archithreat 3.2.0

Convert ArchiMate 3.x architecture models into threat-modeling artifacts (v1: IriusRisk-compatible draw.io).

archithreat

Convert ArchiMate 3.x architecture models into threat-modeling artifacts, preserving logical trust zones, host containment, and connection semantics. Two output targets ship: IriusRisk-compatible draw.io and OWASP Threat Dragon v2 JSON. The codebase is structured so further targets slot in without rework.

Why

Threat-modeling tools that consume diagrams expect specific input formats (draw.io for IriusRisk, .tm7 for Microsoft TMT, JSON for OWASP Threat Dragon). None ingest ArchiMate directly. Organizations doing serious EA in ArchiMate (TOGAF, BiZZdesign, Sparx EA) have no path from authoritative architecture into their threat model except manual reconstruction. archithreat closes that gap.

Privacy by design

Architecture models for critical infrastructure describe attack surfaces and frequently cannot leave their owning organization. archithreat ships three surfaces, no hosted service:

• CLI — local conversion for engineers and CI pipelines.
• Browser app — static site (Pyodide); runs entirely in your browser, no upload.
• Self-hosted container — FastAPI image you run inside your trust zone.

Install (CLI)

pip install archithreat[cli]
archithreat convert input.xml output.drawio --target iriusrisk
archithreat convert input.xml output.json    --target threatdragon
archithreat targets

Browser app

Open the published GitHub Pages site, drop your .xml in, pick a target from the dropdown, download the .drawio or .json. Nothing leaves your browser.

Self-hosted container

docker run --rm -p 8000:8000 ghcr.io/rondlite/archithreat:latest
# open http://localhost:8000

Documentation

• docs/concepts.md — modeling discipline behind the conversion
• docs/mapping-table.md — YAML schema + customization
• docs/patterns.md — supported patterns
• docs/limitations.md — known gaps and future work
• docs/self-hosting.md — Docker deployment
• docs/browser.md — browser app capabilities
• docs/privacy.md — what each surface does and does not see
• docs/targets.md — supported output targets
• docs/adding-a-target.md — contributor guide for new emitters

Status

v3.2.0. See CHANGELOG.md and ROADMAP.

License

Apache 2.0 — see LICENSE. For third-party / vendored components and their licenses (Pyodide, drawio viewer, HTMX, declared Python deps), see SBOM.md.