Back to Details

threat-patch

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Threat Patch

Threat Patch

Reads security findings and produces minimal, surgical code patches with structured documentation. Fixes are code-grounded — each patch targets specific files and functions identified in the finding. Output includes a summary, validation steps, and the code changes.
读取安全问题并生成带有结构化文档的最小化、精准代码补丁。修复基于代码实现——每个补丁针对问题中标识的特定文件和函数。输出内容包含摘要、验证步骤以及代码变更。

When to Apply

适用场景

  • User provides a 
    findings.json
    (from threat-model) and wants fixes
  • User provides a Codex security findings CSV and wants fixes
  • User has a THREAT-MODEL.md and wants to remediate identified risks
  • User describes a specific vulnerability and wants a patch
  • Reviewing security scanner output and needs actionable fixes
  • After a security audit, turning findings into code changes
  • 用户提供
    findings.json
    (来自威胁建模)并需要修复方案
  • 用户提供Codex安全问题CSV并需要修复方案
  • 用户拥有THREAT-MODEL.md并希望修复已识别的风险
  • 用户描述特定漏洞并需要补丁
  • 查看安全扫描器输出并需要可执行的修复方案
  • 安全审计后,将问题转化为代码变更

Input Sources (priority order)

输入来源(优先级顺序)

SourceWhat It ProvidesHow to Use
findings.json (from threat-model)Structured findings with data flow traces, systemic groupings, exploit chains, and severity ratingsRead directly — richest input, already triaged and grouped
Codex CSVTitle, description, severity, relevant_paths per findingRun 
scripts/parse-findings.sh <csv-path>
to extract structured output
THREAT-MODEL.mdHuman-readable threat modelExtract findings from Criticality Calibration section
Inline descriptionUser describes a specific vulnerabilityParse from conversation context
When 
findings.json
is available, it's the preferred input — it includes data flow traces (entry → chain → sink) that directly inform where to apply fixes, and systemic groupings that suggest centralized fixes over individual patches.
来源提供内容使用方式
findings.json (from threat-model)包含数据流追踪、系统分组、利用链和严重程度评级的结构化问题直接读取——最丰富的输入,已完成分类和分组
Codex CSV标题、描述、严重程度、每个问题的relevant_paths运行
scripts/parse-findings.sh <csv-path>
提取结构化输出
THREAT-MODEL.md人类可读的威胁模型从Criticality Calibration部分提取问题
Inline description用户描述的特定漏洞从对话上下文解析
findings.json
可用时,它是首选输入——它包含直接指导修复位置的数据流追踪(入口→链→ sink),以及建议集中修复而非单独补丁的系统分组。

Workflow Overview

工作流程概述

1. Ingest Findings   → Read findings.json / CSV / descriptions
2. Triage & Group    → Sort by severity, use systemic groupings if available
3. For each finding:
   a. Read Code      → Open relevant_paths, understand the pattern
   b. Confirm        → Verify issue is still present in HEAD
   c. Design Fix     → Determine minimal fix approach
   d. Implement      → Write the code changes
   e. Document       → Summary + Validation + Attack-path (if needed)
   f. Test           → Run relevant tests
4. Output            → Per-patch deliverable with summary and diff
5. Update State      → Mark patched findings in findings.json (if present)
1. Ingest Findings   → Read findings.json / CSV / descriptions
2. Triage & Group    → Sort by severity, use systemic groupings if available
3. For each finding:
   a. Read Code      → Open relevant_paths, understand the pattern
   b. Confirm        → Verify issue is still present in HEAD
   c. Design Fix     → Determine minimal fix approach
   d. Implement      → Write the code changes
   e. Document       → Summary + Validation + Attack-path (if needed)
   f. Test           → Run relevant tests
4. Output            → Per-patch deliverable with summary and diff
5. Update State      → Mark patched findings in findings.json (if present)

How to Use

使用方法

  1. Read workflow for the detailed patching methodology at each step
  2. Read fix patterns when designing fixes — common patterns by vulnerability class
  3. Read output format for the documentation template per patch
  4. If input is findings.json: read it directly — it's already structured
  5. If input is Codex CSV: run 
    scripts/parse-findings.sh <csv-path>
    to extract structured output
  1. 阅读workflow了解每个补丁阶段的详细修复方法
  2. 设计修复方案时阅读fix patterns——按漏洞类别划分的常见修复模式
  3. 编写文档时阅读output format——每个补丁的文档模板
  4. 如果输入是findings.json:直接读取——它已经是结构化的
  5. 如果输入是Codex CSV:运行
    scripts/parse-findings.sh <csv-path>
    提取结构化输出

Key Principles

核心原则

  • Minimal diff: Fix the vulnerability, don't refactor surrounding code. The smallest correct patch is the best patch
  • Centralize over duplicate: When multiple code paths share the same vulnerability pattern, extract a shared helper rather than patching each site independently
  • Explicit error paths: Add specific error types for rejected inputs with clear operator feedback, not silent failures or generic errors
  • Confirm before fixing: Always verify the finding is still present in HEAD — code may have moved or been refactored since the finding was detected
  • User approval before edits: Present the fix design (files to change, approach) and wait for approval before modifying source code. Hooks gate Edit/Write tool calls for additional safety
  • Document even failures: When a fix can't be tested due to environment limitations, document the test command and the limitation
  • 最小化差异:修复漏洞,不要重构周边代码。最小且正确的补丁就是最佳补丁
  • 集中处理而非重复修复:当多个代码路径存在相同漏洞模式时,提取共享辅助代码而非单独修补每个位置
  • 明确错误路径:为被拒绝的输入添加特定错误类型,提供清晰的操作反馈,而非静默失败或通用错误
  • 修复前确认:始终验证问题在HEAD分支中是否仍然存在——自问题被检测以来,代码可能已移动或重构
  • 编辑前需用户批准:提交修复设计(要修改的文件、方法)并等待批准后再修改源代码。钩子会限制Edit/Write工具调用以提升安全性
  • 即使失败也要记录:当因环境限制无法测试修复时,记录测试命令和限制条件

Guardrails

安全防护

This skill modifies source code. Safety measures:
  • PreToolUse hooks on Edit and Write tools prompt for confirmation before each file change
  • Confirmation gate in the workflow between fix design and implementation
  • Revert path: Without commits (default), use 
    git checkout -- <files>
    to undo. With commits, use 
    git revert
此技能会修改源代码。安全措施:
  • Edit和Write工具的PreToolUse钩子会在每次文件变更前提示确认
  • 工作流程中在修复设计与实现之间设置确认关卡
  • 回退路径:默认无提交时,使用
    git checkout -- <files>
    撤销。有提交时,使用
    git revert

Output Modes

输出模式

Code patch — when a fix is implemented:
  • Summary of what was confirmed and what the fix does
  • Testing section with build/test commands
  • The actual code changes
Analysis only — when the fix needs user decision or architectural changes:
  • Summary of what was confirmed
  • Validation checklist
  • Attack-path analysis (path, likelihood, impact, assumptions, controls, blindspots)
代码补丁——当修复方案已实现时:
  • 确认内容和修复作用的摘要
  • 包含构建/测试命令的测试部分
  • 实际代码变更
仅分析——当修复需要用户决策或架构变更时:
  • 确认内容的摘要
  • 验证清单
  • 攻击路径分析(路径、可能性、影响、假设、控制措施、盲点)

References

参考资料

FileWhen to Read
references/workflow.mdBefore starting — detailed approach for each patching phase
references/fix-patterns.mdWhen designing fixes — patterns by vulnerability class
references/output-format.mdWhen documenting — templates for both output modes
文件阅读时机
references/workflow.md开始前——每个补丁阶段的详细方法
references/fix-patterns.md设计修复方案时——按漏洞类别划分的模式
references/output-format.md编写文档时——两种输出模式的模板