KbWen/security-tools

👻 GhostCheck

Blazing-fast, zero-dependency security scanner for the AI-assisted development era.


Identify high-risk vulnerabilities and "ghost" threats introduced by AI agents even before they reach your CI/CD pipeline.



🚀 Vision

AI agents are rewriting the world, but they also introduce new attack surfaces. GhostCheck bridges the gap between traditional SAST and AI-native security, ensuring your code remains secure while you move at AI speed.

Why AgentCortex?

GhostCheck is built with the AgentCortex philosophy, ensuring that AI-assisted security is built on a foundation of verifiable engineering directives.

✨ v1.0.3 Extensible Plugins & Red Team Hardening

  • 🔌 Plugin Architecture: Fully decoupled scanners and reporters. Extensible support for custom logic.
  • 🛡️ Red Team Hardened: Built-in protection against chaos tests, bypass attempts, local RCE vectors, and directory traversal.
  • 📊 Universal Reporters: Native support for console, json, html, owasp-llm, and sarif outputs.

✨ v1.0.0 Universal Framework-Aware Scanner

  • 🚀 Framework Presets: Automated scan strategies for Next.js, Flutter, Django, FastAPI, and Terraform.
  • 🛡️ Robust Baseline: Content-hash based fingerprinting (file:rule:hash). Findings stay suppressed even if line numbers shift.
  • Preset-Aware Performance: Optimized I/O by skipping irrelevant modules based on project type (e.g., ignoring Docker checks in pure Flutter apps).
  • 🎯 OWASP LLM Top 10 Report: Industry-first --format owasp-llm support, mapping findings to standardized AI security categories.
  • 🤖 MCP & AI Supply Chain Audit: Auditing for Model Context Protocol (MCP) configuration to prevent tool poisoning and excessive agency.
  • 🔑 AST-Powered Secret Detection: Context-aware parsing for 50+ providers using language-specific AST scanners (Python, JS/TS, Go, Java, Dart).
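The "Robust Baseline" item above describes fingerprints of the form file:rule:hash that survive line shifts. The sketch below is an added example, not GhostCheck's own code: the hash input (SHA-256 over the whitespace-normalized flagged line), the rule id `HYPO-SECRET-001`, the toy substring scanner and the sample sources are all assumptions constructed for illustration.

```python
import hashlib

def fingerprint(path, rule_id, line_text):
    """Build a file:rule:hash fingerprint from content, never from the line number."""
    # Assumption: hash the flagged line with whitespace runs collapsed, so
    # re-indentation or reformatting does not invalidate the baseline.
    normalized = " ".join(line_text.split())
    digest = hashlib.sha256(normalized.encode("utf-8")).hexdigest()[:16]
    return f"{path}:{rule_id}:{digest}"

def scan(path, source, rules):
    """Toy scanner: `rules` maps a rule id to a substring that flags a line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, needle in rules.items():
            if needle in line:
                findings.append({"file": path, "rule": rule_id, "line": lineno,
                                 "fingerprint": fingerprint(path, rule_id, line)})
    return findings

def filter_baseline(findings, baseline):
    """Drop findings whose fingerprint was accepted into the baseline."""
    return [f for f in findings if f["fingerprint"] not in baseline]

# Constructed sample input (hypothetical rule id and file contents).
RULES = {"HYPO-SECRET-001": "API_KEY ="}
V1 = 'import os\nAPI_KEY = "test-placeholder-value"\n'
# V2: same flagged line, pushed from line 2 to line 4 by unrelated edits.
V2 = '"""Module docstring."""\nimport os\n\nAPI_KEY = "test-placeholder-value"\n'
# V3: a second, different hit for the same rule in the same file.
V3 = V2 + 'API_KEY = "another-placeholder-value"\n'

def demo():
    path = "app/settings.py"
    baseline = {f["fingerprint"] for f in scan(path, V1, RULES)}
    shifted = filter_baseline(scan(path, V2, RULES), baseline)
    changed = filter_baseline(scan(path, V3, RULES), baseline)
    return baseline, shifted, changed

if __name__ == "__main__":
    baseline, shifted, changed = demo()
    print("baseline:", sorted(baseline))
    print("after line shift:", shifted)
    print("after new hit:", changed)
```

Under this scheme an exact copy of a baselined line elsewhere in the same file shares its fingerprint and is suppressed too, which is worth checking when reviewing a baseline file.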

🛠️ Installation & Setup

1. Install via pip

Recommended for most users:

pip install ghostcheck

Install from source

git clone https://github.com/KbWen/security-tools.git
cd security-tools
pip install -e .

2. Initialize Project Rules

Generate tailored .ghostcheckignore and ghostcheck.toml with Automatic Framework Detection:

ghostcheck init

3. Immediate Scan

# Scan the entire project for all risks
ghostcheck scan .

# Scan ONLY the files you are about to commit (Blazing Fast)
ghostcheck scan --staged

📋 Core Capabilities

| Feature | Command | Target |
|---|---|---|
| Full Security Scan | ghostcheck scan | Entire Workspace / Git Diffs |
| Dependency Check | ghostcheck check-deps | requirements.txt, package.json |
| Secret Detection | ghostcheck check-secrets | Logs, Source, Docs |
| Rule Audit | ghostcheck check-rules | .agent/, .cursor/ |

⚙️ Configuration & CI/CD

GhostCheck respects professional workflows:

  • Custom Exclusions: Use .ghostcheckignore to silently bypass safe paths.
  • Severity Filters: Run scans with targeted focus using --severity [CRITICAL|HIGH|MEDIUM|LOW].
  • Multilingual Support: Define custom safe keywords in ghostcheck.toml (custom_safe_keywords = ["нельзя"]) to prevent false positives in non-English documentation.
  • Automation Ready: Export results natively using --format json, --format html, --format sarif or --format owasp-llm for seamless compliance reporting.

Developed with ❤️ for the AI community by KbWen.

About

AI-native security scanner for the post-LLM era. Detects secrets, IaC misconfigurations, MCP tool poisoning risks, and OWASP LLM Top 10.
