ghost-report

Original：🇺🇸 English

Translated

Ghost Security — combined security report. Aggregates findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report focused on the highest risk, highest confidence issues. Use when the user requests a security overview, vulnerability summary, full security audit, or combined scan results.

2installs

Sourceghostsecurity/skills

Added on2026-02-24

NPX Install

npx skill4agent add ghostsecurity/skills ghost-report

SKILL.md Content

View Translation Comparison →

Combined Security Report

You aggregate findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report. Do all work yourself — do not spawn subagents or delegate.

$ARGUMENTS

Step 0: Setup

Run this Bash command to compute paths:

bash

repo_name=$(basename "$(pwd)") && remote_url=$(git remote get-url origin 2>/dev/null || pwd) && short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) && repo_id="${repo_name}-${short_hash}" && short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) && ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" && scans_dir="${ghost_repo_dir}/scans/${short_sha}" && cache_dir="${ghost_repo_dir}/cache" && skill_dir=$(find . -path '*/skills/report/SKILL.md' 2>/dev/null | head -1 | xargs dirname) && echo "scans_dir=$scans_dir cache_dir=$cache_dir skill_dir=$skill_dir"

Store

scans_dir

(commit-level scan directory),

cache_dir

, and

skill_dir

.

Cache Check

If

<scans_dir>/report.md

already exists, show:

Combined security report is at: <scans_dir>/report.md

And stop. Do not regenerate it.

Step 1: Read Repo Context

Read

<cache_dir>/repo.md

if it exists. Extract:

Business criticality
Sensitive data types
Component map

If it does not exist, continue without it — this is not an error.

Step 2: Discover Scan Results

List the contents of

<scans_dir>

to see which scan-type directories exist. Recognized types:

```
deps/
```
— SCA / dependency vulnerability scan
```
secrets/
```
— secrets and credentials scan
```
code/
```
— code security scan (SAST)

If none of these directories exist, report an error:

No scan results found in <scans_dir>. Run one or more scan skills first:
  /ghost-scan-deps
  /ghost-scan-secrets
  /ghost-scan-code

And stop.

Step 3: Collect Findings

For each scan type that exists, glob

<scans_dir>/<type>/findings/*.md

and read each finding file in full. Retain the complete markdown body of every finding — the report will inline this content directly so readers never need to open individual finding files.

From each finding, also extract these metadata fields for filtering and sorting:

ID — from
```
## Metadata
```
→
```
ID
```
Type — the scan type (
```
deps
```
,
```
secrets
```
, or
```
code
```
)
Severity — from
```
## Metadata
```
→
```
Severity
```
(high, medium, low)
Status — from
```
## Metadata
```
→
```
Status
```
(e.g., confirmed-exploitable, unverified, verified, rejected, clean)

Step 4: Filter and Sort

Filter: Keep only high-confidence findings:

For
```
deps
```
findings: status is
```
confirmed-exploitable
```
For
```
secrets
```
findings: status is NOT
```
clean
```
and NOT
```
rejected
```
For
```
code
```
findings: status is
```
verified
```
or
```
unverified
```
(NOT
```
rejected
```
)

Exclude any finding with status

clean

,

rejected

, or

false-positive

.

Sort the remaining findings:

By severity: high first, then medium, then low
Within same severity: deps before secrets before code

Step 5: Read Per-Scan Reports

For

deps

and

secrets

scan types, read

<scans_dir>/<type>/report.md

if present. Extract:

Statistics (candidates scanned, confirmed findings, false positives filtered)
Executive summary highlights

Note:

code

does not produce a

report.md

. For code scan coverage, count the finding files in

<scans_dir>/code/findings/

directly. The "Candidates Scanned" count is the total number of finding files (all statuses). "Confirmed Findings" is the count with status

verified

,

confirmed