }, "integrity": { "description": "Refers to the importance of maintaining the accuracy and trustworthiness of the system component by preventing unauthorized modification or corruption.", "type": "string", "enum": [ "archive", "operational", "important", "critical", "mission-critical" ] }, "availability": { "description": "Indicates how critical it is for the technical asset to be accessible and operational when needed, helping assess risks related to downtime or service interruptions.", "type": "string", "enum": [ "archive", "operational", "important", "critical", "mission-critical" ] }, "justification_cia_rating": { "description": "Justification of the rating", "type": [ "string", "null" ] }, "multi_tenant": { "description": "Whether the technical asset supports multiple tenants or customers sharing the same instance, affecting risk related to data isolation and access control.", "type": "boolean" }, "redundant": { "description": "Specifies whether the technical asset has redundancy (e.g., backup systems or failover), which impacts availability and resilience risk assessments.", "type": "boolean" }, "custom_developed_parts": { "description": "Marks if the asset contains custom-developed code or components, which may introduce unique security risks compared to off-the-shelf software.", "type": "boolean" }, "data_assets_processed": { "description": "All data assets stored or sent or received via a communication link (be it as a source or a target) are implicitly also processed and do not need to be listed here.", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "data_assets_stored": { "description": "Lists data assets that the technical asset stores persistently, important for confidentiality, integrity, and availability risks.", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "data_formats_accepted": { "description": "Specifies the types or formats of data the asset can accept (e.g., JSON, XML), useful for input validation and injection risk analysis.", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string", "enum": [ "json", "xml", "serialization", "file", "csv", "yaml" ] } }, "diagram_tweak_order": { "description": "A numeric value used to control the layering or order of technical assets in generated diagrams, helping improve visual clarity (affects left to right positioning).", "type": "integer" }, "communication_links": { "description": "Defines connections between technical assets for data or control flow, essential for modeling trust boundaries and attack paths.", "type": [ "object", "null" ], "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "target": { "description": "Target", "type": "string" }, "description": { "description": "Description", "type": [ "string", "null" ] }, "protocol": { "description": "Protocol", "type": "string", "enum": [ "unknown-protocol", "http", "https", "ws", "wss", "reverse-proxy-web-protocol", "reverse-proxy-web-protocol-encrypted", "mqtt", "jdbc", "jdbc-encrypted", "odbc", "odbc-encrypted", "sql-access-protocol", "sql-access-protocol-encrypted", "nosql-access-protocol", "nosql-access-protocol-encrypted", "binary", "binary-encrypted", "text", "text-encrypted", "ssh", "ssh-tunnel", "smtp", "smtp-encrypted", "pop3", "pop3-encrypted", "imap", "imap-encrypted", "ftp", "ftps", "sftp", "scp", "ldap", "ldaps", "jms", "nfs", "smb", "smb-encrypted", "local-file-access", "nrpe", "xmpp", "iiop", "iiop-encrypted", "jrmp", "jrmp-encrypted", "in-process-library-call", "inter-process-communication", "container-spawning" ] }, "authentication": { "description": "Authentication", "type": "string", "enum": [ "none", "credentials", "session-id", "token", "client-certificate", "two-factor", "externalized" ] }, "authorization": { "description": "Authorization", "type": "string", "enum": [ "none", "technical-user", "end-user-identity-propagation" ] }, "tags": { "description": "Tags", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "vpn": { "description": "VPN", "type": "boolean" }, "ip_filtered": { "description": "IP filtered", "type": "boolean" }, "readonly": { "description": "readonly", "type": "boolean" }, "usage": { "description": "Usage", "type": "string", "enum": [ "business", "devops" ] }, "data_assets_sent": { "description": "Data assets sent", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "data_assets_received": { "description": "Data assets received", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "diagram_tweak_weight": { "description": "diagram tweak weight", "type": "integer" }, "diagram_tweak_constraint": { "description": "diagram tweak constraint", "type": "boolean" } }, "required": [ "target", "description", "protocol", "authentication", "authorization", "vpn", "ip_filtered", "readonly", "usage" ] } } }, "allOf": [ { "anyOf": [ { "required": [ "technology" ] }, { "required": [ "technologies" ] } ] } ], "required": [ "id", "description", "type", "usage", "used_as_client_by_human", "out_of_scope", "size", "internet", "machine", "encryption", "owner", "confidentiality", "integrity", "availability", "multi_tenant", "redundant", "custom_developed_parts", "data_assets_processed", "data_assets_stored", "data_formats_accepted", "communication_links" ] } }, "trust_boundaries": { "description": "Trust boundaries", "type": "object", "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "id": { "description": "ID", "type": "string" }, "description": { "description": "Description", "type": [ "string", "null" ] }, "type": { "description": "Type", "type": "string", "enum": [ "network-on-prem", "network-dedicated-hoster", "network-virtual-lan", "network-cloud-provider", "network-cloud-security-group", "network-policy-namespace-isolation", "execution-environment" ] }, "tags": { "description": "Tags", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "technical_assets_inside": { "description": "Technical assets inside", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "trust_boundaries_nested": { "description": "Trust boundaries nested", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } } }, "required": [ "id", "description", "type", "technical_assets_inside", "trust_boundaries_nested" ] } }, "shared_runtimes": { "description": "Shared runtimes", "type": "object", "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "id": { "description": "ID", "type": "string" }, "description": { "description": "Description", "type": [ "string", "null" ] }, "tags": { "description": "Tags", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "technical_assets_running": { "description": "Technical assets running", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } } }, "required": [ "id", "description", "technical_assets_running" ] } }, "individual_risk_categories": { "description": "Individual risk categories", "type": [ "object", "null" ], "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "id": { "description": "ID", "type": "string" }, "description": { "description": "Description", "type": [ "string", "null" ] }, "impact": { "description": "Impact", "type": "string" }, "asvs": { "description": "ASVS", "type": "string" }, "cheat_sheet": { "description": "Cheat sheet", "type": "string" }, "action": { "description": "Action", "type": "string" }, "mitigation": { "description": "Mitigation", "type": "string" }, "check": { "description": "Check", "type": "string" }, "function": { "description": "Function", "type": "string", "enum": [ "business-side", "architecture", "development", "operations" ] }, "stride": { "description": "STRIDE", "type": "string", "enum": [ "spoofing", "tampering", "repudiation", "information-disclosure", "denial-of-service", "elevation-of-privilege" ] }, "detection_logic": { "description": "Detection logic", "type": "string" }, "risk_assessment": { "description": "Risk assessment", "type": "string" }, "false_positives": { "description": "False positives", "type": "string" }, "model_failure_possible_reason": { "description": "Model failure possible reason", "type": "boolean" }, "cwe": { "description": "CWE", "type": "integer" }, "risks_identified": { "description": "Risks identified", "type": "object", "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "severity": { "description": "Severity", "type": "string", "enum": [ "low", "medium", "elevated", "high", "critical" ] }, "exploitation_likelihood": { "description": "Exploitation likelihood", "type": "string", "enum": [ "unlikely", "likely", "very-likely", "frequent" ] }, "exploitation_impact": { "description": "Exploitation impact", "type": "string", "enum": [ "low", "medium", "high", "very-high" ] }, "data_breach_probability": { "description": "Data breach probability", "type": "string", "enum": [ "improbable", "possible", "probable" ] }, "data_breach_technical_assets": { "description": "Data breach technical assets", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "most_relevant_data_asset": { "description": "Most relevant data asset", "type": [ "string", "null" ] }, "most_relevant_technical_asset": { "description": "Most relevant technical asset", "type": [ "string", "null" ] }, "most_relevant_communication_link": { "description": "Most relevant communication link", "type": [ "string", "null" ] }, "most_relevant_trust_boundary": { "description": "Most relevant trust boundary", "type": [ "string", "null" ] }, "most_relevant_shared_runtime": { "description": "Most relevant shared runtime", "type": [ "string", "null" ] } } } } }, "required": [ "id", "description", "impact", "asvs", "cheat_sheet", "action", "mitigation", "check", "function", "stride", "detection_logic", "risk_assessment", "false_positives", "model_failure_possible_reason", "cwe", "risks_identified" ] } }, "risk_tracking": { "description": "Risk tracking", "type": [ "object", "null" ], "uniqueItems": true, "additionalProperties": { "type": "object", "properties": { "status": { "description": "Status", "type": "string", "enum": [ "unchecked", "in-discussion", "accepted", "in-progress", "mitigated", "false-positive" ] }, "justification": { "description": "Justification", "type": [ "string", "null" ] }, "ticket": { "description": "Ticket", "type": [ "string", "null" ] }, "date": { "description": "Date", "type": [ "string", "null" ], "format": "date" }, "checked_by": { "description": "Checked by", "type": [ "string", "null" ] } }, "required": [ "status", "justification", "ticket", "date", "checked_by" ] } }, "diagram_tweak_suppress_edge_labels": { "description": "Diagram tweak suppress edge labels", "type": [ "boolean", "null" ] }, "diagram_tweak_layout_left_to_right": { "description": "Diagram tweak layout left to right", "type": [ "boolean", "null" ] }, "diagram_tweak_edge_layout": { "description": "Diagram tweak edge layout", "type": [ "string", "null" ], "enum": [ "", "ortho", "spline", "polyline", "false", "curved" ] }, "diagram_tweak_nodesep": { "description": "Diagram tweak nodesep", "type": [ "integer", "null" ] }, "diagram_tweak_ranksep": { "description": "Diagram tweak ranksep", "type": [ "integer", "null" ] }, "diagram_tweak_invisible_connections_between_assets": { "description": "Diagram tweak invisible connections between assets", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } }, "diagram_tweak_same_rank_assets": { "description": "Diagram tweak same rank assets", "type": [ "array", "null" ], "uniqueItems": true, "items": { "type": "string" } } }, "required": [ "threagile_version", "title", "author", "business_criticality", "tags_available", "data_assets", "technical_assets", "shared_runtimes" ], "id": "https://threagile.io/schema.json" }