Back to Details

pasta

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

PASTA Threat Model Dispatcher (Sequential)

PASTA威胁建模调度器(顺序式)

Dispatch 7 PASTA stages in strict sequential order. Unlike all other framework dispatchers, PASTA runs each stage as a Task, waits for its output, and passes that output into the next stage's prompt. This is because PASTA is a risk-centric process where business objectives (Stage 1) constrain technical scope (Stage 2), which constrains decomposition (Stage 3), and so on through risk analysis (Stage 7).
Do NOT run stages in parallel. Do NOT skip stages. Do NOT reorder stages.
严格按照顺序调度7个PASTA阶段。与其他所有框架调度器不同,PASTA将每个阶段作为Task运行,等待其输出,再将该输出传入下一个阶段的提示词中。这是因为PASTA是一个以风险为中心的流程,其中业务目标(第1阶段)约束技术范围(第2阶段),而技术范围又约束分解过程(第3阶段),依此类推直至风险分析(第7阶段)。
请勿并行运行阶段,请勿跳过阶段,请勿调整阶段顺序。

Stage Failure Handling

阶段失败处理

If a stage fails (returns empty output, errors, or times out):
  1. Record the failure: stage number, error details, partial output if any.
  2. Check if remaining stages can proceed:
    • Stages 1–3 are foundational. If any fails, STOP the pipeline and report partial results from completed stages.
    • Stages 4–7 can run with degraded input from prior stages. Note the gap explicitly in their output.
  3. Present completed stage outputs to the user with clear status markers: 
    • Stage 3: COMPLETED (12 components identified)
    • Stage 4: FAILED — [reason]. Stages 5–7 ran with reduced context.
  4. NEVER discard completed stage outputs due to a later stage failure.
如果某个阶段失败(返回空输出、报错或超时):
  1. 记录失败信息:阶段编号、错误详情、如有部分输出也一并记录。
  2. 检查剩余阶段是否可继续
    • 第1-3阶段是基础阶段。如果其中任何一个失败,停止流程并报告已完成阶段的部分结果。
    • 第4-7阶段可使用前序阶段的降级输入运行。需在其输出中明确注明信息缺口。
  3. 向用户展示已完成阶段的输出,并附带清晰的状态标记: 
    • Stage 3: COMPLETED (识别出12个组件)
    • Stage 4: FAILED — [原因]。第5-7阶段使用有限上下文运行。
  4. 切勿因后续阶段失败而丢弃已完成阶段的输出

Supported Flags

支持的标志

Read 
../../shared/schemas/flags.md
 for the full flag specification. This dispatcher supports all cross-cutting flags.
FlagDispatcher-Specific Behavior
--scope
Propagated to all stages. Default 
changed
. Stages 2-3 may expand scope to trace architecture.
--depth
Propagated to all stages. Default 
standard
.
--severity
Applied to final Stage 7 output to filter the risk-ranked findings.
--format
Applied to final consolidated output after Stage 7.
--only 1,4,7
Run only the listed stages (by number 1-7). Prior stages still run if their output is needed. E.g., 
--only 5
implicitly runs 1-4 first.
--fix
Propagated to Stage 5 (vulnerability analysis) and Stage 7 (risk mitigation).
--quiet
Propagated to all stages; suppress explanations.
--explain
Propagated to all stages; add learning material per finding.
阅读
../../shared/schemas/flags.md
查看完整的标志规范。此调度器支持所有跨领域标志。
标志调度器专属行为
--scope
传递至所有阶段。默认值为
changed
。第2-3阶段可能会扩大范围以追踪架构。
--depth
传递至所有阶段。默认值为
standard
--severity
应用于第7阶段的最终输出,用于过滤按风险排名的发现结果。
--format
在第7阶段完成后应用于最终的整合输出。
--only 1,4,7
仅运行列出的阶段(编号1-7)。若后续阶段需要前序阶段的输出,则仍需运行前序阶段。例如,
--only 5
会隐式先运行1-4阶段。
--fix
传递至第5阶段(漏洞分析)和第7阶段(风险缓解)。
--quiet
传递至所有阶段;抑制解释内容。
--explain
传递至所有阶段;为每个发现结果添加学习资料。

Framework Reference

框架参考

Read 
../../shared/frameworks/pasta.md
 for the full PASTA framework specification including all 7 stage definitions, cross-framework mappings to OWASP/STRIDE/CWE, and compliance mapping templates.
阅读
../../shared/frameworks/pasta.md
查看完整的PASTA框架规范,包括所有7个阶段的定义、与OWASP/STRIDE/CWE的跨框架映射,以及合规性映射模板。

Stage Pipeline

阶段流水线

The 7 stages execute strictly in order. Each stage is launched as a single Task tool call, and you MUST wait for it to complete before launching the next stage.
StageSkillOutputFeeds Into
1. Business Objectives
skills/pasta-objectives/SKILL.md
Business context, risk tolerance, compliance requirementsStage 2
2. Technical Scope
skills/pasta-scope/SKILL.md
Attack surface inventory, entry points, tech stack, DFDStage 3
3. Application Decomposition
skills/pasta-decompose/SKILL.md
Component inventory, trust boundaries, role-permission matrixStage 4
4. Threat Analysis
skills/pasta-threats/SKILL.md
Threat catalog, MITRE ATT&CK mappings, attack treesStage 5
5. Vulnerability Analysis
skills/pasta-vulns/SKILL.md
Vulnerability inventory with CWE mappings, exploitability scoresStage 6
6. Attack Simulation
skills/pasta-attack-sim/SKILL.md
Exploit chains, DREAD scores, detection gap analysisStage 7
7. Risk & Impact Analysis
skills/pasta-risk/SKILL.md
Risk-ranked findings, mitigation roadmap, executive summaryFinal output
7个阶段严格按顺序执行。每个阶段作为单个Task工具调用启动,必须等待其完成后再启动下一个阶段。
阶段Skill输出输入至
1. 业务目标
skills/pasta-objectives/SKILL.md
业务上下文、风险容忍度、合规要求第2阶段
2. 技术范围
skills/pasta-scope/SKILL.md
攻击面清单、入口点、技术栈、数据流图(DFD)第3阶段
3. 应用分解
skills/pasta-decompose/SKILL.md
组件清单、信任边界、角色权限矩阵第4阶段
4. 威胁分析
skills/pasta-threats/SKILL.md
威胁目录、MITRE ATT&CK映射、攻击树第5阶段
5. 漏洞分析
skills/pasta-vulns/SKILL.md
带CWE映射的漏洞清单、可利用性评分第6阶段
6. 攻击模拟
skills/pasta-attack-sim/SKILL.md
利用链、DREAD评分、检测缺口分析第7阶段
7. 风险与影响分析
skills/pasta-risk/SKILL.md
按风险排名的发现结果、缓解路线图、执行摘要最终输出

Sequential Dispatch Workflow

顺序调度工作流

Step 1: Resolve Scope

步骤1:解析范围

Parse flags and resolve the target file list per the flags spec. Build the initial file list that will be passed to Stage 1.
解析标志并根据标志规范确定目标文件列表。构建将传递至第1阶段的初始文件列表。

Step 2: Execute Stages Sequentially

步骤2:按顺序执行阶段

For EACH stage (1 through 7), follow this pattern:
  1. Build the subagent prompt with all prior stage outputs embedded.
  2. Launch a single Task tool call for this stage.
  3. Wait for the Task to complete and capture its full output.
  4. Store the output for inclusion in subsequent stage prompts.
  5. Proceed to the next stage.
Do NOT launch the next stage until the current stage has returned.
对于每个阶段(1至7),遵循以下流程:
  1. 构建子Agent提示词,嵌入所有前序阶段的输出。
  2. 为此阶段启动单个Task工具调用
  3. 等待Task完成并捕获其完整输出。
  4. 存储输出,以便在后续阶段的提示词中包含。
  5. 进入下一个阶段
请勿在当前阶段返回前启动下一个阶段。

Subagent Prompt Template

子Agent提示词模板

Each stage gets a FULLY self-contained prompt including all prior outputs:
Execute PASTA Stage {N}: {STAGE_NAME}

STEP 1: Read the skill definition at:
{ABSOLUTE_PATH_TO_PLUGIN}/skills/{SKILL_NAME}/SKILL.md

STEP 2: Read the PASTA framework reference at:
{ABSOLUTE_PATH_TO_PLUGIN}/shared/frameworks/pasta.md
Focus on the "Stage {N}" section for guidance.

STEP 3: Read the findings schema at:
{ABSOLUTE_PATH_TO_PLUGIN}/shared/schemas/findings.md

PRIOR STAGE OUTPUTS (use these as input for your analysis):
--- Stage 1 Output ---
{STAGE_1_OUTPUT or "N/A - this is Stage 1"}
--- Stage 2 Output ---
{STAGE_2_OUTPUT or "Not yet executed"}
[... include all prior stage outputs ...]

FILES TO ANALYZE:
{FILE_LIST}

FLAGS: --scope {SCOPE} --depth {DEPTH} --severity {SEVERITY}

IMPORTANT: Your output will be passed to Stage {N+1} as input. Structure
your output clearly with headers and sections so the next stage can parse
it. Return your stage-specific output only -- do NOT attempt to execute
later stages.
每个阶段都会获得一个完全自包含的提示词,其中包含所有前序阶段的输出:
Execute PASTA Stage {N}: {STAGE_NAME}

STEP 1: Read the skill definition at:
{ABSOLUTE_PATH_TO_PLUGIN}/skills/{SKILL_NAME}/SKILL.md

STEP 2: Read the PASTA framework reference at:
{ABSOLUTE_PATH_TO_PLUGIN}/shared/frameworks/pasta.md
Focus on the "Stage {N}" section for guidance.

STEP 3: Read the findings schema at:
{ABSOLUTE_PATH_TO_PLUGIN}/shared/schemas/findings.md

PRIOR STAGE OUTPUTS (use these as input for your analysis):
--- Stage 1 Output ---
{STAGE_1_OUTPUT or "N/A - this is Stage 1"}
--- Stage 2 Output ---
{STAGE_2_OUTPUT or "Not yet executed"}
[... include all prior stage outputs ...]

FILES TO ANALYZE:
{FILE_LIST}

FLAGS: --scope {SCOPE} --depth {DEPTH} --severity {SEVERITY}

IMPORTANT: Your output will be passed to Stage {N+1} as input. Structure
your output clearly with headers and sections so the next stage can parse
it. Return your stage-specific output only -- do NOT attempt to execute
later stages.

Stage Execution Details

阶段执行细节

Stage 1 -- Business Objectives: Receives only the file list. Infers business context from code artifacts (payment processing, PII handling, authentication flows, admin interfaces). Outputs business context statement, risk tolerance, and compliance requirements.
Stage 2 -- Technical Scope: Receives Stage 1 output plus file list. Maps entry points, protocols, external dependencies, and tech stack. May request expanded file scanning to find architecture artifacts (Dockerfiles, K8s manifests, API gateway configs).
Stage 3 -- Application Decomposition: Receives Stages 1-2 output. Decomposes into components, maps trust boundaries, classifies data sensitivity, documents auth/authz flows per component.
Stage 4 -- Threat Analysis: Receives Stages 1-3 output. Identifies threats using real-world intelligence, maps to MITRE ATT&CK techniques, builds attack trees for high-value targets identified in Stage 1.
Stage 5 -- Vulnerability Analysis: Receives Stages 1-4 output. Core code analysis stage. Finds specific weaknesses that enable the threats from Stage 4. Maps to CWE identifiers. Prioritizes vulnerabilities that directly enable identified threats over theoretical weaknesses.
Stage 6 -- Attack Simulation: Receives Stages 1-5 output. Constructs multi-step exploit chains combining threats (Stage 4) with vulnerabilities (Stage 5). Scores each chain with DREAD. Identifies which attacks reach business-critical assets from Stage 1.
Stage 7 -- Risk & Impact Analysis: Receives Stages 1-6 output. Calculates business-weighted risk scores (Likelihood x Business Impact). Produces risk-ranked finding list, mitigation roadmap (quick wins / short term / long term), compliance gap report, and executive summary.
第1阶段——业务目标:仅接收文件列表。从代码工件(支付处理、PII处理、认证流程、管理界面)中推断业务上下文。输出业务上下文说明、风险容忍度和合规要求。
第2阶段——技术范围:接收第1阶段输出和文件列表。映射入口点、协议、外部依赖和技术栈。可能会请求扩大文件扫描范围以查找架构工件(Dockerfiles、K8s清单、API网关配置)。
第3阶段——应用分解:接收第1-2阶段输出。将应用分解为组件,映射信任边界,分类数据敏感度,记录每个组件的认证/授权流程。
第4阶段——威胁分析:接收第1-3阶段输出。使用真实世界情报识别威胁,映射至MITRE ATT&CK技术,为第1阶段中识别的高价值目标构建攻击树。
第5阶段——漏洞分析:接收第1-4阶段输出。核心代码分析阶段。查找可利用第4阶段中威胁的特定弱点,映射至CWE标识符。优先处理可直接利用已识别威胁的漏洞,而非理论上的弱点。
第6阶段——攻击模拟:接收第1-5阶段输出。结合第4阶段的威胁和第5阶段的漏洞构建多步骤利用链。使用DREAD为每个链评分。识别哪些攻击可触及第1阶段中的业务关键资产。
第7阶段——风险与影响分析:接收第1-6阶段输出。计算业务加权风险评分(可能性×业务影响)。生成按风险排名的发现结果列表、缓解路线图(快速获胜/短期/长期)、合规缺口报告和执行摘要。

Consolidation

整合流程

After Stage 7 completes, the dispatcher:
第7阶段完成后,调度器将执行以下操作:

1. Collect All Findings

1. 收集所有发现结果

Gather the final risk-ranked finding list from Stage 7 output. Stage 7 already incorporates context from all prior stages.
从第7阶段输出中收集最终的按风险排名的发现结果列表。第7阶段已整合所有前序阶段的上下文信息。

2. Format Output

2. 格式化输出

Apply the 
--format
flag to produce the final output. The Stage 7 output should already contain:
  • Executive summary (non-technical stakeholder audience)
  • Risk-ranked finding list with business impact justification
  • Mitigation roadmap with effort estimates
  • Compliance gap report (if regulatory requirements identified in Stage 1)
  • Residual risk assessment
应用
--format
标志生成最终输出。第7阶段输出应已包含:
  • 执行摘要(面向非技术利益相关者)
  • 带业务影响说明的按风险排名的发现结果列表
  • 带工作量估算的缓解路线图
  • 合规缺口报告(若第1阶段识别出监管要求)
  • 剩余风险评估

3. Apply Severity Filter

3. 应用严重性过滤

If 
--severity
is set, filter the finding list to show only findings at or above the specified severity threshold.
若设置了
--severity
,则过滤发现结果列表,仅显示达到或高于指定严重性阈值的结果。

4. Cross-Reference

4. 交叉引用

Populate cross-framework references on all findings:
  • references.owasp
    : Map to OWASP Top 10 category.
  • references.stride
    : Map to STRIDE category letter(s).
  • references.mitre_attck
    : Already populated by Stage 4.
  • references.cwe
    : Already populated by Stage 5.
为所有发现结果填充跨框架引用:
  • references.owasp
    :映射至OWASP Top 10类别。
  • references.stride
    :映射至STRIDE类别字母。
  • references.mitre_attck
    :已由第4阶段填充。
  • references.cwe
    :已由第5阶段填充。

5. Present Results

5. 展示结果

Output the final PASTA report. Include the stage progression summary showing how business objectives flowed through to risk-ranked mitigations.
输出最终的PASTA报告。包含阶段进展摘要,展示业务目标如何逐步转化为按风险排名的缓解措施。

Expert Mode

专家模式

If 
--depth expert
is set, after Stage 7 completes, launch red team subagents with the full PASTA output. Red team agents receive the exploit chains from Stage 6 and attempt to extend them, finding additional attack paths or chaining multiple exploit chains together.
Red team findings are appended to the final output with prefix 
RT
and 
metadata.tool
set to 
"red-team"
.
若设置了
--depth expert
,在第7阶段完成后,将使用完整的PASTA输出启动红队子Agent。红队Agent将接收第6阶段的利用链,并尝试扩展这些链,查找额外的攻击路径或组合多个利用链。
红队发现结果将以前缀
RT
附加至最终输出,并将
metadata.tool
设置为
"red-team"