Verify that security controls documented in the threat model actually exist in the codebase. Searches for control implementations, validates configurations, identifies gaps. Use when validating threat model against code, checking security control implementation, or finding security gaps.
threat-modeling-toolkit
skills/tm-verify/SKILL.md
January 22, 2026
Install (Claude Code):

```
npx add-skill https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-verify/SKILL.md -a claude-code --skill tm-verify
```

Installation path: `.claude/skills/tm-verify/`

# Control Verification

## Purpose

Verify that security controls exist in your codebase by:

- Searching for control implementations
- Validating security configurations
- Checking for security middleware/decorators
- Identifying implementation gaps
- Collecting evidence for each control

## Usage

```
/tm-verify [--control <id>] [--category <name>] [--thorough] [--evidence]
```

**Arguments**:

- `--control`: Verify a specific control by ID
- `--category`: Verify controls in a category (auth, crypto, access-control, etc.)
- `--thorough`: Deep code analysis
- `--evidence`: Collect code evidence for documentation

## Prerequisites

Requires threat analysis. Run `/tm-threats` first if `threats.json` doesn't exist.

## Control Categories

### Authentication Controls

```
Search patterns:
- passport, authenticate, login, signin
- bcrypt, argon2, scrypt, pbkdf2
- jwt, jsonwebtoken, jose
- session, cookie
- oauth, oidc, saml
- mfa, totp, 2fa, two-factor
```

### Authorization Controls

```
Search patterns:
- authorize, isAuthorized, checkPermission
- hasRole, requireRole, role
- rbac, abac, acl
- permission, policy
- canAccess, isAllowed
```

### Input Validation Controls

```
Search patterns:
- validate, validator, sanitize
- joi, yup, zod, ajv
- escape, encode
- xss, html-entities
```

### Cryptography Controls

```
Search patterns:
- crypto, cipher, encrypt, decrypt
- hash, hmac, sign, verify
- tls, ssl, https
- certificate, key, secret
```

### Rate Limiting Controls

```
Search patterns:
- rate-limit, rateLimit, throttle
- express-rate-limit
- slowDown
- quota, limit
```

### Logging/Audit Controls

```
Search patterns:
- audit, log, logger
- winston, bunyan, pino
- monitor, track
- event, activity
```

### Error Handling Controls

```
Search patterns:
- error, exception, catch
- errorHandler, onError
- try, catch, finally
```

## Verification Process

### For Each Required Control

1. **Search for implementation patterns**
   - Use Grep with control-specific patterns
   - Search