awesome-copilot/skills/threat-model-analyst/references/tmt-element-taxonomy.md
Vijay Chegu afba5b86b8 Add threat-model-analyst skill: STRIDE-A threat modeling for repositories (#1177)
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories

Add a comprehensive threat model analysis skill that performs security audits
using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and
defense-in-depth analysis.

Supports two modes:
- Single analysis: full STRIDE-A threat model producing architecture overviews,
  DFD diagrams, prioritized findings, and executive assessments
- Incremental analysis: security posture diff between baseline report and current
  code, producing standalone reports with embedded comparison

Includes bundled reference assets:
- Orchestrator workflows (full and incremental)
- Analysis principles and verification checklists
- Output format specifications and skeleton templates
- DFD diagram conventions and TMT element taxonomy

* Address PR review comments from Copilot reviewer

- Fix SKILL.md description: use single-quoted scalar, rename mode (2) to
  'Incremental analysis' with accurate description
- Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or
  Reports' redirect (no deprecated language for first release)
- Fix skeleton-findings.md: move Tier 1 table rows under header, add
  CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure)
- Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick
  outer fences to avoid nested fence conflicts with inner mermaid fences
- Fix skeleton-incremental-html.md: correct section count from 9 to 8
- Fix output-formats.md: change status 'open' to 'Open' in JSON example,
  move stride_category warning outside JSON fence as blockquote
- Fix incremental-orchestrator.md: replace stale compare-output-formats.md
  reference with inline color conventions
- Regenerate docs/README.skills.md with updated description

* Address second round of Copilot review comments

- Fix diagram-conventions.md: bidirectional flow notation now uses <-->
  matching orchestrator.md and DFD templates
- Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use
  SE.DF.TMCore.* prefix consistent with all other data flow IDs
- Fix output-formats.md: correct TMT category example from SQLDatabase
  to SQL matching taxonomy, fix component type from 'datastore' to
  'data_store' matching canonical enum, remove DaprSidecar from
  inbound_from per no-standalone-sidecar rule
- Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the
  template content below (excluding the outer code fence)' to prevent
  agents from wrapping output in markdown fences
- Genericize product-specific names in examples: replace edgerag with
  myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core,
  AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB

* Address third round of Copilot review comments

- Fix diagram-conventions.md: second bidirectional two-arrow pattern in
  Quick Reference section now uses <-->
- Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8
  matching skeleton-incremental-html.md 8-section structure
- Fix output-formats.md: add incremental-comparison.html to File List
  as conditional output for incremental mode
- Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind
  fields to match output-formats.md JSON schema example
2026-03-30 07:58:56 +11:00


TMT Element Taxonomy — Code to Threat Model DFD Reference

Complete reference for identifying DFD elements from source code analysis. It aligns with the Microsoft Threat Modeling Tool (TMT) element types for TM7 compatibility and is the single authoritative file for all TMT type classifications.

Diagram styling and rendering rules are in diagram-conventions.md. This file covers what to look for in code, how to classify it, and how to name it.


1. Element Types

NOTE: TMT IDs (e.g., SE.P.TMCore.OSProcess) are for classification reference only. Do NOT use TMT IDs as Mermaid node IDs. Use concise, readable PascalCase IDs (e.g., WebServer, SqlDatabase).

1.1 Process Types

| TMT ID | Name | Code Patterns to Identify |
|---|---|---|
| SE.P.TMCore.OSProcess | OS Process | Native executables, system processes, spawned processes |
| SE.P.TMCore.Thread | Thread | Thread pools, Task, pthread, worker threads |
| SE.P.TMCore.WinApp | Native Application | Win32 apps, C/C++ executables, desktop apps |
| SE.P.TMCore.NetApp | Managed Application | .NET apps, C# services, F# programs |
| SE.P.TMCore.ThickClient | Thick Client | Desktop GUI apps, WPF, WinForms, Electron |
| SE.P.TMCore.BrowserClient | Browser Client | SPAs, JavaScript apps, WebAssembly |
| SE.P.TMCore.WebServer | Web Server | IIS, Apache, Nginx, Express, Kestrel |
| SE.P.TMCore.WebApp | Web Application | ASP.NET, Django, Rails, Spring MVC |
| SE.P.TMCore.WebSvc | Web Service | REST APIs, SOAP, GraphQL endpoints |
| SE.P.TMCore.VM | Virtual Machine | VMs, containers, Docker |
| SE.P.TMCore.Win32Service | Win32 Service | Windows services, ServiceBase |
| SE.P.TMCore.KernelThread | Kernel Thread | Kernel modules, drivers, ring-0 code |
| SE.P.TMCore.Modern | Windows Store Process | UWP apps, Windows Store apps, sandboxed apps |
| SE.P.TMCore.PlugIn | Browser and ActiveX Plugins | Browser extensions, ActiveX, BHO plugins |
| SE.P.TMCore.NonMS | Applications Running on a non-Microsoft OS | Linux apps, macOS apps, Unix processes |

1.2 External Interactor Types

| TMT ID | Name | Code Patterns to Identify |
|---|---|---|
| SE.EI.TMCore.Browser | Browser | Browser clients, user agents, web UI consumers |
| SE.EI.TMCore.AuthProvider | Authorization Provider | OAuth servers, OIDC providers, IdP, SAML |
| SE.EI.TMCore.WebSvc | External Web Service | External APIs, vendor services, SaaS endpoints |
| SE.EI.TMCore.User | Human User | End users, operators, administrators |
| SE.EI.TMCore.Megaservice | Megaservice | Large cloud platforms (Azure, AWS, GCP services) |
| SE.EI.TMCore.WebApp | External Web Application | Third-party web apps, external portals |
| SE.EI.TMCore.CRT | Windows Runtime | WinRT APIs, Windows runtime components |
| SE.EI.TMCore.NFX | Windows .NET Runtime | .NET Framework, CLR, BCL |
| SE.EI.TMCore.WinRT | Windows RT Runtime | Windows RT platform, ARM Windows apps |

1.3 Data Store Types

| TMT ID | Name | Code Patterns to Identify |
|---|---|---|
| SE.DS.TMCore.CloudStorage | Cloud Storage | Azure Blob, S3, GCS |
| SE.DS.TMCore.SQL | SQL Database | PostgreSQL, MySQL, SQL Server, SQLite |
| SE.DS.TMCore.NoSQL | Non-Relational DB | MongoDB, CosmosDB, Redis, Cassandra |
| SE.DS.TMCore.FS | File System | Local files, NFS, shared drives |
| SE.DS.TMCore.Cache | Cache | Redis, Memcached, in-memory caches |
| SE.DS.TMCore.ConfigFile | Configuration File | .env, appsettings.json, YAML configs |
| SE.DS.TMCore.Cookie | Cookies | HTTP cookies, session cookies |
| SE.DS.TMCore.Registry | Registry Hive | Windows Registry, system configuration stores |
| SE.DS.TMCore.HTML5LS | HTML5 Local Storage | localStorage, sessionStorage, IndexedDB |
| SE.DS.TMCore.Device | Device | Hardware devices, USB, peripheral storage |

Redis appears under both Non-Relational DB and Cache: classify it by how the code uses it (durable records versus ephemeral cached values), not by the product name.

1.4 Data Flow Types

| TMT ID | Name | Code Patterns to Identify |
|---|---|---|
| SE.DF.TMCore.HTTP | HTTP | fetch(), axios, HttpClient, REST without TLS |
| SE.DF.TMCore.HTTPS | HTTPS | TLS-secured REST, https:// endpoints |
| SE.DF.TMCore.Binary | Binary | gRPC, Protobuf, raw binary protocols |
| SE.DF.TMCore.NamedPipe | Named Pipe | IPC via named pipes |
| SE.DF.TMCore.SMB | SMB | SMB/CIFS file shares |
| SE.DF.TMCore.UDP | UDP | UDP sockets, datagram protocols |
| SE.DF.TMCore.SSH | SSH | SSH tunnels, SFTP, SCP |
| SE.DF.TMCore.LDAP | LDAP | LDAP queries, AD lookups |
| SE.DF.TMCore.LDAPS | LDAPS | Secure LDAP over TLS |
| SE.DF.TMCore.IPsec | IPsec | VPN tunnels, IPsec-secured connections |
| SE.DF.TMCore.RPC | RPC or DCOM | COM+, DCOM, RPC calls, WCF net.tcp |
| SE.DF.TMCore.ALPC | ALPC | Advanced Local Procedure Call, Windows IPC |
| SE.DF.TMCore.IOCTL | IOCTL Interface | Device I/O control, driver communication |

HTTP versus HTTPS (and LDAP versus LDAPS) is decided by the URL scheme or TLS configuration of the connection, not by the client library: fetch(), axios and HttpClient carry both. A base URL supplied at runtime (environment variable, config file) must be traced to its source before the flow is classified.

1.5 Trust Boundary Types

Line Boundaries:

| TMT ID | Name | Code Indicators |
|---|---|---|
| SE.TB.L.TMCore.Internet | Internet Boundary | Public endpoints, API gateways |
| SE.TB.L.TMCore.Machine | Machine Boundary | Process boundaries, VM separation |
| SE.TB.L.TMCore.Kernel | Kernel/User Mode | Drivers, ring 0/3 transitions |
| SE.TB.L.TMCore.AppContainer | AppContainer | UWP sandboxes, app containers |

Border Boundaries:

| TMT ID | Name | Code Indicators |
|---|---|---|
| SE.TB.B.TMCore.CorpNet | CorpNet | Corporate network, VPN perimeter |
| SE.TB.B.TMCore.Sandbox | Sandbox | Sandboxed execution environments |
| SE.TB.B.TMCore.IEB | Internet Explorer Boundaries | IE zones, IE security settings |
| SE.TB.B.TMCore.NonIEB | Other Browsers Boundaries | Chrome, Firefox, Edge security contexts |

2. Trust Boundary Detection

Create a trust boundary (subgraph) when code crosses:

| Boundary Type | Code Indicators |
|---|---|
| Internet/Public | Public endpoints, API gateways, load balancers |
| Machine | Process boundaries, host separation |
| Kernel/User Mode | Kernel calls, drivers, syscalls |
| AppContainer | UWP sandboxes, containerized apps |
| CorpNet | Corporate network perimeter, VPN |
| Sandbox | Sandboxed execution environments |

3. Data Flow Detection

Look for these patterns to identify flows:

| Flow Type | Code Patterns |
|---|---|
| HTTP/HTTPS | fetch(), axios, HttpClient, REST calls |
| SQL Database | ORM queries, SQL connections, DbContext |
| Message Queue | Pub/sub, queue send/receive, Dapr pub/sub |
| File I/O | File read/write, blob upload/download |
| gRPC | Protobuf calls, gRPC streams |
| Named Pipe | IPC via named pipes |
| SSH | SSH tunnels, SFTP, SCP transfers |
| LDAP/LDAPS | Directory queries, AD lookups |

Rows without a dedicated data-flow ID in Section 1.4 (SQL Database, Message Queue, File I/O) take the ID of the transport the code actually uses, for example HTTPS for a queue or blob SDK that talks REST over TLS, or SMB for a network file share.
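Sections 1.4 and 3 list the patterns to look for but leave the HTTP-versus-HTTPS and LDAP-versus-LDAPS decision to the analyst. The following Python script is an added example, not part of the threat-model-analyst skill or its reference files: it scans source text line by line, maps each detected transport to its Section 1.4 TMT ID, and flags the cleartext rows (HTTP, LDAP) for review. The regexes, the library hints, the scheme aliases and the sample source (constructed, mixing three languages) are this example's assumptions; only the TMT IDs are taken from the table.

```python
"""Classify code-level data flows into the TMT data-flow IDs of Section 1.4.

Added example; not code from the threat-model-analyst skill. The regexes,
the library hints and the sample source are this example's own assumptions;
only the TMT IDs come from the taxonomy.
"""
import re

# Detected transport -> TMT data-flow ID (Section 1.4).
FLOW_IDS = {
    "http": "SE.DF.TMCore.HTTP",
    "https": "SE.DF.TMCore.HTTPS",
    "grpc": "SE.DF.TMCore.Binary",
    "ldap": "SE.DF.TMCore.LDAP",
    "ldaps": "SE.DF.TMCore.LDAPS",
    "ssh": "SE.DF.TMCore.SSH",
    "smb": "SE.DF.TMCore.SMB",
    "pipe": "SE.DF.TMCore.NamedPipe",
}

# Flow types whose taxonomy row implies no transport protection.
CLEARTEXT = {"SE.DF.TMCore.HTTP", "SE.DF.TMCore.LDAP"}

# Library hints (assumed) that fix the protocol regardless of any URL on the
# line: a gRPC channel is Binary even when its address starts with https://.
API_HINTS = [
    (re.compile(r"\bGrpcChannel\b|\bgrpc\.|\bManagedChannelBuilder\b"), "grpc"),
    (re.compile(r"\bNamedPipe(Client|Server)Stream\b"), "pipe"),
    (re.compile(r"\bparamiko\.|\bSshClient\b"), "ssh"),
]

# A URL scheme inside a string literal decides HTTP vs HTTPS and LDAP vs LDAPS;
# the client library (fetch, axios, HttpClient) alone cannot.
SCHEME_RE = re.compile(r"[\"'](https?|ldaps?|sftp|scp|ssh|smb)://", re.I)
SCHEME_ALIASES = {"sftp": "ssh", "scp": "ssh"}


def classify_line(line):
    """Return (tmt_id, evidence) for one source line, or None if it carries no flow."""
    for pattern, key in API_HINTS:
        match = pattern.search(line)
        if match:
            return FLOW_IDS[key], match.group(0)
    match = SCHEME_RE.search(line)
    if match:
        scheme = match.group(1).lower()
        return FLOW_IDS[SCHEME_ALIASES.get(scheme, scheme)], match.group(0)
    # A client built from a runtime-supplied base URL (env var, config file)
    # has no literal scheme here; leave it unclassified for manual review.
    return None


def scan(source):
    """Scan source text; return one record per detected flow, flagging cleartext transports."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        hit = classify_line(line)
        if hit:
            tmt_id, evidence = hit
            findings.append({"line": number, "tmt_id": tmt_id,
                             "evidence": evidence, "cleartext": tmt_id in CLEARTEXT})
    return findings


# Constructed sample input, mixing JavaScript, C# and Python as a repository scan would.
SAMPLE = """\
const api = axios.create({ baseURL: "https://api.example.test/v1" });
fetch("http://metrics.internal:9090/push", { method: "POST" });
var channel = GrpcChannel.ForAddress("https://inference.internal:5001");
conn = ldap3.Connection(Server("ldap://dc01.corp.example.test"))
client = paramiko.SSHClient()
share = smbclient.open_file("smb://fileserver.corp.example.test/exports/report.csv")
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        flag = "  <-- cleartext, review" if finding["cleartext"] else ""
        print(f'{finding["line"]:>3}  {finding["tmt_id"]:<24} {finding["evidence"]}{flag}')
```

Library hints are checked before URL schemes so that a gRPC channel built from an https:// address is still classified as Binary, and a line with no literal scheme is returned unclassified rather than guessed: a base URL read from configuration has to be traced to its source before the flow gets an ID.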

4. Code Analysis Checklist

When analyzing code, systematically identify:

  1. Entry Points → External Interactors + inbound flows
     • API controllers, event handlers, webhook endpoints
  2. Services/Logic → Processes
     • Business logic classes, service layers, workers
  3. Data Access → Data Stores + flows
     • Repository classes, DB contexts, cache clients
  4. External Calls → External Interactors + outbound flows
     • HTTP clients, SDK integrations, third-party APIs
  5. Security Boundaries → Trust Boundaries
     • Auth middleware, network segments, deployment units
  6. Kubernetes Pod Composition → Sidecar co-location
     • Look for Helm charts, K8s manifests, deployment YAMLs
     • Common sidecars: Dapr, MISE, Envoy, Istio proxy, Linkerd, log collectors
     • Apply Rule 1 from diagram-conventions.md: annotate host nodes, never create standalone sidecar nodes

5. Naming Conventions

See diagram-conventions.md Naming Conventions section for the full table with quoting rules.


6. Output Files

Generate TWO files for maximum flexibility:

File 1: Pure Mermaid (.mmd)

  • Raw Mermaid code only, no markdown wrapper
  • Used for: CLI tools, editors, CI/CD, direct rendering

File 2: Markdown (.md)

  • Mermaid in ```mermaid code fence
  • Include element, flow, and boundary summary tables
  • Used for: GitHub, VS Code, documentation

Format Comparison

| Format | Extension | Contents | Best For |
|---|---|---|---|
| Pure Mermaid | .mmd | Raw diagram code | CLI, editors, tools |
| Markdown | .md | Diagram + tables | GitHub, docs, viewing |
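The checklist in Section 4 and the two output files in Section 6 can be exercised end to end with a small generator. The script below is an added example, not code from the threat-model-analyst skill: it takes an element inventory, enforces three rules stated on this page (Mermaid node IDs are PascalCase names rather than TMT IDs, an element's kind must agree with its TMT ID prefix, sidecars annotate their host and never become standalone nodes), renders trust boundaries as subgraphs with <--> for bidirectional flows, and returns the .mmd and .md contents described in Section 6. The inventory fields, the node shapes, the file names and the constructed myapp inventory are this example's assumptions; diagram-conventions.md remains the authority on styling.

```python
"""Build a Mermaid DFD and the .mmd/.md output pair from an element inventory.

Added example; not code from the threat-model-analyst skill. The inventory
fields (id, name, tmt_type, kind, boundary, sidecars), the Mermaid node
shapes and the file names are this example's own assumptions. Styling
decisions belong to diagram-conventions.md, which this script does not read.
"""
import re

PASCAL = re.compile(r"^[A-Z][A-Za-z0-9]*$")
FENCE = chr(96) * 3  # three backticks, built at runtime to keep them out of the source

# Element kind implied by the TMT ID prefix (Sections 1.1 to 1.3).
KIND_BY_PREFIX = {"SE.P.": "process", "SE.EI.": "external", "SE.DS.": "data_store"}

# Assumed node shapes: process rounded, external interactor rectangle, data store cylinder.
SHAPES = {"process": '("{label}")', "external": '["{label}"]', "data_store": '[("{label}")]'}

# Constructed inventory for a hypothetical service, myapp (not from any real project).
ELEMENTS = [
    {"id": "User", "name": "End user", "tmt_type": "SE.EI.TMCore.User", "kind": "external", "boundary": None},
    {"id": "IdP", "name": "OIDC provider", "tmt_type": "SE.EI.TMCore.AuthProvider", "kind": "external", "boundary": None},
    {"id": "WebApi", "name": "myapp API", "tmt_type": "SE.P.TMCore.WebSvc", "kind": "process",
     "boundary": "CorpNet", "sidecars": ["Dapr", "Envoy"]},
    {"id": "TaskProcessor", "name": "Task worker", "tmt_type": "SE.P.TMCore.NetApp", "kind": "process",
     "boundary": "CorpNet", "sidecars": ["Dapr"]},
    {"id": "SqlDatabase", "name": "Orders DB", "tmt_type": "SE.DS.TMCore.SQL", "kind": "data_store", "boundary": "CorpNet"},
]
FLOWS = [
    {"src": "User", "dst": "WebApi", "label": "HTTPS"},
    {"src": "WebApi", "dst": "IdP", "label": "HTTPS token validation"},
    {"src": "WebApi", "dst": "TaskProcessor", "label": "pub/sub", "bidirectional": True},
    {"src": "TaskProcessor", "dst": "SqlDatabase", "label": "SQL over TLS"},
]


def validate(elements, flows):
    """Return a list of rule violations (empty when the inventory is consistent)."""
    ids = {e["id"] for e in elements}
    errors = []
    for e in elements:
        # Section 1 note: TMT IDs are for classification only, never Mermaid node IDs.
        if e["id"].startswith("SE.") or not PASCAL.match(e["id"]):
            errors.append(f"node id {e['id']!r} must be a PascalCase name, not a TMT ID")
        expected = next((k for p, k in KIND_BY_PREFIX.items() if e["tmt_type"].startswith(p)), None)
        if expected != e["kind"]:
            errors.append(f"{e['id']}: tmt_type {e['tmt_type']} implies kind {expected!r}, got {e['kind']!r}")
        # Section 4 item 6: sidecars annotate their host and never get a node of their own.
        for sidecar in e.get("sidecars", []):
            if sidecar in ids:
                errors.append(f"sidecar {sidecar!r} of {e['id']} must not also be a standalone node")
    for flow in flows:
        for end in (flow["src"], flow["dst"]):
            if end not in ids:
                errors.append(f"flow references unknown node {end!r}")
    return errors


def node_line(e):
    """Render one node; sidecars become part of the host label."""
    label = e["name"]
    if e.get("sidecars"):
        label += "<br/>sidecars: " + ", ".join(e["sidecars"])
    return e["id"] + SHAPES[e["kind"]].format(label=label)


def to_mermaid(elements, flows):
    """Render the DFD; trust boundaries become subgraphs, bidirectional flows use <-->."""
    errors = validate(elements, flows)
    if errors:
        raise ValueError("; ".join(errors))
    groups = {}
    for e in elements:
        groups.setdefault(e["boundary"], []).append(e)
    lines = ["flowchart LR"]
    lines += ["    " + node_line(e) for e in groups.pop(None, [])]  # elements outside any boundary
    for boundary, members in groups.items():
        lines.append(f'    subgraph {boundary}["{boundary} boundary"]')
        lines += ["        " + node_line(e) for e in members]
        lines.append("    end")
    for flow in flows:
        arrow = "<-->" if flow.get("bidirectional") else "-->"
        lines.append(f'    {flow["src"]} {arrow}|"{flow["label"]}"| {flow["dst"]}')
    return "\n".join(lines)


def build_outputs(elements, flows, stem="myapp-dfd"):
    """Return {filename: content} for the pure .mmd and the .md with summary tables (Section 6)."""
    mmd = to_mermaid(elements, flows)
    md = [f"# {stem}", "", FENCE + "mermaid", mmd, FENCE, "",
          "| Node | TMT type | Boundary |", "|---|---|---|"]
    md += [f"| {e['id']} | {e['tmt_type']} | {e['boundary'] or 'none'} |" for e in elements]
    md += ["", "| From | To | Flow |", "|---|---|---|"]
    md += [f"| {flow['src']} | {flow['dst']} | {flow['label']} |" for flow in flows]
    return {stem + ".mmd": mmd + "\n", stem + ".md": "\n".join(md) + "\n"}


if __name__ == "__main__":
    for name, content in build_outputs(ELEMENTS, FLOWS).items():
        print(f"--- {name} ---\n{content}")
```

Validation runs before rendering so that a TMT ID used as a node ID, a kind that contradicts its TMT prefix, or a sidecar promoted to its own node stops the build with a message naming the offending element rather than producing a diagram that silently breaks the conventions.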