Stats
Actions
Tags
From threat-model
Analyze a PR for SNO (Single Node OpenShift) security threats with STRIDE/DFD analysis, MITRE ATT&CK and OWASP mapping
How this skill is triggered — by the user, by Claude, or both
Slash command
/threat-model:sno-threat-modelThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze a pull request for security threats against the **SNO (Single Node OpenShift)** topology, map to MITRE ATT&CK, and generate a formal report.
Analyze a pull request for security threats against the SNO (Single Node OpenShift) topology, map to MITRE ATT&CK, and generate a formal report.
This skill focuses on SNO-specific DFD elements, trust boundaries, and code paths. For TNF analysis, use /threat-model:tnf. For TNA, use /threat-model:tna.
Bundled with this skill:
dfd-elements-sno.md — SNO DFD element catalog (SNO-P1–P6, SNO-DS1–DS6, SNO-DF1–DF10, SNO-TB1–TB3)Shared references (in ../../references/):
mitre-reference.md — MITRE ATT&CK lookup with DFD element mappingsowasp-reference.md — OWASP Top 10:2025 mapping with DFD element cross-referencesmitre-findings-template.md — Template for cumulative findings trackerDiscovered at runtime from the workspace:
$THREAT_MODEL_DIR/SNO-THREAT-MODEL.md — SNO formal threat model (when available)$FINDINGS_FILE — SNO findings tracker (created from template on first use)Before starting analysis, discover the workspace layout.
Find workspace root: Walk upward from $PWD until a directory containing repos/ is found. If no parent qualifies, fall back to checking whether the current git repo sits inside a repos/ directory:
d="$PWD"
while [ "$d" != "/" ]; do
if [ -d "$d/repos" ]; then
echo "$d"
break
fi
d="$(dirname "$d")"
done
if [ "$d" = "/" ]; then
repo_root="$(git rev-parse --show-toplevel 2>/dev/null || true)"
if [ -n "$repo_root" ] && [ "$(basename "$(dirname "$repo_root")")" = "repos" ]; then
echo "$(dirname "$(dirname "$repo_root")")"
fi
fi
Set workspace paths: Once the workspace root (WORKSPACE) is found:
$WORKSPACE/repos/SNO-THREAT-MODEL.md in:
$WORKSPACE/repos/sno-deploy/docs/$WORKSPACE/docs/$WORKSPACE/reports/ (create if needed).$WORKSPACE/.claude/skills/threat-model/mitre-findings-sno.md — initialized from ../../references/mitre-findings-template.md on first use.Validate workspace: Warn the user if:
repos/ directory is foundSNO-THREAT-MODEL.md) is not found (analysis can still proceed, but cross-referencing will be skipped)| Variable | Description | Example |
|---|---|---|
$WORKSPACE | Root directory containing repos/ | /home/user/Projects/sno-dev-env |
$REPOS | Repos directory | $WORKSPACE/repos |
$THREAT_MODEL_DIR | Directory containing formal threat model | $REPOS/sno-deploy/docs |
$REPORT_DIR | Directory for generated reports | Same as $THREAT_MODEL_DIR or $WORKSPACE/reports |
$FINDINGS_FILE | SNO findings tracker | $WORKSPACE/.claude/skills/threat-model/mitre-findings-sno.md |
Each threat-model skill writes to its own findings file (mitre-findings-tnf.md, mitre-findings-tna.md, mitre-findings-sno.md, mitre-findings-lvms.md), so no file locking is required during concurrent execution.
Append protocol (use in step 12):
FINDINGS_FILE="$WORKSPACE/.claude/skills/threat-model/mitre-findings-sno.md"
mkdir -p "$(dirname "$FINDINGS_FILE")"
cp -n "RESOLVED_TEMPLATE_PATH" "$FINDINGS_FILE"
cat >> "$FINDINGS_FILE" <<'FINDINGS_BLOCK'
## SNO — REPO PR #NUMBER (YYYY-MM-DD)
| Technique ID | Technique Name | Finding | Severity | Status | Notes |
|--------------|----------------|---------|----------|--------|-------|
| T#### | Name | VULN-# | Severity | Open | Description |
---
FINDINGS_BLOCK
Substitute RESOLVED_TEMPLATE_PATH with the absolute path to ../../references/mitre-findings-template.md (resolved from this skill's directory). Fill in REPO, NUMBER, YYYY-MM-DD, and the table rows from the current analysis.
/threat-model:sno 10498
Detects the repository from the current working directory.
/threat-model:sno https://github.com/openshift/installer/pull/10498
/threat-model:sno installer 10498
If input is a URL (contains github.com):
https://github.com/<org>/<repo>/pull/<PR>If input is a single number:
repos/<repo-name>/ in the working directoryIf input is <repo> <number>:
| Repo | GitHub Org |
|---|---|
| installer | openshift |
| machine-config-operator | openshift |
| cluster-etcd-operator | openshift |
| assisted-service | openshift |
| origin | openshift |
| dev-scripts | openshift-metal3 |
| release | openshift |
gh pr view <PR> --repo <org>/<repo> or WebFetchgh pr diff <PR> --repo <org>/<repo> or WebFetchdfd-elements-sno.md$THREAT_MODEL_DIR/SNO-THREAT-MODEL.md (if found)../../references/mitre-reference.md)$REPORT_DIR/$FINDINGS_FILEShellCheck is available in RHEL/Fedora repos (dnf install ShellCheck) - no external downloads required.
command -v shellcheck >/dev/null && echo "shellcheck: installed" || echo "shellcheck: NOT installed (run: dnf install ShellCheck)"
shellcheck -f json <script-file>
shellcheck -S warning <script-file>
shellcheck -s bash <script-file>
| Code | Severity | Security Relevance | MITRE |
|---|---|---|---|
| SC2086 | Warning | Unquoted variable - command injection risk | T1059 |
| SC2091 | Warning | Command in $() used as condition - injection | T1059 |
| SC2046 | Warning | Unquoted command substitution | T1059 |
| SC2012 | Info | Parsing ls output - can be exploited | T1059 |
| SC2029 | Warning | ssh command with unescaped variables | T1059 |
| SC2087 | Warning | Unquoted heredoc - variable expansion | T1059 |
| SC2155 | Warning | Declare/assign separately to avoid masking errors | - |
| SC2164 | Warning | cd without error-exit guard - path traversal risk | T1083 |
| Tool | Source | Risks | Mitigations |
|---|---|---|---|
| Semgrep | pip/GitHub | Fetches rules from semgrep.dev; may send telemetry | Use --offline mode with local rules |
| Gitleaks | GitHub releases | Binary from external source | Verify checksums; use container image |
| gosec | GitHub/go install | Binary from external source | Verify checksums; audit source |
| Category | Patterns | MITRE | Severity |
|---|---|---|---|
| Command Injection | shell exec, os.system, subprocess, fmt.Sprintf with shell | T1059 | Critical |
| Credentials | hardcoded secrets, API keys, tokens, passwords in code | T1552 | Critical |
| Privilege Escalation | setuid, capabilities, privileged containers, sudo, nsenter | T1548 | High |
| Authentication | auth bypass, weak validation, token handling flaws | T1078 | High |
| Crypto Weakness | weak algorithms, hardcoded keys, disabled TLS verify | T1573 | High |
| Path Traversal | unsanitized file paths, symlink attacks | T1083 | Medium |
| Container Escape | host mounts, hostPID, hostNetwork, privileged mode | T1611 | Critical |
| Logging Exposure | sensitive data in logs, credential printing | T1005 | Medium |
| SSRF/Network | unvalidated URLs, exposed internal endpoints | T1046 | Medium |
| Deserialization | unsafe unmarshal, pickle, yaml.load | T1059 | High |
See dfd-elements-sno.md for the full element catalog.
| Code Path Pattern | DFD Element | STRIDE Focus |
|---|---|---|
installer/pkg/types/installconfig.go (IsSingleNodeOpenShift, BootstrapInPlace) | SNO-P1 (Installer) | T, D |
installer/pkg/asset/machines/master.go (SingleReplicaTopologyMode) | SNO-P1 | T, D |
installer/pkg/types/validation/installconfig.go (BootstrapInPlace) | SNO-P1 | T |
installer/data/data/bootstrap/bootstrap-in-place/ | SNO-P5 (Bootstrap Agent) | T, I, E |
assisted-service/internal/common/common.go (IsSingleNodeCluster) | SNO-P2 (Assisted Service) | T |
assisted-service/internal/cluster/validator.go (SNO validations) | SNO-P2 | S, T |
assisted-service/internal/host/validator.go (SNO host checks) | SNO-P2 | T |
cluster-etcd-operator/pkg/operator/ceohelpers/bootstrap.go (UnsafeScalingStrategy) | SNO-P4 (CEO) | T, D |
cluster-etcd-operator/pkg/operator/ceohelpers/control_plane_topology.go | SNO-P4 | T, D |
machine-config-operator/ (MachineConfig, kubelet config) | SNO-P3 (MCO) | T, E |
sno-deploy/day_two/templates/ (DU policy generation, workload partitioning) | SNO-P3 (MCO), SNO-DS6 | T |
origin/test/extended/ (SNO test code) | Test | - |
When a PR modifies code that crosses a trust boundary, apply additional scrutiny:
| Boundary Crossing | Code Indicators | Key Threats |
|---|---|---|
| SNO-TB1->SNO-TB2 (Admin -> Assisted Service) | install-config, offline-token, pull-secret, API calls to console.redhat.com | I (credential exposure), T (config tampering) |
| SNO-TB2->SNO-TB3 (Assisted Service -> SNO Node) | Discovery ISO generation, ignition delivery, host inventory | T (ISO tampering), I (ignition secrets), E (privileged bootstrap) |
| SNO-TB1->SNO-TB3 (Admin -> SNO Node) | oc/kubectl, kubeconfig, kubeadmin-password | S (admin impersonation), I (credential theft) |
For each affected DFD element, ask these questions:
Processes (all 6 STRIDE categories):
Data Stores (T, I, D):
Data Flows (T, I, D):
External Entities (S, R):
After identifying per-element threats, check against $THREAT_MODEL_DIR/SNO-THREAT-MODEL.md:
PE-SNO-<element>-* IDs in the Per-Element STRIDE Analysis sectionIf the formal threat model file is not found, skip cross-referencing and note this in the report.
PR<number>-THREAT-MODEL-<repo>.mdVULN-PR<number>-<short-desc>.md# PR #<number> Threat Analysis: <PR Title>
**Document Version**: 1.0
**Date**: YYYY-MM-DD
**Classification**: Internal - Security Sensitive
**Repository**: <repo>
**Topology**: SNO
**PR Author**: <author>
**PR URL**: <url>
---
## Executive Summary
[Brief overview of the PR and key security findings]
### Findings Summary
| Severity | Count | Summary |
|----------|-------|---------|
| Critical | X | [brief] |
| High | X | [brief] |
| Medium | X | [brief] |
| Low | X | [brief] |
---
## Change Overview
[What this PR does, its purpose, and security-relevant changes]
---
## Affected Files
| File | Changes | Security Relevance |
|------|---------|-------------------|
| path/to/file.go | +X/-Y lines | [relevance] |
---
## DFD Impact Analysis
This PR affects the following elements in the SNO Data Flow Diagram
(see SNO-THREAT-MODEL.md):
### Affected DFD Elements
| Element | Name | Impact | Trust Boundary |
|---------|------|--------|----------------|
| SNO-P# | [process name] | [what changed] | SNO-TB# |
| SNO-DS# | [store name] | [what changed] | SNO-TB# |
### Trust Boundary Crossings
[Describe any trust boundaries crossed by the changed code]
### Per-Element STRIDE
| Element | S | T | R | I | D | E | Notes |
|---------|---|---|---|---|---|---|-------|
| SNO-P# | - | - | - | - | - | - | [Processes: all 6] |
| SNO-DS# | N/A | - | N/A | - | - | N/A | [Data Stores: T, I, D] |
**Legend**: **X** = new threat found, **~** = existing threat modified, **-** = no impact, N/A = not applicable
### Threat Model Cross-Reference
| PR Finding | Existing PE-* ID | Status |
|------------|-----------------|--------|
| [finding] | PE-SNO-XX-X-X | Matches existing / New gap / Mitigated |
---
## Threat Analysis
### VULN-1: [Vulnerability Title]
**Severity**: Critical/High/Medium/Low
**OWASP**: A##:2025 - Category Name
**MITRE ATT&CK**: T#### - Technique Name
**CWE**: CWE-###
#### Affected Code
**File**: `path/to/file.go:line`
#### Description
[Detailed description]
#### Attack Vector
[How this could be exploited]
#### Impact
- **Confidentiality**: [impact]
- **Integrity**: [impact]
- **Availability**: [impact]
#### Recommended Fix
[Code showing the fix]
---
## OWASP & MITRE ATT&CK Mapping
| Finding | OWASP | MITRE | CWE | Status |
|---------|-------|-------|-----|--------|
| VULN-1 | A05:2025 Injection | T1059 | CWE-78 | Open |
---
## Risk Assessment
| Finding | Likelihood | Impact | Risk |
|---------|------------|--------|------|
| VULN-1 | High | Critical | Critical |
---
## Recommendations
### For Developers (Code Changes)
1. [Recommendations]
### For Customers (Deployment & Operations)
1. [Recommendations]
---
## References
- [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
- [MITRE ATT&CK](https://attack.mitre.org/)
| Repo | Org | Focus Areas |
|---|---|---|
| installer | openshift | Install config, ignition |
| machine-config-operator | openshift | Node config, privilege escalation |
| cluster-etcd-operator | openshift | Etcd management |
| assisted-service | openshift | API security, credential handling |
| origin | openshift | Test code security |
| dev-scripts | openshift-metal3 | Shell scripts, credential handling |
| release | openshift | Release artifacts, CI/CD, manifests |
npx claudepluginhub openshift-eng/edge-tooling --plugin threat-modelProvides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.