Metadata and Extensions
Extend TMI with custom metadata on threat models, diagrams, threats, and other objects.
TMI supports extensible metadata on all major objects, allowing you to customize the platform for your workflows and requirements.
Metadata consists of custom key-value pairs that you can add to:
- Threat models
- Diagrams
- Threats
- Notes
- Components (future)
- Select the object (threat model, diagram, threat, etc.)
- Find the "Metadata" section
- Click "Add Metadata" or "+"
- Enter key and value
- Save
- Key: String identifier (e.g., `compliance`, `owner`, `priority`)
- Value: String value (e.g., `PCI-DSS`, `security-team`, `high`)
category: web-application
tier: production
environment: cloud
owner: security-team
reviewer: john.doe
team: platform-engineering
compliance: PCI-DSS,HIPAA,SOC2
data-classification: confidential
regulatory-requirement: GDPR
jira-project: SEC
status: in-review
review-date: 2025-06-01
approval-required: true
attack-surface: external
data-sensitivity: high
business-criticality: critical
- Use kebab-case or snake_case
- Avoid spaces in keys
- Be consistent across objects
- Document your schema
For multiple values, use delimiters:
- Comma-separated: `PCI-DSS,HIPAA,SOC2`
- Pipe-separated: `team-a|team-b|team-c`
Document your metadata schema:
- What keys are used
- What values are valid
- What they mean
- When to use them
Use metadata to filter:
- Show only threats with `priority: high`
- Filter threat models by `compliance: PCI-DSS`
- View diagrams for `environment: production`
Search for objects with specific metadata values.
Metadata is included in API responses:
{
  "id": "tm-123",
  "name": "Payment System",
  "metadata": {
    "compliance": "PCI-DSS",
    "owner": "security-team",
    "review-date": "2025-06-01"
  }
}
Update metadata via API:
PATCH /threatmodels/tm-123
{
  "metadata": {
    "status": "reviewed",
    "reviewer": "john.doe"
  }
}
See API Integration for details.
Generate reports based on metadata:
- All high-priority threats
- Threat models by compliance requirement
- Items requiring review by date
Use metadata for automation:
- Auto-assign based on `owner` field
- Trigger workflows based on `status`
- Generate notifications for `review-date`
Map metadata to external systems:
- `jira-project` → Jira project key
- `servicenow-ci` → ServiceNow CI
- `repository-url` → GitHub repo
Threat Model Metadata:
compliance: PCI-DSS,SOC2
data-classification: highly-confidential
audit-frequency: quarterly
next-review: 2025-Q2
Threat Metadata:
control-id: PCI-6.5.1
compliance-requirement: PCI-DSS
verification-method: code-review
Threat Model Metadata:
team: platform-team
product: payment-service
owner: [email protected]
technical-lead: [email protected]
Diagram Metadata:
subsystem: authentication
responsible-team: security-team
sla: 99.99%
Threat Metadata:
jira-ticket: SEC-1234
status: in-progress
priority: P1
target-date: 2025-04-01
assigned-to: security-team
Define a standard schema for your organization:
# TMI Metadata Schema
## Threat Model Level
- `owner`: Team or person responsible
- `compliance`: Applicable compliance frameworks
- `environment`: dev, staging, production
- `data-classification`: public, internal, confidential, restricted
## Threat Level
- `priority`: P0, P1, P2, P3
- `control-id`: Reference to control framework
- `jira-ticket`: Jira ticket ID
- `assigned-to`: Responsible party
## Diagram Level
- `subsystem`: Which subsystem this represents
- `level`: Context, L0, L1, L2
- `review-status`: draft, in-review, approved
Potential future features:
- Metadata validation and schemas
- Required metadata fields
- Metadata templates
- Bulk metadata updates
- Metadata inheritance
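Metadata validation is listed above only as a potential future feature, so a documented schema has to be enforced by whatever client writes the metadata. The following added example (not part of TMI or of the original page) checks a metadata object against the example schema from this page; the function name `validate_metadata`, the level names, treating `compliance` as the only comma-delimited key, and rejecting keys that mix `-` and `_` are assumptions.

```python
import re

# Assumed schema, transcribed from the example "TMI Metadata Schema" on this
# page. None means any non-empty string is accepted for that key.
SCHEMA = {
    "threat_model": {
        "owner": None, "compliance": None,
        "environment": {"dev", "staging", "production"},
        "data-classification": {"public", "internal", "confidential", "restricted"},
    },
    "threat": {
        "priority": {"P0", "P1", "P2", "P3"},
        "control-id": None, "jira-ticket": None, "assigned-to": None,
    },
    "diagram": {
        "subsystem": None,
        "level": {"Context", "L0", "L1", "L2"},
        "review-status": {"draft", "in-review", "approved"},
    },
}
# kebab-case or snake_case, no spaces; mixing both styles in one key is rejected
KEY_RE = re.compile(r"[a-z0-9]+(?:(?:-[a-z0-9]+)*|(?:_[a-z0-9]+)*)")
# Assumption: only these keys carry comma-separated multiple values
MULTI_VALUE_KEYS = {"compliance"}


def validate_metadata(level, metadata):
    """Return a list of problems; an empty list means the metadata conforms."""
    allowed = SCHEMA[level]
    problems = []
    for key, value in metadata.items():
        if not KEY_RE.fullmatch(key):
            problems.append(f"{key!r}: key is not kebab-case or snake_case")
            continue
        if key not in allowed:
            problems.append(f"{key!r}: not in the {level} schema")
            continue
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key!r}: value must be a non-empty string")
            continue
        items = value.split(",") if key in MULTI_VALUE_KEYS else [value]
        for item in (i.strip() for i in items):
            if not item:
                problems.append(f"{key!r}: empty item in delimited value")
            elif allowed[key] is not None and item not in allowed[key]:
                problems.append(f"{key!r}: {item!r} not one of {sorted(allowed[key])}")
    return problems
```

Run it on the `metadata` object before issuing the PATCH request and send the update only when the returned list is empty.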
- Learn about Issue Tracker Integration
- Explore API Integration
- Review Webhook Integration