pytm_skill

This skill helps you model threats in code using pytm to generate STRIDE-based diagrams, threats, and mitigations for secure architectures.
  • Shell

214

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill rohunj/claude-build-workflow --skill pytm

  • SKILL.md17.3 KB

Overview

This skill provides programmatic threat modeling using the pytm Python library to produce STRIDE-based threat enumeration, data flow diagrams (DFDs), and automated threat reports. It treats architecture as code so teams can version, automate, and integrate threat models into CI/CD pipelines for continuous security analysis. The outputs include DFD images, JSON/Markdown threat reports, and structured mitigations mapped to STRIDE categories.

How this skill works

Define system components, actors, boundaries, and data flows using pytm Python objects. Run tm.process() to automatically detect STRIDE threats, generate diagrams via Graphviz, and export reports (Markdown/JSON). Integrate scripts to validate mitigations, add custom threats, and run models in CI to enforce shift-left security and continuous risk assessment.

When to use it

  • When you need repeatable, version-controlled threat models as code for architectures
  • To generate DFDs and automatic STRIDE threat identification for design reviews
  • When integrating threat modeling into CI/CD pipelines and automated gating
  • To analyze trust boundary crossings and map data sensitivity to threats
  • When producing exportable threat reports with recommended mitigations

Best practices

  • Model architecture programmatically and store models in version control, avoiding hardcoded secrets
  • Label data flows with sensitivity and encryption attributes to reduce false positives
  • Run threat model generation in CI on PRs to catch regressions early
  • Use threat.conditions and custom Threat objects to tailor findings to your environment
  • Restrict access to generated reports and diagrams; treat them as sensitive artifacts

Example use cases

  • Create a microservices threat model that generates DFD PNGs and a JSON threat list during CI builds
  • Automate STRIDE analysis for a web application template and export mitigations as Jira issues
  • Add custom organization-specific threats (e.g., rate-limit bypass) to supplement pytm rules
  • Run periodic threat model checks to ensure architecture changes didn’t introduce unmitigated cross-boundary flows
  • Produce compliance-oriented threat reports aligned with NIST/ISO controls for audits

FAQ

pytm plus Graphviz (install via apt/brew/etc.). Ensure dot is on PATH before running tm.process().

How do I avoid irrelevant/false-positive threats?

Set accurate component and dataflow properties (encryption, protocols, service features) and use threat.condition or mark mitigations as N/A with rationale.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational