Can I use this skill on an existing codebase?

Yes, the skill includes a verification step that automatically searches your local codebase to confirm if identified security controls are actually implemented in the code.

What frameworks does this threat modeling skill support?

The skill primarily supports the STRIDE and PASTA frameworks for threat identification, with built-in compliance mapping for OWASP Top 10 and SOC2.

What kind of output files does the workflow generate?

It produces a comprehensive .threatmodel directory containing JSON state files, Mermaid architecture diagrams, executive summaries, and detailed markdown risk reports.

Do I need to run other toolkit commands separately?

No, the tm-full skill is designed to orchestrate the entire toolkit—including initialization, threat analysis, verification, and reporting—in a single sequential command.

Full Threat Modeling Workflow

Name: Full Threat Modeling Workflow
Author: josemlopez

byjosemlopez

Security & Testing

Automates the end-to-end threat modeling lifecycle from asset discovery to comprehensive risk reporting using industry-standard frameworks.

About

This skill provides a comprehensive security assessment engine for Claude Code, automating the entire threat modeling process in a single orchestrated workflow. It systematically identifies architectural assets, applies STRIDE or PASTA frameworks to discover vulnerabilities, verifies security controls directly within the codebase, and maps findings to compliance standards like OWASP and SOC2. By integrating deep security analysis into the development environment, it generates executive-level documentation and actionable technical reports, making it an essential tool for DevSecOps teams looking to maintain high security standards without manual overhead.

Key Features

Comprehensive compliance mapping to OWASP Top 10 and SOC2 requirements.
Generation of visual architecture diagrams and professional markdown reports.
Automated codebase scanning to verify the implementation of specific security controls.
Support for industry-standard threat frameworks including STRIDE and PASTA.
End-to-end orchestration of discovery, analysis, verification, compliance, and reporting.
0 GitHub stars

Use Cases

Performing a complete security audit before a major production release or architectural change.
Establishing a security baseline for a legacy codebase to prioritize remediation efforts.
Generating compliance-ready documentation for SOC2 audits or internal security reviews.

About

Key Features

Comprehensive compliance mapping to OWASP Top 10 and SOC2 requirements.
Generation of visual architecture diagrams and professional markdown reports.
Automated codebase scanning to verify the implementation of specific security controls.
Support for industry-standard threat frameworks including STRIDE and PASTA.
End-to-end orchestration of discovery, analysis, verification, compliance, and reporting.
0 GitHub stars

Use Cases

Performing a complete security audit before a major production release or architectural change.
Establishing a security baseline for a legacy codebase to prioritize remediation efforts.
Generating compliance-ready documentation for SOC2 audits or internal security reviews.