JustAppSec
Reference

.justappsec Schema

The complete structure of a .justappsec v1 file.

← Back to Editor
Root object
FieldTypeNotes
version"1"Always the string "1".
$schemastringEmbedded instructions for AI agents. Injected automatically by the editor.[view]
metaMetaObjectName and timestamps.
threatsThreatObject[]Flat list of all identified threats.
MetaObject
FieldTypeNotes
namestringHuman-readable model name. e.g. "My SaaS Platform"
createdISO 8601 stringCreation timestamp.
modifiedISO 8601 stringLast-modified timestamp.
ThreatObject
FieldTypeNotes
idstringUnique within the file. e.g. "t1", "t2abc"
titlestringConcise, action-based threat name. Max ~60 chars.
descriptionstringSpecific attack scenario or mitigation details.
severity"critical" | "high" | "medium" | "low" | "info"Realistic severity estimate.
status"open" | "in-progress" | "closed""open" for unaddressed threats.
closeReason"mitigated" | "accepted" | "ignored" | "wont-fix" | nullRequired when status is "closed".
pathstring[]Attack chain. First = entry point, last = target. e.g. ["Attacker","API Server","Database"]
categorystringThreat category (see below).
ownerstring | nullTeam or person. e.g. "@backend-team"
ceControlsstring[] (optional)UK Cyber Essentials controls (see below).
ticketUrlstring (optional)Link to Jira, GitHub Issue, Linear, etc.

Allowed values

Threat Categories

  • Authentication
  • Authorisation
  • Session Management
  • Input Handling
  • Data Exposure
  • Cryptography
  • Dependencies
  • Infrastructure
  • Rate Limiting
  • Logging
  • Business Logic
  • Configuration

Cyber Essentials Controls

  • CE: Firewalls
  • CE: Secure Configuration
  • CE: User Access Control
  • CE: Malware Protection
  • CE: Security Update Management

Embedded $schema

This is automatically included in every .justappsec file. It tells AI agents how to update the file.

JustAppSec Threat Model v1 - Update Instructions

This file already exists. These instructions are for UPDATES ONLY.
For full documentation, visit: https://justappsec.com/threat-model/ai-support

YOU ARE UPDATING AN EXISTING THREAT MODEL
- This file was created previously and is now being maintained
- Do NOT regenerate from scratch unless explicitly asked
- Preserve all existing content that is unaffected by changes
- Only modify what needs to change based on new code or user requests

STRUCTURE (preserve this format):
- version: Always "1"
- $schema: These instructions (never remove or modify)
- meta.name: Project name (preserve unless user renames)
- meta.created: Original creation timestamp (never change)
- meta.modified: Update to current ISO 8601 timestamp on each edit
- threats[]: Array of threat objects

THREAT OBJECT:
- id: Unique string - preserve existing IDs, generate new for additions
- title: Concise description, max 60 chars
- description: Specific attack scenario or mitigation details
- severity: "critical" | "high" | "medium" | "low" | "info"
- status: "open" | "in-progress" | "closed"
- closeReason: "mitigated" | "accepted" | "ignored" | "wont-fix" | null
- path: Array of component names (2-3 ideal, max 4 for Critical)
- category: Authentication | Authorisation | Session Management | Input Handling | Data Exposure | Cryptography | Dependencies | Infrastructure | Rate Limiting | Logging | Business Logic | Configuration
- owner: Team or person responsible (optional)
- ceControls: UK Cyber Essentials controls (optional)

WHEN UPDATING:
- Review code changes to understand what security aspects changed
- Add new threats for new security-relevant functionality
- Update existing threats affected by changes
- Set status to "closed" with closeReason when mitigations are implemented
- IMPORTANT: Keep path component names consistent across all threats
- IMPORTANT: Preserve all threats unaffected by changes
- Update meta.modified timestamp

OUTPUT RULES:
- Valid JSON only - no markdown fences, no explanation text
- Must parse with JSON.parse() directly
- All threat ids must be unique
- Keep $schema field intact

IF SOMETHING SEEMS WRONG:
- Schema reference: https://justappsec.com/threat-model/schema
- AI support docs: https://justappsec.com/threat-model/ai-support
- Automated updates guide: https://justappsec.com/guides/automated-threat-model-updates

Example file

A minimal threat model with two threats - one open, one mitigated.

{
  "version": "1",
  "$schema": "...",
  "meta": {
    "name": "My API",
    "created": "2026-01-01T00:00:00.000Z",
    "modified": "2026-01-01T00:00:00.000Z"
  },
  "threats": [
    {
      "id": "t1",
      "title": "SQL injection via search endpoint",
      "description": "The GET /api/products?q= parameter is concatenated into a raw SQL query without parameterisation. An attacker can exfiltrate the entire users table.",
      "severity": "critical",
      "status": "open",
      "closeReason": null,
      "path": ["Attacker", "API Server", "PostgreSQL"],
      "category": "Input Handling",
      "owner": null
    },
    {
      "id": "t2",
      "title": "ORM enforces parameterised queries",
      "description": "All database access goes through the ORM prepared statement layer. Raw query concatenation is banned by linter and enforced in CI.",
      "severity": "high",
      "status": "closed",
      "closeReason": "mitigated",
      "path": ["API Server", "Database"],
      "category": "Input Handling",
      "owner": "@backend-team"
    }
  ]
}
Open the Editor →

For AI integration details, see Automated Threat Model Updates

Threat modelling is in betaReport an issue here
Need help?Get in touch.