Add tm7-threat-model skill for valid TM7 file generation#2280
Conversation
Adds a skill that generates valid Microsoft Threat Modeling Tool (.tm7) files using the correct WCF DataContractSerializer format, with a minimal reference file. Includes STRIDE threat generation workflow and a checklist of common serialization mistakes that corrupt .tm7 files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds a skill for generating Microsoft Threat Modeling Tool .tm7 files.
Changes:
- Documents TM7 serialization and STRIDE modeling.
- Adds a bundled TM7 reference model.
- Registers the skill in generated documentation.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
skills/tm7-threat-model/SKILL.md |
Defines generation instructions and serialization examples. |
skills/tm7-threat-model/example-minimal.tm7 |
Provides the reference TM7 model. |
docs/README.skills.md |
Adds the skill catalog entry. |
aaronpowell
left a comment
There was a problem hiding this comment.
Minor change to match required structure
…to assets - Move example-minimal.tm7 into assets/ per repo convention (aaronpowell). - Remove personal/corporate metadata from the reference model (Owner, Contributors, ChangedBy domain account, project names). - Make the reference model self-contained: add a second stencil so the data flow and threat SourceGuid/TargetGuid/FlowGuid all resolve to real elements. - Fix SKILL.md threat contract (KeyValueOfstringThreatpc_P0_PhOB with b:-prefixed KnowledgeBase fields) to match the bundled reference. - Reconcile guidance: MetaInformation/Notes/KnowledgeBase are valid schema elements and must be preserved; only SecurityGaps/Mitigations are invalid. - Regenerate docs/README.skills.md and normalize line endings to LF. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Thanks for the review! Pushed 7a93150 addressing all comments: @aaronpowell — Moved the reference model to Copilot review comments:
Also normalized line endings to LF. |
…:Id uniqueness - Document KnowledgeBase as a top-level sibling after ThreatMetaData (not embedded) - Update skeleton to show <ThreatMetaData/>, sibling <KnowledgeBase>, and <Profile> - Replace TypeIds absent from the bundled KB: AzureCosmosDB -> AzureSQLDB, HumanUser -> Mobile, GenericDataFlow -> Request - Require z:Id uniqueness across the file in the common-mistakes checklist Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
@reply.txt |
🔒 PR Risk Scan ResultsScanned 3 changed file(s).
Skipped non-text or missing files
|
🔍 Vally Lint Results✅ All checks passed
Summary
Full linter output |
|
I think the tm7 file should be added to the exclude list for codespell - https://github.com/github/awesome-copilot/actions/runs/29297181766/job/86973147200?pr=2280 |
MTM DataContract .tm7 exports embed base64 icon blobs whose substrings (oT, bu, wth, mKe, ...) trigger codespell false positives. Skip *.tm7, matching the existing convention for binary/asset files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Description
Adds a new
tm7-threat-modelskill that generates valid Microsoft Threat Modeling Tool (.tm7) files..tm7files use the WCFDataContractSerializerformat (not generic XML); the Threat Modeling Tool refuses to open files that use a plain-XML structure. This skill documents the exact root element, namespace prefixes, stencil/data-flow/threat serialization, and a checklist of common mistakes that corrupt.tm7files. It bundles a validatedexample-minimal.tm7reference (well-formed, no<?xml?>declaration).This is a clean re-submission of #1660 (which was closed only because it targeted
mainand had a polluted, auto-regenerated diff). This PR targetsstagedand changes only the new skill folder plus its single generated row indocs/README.skills.md.Type of Contribution
Additional Notes
npm run skill:validate→✅ tm7-threat-model is valid.npm run buildregenerateddocs/README.skills.md(single added row).stagedbranch as required.