threat-modeling

分类: 测试与安全 | 上传者: fr33d3m0n | 下载: 0 | 版本: v1.0（最新）

Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans.

更新日志: Source: GitHub https://github.com/fr33d3m0n/threat-modeling

目录结构

当前层级: 根目录

📁 assets/
- 📁 contracts/
  - 📄 data-model.yaml 77.9 KB
📁 docs/
- 📄 ARCHITECTURE-WORKFLOW-GUIDE-cn.md 87.2 KB
- 📄 ARCHITECTURE-WORKFLOW-GUIDE.md 87.2 KB
- 📄 KNOWLEDGE-ARCHITECTURE-v5.2-cn.md 61.4 KB
- 📄 KNOWLEDGE-ARCHITECTURE-v5.2.md 61.8 KB
- 📄 REPORT-DESIGN.md 9.1 KB
- 📄 SKILL-ARCHITECTURE-DESIGN-cn.md 95.4 KB
- 📄 SKILL-ARCHITECTURE-DESIGN.md 105.4 KB
- 📄 Skillset-threat-modeling-tour-cn-v5.md 92.3 KB
- 📄 Skillset-threat-modeling-tour-v5.md 101.9 KB
📁 hooks/
- 📄 hooks.json 371 B
- 📄 phase_end_hook.sh 11.2 KB
- 📄 README.md 4.3 KB
- 📄 settings-example.json 1000 B
📁 knowledge/
- 📁 phase2/
  - 📄 completeness-rules.yaml 26.1 KB
  - 📄 data-store-patterns.yaml 19.8 KB
  - 📄 framework-routing-patterns.yaml 40.6 KB
  - 📄 security-checkpoint-patterns.yaml 29.6 KB
- 📁 security-controls/
  - 📁 references/
    
    📄 reference-set-01-authentication.md 36.1 KB
    
    📄 reference-set-01-cookie-theft-mitigation.md 7.3 KB
    
    📄 reference-set-01-credential-stuffing-prevention.md 17.3 KB
    
    📄 reference-set-01-forgot-password.md 9.5 KB
    
    📄 reference-set-01-jaas.md 7.9 KB
    
    📄 reference-set-01-jwt-java.md 27.5 KB
    
    📄 reference-set-01-multifactor-authentication.md 31.2 KB
    
    📄 reference-set-01-password-storage.md 18.4 KB
    
    📄 reference-set-01-saml-security.md 28.8 KB
    
    📄 reference-set-01-security-questions.md 12.0 KB
    
    📄 reference-set-01-session-management.md 51.0 KB
    
    📄 reference-set-02-access-control.md 307 B
    
    📄 reference-set-02-authorization.md 31.6 KB
    
    📄 reference-set-02-idor-prevention.md 3.4 KB
    
    📄 reference-set-02-transaction-authorization.md 18.0 KB
    
    📄 reference-set-03-bean-validation.md 12.8 KB
    
    📄 reference-set-03-deserialization.md 23.0 KB
    
    📄 reference-set-03-file-upload.md 11.8 KB
    
    📄 reference-set-03-injection-prevention-java.md 310 B
    
    📄 reference-set-03-injection-prevention.md 20.3 KB
    
    📄 reference-set-03-input-validation.md 18.9 KB
    
    📄 reference-set-03-ldap-injection-prevention.md 9.4 KB
    
    📄 reference-set-03-mass-assignment.md 7.7 KB
    
    📄 reference-set-03-os-command-injection-defense.md 11.5 KB
    
    📄 reference-set-03-query-parameterization.md 7.9 KB
    
    📄 reference-set-03-sql-injection-prevention.md 19.0 KB
    
    📄 reference-set-03-ssrf-prevention.md 25.9 KB
    
    📄 reference-set-03-unvalidated-redirects.md 8.0 KB
    
    📄 reference-set-05-clickjacking-defense.md 15.1 KB
    
    📄 reference-set-05-csp.md 18.6 KB
    
    📄 reference-set-05-csrf-prevention.md 68.2 KB
    
    📄 reference-set-05-css-security.md 6.3 KB
    
    📄 reference-set-05-dom-clobbering-prevention.md 13.0 KB
    
    📄 reference-set-05-dom-xss-prevention.md 28.5 KB
    
    📄 reference-set-05-hsts.md 4.0 KB
    
    📄 reference-set-05-html5-security.md 14.2 KB
    
    📄 reference-set-05-http-headers.md 19.4 KB
    
    📄 reference-set-05-prototype-pollution-prevention.md 2.3 KB
    
    📄 reference-set-05-third-party-javascript.md 23.6 KB
    
    📄 reference-set-05-xss-filter-evasion.md 45.4 KB
    
    📄 reference-set-05-xss-prevention.md 27.1 KB
    
    📄 reference-set-06-certificate-pinning.md 15.9 KB
    
    📄 reference-set-06-cryptographic-storage.md 19.6 KB
    
    📄 reference-set-06-key-management.md 22.9 KB
    
    📄 reference-set-06-tls-cipher-string.md 338 B
    
    📄 reference-set-06-tls.md 22.2 KB
    
    📄 reference-set-06-transport-layer-protection.md 356 B
    
    📄 reference-set-07-logging-vocabulary.md 31.3 KB
    
    📄 reference-set-07-logging.md 27.8 KB
    
    📄 reference-set-08-error-handling.md 17.8 KB
    
    📄 reference-set-08-xs-leaks.md 16.9 KB
    
    📄 reference-set-09-ajax-security.md 8.5 KB
    
    📄 reference-set-09-dos-prevention.md 14.4 KB
    
    📄 reference-set-09-graphql.md 27.8 KB
    
    📄 reference-set-09-microservices-security.md 21.8 KB
    
    📄 reference-set-09-rest-assessment.md 6.2 KB
    
    📄 reference-set-09-rest-security.md 22.8 KB
    
    📄 reference-set-09-web-service-security.md 9.5 KB
    
    📄 reference-set-10-database-security.md 9.0 KB
    
    📄 reference-set-10-secrets-management.md 63.3 KB
    
    📄 reference-set-10-user-privacy.md 10.9 KB
    
    📄 reference-set-ext-11-docker-security.md 22.2 KB
    
    📄 reference-set-ext-11-iac-security.md 7.8 KB
    
    📄 reference-set-ext-11-kubernetes-security.md 67.3 KB
    
    📄 reference-set-ext-11-nodejs-docker.md 30.3 KB
    
    📄 reference-set-ext-12-cicd-security.md 26.2 KB
    
    📄 reference-set-ext-12-dependency-management.md 16.5 KB
    
    📄 reference-set-ext-12-npm-security.md 21.5 KB
    
    📄 reference-set-ext-12-supply-chain-security.md 21.1 KB
    
    📄 reference-set-ext-13-ai-agent-security.md 25.1 KB
    
    📄 reference-set-ext-14-automotive-security.md 4.3 KB
    
    📄 reference-set-ext-14-mobile-security.md 16.4 KB
    
    📄 reference-set-ext-15-cloud-architecture.md 29.4 KB
    
    📄 reference-set-ext-16-agentic-security.md 33.0 KB
  - 📄 control-set-01-authentication.md 10.4 KB
  - 📄 control-set-02-authorization.md 3.7 KB
  - 📄 control-set-03-input-validation.md 4.9 KB
  - 📄 control-set-04-output-encoding.md 7.9 KB
  - 📄 control-set-05-client-side.md 5.7 KB
  - 📄 control-set-06-cryptography.md 4.0 KB
  - 📄 control-set-07-logging.md 2.4 KB
  - 📄 control-set-08-error-handling.md 7.4 KB
  - 📄 control-set-09-api-security.md 4.4 KB
  - 📄 control-set-10-data-protection.md 3.9 KB
  - 📄 control-set-ext-01_02-auth-patterns.md 7.0 KB
  - 📄 control-set-ext-10-hardcoded-credentials.md 1.8 KB
  - 📄 control-set-ext-11-infrastructure.md 2.3 KB
  - 📄 control-set-ext-12-supply-chain.md 2.2 KB
  - 📄 control-set-ext-13-ai-llm.md 2.0 KB
  - 📄 control-set-ext-14-mobile.md 2.1 KB
  - 📄 control-set-ext-15-cloud.md 2.1 KB
  - 📄 control-set-ext-16-agentic.md 19.2 KB
- 📄 agentic-threats.yaml 69.0 KB
- 📄 capec-mappings.yaml 293.6 KB
- 📄 cloud-services.yaml 19.7 KB
- 📄 compliance-mappings.yaml 25.6 KB
- 📄 comprehensive-mappings.yaml 55.8 KB
- 📄 cwe-mappings.yaml 92.1 KB
- 📄 llm-threats.yaml 66.6 KB
- 📄 owasp_cwe_mapping.json 5.3 KB
- 📄 sast-rules.yaml 8.0 KB
- 📄 secure-coding-rules.yaml 1.5 KB
- 📄 security-design.yaml 18.2 KB
- 📄 security-principles.yaml 2.1 KB
- 📄 security_kb.sqlite 8.0 MB
- 📄 stride-controls-mapping.yaml 8.1 KB
- 📄 stride-library.yaml 5.2 KB
- 📄 stride_cwe_mapping.json 49.3 KB
- 📄 verification-mappings.yaml 25.0 KB
📁 phases/
- 📄 P1-PROJECT-UNDERSTANDING.md 33.2 KB
- 📄 P2-DFD-ANALYSIS.md 44.2 KB
- 📄 P3-TRUST-BOUNDARY.md 21.1 KB
- 📄 P4-SECURITY-DESIGN-REVIEW.md 38.2 KB
- 📄 P5-STRIDE-ANALYSIS.md 35.3 KB
- 📄 P6-RISK-VALIDATION.md 41.0 KB
- 📄 P7-MITIGATION-PLANNING.md 22.1 KB
- 📄 P8-REPORT-GENERATION.md 30.1 KB
- 📄 P8R-DETAILED-REPORT.md 17.4 KB
📁 scripts/
- 📄 module_discovery.py 68.1 KB
- 📄 phase_data.py 278.1 KB
- 📄 report_generator.py 24.1 KB
- 📄 stride_matrix.py 10.1 KB
- 📄 unified_kb_query.py 114.2 KB
📄 CHANGELOG.md 8.8 KB
📄 kb 452 B
📄 LICENSE 1.5 KB
📄 README-cn.md 11.9 KB
📄 README.md 13.0 KB
📄 SKILL.md 21.4 KB
📄 skill_path.sh 1.2 KB
📄 VERSION 18 B
📄 WORKFLOW.md 14.8 KB

SKILL.md

---
name: threat-modeling
description: |
  Threat model, security audit, find vulnerabilities, check security of my app, risk
  assessment, penetration test prep, analyze attack surface, what could an attacker exploit.

  Use this skill whenever a user wants holistic security analysis of a codebase, application,
  or project. MUST be invoked instead of analyzing security yourself — it runs a specialized
  8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk
  assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation
  plans, and pentest plans.

  Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估.
  NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS),
  writing tests, CI/CD setup, or debugging errors.
---

<!-- Threat Modeling Skill | Version 3.1.0 (20260313a) | https://github.com/fr33d3m0n/threat-modeling | License: BSD-3-Clause -->

> **Note**: All relative paths in this skill are relative to `SKILL_PATH` (the directory containing this SKILL.md file).

# Threat Modeling Skill v3.1.0 (20260313a)

AI-native automated software risk analysis skill. LLM-driven, Code-First approach for comprehensive security risk assessment, threat modeling, security testing, penetration testing, and compliance checking.

## Version Banner

```
━━━ 🛡️ Threat Modeling Skill v3.1.0 (20260313a) ━━━
```

## Command Line Flags

| Flag | Description | Default |
|------|-------------|---------|
| `--debug` | Publish internal YAML data files, KB queries, coverage validation, and evaluation report | OFF |
| `--lang=xx` | Set output language (en, zh, ja, ko, es, fr, de, pt, ru) | Auto-detect |
| `--detailed` | Auto-trigger P8R (detailed per-VR analysis reports) after P8 completes | OFF |

**Usage Examples**:
```bash
# Default mode - 11 deliverable files only
/threat-model @my-project

# Debug mode - all internal files published
/threat-model @my-project --debug

# Chinese output with debug
/threat-model @my-project --lang=zh --debug

# Generate detailed per-VR analysis reports after P8
/threat-model @my-project --detailed

# Full options
/threat-model @my-project --detailed --debug --lang=zh
```

---

## ⚠️ CRITICAL: Data vs Report Separation

> **PRINCIPLE**: Markdown is for reports (human-readable), YAML is for data (machine-readable). They MUST be separated!

```
┌─────────────────────────────────────────────────────────────────────┐
│  DUAL OUTPUT MODEL - Each phase produces TWO files:                 │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  1. DATA FILE (.yaml) - PRIMARY                                     │
│     • Written FIRST                                                  │
│     • Structured, machine-readable                                   │
│     • Used by NEXT phase as input                                    │
│     • Path: .phase_working/{SESSION_ID}/data/P{N}_*.yaml            │
│                                                                      │
│  2. REPORT FILE (.md) - SECONDARY                                   │
│     • Written AFTER data file                                        │
│     • Human-readable, formatted                                      │
│     • For review and documentation                                   │
│     • Path: .phase_working/{SESSION_ID}/reports/P{N}-*.md           │
│                                                                      │
│  ❌ FORBIDDEN: Reading .md files for data extraction                │
│  ❌ FORBIDDEN: Embedding data as yaml blocks inside .md AS SOURCE   │
│  ✅ ALLOWED: YAML blocks in .md for schema documentation/examples   │
│  ✅ REQUIRED: Data flows via .yaml files only                       │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘
```

---

## §1 Execution Model

**Mode**: Full Assessment Only - All 8 phases executed sequentially.

```
Phase 1 ──► Phase 2 ──► Phase 3 ──► Phase 4 ──► Phase 5 ──► Phase 6 ──► Phase 7 ──► Phase 8
   │            │            │            │            │            │            │
   ▼            ▼            ▼            ▼            ▼            ▼            ▼
P1.yaml ──► P2.yaml ──► P3.yaml ──► P4.yaml ──► P5.yaml ──► P6.yaml ──► P7.yaml ──► P8.yaml
```

**Rules**:
1. Phases execute strictly in order (1→8)
2. Each phase reads previous phase's YAML, writes its own YAML
3. Each phase also writes a human-readable .md report
4. Validation runs on YAML files, not .md files
5. Phase 6 = Risk Validation (NOT mitigation)
6. Phase 7 = Mitigation Planning (AFTER validation)

**Phase Gate Protocol**:
```
FOR each phase N in [1..8]:
    1. Read: @phases/P{N}-*.md (instructions)
    2. Read: .phase_working/{SESSION_ID}/data/P{N-1}_*.yaml (input, except P1)
    3. Execute analysis per phase instructions
    4. Write: .phase_working/{SESSION_ID}/data/P{N}_*.yaml (PRIMARY output)
    5. Write: .phase_working/{SESSION_ID}/reports/P{N}-*.md (SECONDARY output)
    6. Hook validates YAML file
    7. IF exit != 0: Fix YAML and rewrite
    8. IF exit == 0: Update session meta, continue to N+1
```

---

## §2 Output Convention

### Output Modes

```
┌─────────────────────────────────────────────────────────────────────┐
│  OUTPUT MODES - Control what files are generated                    │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  DEFAULT MODE (Production)                                          │
│  ─────────────────────────────────────────────────────────────────  │
│  Only user-deliverable files are published:                         │
│  ✅ 4 Required Reports (RISK-ASSESSMENT, INVENTORY, MITIGATION,    │
│                         PENETRATION-TEST-PLAN)                      │
│  ✅ 7 Phase Reports (P1-P7-*.md) for audit trail                    │
│  ❌ .phase_working/ - NOT published (kept internally)               │
│  ❌ YAML data files - NOT published                                 │
│  ❌ EVALUATION-REPORT.md - NOT published                            │
│                                                                      │
│  DEBUG MODE (--debug flag)                                          │
│  ─────────────────────────────────────────────────────────────────  │
│  All files are published including internal data:                   │
│  ✅ All default mode outputs                                        │
│  ✅ .phase_working/{SESSION_ID}/data/*.yaml - Published             │
│  ✅ P5_knowledge_base_queries.yaml - Published                      │
│  ✅ P8_coverage_validation.yaml - Published                         │
│  ✅ EVALUATION-REPORT.md - Published                                │
│                                                                      │
│  Usage: /threat-model @project --debug                              │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘
```

### Directory Structure

**Default Mode** (11 files published):
```
{PROJECT_ROOT}/
└── Risk_Assessment_Report/
    ├── {PROJECT}-RISK-ASSESSMENT-REPORT.md    ← Required (P8)
    ├── {PROJECT}-RISK-INVENTORY.md            ← Required (P6)
    ├── {PROJECT}-MITIGATION-MEASURES.md       ← Required (P7)
    ├── {PROJECT}-PENETRATION-TEST-PLAN.md     ← Required (P6)
    ├── P1-PROJECT-UNDERSTANDING.md            ← Phase reports
    ├── P2-DFD-ANALYSIS.md
    ├── P3-TRUST-BOUNDARY.md
    ├── P4-SECURITY-DESIGN-REVIEW.md
    ├── P5-STRIDE-THREATS.md
    ├── P6-RISK-VALIDATION.md
    ├── P7-MITIGATION-PLAN.md
    ├── detailed/                              ← P8R only (--detailed flag)
    │   ├── VR-001-{title-slug}.md
    │   └── ...
    └── html/                                  ← HTML output (report_generator.py)
        ├── index.html
        ├── {PROJECT}-RISK-ASSESSMENT-REPORT.html
        ├── ...
        └── detailed/
            └── VR-001-{slug}.html
```

**Debug Mode** (--debug, full structure):
```
{PROJECT_ROOT}/
└── Risk_Assessment_Report/
    ├── {PROJECT}-RISK-ASSESSMENT-REPORT.md    ← Main report (from P8)
    ├── {PROJECT}-RISK-INVENTORY.md            ← From P6 YAML
    ├── {PROJECT}-MITIGATION-MEASURES.md       ← From P7 YAML
    ├── {PROJECT}-PENETRATION-TEST-PLAN.md     ← From P6 YAML
    ├── {PROJECT}-ARCHITECTURE-ANALYSIS.md     ← From P1-P3 YAML
    ├── {PROJECT}-DFD-DIAGRAM.md               ← From P2 YAML
    ├── {PROJECT}-COMPLIANCE-REPORT.md         ← From P4+P7 YAML
    ├── {PROJECT}-ATTACK-PATH-VALIDATION.md    ← From P6 YAML
    ├── P1-PROJECT-UNDERSTANDING.md            ← Published phase reports
    ├── P2-DFD-ANALYSIS.md
    ├── P3-TRUST-BOUNDARY.md
    ├── P4-SECURITY-DESIGN-REVIEW.md
    ├── P5-STRIDE-THREATS.md
    ├── P6-RISK-VALIDATION.md
    ├── EVALUATION-REPORT.md                   ← DEBUG ONLY
    └── .phase_working/                        ← DEBUG ONLY
        ├── _sessions_index.yaml               ← Multi-session index (optional)
        └── {SESSION_ID}/                      ← Session isolated directory
            ├── _session_meta.yaml             ← Session state
            ├── data/                          ← STRUCTURED DATA
            │   ├── P1_project_context.yaml
            │   ├── P2_dfd_elements.yaml
            │   ├── P3_boundary_context.yaml
            │   ├── P4_security_gaps.yaml
            │   ├── P5_threat_inventory.yaml
            │   ├── P5_knowledge_base_queries.yaml  ← KB transparency
            │   ├── P6_validated_risks.yaml
            │   ├── P7_mitigation_plan.yaml
            │   ├── P8_report_manifest.yaml
            │   └── P8_coverage_validation.yaml     ← Coverage metrics
            ├── reports/                       ← WORKING REPORTS
            │   └── (phase reports during execution)
            └── data/P8R_manifest.yaml         ← P8R manifest (--detailed only)
```

### Naming Convention

- **PROJECT**: Uppercase, max 30 chars, format: `^[A-Z][A-Z0-9-]{0,29}$`
- **Example**: `OPEN-WEBUI`, `MY-PROJECT`, `STRIDE-DEMO`

### Session ID Format

- **SESSION_ID**: `{PROJECT_NAME}_{YYYYMMDD_HHMMSS}`
- **Example**: `OPEN-WEBUI_20260130_143022`

### Session Metadata

```yaml
# .phase_working/{SESSION_ID}/_session_meta.yaml
schema_version: "3.1.0 (20260313a)"
session_id: "OPEN-WEBUI_20260130_143022"  # {PROJECT}_{YYYYMMDD_HHMMSS}
project_name: "OPEN-WEBUI"
project_path: "/path/to/project"
started_at: "ISO8601 timestamp"
language: "en"
skill_version: "3.1.0 (20260313a)"

phases:
  P1:
    status: "completed"
    started_at: "2026-01-30T10:00:00Z"
    completed_at: "2026-01-30T10:30:00Z"
    data_file: "data/P1_project_context.yaml"
    report_file: "reports/P1-PROJECT-UNDERSTANDING.md"
  P2:
    status: "in_progress"
    # ...
```

---

## §3 Core Data Model

> See @assets/contracts/data-model.yaml for complete schema definitions.

### Entity Types

| Entity | ID Format | Phase | Description |
|--------|-----------|-------|-------------|
| Module | M-{Seq:03d} | P1 | Code modules/components |
| Finding | F-P{N}-{Seq:03d} | P1-P3 | Security observations (factual) |
| Gap | GAP-{Seq:03d} | P4 | Security control deficiencies |
| Threat | T-{STRIDE}-{Element}-{Seq} | P5 | STRIDE threats |
| ValidatedRisk | VR-{Seq:03d} | P6 | Verified risks |
| Mitigation | MIT-{Seq:03d} | P7 | Remediation measures |
| POC | POC-{Seq:03d} | P6 | Proof of concept |
| AttackPath | AP-{Seq:03d} | P6 | Attack vectors (single path) |
| AttackChain | AC-{Seq:03d} | P6 | Multi-step attack sequences |
| TestCase | TC-{Seq:03d} | P8 | Penetration test cases |
| DetailedRiskRpt | (uses VR-{Seq:03d}) | P8R | Per-VR analysis report |

### Finding vs Gap Semantic Boundary

- **Finding (F-P{N}-xxx)**: A factual **observation** from phases 1-3 that MAY have security implications. Findings are objective facts about architecture, data flows, or boundaries. Example: "API endpoint uses HTTP instead of HTTPS"

- **Gap (GAP-xxx)**: A **security control deficiency** identified in P4 after analyzing findings against security domains. Gaps represent missing or inadequate controls. Example: "Missing TLS enforcement (NETWORK domain)"

**Transition Rule**: Findings from P1-P3 feed into P4 analysis. P4 evaluates findings against 16 security domains and produces Gaps where controls are deficient.

### DFD Element IDs

| Element Type | Prefix | Format | Example |
|--------------|--------|--------|---------|
| External Interactor | EI | EI-{NNN} | EI-001 |
| Process | P | P-{NNN} | P-001 |
| Data Store | DS | DS-{NNN} | DS-001 |
| Data Flow | DF | DF-{NNN} | DF-001 |
| Trust Boundary | TB | TB-{NNN} | TB-001 |

### Count Conservation (P5→P6 Threat Accounting)

```
P5.threat_count = P6.verified + P6.theoretical + P6.pending + P6.excluded
```

All threats from P5 must be accounted for in P6 (no threat loss).

**Semantic Distinction**:
- **Count Conservation**: P5→P6 threat accounting (threats flow from P5 to P6 dispositions)
- **Element Coverage Verification**: P2→P5 element coverage (every DFD element has STRIDE analysis)

---

## §4 Security Knowledge Architecture

> See @knowledge/ for complete reference materials (~11 MB, 113 files).

### Three Knowledge Sets

1. **Security Control Set** (What to do)
   - 16 Security Domains (AUTHN, AUTHZ, INPUT, etc.)
   - Control Sets (18 files, 107 controls)
   - OWASP References (74 items)
   - Compliance Frameworks (14 frameworks)

2. **Threat Pattern Set** (What to know)
   - CWE Weaknesses (974)
   - CAPEC Attack Patterns (615)
   - ATT&CK Techniques (835)
   - CVE/KEV Vulnerabilities (323K+)

3. **Verification Set** (How to test)
   - WSTG Tests (121)
   - MASTG Tests (206)
   - ASVS Requirements (345)

### Security Principles (11)

| Code | Principle | Definition |
|------|-----------|------------|
| DID | Defense in Depth | Multiple independent security controls |
| LP | Least Privilege | Minimum permissions required |
| ZT | Zero Trust | Never trust, always verify |
| FS | Fail Secure | Default to secure state on error |
| SOD | Separation of Duties | Critical ops require multiple parties |
| SBD | Secure by Default | Default config is secure |
| CM | Complete Mediation | Every access verified |
| EOM | Economy of Mechanism | Simple, auditable mechanisms |
| OD | Open Design | Security not dependent on secrecy |
| IV | Input Validation | All input validated |
| LA | Least Agency | Limit AI agent autonomy |

### STRIDE Categories

| STRIDE | Name | CWEs | CAPEC |
|--------|------|------|-------|
| S | Spoofing | CWE-287, 290, 307 | CAPEC-151, 194, 600 |
| T | Tampering | CWE-20, 77, 78, 89 | CAPEC-66, 88, 248 |
| R | Repudiation | CWE-117, 223, 778 | CAPEC-93 |
| I | Information Disclosure | CWE-200, 209, 311 | CAPEC-116, 157 |
| D | Denial of Service | CWE-400, 770, 918 | CAPEC-125, 227 |
| E | Elevation of Privilege | CWE-269, 284, 862 | CAPEC-122, 233 |

---

## §5 Knowledge Base Queries

### kb Wrapper Usage

```bash
# Get skill path
SKILL_PATH=$(bash skill_path.sh)

# STRIDE queries
$SKILL_PATH/kb --stride spoofing
$SKILL_PATH/kb --stride-controls S

# CWE queries
$SKILL_PATH/kb --cwe CWE-89
$SKILL_PATH/kb --full-chain CWE-89

# Attack patterns
$SKILL_PATH/kb --capec CAPEC-89
$SKILL_PATH/kb --attack-technique T1078

# Verification tests
$SKILL_PATH/kb --stride-tests S
$SKILL_PATH/kb --wstg-category ATHN

# LLM/AI extensions
$SKILL_PATH/kb --all-llm
$SKILL_PATH/kb --ai-component
```

---

## §6 Language Adaptation

Output language follows context language unless `--lang=xx` specified.

| Context | File Names | Content |
|---------|------------|---------|
| Chinese | P1-项目理解.md | 中文 |
| English | P1-PROJECT-UNDERSTANDING.md | English |

Supported: en, zh, ja, ko, es, fr, de, pt, ru

---

## §7 Progressive Context Loading

This skill uses progressive disclosure:

1. **Always Loaded**: This file (SKILL.md) - ~5.5K tokens
2. **Session Start**: @WORKFLOW.md - ~4.8K tokens
3. **Per Phase**: @phases/P{N}-*.md - ~4K-10K tokens each (varies by phase)

Total per-phase context: ~12K-18K tokens per phase (vs 30K monolithic)

**Loading Pattern**:
```
Session Start:
  1. Load SKILL.md (global rules)
  2. Load WORKFLOW.md (orchestration)
  3. Create 8 phase todos

Per Phase:
  1. Read @phases/P{N}-*.md
  2. Execute phase instructions
  3. Write to .phase_working/{SESSION_ID}/reports/P{N}-*.md
  4. Hook validates and extracts data

Post-P8 (Optional):
  1. If --detailed flag OR user confirms: Load @phases/P8R-DETAILED-REPORT.md
  2. Generate per-VR detailed analysis reports
  3. Write to Risk_Assessment_Report/detailed/VR-{NNN}-{slug}.md
```

---

## §8 Reference Files

| Path | Purpose |
|------|---------|
| @WORKFLOW.md | Orchestration contracts, phase gates |
| @phases/P{1-8}-*.md | Phase-specific instructions |
| @assets/contracts/data-model.yaml | Entity schemas |
| @knowledge/security-design.yaml | 16 security domains |
| @knowledge/security-principles.yaml | 11 security principles |
| @knowledge/sast-rules.yaml | SAST tool configs and STRIDE mappings |
| @scripts/module_discovery.py | P1 three-layer module discovery |
| @scripts/phase_data.py | Phase validation and extraction |
| @scripts/unified_kb_query.py | Knowledge base queries |
| @scripts/report_generator.py | MD→HTML batch converter |
| @phases/P8R-DETAILED-REPORT.md | Optional per-VR detailed reports |
| @docs/REPORT-DESIGN.md | v3.0.3+ report enhancement design |
| @skill_path.sh | SKILL_PATH resolution helper |

---

## §9 Quick Start

```bash
# 1. Start new session (default mode - 11 deliverable files)
/threat-model @my-project

# 2. With debug mode (all internal files published)
/threat-model @my-project --debug

# 3. Session execution:
#    - Claude loads SKILL.md + WORKFLOW.md automatically
#    - For each phase N (1-8): Read → Execute → Write → Validate
#    - Generate final reports in Risk_Assessment_Report/
```

### Output Summary

| Mode | Files Published | Use Case |
|------|-----------------|----------|
| Default | 11 (4 required + 7 phase reports) | Production delivery |
| `--detailed` | 11 + per-VR detailed reports | Comprehensive assessment |
| `--debug` | 11 + YAML data + evaluation | Development, audit |

---

## §10 Core Execution Constraints (Invariants)

> **PRINCIPLE**: The quality of threat modeling depends on execution rigor. The following constraints are INVIOLABLE.

### Three Absolute Prohibitions

| Constraint | Description | Violation Consequence |
|------------|-------------|----------------------|
| ❌ NO MOCK DATA | All analysis must be based on real code evidence | Analysis results invalid |
| ❌ NO SIMPLIFIED IMPLEMENTATIONS | Each phase must be fully executed | Coverage requirements not met |
| ❌ NO BYPASSING PROBLEMS | Must diagnose root cause when blocked | Data chain broken |

### Phase Execution Invariant

```
∀ Phase N ∈ [1..8]:
  - Input: P{N-1}_*.yaml (except P1)
  - Output: P{N}_*.yaml (PRIMARY) + P{N}-*.md (SECONDARY)
  - Gate: Hook validation must return exit 0
  - Transition: Only proceed to N+1 after gate passes
```

> **Execution Protocol Details**: See WORKFLOW.md §2 Phase Execution Protocol

---

## §11 Phase Isolation Constraints

> **INVARIANT**: Each Phase is an independent execution unit. FSM state transitions MUST follow strict sequential order.

### Forbidden State Transitions

| Illegal Transition | Reason |
|-------------------|--------|
| Pn → Pn+2 (skip) | Violates FSM order invariant (S1) |
| Pn → Pn+1 (unvalidated) | Violates data contract completeness (S2) |
| Parallel Phase execution | Data dependencies cannot be satisfied |

> **Complete FSM Specification**: See WORKFLOW.md §1
> **Formal Properties**: See docs/SKILL-ARCHITECTURE-DESIGN.md §0.2

---

**End of SKILL.md** (~540 lines, ~5.5K tokens)

登录后下载/点赞/收藏 ❤ 203 | ★ 0

threat-modeling

目录结构

SKILL.md

举报内容

提示