How it works
Ghost parses lockfiles in your repository, identifies packages and their versions, and checks each one against known vulnerabilities (CVEs). Vulnerable dependencies are surfaced as findings with severity ratings based on the underlying CVE data.
Running a scan
From the repos list, open the action menu on any repository and select “Analyze Packages”. The job scans all lockfiles in the repository. You can track progress in the Jobs view.
Results
After the scan completes, you’ll see a summary of:

| Metric | Description |
|---|---|
| Lockfiles scanned | Number of lockfiles found and processed |
| Packages scanned | Total packages evaluated across all lockfiles |
| Vulnerabilities detected | Known CVEs matched to your dependencies |
| Findings created/closed/reopened | Changes to your findings based on scan results |
See findings for more on how to triage and manage them.
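As an added illustration of the lockfile parsing and CVE matching described under How it works, and of the created/closed/reopened counts in the table above, the following Python script is example code written for this page, not Ghost’s implementation. It parses a constructed npm package-lock.json (lockfileVersion 3), compares each package version against a constructed advisory list whose identifiers are placeholders rather than real CVEs, and reconciles the resulting findings against a constructed prior scan state. The lockfile content, advisory entries, single introduced/fixed version ranges and the open/closed state model are all assumptions made for the example.

```python
"""Toy lockfile scanner: parse an npm lockfile, match advisories, reconcile findings.
Added example for this page; not Ghost's code. All inputs below are constructed."""
import json
import re

# Constructed package-lock.json (lockfileVersion 3) content, including a nested dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.2.0"},
        "node_modules/fast-parser": {"version": "4.17.20"},
        "node_modules/tiny-http": {"version": "2.0.1"},
        "node_modules/fast-parser/node_modules/nested-lib": {"version": "0.9.0"},
    },
})

# Constructed advisory feed. Identifiers are placeholders, not real CVEs.
# "fixed": None means no fixed release exists yet, so every version from "introduced" on is affected.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "fast-parser", "introduced": "4.0.0", "fixed": "4.17.21", "severity": "high"},
    {"id": "CVE-0000-0002", "package": "tiny-http", "introduced": "1.0.0", "fixed": "2.0.0", "severity": "critical"},
    {"id": "CVE-0000-0003", "package": "nested-lib", "introduced": "0.0.0", "fixed": None, "severity": "medium"},
]

# Constructed state left by a previous scan, keyed by (package, advisory id).
PREVIOUS_STATE = {
    ("fast-parser", "CVE-0000-0001"): "open",
    ("tiny-http", "CVE-0000-0002"): "open",      # will close: 2.0.1 is past the fixed version
    ("nested-lib", "CVE-0000-0003"): "closed",   # will reopen: vulnerable version is back
}


def parse_version(version: str) -> tuple:
    """Turn '4.17.20' or 'v1.2.0-beta.1' into (4, 17, 20).
    Prerelease and build tags are dropped; real semver orders prereleases below the release."""
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_lockfile(text: str) -> list:
    """Return one {name, version, path} entry per installed package in a v2/v3 lockfile."""
    data = json.loads(text)
    if data.get("lockfileVersion", 0) < 2:
        raise ValueError("only the lockfileVersion 2/3 'packages' layout is handled here")
    packages = []
    for path, meta in data["packages"].items():
        if path == "":  # the root project entry, not a dependency
            continue
        # rsplit handles nested node_modules paths and scoped names such as @scope/name.
        name = path.rsplit("node_modules/", 1)[1]
        packages.append({"name": name, "version": meta["version"], "path": path})
    return packages


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Half-open range check: introduced <= version < fixed (or no upper bound when fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(packages: list, advisories: list) -> list:
    """Produce one finding per (package instance, advisory) pair whose version range matches."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["package"], []).append(adv)
    findings = []
    for pkg in packages:
        for adv in by_name.get(pkg["name"], []):
            if is_affected(pkg["version"], adv["introduced"], adv["fixed"]):
                findings.append({"package": pkg["name"], "version": pkg["version"], "path": pkg["path"],
                                 "cve": adv["id"], "severity": adv["severity"], "fixed_in": adv["fixed"]})
    return findings


def scan(lockfile_texts: list, advisories: list) -> tuple:
    """Scan every lockfile and return (summary counts, findings), mirroring the results table."""
    packages = [p for text in lockfile_texts for p in parse_lockfile(text)]
    findings = match_advisories(packages, advisories)
    summary = {"lockfiles_scanned": len(lockfile_texts), "packages_scanned": len(packages),
               "vulnerabilities_detected": len(findings)}
    return summary, findings


def reconcile(previous_state: dict, findings: list) -> tuple:
    """Compare this scan against prior state; return (created/closed/reopened key sets, new state)."""
    current = {(f["package"], f["cve"]) for f in findings}
    created = {k for k in current if k not in previous_state}
    reopened = {k for k in current if previous_state.get(k) == "closed"}
    closed = {k for k, status in previous_state.items() if status == "open" and k not in current}
    new_state = dict(previous_state)
    new_state.update({k: "closed" for k in closed})
    new_state.update({k: "open" for k in current})
    return {"created": created, "closed": closed, "reopened": reopened}, new_state


if __name__ == "__main__":
    summary, findings = scan([SAMPLE_LOCKFILE], ADVISORIES)
    print(summary)
    for f in findings:
        print(f"{f['severity']:>8}  {f['cve']}  {f['package']}@{f['version']}  fixed in {f['fixed_in']}  ({f['path']})")
    print(reconcile(PREVIOUS_STATE, findings)[0])
```

The reconcile step is why the results table reports created, closed and reopened counts separately: a finding that disappears because the dependency moved past the fixed version is closed, while a previously closed finding whose vulnerable version reappears (for example after a lockfile revert) is reopened rather than created anew, so its triage history is preserved. The version comparison is deliberately simple; a production matcher needs full semver ordering (prereleases sort below their release) and advisories with multiple affected ranges.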
Findings
Package findings appear alongside other findings and can be filtered using the packages agent filter. The repo list shows a breakdown of package vulnerability counts in the findings column hover card, so you can quickly see which repositories have vulnerable dependencies.
Package findings are associated with the repository, not individual projects. They appear in the findings list for all projects in that repo.