Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-04-13 03:35:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6dd2453ef7d7dcc4f6bfb6c5708fe73ca8322f21
awesome-copilot/skills/threat-model-analyst/references/skeletons/skeleton-inventory.md
Vijay Chegu afba5b86b8 Add threat-model-analyst skill: STRIDE-A threat modeling for repositories (#1177) 
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories

Add a comprehensive threat model analysis skill that performs security audits
using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and
defense-in-depth analysis.

Supports two modes:
- Single analysis: full STRIDE-A threat model producing architecture overviews,
  DFD diagrams, prioritized findings, and executive assessments
- Incremental analysis: security posture diff between baseline report and current
  code, producing standalone reports with embedded comparison

Includes bundled reference assets:
- Orchestrator workflows (full and incremental)
- Analysis principles and verification checklists
- Output format specifications and skeleton templates
- DFD diagram conventions and TMT element taxonomy

* Address PR review comments from Copilot reviewer

- Fix SKILL.md description: use single-quoted scalar, rename mode (2) to
  'Incremental analysis' with accurate description
- Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or
  Reports' redirect (no deprecated language for first release)
- Fix skeleton-findings.md: move Tier 1 table rows under header, add
  CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure)
- Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick
  outer fences to avoid nested fence conflicts with inner mermaid fences
- Fix skeleton-incremental-html.md: correct section count from 9 to 8
- Fix output-formats.md: change status 'open' to 'Open' in JSON example,
  move stride_category warning outside JSON fence as blockquote
- Fix incremental-orchestrator.md: replace stale compare-output-formats.md
  reference with inline color conventions
- Regenerate docs/README.skills.md with updated description

* Address second round of Copilot review comments

- Fix diagram-conventions.md: bidirectional flow notation now uses <-->
  matching orchestrator.md and DFD templates
- Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use
  SE.DF.TMCore.* prefix consistent with all other data flow IDs
- Fix output-formats.md: correct TMT category example from SQLDatabase
  to SQL matching taxonomy, fix component type from 'datastore' to
  'data_store' matching canonical enum, remove DaprSidecar from
  inbound_from per no-standalone-sidecar rule
- Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the
  template content below (excluding the outer code fence)' to prevent
  agents from wrapping output in markdown fences
- Genericize product-specific names in examples: replace edgerag with
  myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core,
  AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB

* Address third round of Copilot review comments

- Fix diagram-conventions.md: second bidirectional two-arrow pattern in
  Quick Reference section now uses <-->
- Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8
  matching skeleton-incremental-html.md 8-section structure
- Fix output-formats.md: add incremental-comparison.html to File List
  as conditional output for incremental mode
- Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind
  fields to match output-formats.md JSON schema example
2026-03-30 07:58:56 +11:00

140 lines
5.3 KiB
Markdown
Raw Blame History

# Skeleton: threat-inventory.json
> **⛔ Use EXACT field names shown below. Common errors: `display_name` (wrong→`display`), `category` (wrong→`stride_category`), `name` (wrong→`title`).**
> **⛔ The template below is shown inside a code fence for readability only — do NOT include the fence in the output file. The `.json` file must start with `{` on line 1.**
---
```json
{
"schema_version": "[FILL: 1.0 for standalone, 1.1 for incremental]",
"report_folder": "[FILL: threat-model-YYYYMMDD-HHmmss]",
"commit": "[FILL: short SHA]",
"commit_date": "[FILL: commit date UTC]",
"branch": "[FILL]",
"repository": "[FILL: remote URL]",
"analysis_timestamp": "[FILL: UTC timestamp]",
"model": "[FILL]",
"components": [
[REPEAT: sorted by id]
{
"id": "[FILL: PascalCase]",
"display": "[FILL: display name — NOT display_name]",
"type": "[FILL: process / external_service / data_store / external_interactor]",
"tmt_type": "[FILL: SE.P.TMCore.* / SE.EI.TMCore.* / SE.DS.TMCore.* from tmt-element-taxonomy.md]",
"boundary": "[FILL: boundary ID]",
"boundary_kind": "[FILL: MachineBoundary / NetworkBoundary / ClusterBoundary / ProcessBoundary / PrivilegeBoundary / SandboxBoundary]",
"aliases": [],
"source_files": ["[FILL: relative paths]"],
"source_directories": ["[FILL: relative dirs]"],
"fingerprint": {
"component_type": "[FILL: process / external_service / data_store / external_interactor]",
"boundary_kind": "[FILL: MachineBoundary / NetworkBoundary / ClusterBoundary / ProcessBoundary / PrivilegeBoundary / SandboxBoundary]",
"source_files": ["[FILL: relative paths]"],
"source_directories": ["[FILL: relative dirs — MUST NOT be empty for process-type]"],
"class_names": ["[FILL]"],
"namespace": "[FILL]",
"config_keys": [],
"api_routes": [],
"dependencies": [],
"inbound_from": ["[FILL: component IDs that send data TO this component]"],
"outbound_to": ["[FILL: component IDs this component sends data TO]"],
"protocols": ["[FILL: gRPC / HTTPS / SQL / etc.]"]
},
"sidecars": ["[FILL: co-located sidecar names, or empty array]"]
}
[END-REPEAT]
],
"boundaries": [
[REPEAT: sorted by id]
{
"id": "[FILL: PascalCase boundary ID]",
"display": "[FILL]",
"kind": "[FILL: MachineBoundary / NetworkBoundary / ClusterBoundary / ProcessBoundary / PrivilegeBoundary / SandboxBoundary]",
"aliases": [],
"contains": ["[FILL: component IDs]"],
"contains_fingerprint": "[FILL: sorted pipe-delimited component IDs]"
}
[END-REPEAT]
],
"flows": [
[REPEAT: sorted by id]
{
"id": "[FILL: DF_Source_to_Target]",
"from": "[FILL: component ID]",
"to": "[FILL: component ID]",
"protocol": "[FILL]",
"description": "[FILL: 1 sentence max]"
}
[END-REPEAT]
],
"threats": [
[REPEAT: sorted by id then identity_key.component_id]
{
"id": "[FILL: T##.X]",
"title": "[FILL: short title — REQUIRED]",
"description": "[FILL: 1 sentence — REQUIRED]",
"stride_category": "[FILL: S/T/R/I/D/E/A — SINGLE LETTER, NOT full word]",
"tier": [FILL: 1/2/3],
"prerequisites": "[FILL]",
"status": "[FILL: Open/Mitigated/Platform]",
"mitigation": "[FILL: 1 sentence or empty]",
"identity_key": {
"component_id": "[FILL: PascalCase — MUST be inside identity_key, NOT top-level]",
"data_flow_id": "[FILL: DF_Source_to_Target]",
"stride_category": "[FILL: S/T/R/I/D/E/A]",
"attack_surface": "[FILL: brief description of the attack surface]"
}
}
[END-REPEAT]
],
"findings": [
[REPEAT: sorted by id then identity_key.component_id]
{
"id": "[FILL: FIND-##]",
"title": "[FILL]",
"severity": "[FILL: Critical/Important/Moderate/Low]",
"cvss_score": [FILL: N.N],
"cvss_vector": "[FILL: CVSS:4.0/AV:...]",
"cwe": "[FILL: CWE-###]",
"owasp": "[FILL: A##:2025]",
"tier": [FILL: 1/2/3],
"effort": "[FILL: Low/Medium/High]",
"related_threats": ["[FILL: T##.X]"],
"evidence_files": ["[FILL: relative paths]"],
"component": "[FILL: display name]",
"identity_key": {
"component_id": "[FILL: PascalCase]",
"vulnerability": "[FILL: CWE-###]",
"attack_surface": "[FILL: file:key or endpoint]"
}
}
[END-REPEAT]
],
"metrics": {
"total_components": [FILL],
"total_boundaries": [FILL],
"total_flows": [FILL],
"total_threats": [FILL],
"total_findings": [FILL],
"threats_by_tier": { "T1": [FILL], "T2": [FILL], "T3": [FILL] },
"findings_by_tier": { "T1": [FILL], "T2": [FILL], "T3": [FILL] },
"threats_by_stride": { "S": [FILL], "T": [FILL], "R": [FILL], "I": [FILL], "D": [FILL], "E": [FILL], "A": [FILL] },
"findings_by_severity": { "Critical": [FILL], "Important": [FILL], "Moderate": [FILL], "Low": [FILL] }
}
}
```
**MANDATORY field name compliance:**
- `"display"` — NOT `"display_name"`, `"name"`
- `"stride_category"` — NOT `"category"` — SINGLE LETTER (S/T/R/I/D/E/A)
- `"title"` AND `"description"` — both required on every threat
- `identity_key.component_id` — component link INSIDE identity_key, NOT top-level
- Sort all arrays deterministically before writing
Reference in New Issue View Git Blame Copy Permalink