rohunj/claude-build-workflow
Overview
This skill provides programmatic threat modeling using the pytm Python library to produce STRIDE-based threat enumeration, data flow diagrams (DFDs), and automated threat reports. It treats architecture as code so teams can version, automate, and integrate threat models into CI/CD pipelines for continuous security analysis. The outputs include DFD images, JSON/Markdown threat reports, and structured mitigations mapped to STRIDE categories.
How this skill works
Define system components, actors, boundaries, and data flows using pytm Python objects. Run tm.process() to automatically detect STRIDE threats, generate diagrams via Graphviz, and export reports (Markdown/JSON). Integrate scripts to validate mitigations, add custom threats, and run models in CI to enforce shift-left security and continuous risk assessment.
When to use it
- When you need repeatable, version-controlled threat models as code for architectures
- To generate DFDs and automatic STRIDE threat identification for design reviews
- When integrating threat modeling into CI/CD pipelines and automated gating
- To analyze trust boundary crossings and map data sensitivity to threats
- When producing exportable threat reports with recommended mitigations
Best practices
- Model architecture programmatically and store models in version control, avoiding hardcoded secrets
- Label data flows with sensitivity and encryption attributes to reduce false positives
- Run threat model generation in CI on PRs to catch regressions early
- Use threat.conditions and custom Threat objects to tailor findings to your environment
- Restrict access to generated reports and diagrams; treat them as sensitive artifacts
Example use cases
- Create a microservices threat model that generates DFD PNGs and a JSON threat list during CI builds
- Automate STRIDE analysis for a web application template and export mitigations as Jira issues
- Add custom organization-specific threats (e.g., rate-limit bypass) to supplement pytm rules
- Run periodic threat model checks to ensure architecture changes didn’t introduce unmitigated cross-boundary flows
- Produce compliance-oriented threat reports aligned with NIST/ISO controls for audits
FAQ
pytm plus Graphviz (install via apt/brew/etc.). Ensure dot is on PATH before running tm.process().
How do I avoid irrelevant/false-positive threats?
Set accurate component and dataflow properties (encryption, protocols, service features) and use threat.condition or mark mitigations as N/A with rationale.
7 skills
This skill helps you model threats in code using pytm to generate STRIDE-based diagrams, threats, and mitigations for secure architectures.
This skill analyzes a PRD to identify edge cases, failure modes, and scenarios, then recommends concrete PRD updates.
This skill converts a PRD into Ralph's prd.json format for autonomous execution, generating one user story per requirement.
This skill helps you detect and prevent hardcoded secrets in git repositories using Gitleaks, boosting security across CI, pre-commit hooks, and audits.
This skill performs SAST with Semgrep, detecting vulnerabilities and mapping findings to OWASP and CWE to guide secure remediation.
This skill converts bug reports into prd.json user stories for autonomous fixing, prioritizing critical issues and updating records for Ralph.
This skill reviews user stories for quality, sizing, and acceptance criteria to ensure ready-to-execute PRD conversions.