mirror of
https://github.com/github/awesome-copilot.git
synced 2026-04-14 04:05:58 +00:00
Add threat-model-analyst skill: STRIDE-A threat modeling for repositories (#1177)
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories

Add a comprehensive threat model analysis skill that performs security audits using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis. Supports two modes:
- Single analysis: full STRIDE-A threat model producing architecture overviews, DFD diagrams, prioritized findings, and executive assessments
- Incremental analysis: security posture diff between baseline report and current code, producing standalone reports with embedded comparison

Includes bundled reference assets:
- Orchestrator workflows (full and incremental)
- Analysis principles and verification checklists
- Output format specifications and skeleton templates
- DFD diagram conventions and TMT element taxonomy

* Address PR review comments from Copilot reviewer
- Fix SKILL.md description: use single-quoted scalar, rename mode (2) to 'Incremental analysis' with accurate description
- Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or Reports' redirect (no deprecated language for first release)
- Fix skeleton-findings.md: move Tier 1 table rows under header, add CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure)
- Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick outer fences to avoid nested fence conflicts with inner mermaid fences
- Fix skeleton-incremental-html.md: correct section count from 9 to 8
- Fix output-formats.md: change status 'open' to 'Open' in JSON example, move stride_category warning outside JSON fence as blockquote
- Fix incremental-orchestrator.md: replace stale compare-output-formats.md reference with inline color conventions
- Regenerate docs/README.skills.md with updated description

* Address second round of Copilot review comments
- Fix diagram-conventions.md: bidirectional flow notation now uses <--> matching orchestrator.md and DFD templates
- Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use SE.DF.TMCore.* prefix consistent with all other data flow IDs
- Fix output-formats.md: correct TMT category example from SQLDatabase to SQL matching taxonomy, fix component type from 'datastore' to 'data_store' matching canonical enum, remove DaprSidecar from inbound_from per no-standalone-sidecar rule
- Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the template content below (excluding the outer code fence)' to prevent agents from wrapping output in markdown fences
- Genericize product-specific names in examples: replace edgerag with myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core, AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB

* Address third round of Copilot review comments
- Fix diagram-conventions.md: second bidirectional two-arrow pattern in Quick Reference section now uses <-->
- Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8 matching skeleton-incremental-html.md 8-section structure
- Fix output-formats.md: add incremental-comparison.html to File List as conditional output for incremental mode
- Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind fields to match output-formats.md JSON schema example
@@ -0,0 +1,62 @@
# Skeleton: 1.2-threatmodel-summary.mmd
> **⛔ ALWAYS evaluate this skeleton after creating `1.1-threatmodel.mmd`.**
> Count elements (nodes with `(("..."))`, `[("...")]`, `["..."]`) and boundaries (`subgraph`) in the detailed DFD.
> - If elements > 15 OR boundaries > 4 → this file is **REQUIRED**. Fill the template below.
> - If elements ≤ 15 AND boundaries ≤ 4 → **SKIP** this file. Proceed to `1-threatmodel.md`.
> **⛔ This is a raw Mermaid file. The template below is shown inside a code fence for readability only — do NOT include the fence in the output file. The `.mmd` file must start with `%%{init:` on line 1.**
---
```
%%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'primaryColor': '#ffffff', 'lineColor': '#666666' }}}%%
flowchart LR
classDef process fill:#6baed6,stroke:#2171b5,stroke-width:2px,color:#000000
classDef external fill:#fdae61,stroke:#d94701,stroke-width:2px,color:#000000
classDef datastore fill:#74c476,stroke:#238b45,stroke-width:2px,color:#000000
[FILL: External actors — keep all, do not aggregate]
[FILL: ExternalActor]["[FILL: Name]"]:::external
[REPEAT: one subgraph per trust boundary — ALL boundaries MUST be preserved]
subgraph [FILL: BoundaryID]["[FILL: Boundary Name]"]
[FILL: Aggregated and individual nodes]
end
[END-REPEAT]
[REPEAT: summary data flows using SDF prefix]
[FILL: Source] <-->|"[FILL: SDF##: description]"| [FILL: Target]
[END-REPEAT]
[REPEAT: boundary styles]
style [FILL: BoundaryID] fill:none,stroke:#e31a1c,stroke-width:3px,stroke-dasharray: 5 5
[END-REPEAT]
linkStyle default stroke:#666666,stroke-width:2px
```
## Aggregation Rules
**Reference:** `diagram-conventions.md` → Summary Diagram Rules for full details.
1. **ALL trust boundaries MUST be preserved** — never combine or omit boundaries.
2. **Keep individually:** entry points, core flow components, security-critical services, primary data stores, all external actors.
3. **Aggregate only:** supporting infrastructure, secondary caches, multiple externals at same trust level.
4. **Aggregated element labels MUST list contents:**
```
DataLayer[("Data Layer<br/>(UserDB, OrderDB, Redis)")]
SupportServices(("Supporting<br/>(Logging, Monitoring)"))
```
5. **Flow IDs:** Use `SDF` prefix: `SDF01`, `SDF02`, ...
## Required in `1-threatmodel.md`
When this file is generated, `1-threatmodel.md` MUST include:
- A `## Summary View` section with this diagram in a ` ```mermaid ` fence
- A `## Summary to Detailed Mapping` table:
```markdown
| Summary Element | Contains | Summary Flows | Maps to Detailed Flows |
|----------------|----------|---------------|------------------------|
| [FILL] | [FILL: list of detailed elements] | [FILL: SDF##] | [FILL: DF## list] |
```
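Review bot: the bracketed instruction lines inside the fence (`[FILL: External actors ...]`, `[REPEAT: one subgraph per trust boundary ...]`, `[END-REPEAT]`) are not valid Mermaid, and the header only tells the agent to drop the outer fence, not to remove these lines, so a summary `.mmd` that keeps any of them will fail to render; add an explicit instruction next to the fence note that every `[FILL: ...]`, `[REPEAT: ...]` and `[END-REPEAT]` line must be replaced or deleted, and that the result should be checked with a Mermaid renderer before `1-threatmodel.md` embeds it. Two smaller points in the same hunk: the summary-flow template offers only `<-->`, so every SDF flow will be drawn bidirectional unless the agent knows to use `-->` for one-way traffic, which loses the direction that decides which side of a trust boundary must authenticate the peer and validate input (worth making `[FILL: Source] -->|"[FILL: SDF##: description]"| [FILL: Target]` the default and reserving `<-->` for genuinely two-way flows); and the `process` and `datastore` classDefs are declared but the `[FILL: Aggregated and individual nodes]` placeholder never says to tag nodes with `:::process` / `:::datastore`, so aggregated elements may render unstyled while `:::external` on the actor line is the only class the template demonstrates.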