mirror of
https://github.com/github/awesome-copilot.git
synced 2026-04-12 19:25:55 +00:00
afba5b86b8
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories Add a comprehensive threat model analysis skill that performs security audits using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis. Supports two modes: - Single analysis: full STRIDE-A threat model producing architecture overviews, DFD diagrams, prioritized findings, and executive assessments - Incremental analysis: security posture diff between baseline report and current code, producing standalone reports with embedded comparison Includes bundled reference assets: - Orchestrator workflows (full and incremental) - Analysis principles and verification checklists - Output format specifications and skeleton templates - DFD diagram conventions and TMT element taxonomy * Address PR review comments from Copilot reviewer - Fix SKILL.md description: use single-quoted scalar, rename mode (2) to 'Incremental analysis' with accurate description - Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or Reports' redirect (no deprecated language for first release) - Fix skeleton-findings.md: move Tier 1 table rows under header, add CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure) - Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick outer fences to avoid nested fence conflicts with inner mermaid fences - Fix skeleton-incremental-html.md: correct section count from 9 to 8 - Fix output-formats.md: change status 'open' to 'Open' in JSON example, move stride_category warning outside JSON fence as blockquote - Fix incremental-orchestrator.md: replace stale compare-output-formats.md reference with inline color conventions - Regenerate docs/README.skills.md with updated description * Address second round of Copilot review comments - Fix diagram-conventions.md: bidirectional flow notation now uses <--> matching orchestrator.md and DFD templates - Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use SE.DF.TMCore.* prefix consistent with all other data flow IDs - Fix output-formats.md: correct TMT category example from SQLDatabase to SQL matching taxonomy, fix component type from 'datastore' to 'data_store' matching canonical enum, remove DaprSidecar from inbound_from per no-standalone-sidecar rule - Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the template content below (excluding the outer code fence)' to prevent agents from wrapping output in markdown fences - Genericize product-specific names in examples: replace edgerag with myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core, AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB * Address third round of Copilot review comments - Fix diagram-conventions.md: second bidirectional two-arrow pattern in Quick Reference section now uses <--> - Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8 matching skeleton-incremental-html.md 8-section structure - Fix output-formats.md: add incremental-comparison.html to File List as conditional output for incremental mode - Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind fields to match output-formats.md JSON schema example
3.3 KiB
3.3 KiB
Skeleton: 1.1-threatmodel.mmd
⛔ This is a raw Mermaid file — NO markdown wrapper. Line 1 MUST start with
%%{init:. The init block, classDefs, and linkStyle are FIXED — never change colors/strokes. Diagram direction is ALWAYSflowchart LR— NEVERflowchart TB. ⛔ The template below is shown inside a code fence for readability only — do NOT include the fence in the output file.
%%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'primaryColor': '#ffffff', 'lineColor': '#666666' }}}%%
flowchart LR
classDef process fill:#6baed6,stroke:#2171b5,stroke-width:2px,color:#000000
classDef external fill:#fdae61,stroke:#d94701,stroke-width:2px,color:#000000
classDef datastore fill:#74c476,stroke:#238b45,stroke-width:2px,color:#000000
[CONDITIONAL: incremental mode — include BOTH lines below]
classDef newComponent fill:#d4edda,stroke:#28a745,stroke-width:3px,color:#000000
classDef removedComponent fill:#e9ecef,stroke:#6c757d,stroke-width:1px,stroke-dasharray:5,color:#6c757d
[END-CONDITIONAL]
[REPEAT: one line per external actor/interactor — outside all subgraphs]
[FILL: NodeID]["[FILL: Display Name]"]:::external
[END-REPEAT]
[REPEAT: one subgraph per trust boundary]
subgraph [FILL: BoundaryID]["[FILL: Boundary Display Name]"]
[REPEAT: processes and datastores inside this boundary]
[FILL: NodeID](("[FILL: Process Name]")):::process
[FILL: NodeID][("[FILL: DataStore Name]")]:::datastore
[END-REPEAT]
end
[END-REPEAT]
[REPEAT: one line per data flow — use <--> for bidirectional request-response]
[FILL: SourceID] <-->|"[FILL: DF##: description]"| [FILL: TargetID]
[END-REPEAT]
[REPEAT: one style line per trust boundary subgraph]
style [FILL: BoundaryID] fill:none,stroke:#e31a1c,stroke-width:3px,stroke-dasharray: 5 5
[END-REPEAT]
linkStyle default stroke:#666666,stroke-width:2px
NEVER change these fixed elements:
%%{init:themeVariables: onlybackground,primaryColor,lineColorflowchart LR— never TB- classDef colors: process=#6baed6/#2171b5, external=#fdae61/#d94701, datastore=#74c476/#238b45
- Incremental classDefs (when applicable): newComponent=#d4edda/#28a745 (light green), removedComponent=#e9ecef/#6c757d (gray dashed)
- New components MUST use
:::newComponent(NOT:::process). Removed components MUST use:::removedComponent. - Trust boundary style:
fill:none,stroke:#e31a1c,stroke-width:3px,stroke-dasharray: 5 5 - linkStyle:
stroke:#666666,stroke-width:2px
DFD shapes:
- Process:
(("Name"))(double parentheses = circle) - Data Store:
[("Name")](bracket-paren = cylinder) - External:
["Name"](brackets = rectangle) - All labels MUST be quoted in
"" - All subgraph IDs:
subgraph ID["Title"]