Skip to content
/ ghostpatch Public

AI-powered security vulnerability scanner that runs locally via npm with zero infrastructure. 131+ OWASP rules, 15 languages, free AI analysis, MCP server for coding agents.

www.npmjs.com/package/ghostpatch

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

NeuralRays/ghostpatch

BranchesTags

Repository files navigation

GhostPatch

npm version GitHub release License: MIT Node.js TypeScript Tests OWASP Top 10 Security Rules Languages MCP AI Powered

AI-powered security vulnerability scanner that runs locally via npm with zero infrastructure setup.

Uses HuggingFace free models by default (zero cost), with optional Anthropic Claude and OpenAI GPT for deeper analysis. Includes CLI, library API, and MCP server for AI coding agent integration.

Features

  • 200+ security rules covering OWASP Top 10, CWE, and more
  • 15 languages: TypeScript, JavaScript, Python, Java, Go, Rust, C, C++, C#, PHP, Ruby, Swift, Kotlin, Shell, SQL
  • 10 specialized detectors: injection, auth, crypto, secrets, SSRF, path traversal, prototype pollution, deserialization, dependency, misconfiguration
  • AI-powered zero-day detection using HuggingFace (free), Anthropic, or OpenAI
  • 4 output formats: Terminal (colored), JSON, SARIF (GitHub/VS Code), HTML report
  • MCP server with 8 tools for AI coding agent integration
  • Watch mode for continuous scanning during development
  • Zero config — works out of the box, configurable via .ghostpatch.json

Quick Start

# Install globally
npm install -g ghostpatch

# Scan current directory
ghostpatch scan

# Scan specific path
ghostpatch scan ./src

# Short alias
gp scan

# Scan for secrets only
ghostpatch secrets

# Check dependencies
ghostpatch deps

# Generate HTML report
ghostpatch report

# Enable AI analysis
ghostpatch scan --ai
ghostpatch scan --ai --provider anthropic

CLI Commands

ghostpatch scan [path]           # Full security scan
  -o, --output <format>          # json | sarif | html | terminal (default: terminal)
  -s, --severity <level>         # critical | high | medium | low | info
  --ai                           # Enable AI-enhanced analysis
  --provider <name>              # huggingface | anthropic | openai
  --fix                          # Show fix suggestions
  -q, --quiet                    # Minimal output

ghostpatch secrets [path]        # Scan for hardcoded secrets only
ghostpatch deps [path]           # Dependency vulnerability check
ghostpatch watch [path]          # Watch mode — scan on file changes
ghostpatch report [path]         # Generate HTML report
ghostpatch serve                 # Start MCP server (stdio)
ghostpatch install               # Configure MCP for Claude Code

AI Providers

Provider Cost Setup Model
HuggingFace (default) Free Optional HF_TOKEN env var Qwen2.5-Coder-32B
Anthropic Paid ANTHROPIC_API_KEY env var Claude Sonnet 4.5
OpenAI Paid OPENAI_API_KEY env var GPT-4o 
# Use free HuggingFace (default)
ghostpatch scan --ai

# Use Anthropic Claude
export ANTHROPIC_API_KEY=sk-ant-...
ghostpatch scan --ai --provider anthropic

# Use OpenAI
export OPENAI_API_KEY=sk-...
ghostpatch scan --ai --provider openai

Library API

import { scan, generateReport, Severity } from 'ghostpatch';

// Full scan
const result = await scan('./my-project', {
  severity: Severity.MEDIUM,
  ai: true,
  provider: 'huggingface',
});

// Generate report
const html = generateReport(result, 'html');
const json = generateReport(result, 'json');
const sarif = generateReport(result, 'sarif');

// Access findings
console.log(`Found ${result.summary.total} issues`);
for (const finding of result.findings) {
  console.log(`${finding.severity}: ${finding.title} at ${finding.filePath}:${finding.line}`);
}

MCP Server (AI Coding Agent Integration)

GhostPatch includes an MCP server with 8 tools for seamless integration with AI coding agents like Claude Code.

# Auto-configure for Claude Code
ghostpatch install

# Or manually start
ghostpatch serve

MCP Tools

Tool Description
ghostpatch_scan Full security scan of project
ghostpatch_scan_file Scan a single file
ghostpatch_findings Get findings with filters
ghostpatch_finding Detailed info on specific finding
ghostpatch_secrets Scan for hardcoded secrets
ghostpatch_dependencies Check dependencies for CVEs
ghostpatch_ai_analyze AI-powered deep analysis
ghostpatch_status Scanner status and stats

Configuration

Create .ghostpatch.json in your project root:

{
  "exclude": ["node_modules/**", "dist/**", "*.min.js"],
  "severity": "medium",
  "ai": {
    "provider": "huggingface",
    "model": "auto"
  },
  "rules": {
    "disabled": ["LOG003"],
    "custom": []
  },
  "maxFileSize": 1048576,
  "languages": "auto"
}

Security Categories

OWASP Category Rules
A01 Broken Access Control BAC001–BAC010
A02 Cryptographic Failures CRYPTO001–CRYPTO012, SEC001–SEC014
A03 Injection INJ001–INJ018, PROTO001–PROTO002
A04 Insecure Design DES001–DES007
A05 Security Misconfiguration CFG001–CFG010
A06 Vulnerable Components DEP001–DEP003
A07 Authentication Failures AUTH001–AUTH008
A08 Data Integrity Failures SER001–SER004
A09 Logging Failures LOG001–LOG003
A10 SSRF SSRF001–SSRF002

Output Formats

Terminal

Colored output with severity icons, code snippets, and fix suggestions.

JSON

Machine-readable structured output for CI/CD integration.

SARIF

Static Analysis Results Interchange Format — compatible with GitHub Code Scanning and VS Code.

HTML

Professional standalone report with severity charts, finding details, and remediation advice.

CI/CD Integration

# GitHub Actions
- name: Security Scan
  run: |
    npx ghostpatch scan --output sarif -s medium > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Contributing

We welcome contributions! Here's how to get involved:

Reporting Issues

Found a bug or have a feature request? Open an issue with:

  • A clear description of the problem or suggestion
  • Steps to reproduce (for bugs)
  • Expected vs actual behavior
  • Your environment (OS, Node.js version)

Submitting Pull Requests

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature/my-feature
  3. Make your changes and add tests
  4. Run tests: npm test
  5. Build to verify: npm run build
  6. Commit your changes: git commit -m "Add my feature"
  7. Push to your fork: git push origin feature/my-feature
  8. Open a Pull Request against master

Development Setup

git clone https://github.com/NeuralRays/ghostpatch.git
cd ghostpatch
npm install
npm run build
npm test

What We're Looking For

  • New security detection rules and patterns
  • Support for additional programming languages
  • Improved AI prompt engineering for better analysis
  • Bug fixes and false positive reductions
  • Documentation improvements
  • CI/CD integration examples

Code of Conduct

Please be respectful and constructive in all interactions. We are committed to providing a welcoming and inclusive experience for everyone.

Security

If you discover a security vulnerability within GhostPatch, please report it responsibly by emailing neuralsoft@injectedsecurity.pro instead of opening a public issue.

Creator & Maintainer

NeuralRaysGitHub | neuralsoft@injectedsecurity.pro

License

MIT License — see LICENSE for details.

GhostPatch — Scan. Detect. Secure.
Built with TypeScript. Powered by AI.

About

AI-powered security vulnerability scanner that runs locally via npm with zero infrastructure. 131+ OWASP rules, 15 languages, free AI analysis, MCP server for coding agents.

www.npmjs.com/package/ghostpatch

Topics

cli npm security typescript ai mcp scanner static-analysis owasp vulnerability cwe sast secrets-detection huggingface code-security

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v1.0.1 — Dependency Fix Latest
Feb 9, 2026
+ 1 release

Packages

No packages published

Languages