Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-04-12 19:25:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6dd2453ef7d7dcc4f6bfb6c5708fe73ca8322f21
awesome-copilot/skills/threat-model-analyst/references/skeletons/skeleton-incremental-html.md
Vijay Chegu afba5b86b8 Add threat-model-analyst skill: STRIDE-A threat modeling for repositories (#1177) 
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories

Add a comprehensive threat model analysis skill that performs security audits
using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and
defense-in-depth analysis.

Supports two modes:
- Single analysis: full STRIDE-A threat model producing architecture overviews,
  DFD diagrams, prioritized findings, and executive assessments
- Incremental analysis: security posture diff between baseline report and current
  code, producing standalone reports with embedded comparison

Includes bundled reference assets:
- Orchestrator workflows (full and incremental)
- Analysis principles and verification checklists
- Output format specifications and skeleton templates
- DFD diagram conventions and TMT element taxonomy

* Address PR review comments from Copilot reviewer

- Fix SKILL.md description: use single-quoted scalar, rename mode (2) to
  'Incremental analysis' with accurate description
- Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or
  Reports' redirect (no deprecated language for first release)
- Fix skeleton-findings.md: move Tier 1 table rows under header, add
  CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure)
- Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick
  outer fences to avoid nested fence conflicts with inner mermaid fences
- Fix skeleton-incremental-html.md: correct section count from 9 to 8
- Fix output-formats.md: change status 'open' to 'Open' in JSON example,
  move stride_category warning outside JSON fence as blockquote
- Fix incremental-orchestrator.md: replace stale compare-output-formats.md
  reference with inline color conventions
- Regenerate docs/README.skills.md with updated description

* Address second round of Copilot review comments

- Fix diagram-conventions.md: bidirectional flow notation now uses <-->
  matching orchestrator.md and DFD templates
- Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use
  SE.DF.TMCore.* prefix consistent with all other data flow IDs
- Fix output-formats.md: correct TMT category example from SQLDatabase
  to SQL matching taxonomy, fix component type from 'datastore' to
  'data_store' matching canonical enum, remove DaprSidecar from
  inbound_from per no-standalone-sidecar rule
- Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the
  template content below (excluding the outer code fence)' to prevent
  agents from wrapping output in markdown fences
- Genericize product-specific names in examples: replace edgerag with
  myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core,
  AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB

* Address third round of Copilot review comments

- Fix diagram-conventions.md: second bidirectional two-arrow pattern in
  Quick Reference section now uses <-->
- Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8
  matching skeleton-incremental-html.md 8-section structure
- Fix output-formats.md: add incremental-comparison.html to File List
  as conditional output for incremental mode
- Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind
  fields to match output-formats.md JSON schema example
2026-03-30 07:58:56 +11:00

151 lines
5.3 KiB
Markdown
Raw Blame History

# Skeleton: incremental-comparison.html
> **⛔ Self-contained HTML — ALL CSS inline. No CDN links. Follow this exact 8-section structure.**
---
The HTML report has exactly 8 sections in this order. Each section MUST be present.
## Section 1: Header + Comparison Cards
```html
<div class="header">
<div class="report-badge">INCREMENTAL THREAT MODEL COMPARISON</div>
<h1>[FILL: repo name]</h1>
</div>
<div class="comparison-cards">
<div class="compare-card baseline">
<div class="card-label">BASELINE</div>
<div class="card-hash">[FILL: baseline SHA]</div>
<div class="card-date">[FILL: baseline commit date from git log]</div>
<div class="risk-badge [FILL: old-class]">[FILL: old rating]</div>
</div>
<div class="compare-arrow"></div>
<div class="compare-card target">
<div class="card-label">TARGET</div>
<div class="card-hash">[FILL: target SHA]</div>
<div class="card-date">[FILL: target commit date from git log]</div>
<div class="risk-badge [FILL: new-class]">[FILL: new rating]</div>
</div>
<div class="compare-card trend">
<div class="card-label">TREND</div>
<div class="trend-direction [FILL: color]">[FILL: Improving / Worsening / Stable]</div>
<div class="trend-duration">[FILL: N months]</div>
</div>
</div>
```
<!-- SKELETON INSTRUCTION: Section 2 (Risk Shift) is merged into Section 1 above. The old separate risk-shift div is removed. The comparison-cards div replaces both the old subtitle + risk-shift + time-between box. -->
## Section 2: Metrics Bar (5 boxes)
```html
<div class="metrics-bar">
[FILL: Components: old → new (±N)]
[FILL: Trust Boundaries: old → new (±N)]
[FILL: Threats: old → new (±N)]
[FILL: Findings: old → new (±N)]
[FILL: Code Changes: N commits, M PRs — use git rev-list --count and git log --oneline --merges --grep="Merged PR"]
</div>
```
**MUST include Trust Boundaries as one of the 5 metrics. 5th box is Code Changes (NOT Time Between).**
## Section 3: Status Summary Cards (colored)
```html
<div class="status-cards">
<!-- Green card --> Fixed: [FILL: count] [FILL: 1-sentence summary, NO IDs]
<!-- Red card --> New: [FILL: count] [FILL: 1-sentence summary, NO IDs]
<!-- Amber card --> Previously Unidentified: [FILL: count] [FILL: 1-sentence summary, NO IDs]
<!-- Gray card --> Still Present: [FILL: count] [FILL: 1-sentence summary, NO IDs]
</div>
```
<!-- SKELETON INSTRUCTION: Status cards show COUNT + a short human-readable sentence ONLY.
DO NOT include threat IDs (T06.S, T02.E), finding IDs (FIND-14), or component names.
Good: "1 credential handling vulnerability remediated"
Good: "4 new components with 21 new threats identified"
Good: "No new threats or findings introduced"
Bad: "T06.S: DefaultAzureCredential → ManagedIdentityCredential"
Bad: "ConfigurationOrchestrator — 5 threats (T16.*), LLMService — 6 threats (T17.*)"
The detailed item-by-item breakdown with IDs belongs in Section 5 (Threat/Finding Status Breakdown). -->
**Status info appears ONLY here — NOT also in the metrics bar.**
## Section 4: Component Status Grid
```html
<table class="component-grid">
<tr><th>Component</th><th>Type</th><th>Status</th><th>Source Files</th></tr>
[REPEAT: one row per component with color-coded status badge]
<tr><td>[FILL]</td><td>[FILL]</td><td><span class="badge-[FILL: status]">[FILL]</span></td><td>[FILL]</td></tr>
[END-REPEAT]
</table>
```
## Section 5: Threat/Finding Status Breakdown
```html
<div class="status-breakdown">
[FILL: Grouped by status — Fixed items, New items, etc.]
[REPEAT: Each item: ID | Title | Component | Status]
[END-REPEAT]
</div>
```
## Section 6: STRIDE Heatmap with Deltas
```html
<table class="stride-heatmap">
<thead>
<tr>
<th>Component</th>
<th>S</th><th>T</th><th>R</th><th>I</th><th>D</th><th>E</th><th>A</th>
<th>Total</th>
<th class="divider"></th>
<th>T1</th><th>T2</th><th>T3</th>
</tr>
</thead>
<tbody>
[REPEAT: one row per component]
<tr>
<td>[FILL: component]</td>
<td>[FILL: S value] [FILL: delta indicator ▲/▼]</td>
... [same for T, R, I, D, E, A, Total] ...
<td class="divider"></td>
<td>[FILL: T1]</td><td>[FILL: T2]</td><td>[FILL: T3]</td>
</tr>
[END-REPEAT]
</tbody>
</table>
```
**MUST have 13 columns: Component + S + T + R + I + D + E + A + Total + divider + T1 + T2 + T3**
## Section 7: Needs Verification
```html
<div class="needs-verification">
[REPEAT: items where analysis disagrees with old report]
[FILL: item description]
[END-REPEAT]
</div>
```
## Section 8: Footer
```html
<div class="footer">
Model: [FILL] | Duration: [FILL]
Baseline: [FILL: folder] at [FILL: SHA]
Generated: [FILL: timestamp]
</div>
```
---
**Fixed CSS variables (use in `<style>` block):**
```css
--red: #dc3545; /* new vulnerability */
--green: #28a745; /* fixed/improved */
--amber: #fd7e14; /* previously unidentified */
--gray: #6c757d; /* still present */
--accent: #2171b5; /* modified/info */
```
**Fixed rules:**
- ALL CSS in inline `<style>` block — no external stylesheets
- Include `@media print` styles
- Heatmap MUST have T1/T2/T3 columns after divider
- Metrics bar MUST include Trust Boundaries
- Status data in cards ONLY — not duplicated in metrics bar
- HTML threat/finding totals MUST match markdown STRIDE summary totals
Reference in New Issue View Git Blame Copy Permalink