Agent Skillskinncj/Heimdall › threat-modeling

threat-modeling

GitHub

基于STRIDE框架对组件和信任边界进行威胁建模,生成包含资产、风险分析及缓解措施的威胁登记册。适用于新功能安全评审,输出至指定文档路径,确保上线前关键风险得到控制。

.claude/skills/threat-modeling/SKILL.md kinncj/Heimdall

Trigger Scenarios

需要对新功能进行安全评估 执行STRIDE威胁建模分析 生成威胁登记册

Install

npx skills add kinncj/Heimdall --skill threat-modeling -g -y
More Options

Non-standard path

npx skills add https://github.com/kinncj/Heimdall/tree/main/.claude/skills/threat-modeling -g -y

Use without installing

npx skills use kinncj/Heimdall@threat-modeling

指定 Agent (Claude Code)

npx skills add kinncj/Heimdall --skill threat-modeling -a claude-code -g -y

安装 repo 全部 skill

npx skills add kinncj/Heimdall --all -g -y

预览 repo 内 skill

npx skills add kinncj/Heimdall --list

SKILL.md

Frontmatter
{
    "name": "threat-modeling",
    "description": "Perform STRIDE threat modeling for each component and trust boundary and produce a threat register. Use when reviewing a feature for security."
}

SKILL: Threat Modeling (STRIDE)

Output Location

docs/specs/{feature-slug}/threat-model.md

STRIDE Framework

For each component and trust boundary, evaluate all 6 threat categories:

Letter Threat Question
S Spoofing Can an attacker impersonate a user, service, or system?
T Tampering Can data be modified in transit or at rest without detection?
R Repudiation Can a user deny performing an action?
I Information Disclosure Can sensitive data leak to unauthorized parties?
D Denial of Service Can an attacker prevent legitimate users from accessing the service?
E Elevation of Privilege Can an attacker gain capabilities beyond what is authorized?

Threat Model Template

# Threat Model: {Feature Name}

## Assets
| Asset | Sensitivity | Owner |
|-------|-------------|-------|
| User PII | High | {team} |
| Payment data | Critical | {team} |
| API keys | Critical | {team} |

## Trust Boundaries
- Internet <-> Load Balancer
- Load Balancer <-> Application
- Application <-> Database
- Application <-> Third-party APIs

## STRIDE Analysis

### {Component Name}

**S — Spoofing**
- Risk: {description}
- Likelihood: High/Medium/Low
- Impact: High/Medium/Low
- Mitigation: {control}

**T — Tampering**
...

**R — Repudiation**
...

**I — Information Disclosure**
...

**D — Denial of Service**
...

**E — Elevation of Privilege**
...

## Risk Register
| Threat | Component | Likelihood | Impact | Risk Level | Mitigation | Status |
|--------|-----------|------------|--------|------------|------------|--------|
| SQL Injection | API | High | Critical | Critical | Parameterized queries | Mitigated |

## Mitigations Required Before Launch
- [ ] {Critical mitigation 1}
- [ ] {Critical mitigation 2}

Common Mitigations

  • Authentication: JWT with short expiry, refresh token rotation.
  • Authorization: RBAC, RLS on database.
  • Input validation: Zod/FluentValidation on all inputs.
  • Rate limiting: Per-IP and per-user limits.
  • Encryption: TLS 1.3 in transit, AES-256 at rest.
  • Audit logging: All write operations logged with actor + timestamp.
  • Secrets management: Never in code; use environment variables or vault.

Version History

  • f4ea31f Current 2026-07-05 10:41

Same Skill Collection

.claude/skills/a11y-audit/SKILL.md
.claude/skills/component-scaffold/SKILL.md
.claude/skills/cucumber-automation/SKILL.md
.claude/skills/design-tokens/SKILL.md
.claude/skills/docker-patterns/SKILL.md
.claude/skills/finops-review/SKILL.md
.claude/skills/gh-issues/SKILL.md
.claude/skills/gh-labels-milestones/SKILL.md
.claude/skills/gh-projects/SKILL.md
.claude/skills/gherkin-authoring/SKILL.md
.claude/skills/github-cli/SKILL.md
.claude/skills/humanizer/SKILL.md
.claude/skills/jupyter-patterns/SKILL.md
.claude/skills/karpathy-audit/SKILL.md
.claude/skills/kubernetes-patterns/SKILL.md
.claude/skills/mermaid-diagrams/SKILL.md
.claude/skills/mockup/SKILL.md
.claude/skills/pipeline-runner/SKILL.md
.claude/skills/playwright-cli/SKILL.md
.claude/skills/postgresql-patterns/SKILL.md
.claude/skills/redis-patterns/SKILL.md
.claude/skills/rfc-adr/SKILL.md
.claude/skills/rubber-duck/SKILL.md
.claude/skills/ship-safe/SKILL.md
.claude/skills/spec-kit/SKILL.md
.claude/skills/sre-review/SKILL.md
.claude/skills/story-issue-sync/SKILL.md
.claude/skills/stripe-patterns/SKILL.md
.claude/skills/supabase-patterns/SKILL.md
.claude/skills/tdd-workflow/SKILL.md
.claude/skills/terraform-patterns/SKILL.md
.claude/skills/vercel-patterns/SKILL.md
.claude/skills/visual-identity/SKILL.md
.claude/skills/wireframe/SKILL.md
.cursor/skills/a11y-audit/SKILL.md
.cursor/skills/component-scaffold/SKILL.md
.cursor/skills/cucumber-automation/SKILL.md
.cursor/skills/design-tokens/SKILL.md
.cursor/skills/docker-patterns/SKILL.md
.cursor/skills/finops-review/SKILL.md
.cursor/skills/gh-issues/SKILL.md
.cursor/skills/gh-labels-milestones/SKILL.md
.cursor/skills/gh-projects/SKILL.md
.cursor/skills/gherkin-authoring/SKILL.md
.cursor/skills/github-cli/SKILL.md
.cursor/skills/humanizer/SKILL.md
.cursor/skills/jupyter-patterns/SKILL.md
.cursor/skills/karpathy-audit/SKILL.md
.cursor/skills/kubernetes-patterns/SKILL.md
.cursor/skills/mermaid-diagrams/SKILL.md
.cursor/skills/mockup/SKILL.md
.cursor/skills/pipeline-runner/SKILL.md
.cursor/skills/playwright-cli/SKILL.md
.cursor/skills/postgresql-patterns/SKILL.md
.cursor/skills/redis-patterns/SKILL.md
.cursor/skills/rfc-adr/SKILL.md
.cursor/skills/rubber-duck/SKILL.md
.cursor/skills/ship-safe/SKILL.md
.cursor/skills/spec-kit/SKILL.md
.cursor/skills/sre-review/SKILL.md
.cursor/skills/story-issue-sync/SKILL.md
.cursor/skills/stripe-patterns/SKILL.md
.cursor/skills/supabase-patterns/SKILL.md
.cursor/skills/tdd-workflow/SKILL.md
.cursor/skills/terraform-patterns/SKILL.md
.cursor/skills/threat-modeling/SKILL.md
.cursor/skills/vercel-patterns/SKILL.md
.cursor/skills/visual-identity/SKILL.md
.cursor/skills/wireframe/SKILL.md
.opencode/skills/a11y-audit/SKILL.md
.opencode/skills/component-scaffold/SKILL.md
.opencode/skills/cucumber-automation/SKILL.md
.opencode/skills/design-tokens/SKILL.md
.opencode/skills/docker-patterns/SKILL.md
.opencode/skills/finops-review/SKILL.md
.opencode/skills/gh-issues/SKILL.md
.opencode/skills/gh-labels-milestones/SKILL.md
.opencode/skills/gh-projects/SKILL.md
.opencode/skills/gherkin-authoring/SKILL.md
.opencode/skills/github-cli/SKILL.md
.opencode/skills/humanizer/SKILL.md
.opencode/skills/jupyter-patterns/SKILL.md
.opencode/skills/karpathy-audit/SKILL.md
.opencode/skills/kubernetes-patterns/SKILL.md
.opencode/skills/mermaid-diagrams/SKILL.md
.opencode/skills/mockup/SKILL.md
.opencode/skills/pipeline-runner/SKILL.md
.opencode/skills/playwright-cli/SKILL.md
.opencode/skills/postgresql-patterns/SKILL.md
.opencode/skills/redis-patterns/SKILL.md
.opencode/skills/rfc-adr/SKILL.md
.opencode/skills/rubber-duck/SKILL.md
.opencode/skills/ship-safe/SKILL.md
.opencode/skills/spec-kit/SKILL.md
.opencode/skills/sre-review/SKILL.md
.opencode/skills/story-issue-sync/SKILL.md
.opencode/skills/stripe-patterns/SKILL.md
.opencode/skills/supabase-patterns/SKILL.md
.opencode/skills/tdd-workflow/SKILL.md
.opencode/skills/terraform-patterns/SKILL.md
.opencode/skills/threat-modeling/SKILL.md
.opencode/skills/vercel-patterns/SKILL.md
.opencode/skills/visual-identity/SKILL.md
.opencode/skills/wireframe/SKILL.md

Metadata

Files
0
Version
f4ea31f
Hash
3104824c
Indexed
2026-07-05 10:41

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 07:24
浙ICP备14020137号-1 $Гость$