mirror of
https://github.com/github/awesome-copilot.git
synced 2026-04-12 11:15:56 +00:00
afba5b86b8
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories Add a comprehensive threat model analysis skill that performs security audits using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and defense-in-depth analysis. Supports two modes: - Single analysis: full STRIDE-A threat model producing architecture overviews, DFD diagrams, prioritized findings, and executive assessments - Incremental analysis: security posture diff between baseline report and current code, producing standalone reports with embedded comparison Includes bundled reference assets: - Orchestrator workflows (full and incremental) - Analysis principles and verification checklists - Output format specifications and skeleton templates - DFD diagram conventions and TMT element taxonomy * Address PR review comments from Copilot reviewer - Fix SKILL.md description: use single-quoted scalar, rename mode (2) to 'Incremental analysis' with accurate description - Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or Reports' redirect (no deprecated language for first release) - Fix skeleton-findings.md: move Tier 1 table rows under header, add CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure) - Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick outer fences to avoid nested fence conflicts with inner mermaid fences - Fix skeleton-incremental-html.md: correct section count from 9 to 8 - Fix output-formats.md: change status 'open' to 'Open' in JSON example, move stride_category warning outside JSON fence as blockquote - Fix incremental-orchestrator.md: replace stale compare-output-formats.md reference with inline color conventions - Regenerate docs/README.skills.md with updated description * Address second round of Copilot review comments - Fix diagram-conventions.md: bidirectional flow notation now uses <--> matching orchestrator.md and DFD templates - Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use SE.DF.TMCore.* prefix consistent with all other data flow IDs - Fix output-formats.md: correct TMT category example from SQLDatabase to SQL matching taxonomy, fix component type from 'datastore' to 'data_store' matching canonical enum, remove DaprSidecar from inbound_from per no-standalone-sidecar rule - Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the template content below (excluding the outer code fence)' to prevent agents from wrapping output in markdown fences - Genericize product-specific names in examples: replace edgerag with myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core, AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB * Address third round of Copilot review comments - Fix diagram-conventions.md: second bidirectional two-arrow pattern in Quick Reference section now uses <--> - Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8 matching skeleton-incremental-html.md 8-section structure - Fix output-formats.md: add incremental-comparison.html to File List as conditional output for incremental mode - Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind fields to match output-formats.md JSON schema example
2.8 KiB
2.8 KiB
Skeleton: 1.2-threatmodel-summary.mmd
⛔ ALWAYS evaluate this skeleton after creating
1.1-threatmodel.mmd. Count elements (nodes with(("...")),[("...")],["..."]) and boundaries (subgraph) in the detailed DFD.
- If elements > 15 OR boundaries > 4 → this file is REQUIRED. Fill the template below.
- If elements ≤ 15 AND boundaries ≤ 4 → SKIP this file. Proceed to
1-threatmodel.md. ⛔ This is a raw Mermaid file. The template below is shown inside a code fence for readability only — do NOT include the fence in the output file. The.mmdfile must start with%%{init:on line 1.
%%{init: {'theme': 'base', 'themeVariables': { 'background': '#ffffff', 'primaryColor': '#ffffff', 'lineColor': '#666666' }}}%%
flowchart LR
classDef process fill:#6baed6,stroke:#2171b5,stroke-width:2px,color:#000000
classDef external fill:#fdae61,stroke:#d94701,stroke-width:2px,color:#000000
classDef datastore fill:#74c476,stroke:#238b45,stroke-width:2px,color:#000000
[FILL: External actors — keep all, do not aggregate]
[FILL: ExternalActor]["[FILL: Name]"]:::external
[REPEAT: one subgraph per trust boundary — ALL boundaries MUST be preserved]
subgraph [FILL: BoundaryID]["[FILL: Boundary Name]"]
[FILL: Aggregated and individual nodes]
end
[END-REPEAT]
[REPEAT: summary data flows using SDF prefix]
[FILL: Source] <-->|"[FILL: SDF##: description]"| [FILL: Target]
[END-REPEAT]
[REPEAT: boundary styles]
style [FILL: BoundaryID] fill:none,stroke:#e31a1c,stroke-width:3px,stroke-dasharray: 5 5
[END-REPEAT]
linkStyle default stroke:#666666,stroke-width:2px
Aggregation Rules
Reference: diagram-conventions.md → Summary Diagram Rules for full details.
- ALL trust boundaries MUST be preserved — never combine or omit boundaries.
- Keep individually: entry points, core flow components, security-critical services, primary data stores, all external actors.
- Aggregate only: supporting infrastructure, secondary caches, multiple externals at same trust level.
- Aggregated element labels MUST list contents:
DataLayer[("Data Layer<br/>(UserDB, OrderDB, Redis)")] SupportServices(("Supporting<br/>(Logging, Monitoring)")) - Flow IDs: Use
SDFprefix:SDF01,SDF02, ...
Required in 1-threatmodel.md
When this file is generated, 1-threatmodel.md MUST include:
- A
## Summary Viewsection with this diagram in a```mermaidfence - A
## Summary to Detailed Mappingtable:
| Summary Element | Contains | Summary Flows | Maps to Detailed Flows |
|----------------|----------|---------------|------------------------|
| [FILL] | [FILL: list of detailed elements] | [FILL: SDF##] | [FILL: DF## list] |