pytm_skill
- Shell
214
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill rohunj/claude-build-workflow --skill pytm- SKILL.md17.3 KB
Overview
This skill provides programmatic threat modeling using the pytm Python library to produce STRIDE-based threat enumeration, data flow diagrams (DFDs), and automated threat reports. It treats architecture as code so teams can version, automate, and integrate threat models into CI/CD pipelines for continuous security analysis. The outputs include DFD images, JSON/Markdown threat reports, and structured mitigations mapped to STRIDE categories.
How this skill works
Define system components, actors, boundaries, and data flows using pytm Python objects. Run tm.process() to automatically detect STRIDE threats, generate diagrams via Graphviz, and export reports (Markdown/JSON). Integrate scripts to validate mitigations, add custom threats, and run models in CI to enforce shift-left security and continuous risk assessment.
When to use it
- When you need repeatable, version-controlled threat models as code for architectures
- To generate DFDs and automatic STRIDE threat identification for design reviews
- When integrating threat modeling into CI/CD pipelines and automated gating
- To analyze trust boundary crossings and map data sensitivity to threats
- When producing exportable threat reports with recommended mitigations
Best practices
- Model architecture programmatically and store models in version control, avoiding hardcoded secrets
- Label data flows with sensitivity and encryption attributes to reduce false positives
- Run threat model generation in CI on PRs to catch regressions early
- Use threat.conditions and custom Threat objects to tailor findings to your environment
- Restrict access to generated reports and diagrams; treat them as sensitive artifacts
Example use cases
- Create a microservices threat model that generates DFD PNGs and a JSON threat list during CI builds
- Automate STRIDE analysis for a web application template and export mitigations as Jira issues
- Add custom organization-specific threats (e.g., rate-limit bypass) to supplement pytm rules
- Run periodic threat model checks to ensure architecture changes didn’t introduce unmitigated cross-boundary flows
- Produce compliance-oriented threat reports aligned with NIST/ISO controls for audits
FAQ
pytm plus Graphviz (install via apt/brew/etc.). Ensure dot is on PATH before running tm.process().
How do I avoid irrelevant/false-positive threats?
Set accurate component and dataflow properties (encryption, protocols, service features) and use threat.condition or mark mitigations as N/A with rationale.