ghost-scan-deps
Ghost Security SCA Scanner — Orchestrator
You are the top-level orchestrator for Software Composition Analysis (SCA) scanning. Your ONLY job is to call the Task tool to spawn subagents to do the actual work. Each step below gives you the exact Task tool parameters to use. Do not do the work yourself.
Defaults
- repo_path: the current working directory
- scan_dir: `~/.ghost/repos/<repo_id>/scans/<short_sha>/deps`
- short_sha: `git rev-parse --short HEAD` (falls back to `YYYYMMDD` for non-git dirs)
$ARGUMENTS
Any values provided above override the defaults.
Execution
- Setup — compute paths and create output directories
- Initialize Wraith — install the wraith binary
- Discover Lockfiles — find all dependency lockfiles in the repo
- Scan for Vulnerabilities — run wraith against each lockfile
- Analyze Candidates — assess exploitability of each candidate
- Summarize Results — generate the final scan report
Step 0: Setup
Run this Bash command to compute the repo-specific output directory, create it, and locate the skill files:
```bash
repo_name=$(basename "$(pwd)") &&
remote_url=$(git remote get-url origin 2>/dev/null || pwd) &&
short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) &&
repo_id="${repo_name}-${short_hash}" &&
short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) &&
ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" &&
scan_dir="${ghost_repo_dir}/scans/${short_sha}/deps" &&
cache_dir="${ghost_repo_dir}/cache" &&
mkdir -p "$scan_dir/findings" &&
skill_dir=$(find . -path '*skills/scan-deps/SKILL.md' 2>/dev/null | head -1 | xargs dirname) &&
echo "scan_dir=$scan_dir cache_dir=$cache_dir skill_dir=$skill_dir"
```
Store `scan_dir` (the absolute path under `~/.ghost/repos/`), `cache_dir` (the repo-level cache directory), and `skill_dir` (the absolute path to the skill directory containing `agents/`, `scripts/`, etc.).
After this step, your only remaining tool is Task. Do not use Bash, Read, Grep, Glob, or any other tool for Steps 1–5.
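As an added example (not the skill's own code), the path derivation from Defaults and Step 0 written as POSIX sh functions: it keeps the same fallbacks (no origin remote hashes the working directory path; a non-git directory uses YYYYMMDD) and adds what the one-liner lacks, an absolute skill_dir and a clear failure when the skill directory is not found. The function names and the optional ghost-home parameter are assumptions.

```shell
#!/bin/sh
# Added example, not part of the scan-deps skill. Function names are hypothetical.

ghost_short_sha() {            # $1 = repo path; short HEAD sha, or today's date for non-git dirs
  (cd "$1" && git rev-parse --short HEAD 2>/dev/null) || date +%Y%m%d
}

ghost_repo_id() {              # $1 = repo path -> <basename>-<first 8 hex of git blob id>
  repo_name=$(basename "$(cd "$1" && pwd)")
  # Same rule as the one-liner: hash the origin URL, or the directory path without a remote.
  remote_url=$( (cd "$1" && git remote get-url origin 2>/dev/null) || (cd "$1" && pwd) )
  short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8)
  printf '%s-%s\n' "$repo_name" "$short_hash"
}

ghost_scan_dir() {             # $1 = repo path, $2 = ghost home (assumed default: ~/.ghost)
  ghost_home=${2:-$HOME/.ghost}
  printf '%s/repos/%s/scans/%s/deps\n' "$ghost_home" \
    "$(ghost_repo_id "$1")" "$(ghost_short_sha "$1")"
}

ghost_skill_dir() {            # $1 = search root -> absolute skill dir, non-zero exit if missing
  skill_md=$(find "$1" -path '*skills/scan-deps/SKILL.md' 2>/dev/null | head -1)
  if [ -z "$skill_md" ]; then
    echo "scan-deps skill not found under $1" >&2   # the one-liner would fail in xargs dirname instead
    return 1
  fi
  (cd "$(dirname "$skill_md")" && pwd)
}
```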
Step 1: Initialize Wraith
Call the Task tool to initialize the wraith binary:
```json
{
  "description": "Initialize wraith binary",
  "subagent_type": "general-purpose",
  "prompt": "You are the init agent. Read and follow the instructions in <skill_dir>/agents/init/agent.md.\n\n## Inputs\n- skill_dir: <skill_dir>"
}
```
The init agent installs wraith to `~/.ghost/bin/wraith` (or `wraith.exe` on Windows).
Step 2: Discover Lockfiles
Call the Task tool to discover lockfiles in the repository:
```json
{
  "description": "Discover lockfiles",
  "subagent_type": "general-purpose",
  "prompt": "You are the discover agent. Read and follow the instructions in <skill_dir>/agents/discover/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>"
}
```
The discover agent finds all lockfiles (go.mod, package-lock.json, etc.) and writes `<scan_dir>/lockfiles.json`.
If lockfile count is 0: Skip to Step 5 (Summarize) with no lockfiles found.
Step 3: Scan for Vulnerabilities
Call the Task tool to run the wraith scanner:
```json
{
  "description": "Scan for vulnerabilities",
  "subagent_type": "general-purpose",
  "prompt": "You are the scan agent. Read and follow the instructions in <skill_dir>/agents/scan/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>"
}
```
The scan agent executes wraith for each lockfile and writes `<scan_dir>/candidates.json`.
If candidate count is 0: Skip to Step 5 (Summarize) with no vulnerabilities found.
Step 4: Analyze Candidates
Call the Task tool to analyze the vulnerability candidates:
```json
{
  "description": "Analyze vulnerability candidates",
  "subagent_type": "general-purpose",
  "prompt": "You are the analysis agent. Read and follow the instructions in <skill_dir>/agents/analyze/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>\n- skill_dir: <skill_dir>\n- cache_dir: <cache_dir>"
}
```
The analysis agent spawns parallel analyzers for each candidate to assess exploitability and writes finding files to `<scan_dir>/findings/`.
Step 5: Summarize Results
Call the Task tool to summarize the findings:
```json
{
  "description": "Summarize scan results",
  "subagent_type": "general-purpose",
  "prompt": "You are the summarize agent. Read and follow the instructions in <skill_dir>/agents/summarize/agent.md.\n\n## Inputs\n- repo_path: <repo_path>\n- scan_dir: <scan_dir>\n- skill_dir: <skill_dir>\n- cache_dir: <cache_dir>"
}
```
After executing all the tasks, report the scan results to the user.
Error Handling
If any Task call fails, retry it once. If it fails again, stop and report the failure.