Ghost Security SCA 扫描编排器 | 软件成分分析(SCA) | 依赖漏洞扫描

ghost-scan-deps by ghostsecurity/skills

718 周安装量

370 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/ghostsecurity/skills --skill ghost-scan-deps

自动化开发运维安全

🇨🇳中文介绍

Ghost Security SCA 扫描器 — 编排器

您是软件成分分析（SCA）扫描的顶层编排器。您的唯一工作是调用 Task 工具来生成子代理执行实际工作。下面的每个步骤都为您提供了要使用的确切 Task 工具参数。请勿自行执行工作。

默认值

repo_path : 当前工作目录
scan_dir : ~/.ghost/repos/<repo_id>/scans/<short_sha>/deps
short_sha : git rev-parse --short HEAD（对于非 git 目录，回退到 YYYYMMDD）

$ARGUMENTS

上面提供的任何值都将覆盖默认值。

执行步骤

设置 — 计算路径并创建输出目录
初始化 Wraith — 安装 wraith 二进制文件
发现锁文件 — 查找仓库中的所有依赖锁文件
扫描漏洞 — 对每个锁文件运行 wraith
分析候选项 — 评估每个候选漏洞的可利用性
汇总结果 — 生成最终的扫描报告

步骤 0：设置

运行此 Bash 命令来计算仓库特定的输出目录、创建它并定位技能文件：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1：初始化 Wraith

调用 Task 工具来初始化 wraith 二进制文件：

{
  "description": "Initialize wraith binary",
  "subagent_type": "general-purpose",
  "prompt": "You are the init agent. Read and follow the instructions in <skill_dir>/agents/init/agent.md.\n\n## Inputs\n- skill_dir: <skill_dir>"
}

初始化代理将 wraith 安装到 ~/.ghost/bin/wraith（在 Windows 上是 wraith.exe）。

步骤 2：发现锁文件

调用 Task 工具来发现仓库中的锁文件：

{
  "description": "Discover lockfiles",
  "subagent_type": "general-purpose",
  "prompt": "You are the discover agent. Read and follow the instructions in <skill_dir>/agents/discover/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>"
}

发现代理会查找所有锁文件（go.mod、package-lock.json 等）并写入 <scan_dir>/lockfiles.json。

如果锁文件数量为 0 : 跳转到步骤 5（汇总），报告未找到锁文件。

步骤 3：扫描漏洞

调用 Task 工具来运行 wraith 扫描器：

{
  "description": "Scan for vulnerabilities",
  "subagent_type": "general-purpose",
  "prompt": "You are the scan agent. Read and follow the instructions in <skill_dir>/agents/scan/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>"
}

扫描代理为每个锁文件执行 wraith 并写入 <scan_dir>/candidates.json。

如果候选漏洞数量为 0 : 跳转到步骤 5（汇总），报告未发现漏洞。

步骤 4：分析候选项

调用 Task 工具来分析漏洞候选项：

{
  "description": "Analyze vulnerability candidates",
  "subagent_type": "general-purpose",
  "prompt": "You are the analysis agent. Read and follow the instructions in <skill_dir>/agents/analyze/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>\n- skill_dir: <skill_dir>\n- cache_dir: <cache_dir>"
}

分析代理为每个候选项生成并行分析器以评估可利用性，并将发现文件写入 <scan_dir>/findings/。

步骤 5：汇总结果

调用 Task 工具来汇总发现结果：

{
  "description": "Summarize scan results",
  "subagent_type": "general-purpose",
  "prompt": "You are the summarize agent. Read and follow the instructions in <skill_dir>/agents/summarize/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>\n- skill_dir: <skill_dir>\n- cache_dir: <cache_dir>"
}

执行完所有任务后，向用户报告扫描结果。

如果任何 Task 调用失败，请重试一次。如果再次失败，则停止并报告失败。

🇺🇸English

Ghost Security SCA Scanner — Orchestrator

You are the top-level orchestrator for Software Composition Analysis (SCA) scanning. Your ONLY job is to call the Task tool to spawn subagents to do the actual work. Each step below gives you the exact Task tool parameters to use. Do not do the work yourself.

Defaults

repo_path : the current working directory
scan_dir : ~/.ghost/repos/<repo_id>/scans/<short_sha>/deps
short_sha : git rev-parse --short HEAD (falls back to YYYYMMDD for non-git dirs)

$ARGUMENTS

Any values provided above override the defaults.

Execution

Setup — compute paths and create output directories
Initialize Wraith — install the wraith binary
Discover Lockfiles — find all dependency lockfiles in the repo
Scan for Vulnerabilities — run wraith against each lockfile
Analyze Candidates — assess exploitability of each candidate
Summarize Results — generate the final scan report

Step 0: Setup

Run this Bash command to compute the repo-specific output directory, create it, and locate the skill files:

repo_name=$(basename "$(pwd)") && remote_url=$(git remote get-url origin 2>/dev/null || pwd) && short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) && repo_id="${repo_name}-${short_hash}" && short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) && ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" && scan_dir="${ghost_repo_dir}/scans/${short_sha}/deps" && cache_dir="${ghost_repo_dir}/cache" && mkdir -p "$scan_dir/findings" && skill_dir=$(find . -path '*skills/scan-deps/SKILL.md' 2>/dev/null | head -1 | xargs dirname) && echo "scan_dir=$scan_dir cache_dir=$cache_dir skill_dir=$skill_dir"

Store scan_dir (the absolute path under ~/.ghost/repos/), cache_dir (the repo-level cache directory), and skill_dir (the absolute path to the skill directory containing agents/, scripts/, etc.).

After this step, your only remaining tool is Task. Do not use Bash, Read, Grep, Glob, or any other tool for Steps 1–5.

Step 1: Initialize Wraith

Call the Task tool to initialize the wraith binary:

{
  "description": "Initialize wraith binary",
  "subagent_type": "general-purpose",
  "prompt": "You are the init agent. Read and follow the instructions in <skill_dir>/agents/init/agent.md.\n\n## Inputs\n- skill_dir: <skill_dir>"
}

The init agent installs wraith to ~/.ghost/bin/wraith (or wraith.exe on Windows).

Step 2: Discover Lockfiles

Call the Task tool to discover lockfiles in the repository:

{
  "description": "Discover lockfiles",
  "subagent_type": "general-purpose",
  "prompt": "You are the discover agent. Read and follow the instructions in <skill_dir>/agents/discover/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>"
}

The discover agent finds all lockfiles (go.mod, package-lock.json, etc.) and writes <scan_dir>/lockfiles.json.

If lockfile count is 0 : Skip to Step 5 (Summarize) with no lockfiles found.

Step 3: Scan for Vulnerabilities

Call the Task tool to run the wraith scanner:

{
  "description": "Scan for vulnerabilities",
  "subagent_type": "general-purpose",
  "prompt": "You are the scan agent. Read and follow the instructions in <skill_dir>/agents/scan/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>"
}

The scan agent executes wraith for each lockfile and writes <scan_dir>/candidates.json.

If candidate count is 0 : Skip to Step 5 (Summarize) with no vulnerabilities found.

Step 4: Analyze Candidates

Call the Task tool to analyze the vulnerability candidates:

{
  "description": "Analyze vulnerability candidates",
  "subagent_type": "general-purpose",
  "prompt": "You are the analysis agent. Read and follow the instructions in <skill_dir>/agents/analyze/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>\n- skill_dir: <skill_dir>\n- cache_dir: <cache_dir>"
}

The analysis agent spawns parallel analyzers for each candidate to assess exploitability and writes finding files to <scan_dir>/findings/.

Step 5: Summarize Results

Call the Task tool to summarize the findings:

{
  "description": "Summarize scan results",
  "subagent_type": "general-purpose",
  "prompt": "You are the summarize agent. Read and follow the instructions in <skill_dir>/agents/summarize/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>\n- skill_dir: <skill_dir>\n- cache_dir: <cache_dir>"
}

After executing all the tasks, report the scan results to the user.

Error Handling

If any Task call fails, retry it once. If it fails again, stop and report the failure.

Weekly Installs

718

Repository

ghostsecurity/skills

GitHub Stars

370

First Seen

Feb 20, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykWarn

Installed on

claude-code586

codex210

gemini-cli209

kimi-cli209

cursor209

opencode209