threat-patch

Original：🇺🇸 English

Translated

1 scripts

Use this skill to remediate security findings by producing minimal, surgical code patches. Triggers on 'patch security findings', 'fix vulnerabilities', 'remediate findings', 'threat patch', or when the user provides a findings.json (from threat-model), a Codex security findings CSV, a THREAT-MODEL.md, or individual vulnerability descriptions and wants them fixed. Also trigger when reviewing code flagged by a security scanner and the user wants actionable fixes rather than just reports.

2installs

Sourcepproenca/dot-skills

Added on2026-04-15

NPX Install

npx skill4agent add pproenca/dot-skills threat-patch

SKILL.md Content

View Translation Comparison →

Threat Patch

Reads security findings and produces minimal, surgical code patches with structured documentation. Fixes are code-grounded — each patch targets specific files and functions identified in the finding. Output includes a summary, validation steps, and the code changes.

When to Apply

User provides a
```
findings.json
```
(from threat-model) and wants fixes
User provides a Codex security findings CSV and wants fixes
User has a THREAT-MODEL.md and wants to remediate identified risks
User describes a specific vulnerability and wants a patch
Reviewing security scanner output and needs actionable fixes
After a security audit, turning findings into code changes

Input Sources (priority order)

Source	What It Provides	How to Use
findings.json (from threat-model)	Structured findings with data flow traces, systemic groupings, exploit chains, and severity ratings	Read directly — richest input, already triaged and grouped
Codex CSV	Title, description, severity, relevant_paths per finding	Run `scripts/parse-findings.sh <csv-path>` to extract structured output
THREAT-MODEL.md	Human-readable threat model	Extract findings from Criticality Calibration section
Inline description	User describes a specific vulnerability	Parse from conversation context

When

findings.json

is available, it's the preferred input — it includes data flow traces (entry → chain → sink) that directly inform where to apply fixes, and systemic groupings that suggest centralized fixes over individual patches.

Workflow Overview

1. Ingest Findings   → Read findings.json / CSV / descriptions
2. Triage & Group    → Sort by severity, use systemic groupings if available
3. For each finding:
   a. Read Code      → Open relevant_paths, understand the pattern
   b. Confirm        → Verify issue is still present in HEAD
   c. Design Fix     → Determine minimal fix approach
   d. Implement      → Write the code changes
   e. Document       → Summary + Validation + Attack-path (if needed)
   f. Test           → Run relevant tests
4. Output            → Per-patch deliverable with summary and diff
5. Update State      → Mark patched findings in findings.json (if present)

How to Use

Read workflow for the detailed patching methodology at each step
Read fix patterns when designing fixes — common patterns by vulnerability class
Read output format for the documentation template per patch
If input is findings.json: read it directly — it's already structured
If input is Codex CSV: run
```
scripts/parse-findings.sh <csv-path>
```
to extract structured output

Key Principles

Minimal diff: Fix the vulnerability, don't refactor surrounding code. The smallest correct patch is the best patch
Centralize over duplicate: When multiple code paths share the same vulnerability pattern, extract a shared helper rather than patching each site independently
Explicit error paths: Add specific error types for rejected inputs with clear operator feedback, not silent failures or generic errors
Confirm before fixing: Always verify the finding is still present in HEAD — code may have moved or been refactored since the finding was detected
User approval before edits: Present the fix design (files to change, approach) and wait for approval before modifying source code. Hooks gate Edit/Write tool calls for additional safety
Document even failures: When a fix can't be tested due to environment limitations, document the test command and the limitation

Guardrails

This skill modifies source code. Safety measures:

PreToolUse hooks on Edit and Write tools prompt for confirmation before each file change
Confirmation gate in the workflow between fix design and implementation
Revert path: Without commits (default), use
```
git checkout -- <files>
```
to undo. With commits, use
```
git revert
```

Output Modes

Code patch — when a fix is implemented:

Summary of what was confirmed and what the fix does
Testing section with build/test commands
The actual code changes

Analysis only — when the fix needs user decision or architectural changes:

Summary of what was confirmed
Validation checklist
Attack-path analysis (path, likelihood, impact, assumptions, controls, blindspots)

References

File	When to Read
references/workflow.md	Before starting — detailed approach for each patching phase
references/fix-patterns.md	When designing fixes — patterns by vulnerability class
references/output-format.md	When documenting — templates for both output modes