# Combined Security Report
You aggregate findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report. Do all work yourself — do not spawn subagents or delegate.
$ARGUMENTS
## Step 0: Setup
Run this Bash command to compute paths:

```bash
repo_name=$(basename "$(pwd)") &&
remote_url=$(git remote get-url origin 2>/dev/null || pwd) &&
short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) &&
repo_id="${repo_name}-${short_hash}" &&
short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) &&
ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" &&
scans_dir="${ghost_repo_dir}/scans/${short_sha}" &&
cache_dir="${ghost_repo_dir}/cache" &&
skill_dir=$(find . -path '*/skills/report/SKILL.md' 2>/dev/null | head -1 | xargs dirname) &&
echo "scans_dir=$scans_dir cache_dir=$cache_dir skill_dir=$skill_dir"
```

Store `scans_dir` (the commit-level scan directory), `cache_dir`, and `skill_dir`.
### Cache Check
If `<scans_dir>/report.md` already exists, show:

```
Combined security report is at: <scans_dir>/report.md
```

And stop. Do not regenerate it.
## Step 1: Read Repo Context
Read `<cache_dir>/repo.md` if it exists. Extract:

- Business criticality
- Sensitive data types
- Component map

If it does not exist, continue without it — this is not an error.
## Step 2: Discover Scan Results
List the contents of `<scans_dir>` to see which scan-type directories exist. Recognized types:

- `deps/` — SCA / dependency vulnerability scan
- `secrets/` — secrets and credentials scan
- `code/` — code security scan (SAST)

If none of these directories exist, report an error:

```
No scan results found in <scans_dir>. Run one or more scan skills first:
  /ghost-scan-deps
  /ghost-scan-secrets
  /ghost-scan-code
```

And stop.
## Step 3: Collect Findings
For each scan type that exists, glob `<scans_dir>/<type>/findings/*.md` and read each finding file in full. Retain the complete markdown body of every finding — the report will inline this content directly so readers never need to open individual finding files.

From each finding, also extract these metadata fields for filtering and sorting:

- **ID** — from `## Metadata` → `ID`
- **Type** — the scan type (`deps`, `secrets`, or `code`)
- **Severity** — from `## Metadata` → `Severity` (high, medium, low)
- **Status** — from `## Metadata` → `Status` (e.g., confirmed-exploitable, unverified, verified, rejected, clean)
## Step 4: Filter and Sort
**Filter:** Keep only high-confidence findings:

- For `deps` findings: status is `confirmed-exploitable`
- For `secrets` findings: status is NOT `clean` and NOT `rejected`
- For `code` findings: status is `verified` or `unverified` (NOT `rejected`)

Exclude any finding with status `clean`, `rejected`, or `false-positive`.

**Sort** the remaining findings:

- By severity: high first, then medium, then low
- Within the same severity: deps before secrets before code
## Step 5: Read Per-Scan Reports
For the `deps` and `secrets` scan types, read `<scans_dir>/<type>/report.md` if present. Extract:

- Statistics (candidates scanned, confirmed findings, false positives filtered)
- Executive summary highlights

Note: `code` does not produce a `report.md`. For code scan coverage, count the finding files in `<scans_dir>/code/findings/` directly. The "Candidates Scanned" count is the total number of finding files (all statuses). "Confirmed Findings" is the count with status `verified`, `confirmed`, or `unverified`. "False Positives Filtered" is the count with status `rejected`. Do NOT count clean file analyses from the nomination/analysis funnel — those never became findings.

If a per-scan report does not exist for deps or secrets, note it as unavailable.
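The collection, filter, sort and coverage rules of Steps 3 to 5 are easy to get subtly wrong when applied by hand (for instance, counting `unverified` code findings as confirmed for coverage while still inlining them, or letting a `false-positive` secrets finding through). The script below is an added worked example, not code from the ghost-report skill or the ghost project. It assumes a finding-file layout the skill does not define: a `## Metadata` heading followed by `Key: value` lines, optionally written as list items with a bold key (`- **Severity**: high`). All sample findings are constructed.

```python
# Added worked example (not part of the ghost-report skill). Implements Steps 3-5:
# parse "## Metadata" from each finding file, apply the Step 4 filter and sort,
# and compute the Step 5 coverage counts for the code scan.
# ASSUMPTION: finding files carry a "## Metadata" heading followed by "Key: value"
# lines, optionally as list items with a bold key ("- **Severity**: high").
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
TYPE_ORDER = {"deps": 0, "secrets": 1, "code": 2}
EXCLUDED_STATUSES = {"clean", "rejected", "false-positive"}

# Matches "Key: value", "- Key: value" or "- **Key**: value".
META_LINE = re.compile(r"^\s*(?:[-*]\s+)?\**([A-Za-z][A-Za-z ]*?)\**\s*:\s*(.+?)\s*$")


@dataclass
class Finding:
    id: str
    type: str       # scan type: deps, secrets or code
    severity: str   # high, medium or low
    status: str     # e.g. confirmed-exploitable, verified, unverified, rejected, clean
    body: str       # complete markdown body, retained for inlining into the report


def parse_metadata(markdown: str) -> dict:
    """Return the key/value pairs found under the '## Metadata' heading (keys lower-cased)."""
    meta, in_meta = {}, False
    for line in markdown.splitlines():
        if line.startswith("## "):
            in_meta = line.strip().lower() == "## metadata"
            continue
        if in_meta:
            m = META_LINE.match(line)
            if m:
                meta[m.group(1).strip().lower()] = m.group(2).strip()
    return meta


def load_finding(scan_type: str, markdown: str) -> Finding:
    """Step 3: keep the full body and extract the fields needed for filtering and sorting."""
    meta = parse_metadata(markdown)
    return Finding(id=meta.get("id", "unknown"), type=scan_type,
                   severity=meta.get("severity", "low").lower(),
                   status=meta.get("status", "unverified").lower(), body=markdown)


def keep(f: Finding) -> bool:
    """Step 4 filter: high-confidence findings only, per scan type."""
    if f.status in EXCLUDED_STATUSES:      # clean / rejected / false-positive never pass
        return False
    if f.type == "deps":
        return f.status == "confirmed-exploitable"
    if f.type == "secrets":
        return True                        # NOT clean and NOT rejected (handled above)
    if f.type == "code":
        return f.status in {"verified", "unverified"}
    return False


def filter_and_sort(findings):
    """Step 4 sort: severity high > medium > low, then deps before secrets before code."""
    return sorted((f for f in findings if keep(f)),
                  key=lambda f: (SEVERITY_ORDER.get(f.severity, 3), TYPE_ORDER.get(f.type, 3)))


def code_coverage(code_findings):
    """Step 5 counts for the code scan, which produces no per-scan report.md."""
    statuses = [f.status for f in code_findings]
    return {"candidates_scanned": len(statuses),
            "confirmed_findings": sum(s in {"verified", "confirmed", "unverified"} for s in statuses),
            "false_positives_filtered": statuses.count("rejected")}


def _finding_md(fid, severity, status, title):
    """Build a constructed finding file in the assumed layout."""
    return (f"# {title}\n\n## Metadata\n- **ID**: {fid}\n- **Severity**: {severity}\n"
            f"- **Status**: {status}\n\n## Description\n(constructed sample body for {fid})\n")


# Constructed sample scan results, keyed by scan-type directory name.
SAMPLE_SCANS = {
    "deps": [_finding_md("DEPS-001", "high", "confirmed-exploitable", "Vulnerable dependency A"),
             _finding_md("DEPS-002", "medium", "unverified", "Vulnerable dependency B")],
    "secrets": [_finding_md("SEC-001", "high", "verified", "Hardcoded credential"),
                _finding_md("SEC-002", "low", "clean", "Test fixture token")],
    "code": [_finding_md("CODE-001", "high", "verified", "Injection sink"),
             _finding_md("CODE-002", "medium", "unverified", "Weak randomness"),
             _finding_md("CODE-003", "medium", "rejected", "Dead code path")],
}


def demo(scans=SAMPLE_SCANS):
    """Return the ordered IDs that survive the filter and the code-scan coverage counts."""
    findings = [load_finding(t, md) for t, files in scans.items() for md in files]
    ordered = [f.id for f in filter_and_sort(findings)]
    coverage = code_coverage([f for f in findings if f.type == "code"])
    return ordered, coverage


if __name__ == "__main__":
    print(demo())
```

Running it on the constructed sample keeps `DEPS-001`, `SEC-001`, `CODE-001` and `CODE-002` in that order, while the unverified dependency, the clean secret and the rejected code finding are dropped; the code-scan coverage comes out as 3 candidates, 2 confirmed and 1 false positive filtered, exactly the three numbers Step 5 asks for. The retained `body` field is what Step 6 inlines into the report.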
## Step 6: Generate Report
- Read `<skill_dir>/report-template.md`
- Populate the template with collected data:
  - Fill Scan Information with repository name, commit SHA, date, and which scans ran
  - Write the Executive Summary using repo context and aggregated findings
  - For all writing in this security-focused, objective and fact-based report, use a neutral, human tone that balances expertise with ease of reading. Do not use emojis, em-dashes, etc.
  - For Critical & High findings (severity = high): inline the substantive content from each finding file directly into the report — include code snippets, assessment tables, remediation commands, and all relevant detail so the report is fully self-contained
  - For Medium findings: write a full subsection per finding with description, location, code context, and remediation (not a condensed table)
  - Omit low-severity findings (they remain in per-scan finding files only)
  - Fill the Scan Coverage table from per-scan report statistics (for code, use the finding file counts from Step 5)
  - Add a brief methodology note per scan type that ran (1-2 sentences drawn from per-scan reports)
  - Do NOT include links to per-scan reports or individual finding files — all content is inlined
- Write the report to `<scans_dir>/report.md`
## Step 7: Show Output

```
Combined security report is at: <scans_dir>/report.md
```