Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-04-12 11:15:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6dd2453ef7d7dcc4f6bfb6c5708fe73ca8322f21
awesome-copilot/skills/threat-model-analyst/references/skeletons/skeleton-dfd.md
Vijay Chegu afba5b86b8 Add threat-model-analyst skill: STRIDE-A threat modeling for repositories (#1177) 
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories

Add a comprehensive threat model analysis skill that performs security audits
using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and
defense-in-depth analysis.

Supports two modes:
- Single analysis: full STRIDE-A threat model producing architecture overviews,
  DFD diagrams, prioritized findings, and executive assessments
- Incremental analysis: security posture diff between baseline report and current
  code, producing standalone reports with embedded comparison

Includes bundled reference assets:
- Orchestrator workflows (full and incremental)
- Analysis principles and verification checklists
- Output format specifications and skeleton templates
- DFD diagram conventions and TMT element taxonomy

* Address PR review comments from Copilot reviewer

- Fix SKILL.md description: use single-quoted scalar, rename mode (2) to
  'Incremental analysis' with accurate description
- Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or
  Reports' redirect (no deprecated language for first release)
- Fix skeleton-findings.md: move Tier 1 table rows under header, add
  CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure)
- Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick
  outer fences to avoid nested fence conflicts with inner mermaid fences
- Fix skeleton-incremental-html.md: correct section count from 9 to 8
- Fix output-formats.md: change status 'open' to 'Open' in JSON example,
  move stride_category warning outside JSON fence as blockquote
- Fix incremental-orchestrator.md: replace stale compare-output-formats.md
  reference with inline color conventions
- Regenerate docs/README.skills.md with updated description

* Address second round of Copilot review comments

- Fix diagram-conventions.md: bidirectional flow notation now uses <-->
  matching orchestrator.md and DFD templates
- Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use
  SE.DF.TMCore.* prefix consistent with all other data flow IDs
- Fix output-formats.md: correct TMT category example from SQLDatabase
  to SQL matching taxonomy, fix component type from 'datastore' to
  'data_store' matching canonical enum, remove DaprSidecar from
  inbound_from per no-standalone-sidecar rule
- Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the
  template content below (excluding the outer code fence)' to prevent
  agents from wrapping output in markdown fences
- Genericize product-specific names in examples: replace edgerag with
  myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core,
  AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB

* Address third round of Copilot review comments

- Fix diagram-conventions.md: second bidirectional two-arrow pattern in
  Quick Reference section now uses <-->
- Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8
  matching skeleton-incremental-html.md 8-section structure
- Fix output-formats.md: add incremental-comparison.html to File List
  as conditional output for incremental mode
- Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind
  fields to match output-formats.md JSON schema example
2026-03-30 07:58:56 +11:00

69 lines
3.3 KiB
Markdown
Raw Blame History

# Skeleton: 1.1-threatmodel.mmd
> **⛔ This is a raw Mermaid file — NO markdown wrapper. Line 1 MUST start with `%%{init:`.**
> **The init block, classDefs, and linkStyle are FIXED — never change colors/strokes.**
> **Diagram direction is ALWAYS `flowchart LR` — NEVER `flowchart TB`.**
> **⛔ The template below is shown inside a code fence for readability only — do NOT include the fence in the output file.**
---
```
%%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'primaryColor': '#ffffff', 'lineColor': '#666666' }}}%%
flowchart LR
classDef process fill:#6baed6,stroke:#2171b5,stroke-width:2px,color:#000000
classDef external fill:#fdae61,stroke:#d94701,stroke-width:2px,color:#000000
classDef datastore fill:#74c476,stroke:#238b45,stroke-width:2px,color:#000000
[CONDITIONAL: incremental mode — include BOTH lines below]
classDef newComponent fill:#d4edda,stroke:#28a745,stroke-width:3px,color:#000000
classDef removedComponent fill:#e9ecef,stroke:#6c757d,stroke-width:1px,stroke-dasharray:5,color:#6c757d
[END-CONDITIONAL]
[REPEAT: one line per external actor/interactor — outside all subgraphs]
[FILL: NodeID]["[FILL: Display Name]"]:::external
[END-REPEAT]
[REPEAT: one subgraph per trust boundary]
subgraph [FILL: BoundaryID]["[FILL: Boundary Display Name]"]
[REPEAT: processes and datastores inside this boundary]
[FILL: NodeID](("[FILL: Process Name]")):::process
[FILL: NodeID][("[FILL: DataStore Name]")]:::datastore
[END-REPEAT]
end
[END-REPEAT]
[REPEAT: one line per data flow — use <--> for bidirectional request-response]
[FILL: SourceID] <-->|"[FILL: DF##: description]"| [FILL: TargetID]
[END-REPEAT]
[REPEAT: one style line per trust boundary subgraph]
style [FILL: BoundaryID] fill:none,stroke:#e31a1c,stroke-width:3px,stroke-dasharray: 5 5
[END-REPEAT]
linkStyle default stroke:#666666,stroke-width:2px
```
**NEVER change these fixed elements:**
- `%%{init:` themeVariables: only `background`, `primaryColor`, `lineColor`
- `flowchart LR` — never TB
- classDef colors: process=#6baed6/#2171b5, external=#fdae61/#d94701, datastore=#74c476/#238b45
- Incremental classDefs (when applicable): newComponent=#d4edda/#28a745 (light green), removedComponent=#e9ecef/#6c757d (gray dashed)
- New components MUST use `:::newComponent` (NOT `:::process`). Removed components MUST use `:::removedComponent`.
- Trust boundary style: `fill:none,stroke:#e31a1c,stroke-width:3px,stroke-dasharray: 5 5`
- linkStyle: `stroke:#666666,stroke-width:2px`
**DFD shapes:**
- Process: `(("Name"))` (double parentheses = circle)
- Data Store: `[("Name")]` (bracket-paren = cylinder)
- External: `["Name"]` (brackets = rectangle)
- All labels MUST be quoted in `""`
- All subgraph IDs: `subgraph ID["Title"]`
<!-- ⛔ POST-DFD GATE — IMMEDIATELY after creating this file:
1. Count element nodes: lines with (("...")), [("...")], ["..."] shapes
2. Count boundaries: lines with 'subgraph'
3. If elements > 15 OR boundaries > 4:
→ OPEN skeleton-summary-dfd.md and create 1.2-threatmodel-summary.mmd NOW
→ Do NOT proceed to 1-threatmodel.md until summary exists
4. If threshold NOT met → skip summary, proceed to 1-threatmodel.md
This is the most frequently skipped step. The gate is MANDATORY. -->
Reference in New Issue View Git Blame Copy Permalink