Does it support modern frameworks like JWT and OAuth?

Yes, it includes built-in search patterns for JWT, OAuth, OIDC, and common Node.js security libraries like Passport and Bcrypt.

How does tm-verify find security controls?

It uses advanced Grep patterns to search for known implementation signatures of authentication, authorization, cryptography, and input validation libraries and decorators.

What happens if a control is only partially implemented?

The skill marks the control as 'partial' and generates a specific gap report detailing what is missing compared to the expected security standard.

Can I use this without a threat model?

It is designed to work as part of the threat-modeling-toolkit; you should run the /tm-threats command first to generate the necessary threat baseline.

Security Control Verifier

Name: Security Control Verifier
Author: josemlopez

byjosemlopez

0•

Security & Testing

Verifies the implementation of security controls within your codebase against documented threat models to identify gaps and ensure compliance.

The tm-verify skill automates the critical validation phase of the threat modeling lifecycle by mapping high-level security requirements to actual source code implementations. By performing deep analysis using specialized search patterns for authentication, authorization, cryptography, and input validation, it provides developers with actionable insights through detailed gap analysis reports and structured JSON evidence. This tool is essential for security engineers and developers looking to ensure that mitigations identified during the design phase are correctly realized in the code, facilitating continuous security verification and audit readiness.

Key Features

01Detailed visual reporting with ASCII status bars and severity-based gap details

02Support for multi-framework mapping including STRIDE and PASTA

030 GitHub stars

04Comprehensive gap analysis comparing expected mitigations vs. actual code

05Automated discovery of security controls using domain-specific Grep patterns

06Evidence collection including file paths and line numbers for audit trails

Use Cases

01Generating compliance evidence for security controls across large software projects

02Validating that design-phase threat mitigations are correctly implemented in the codebase

03Conducting automated security audits to identify missing authentication or authorization checks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add josemlopez/threat-modeling-toolkit tm-verify

For use in Claude.ai and ChatGPT

Download Skill