Ghost can review source code changes for a variety of security issues, including injection vulnerabilities, business logic vulnerabilities, and authorization issues.

Providers

Automated code reviews are supported for the following source code providers:

GitHub

To enable Ghost code reviews for GitHub, an existing GitHub connection in the Ghost platform is required.

Review Mode

Set the Review Mode to control when Ghost will review code changes.

Review Mode    Description
Disabled       Code reviews will not run.
Auto           Code reviews will run automatically when a pull request is created, or when a draft PR is set to ready_for_review.
Manual         Code reviews will only run in response to slash command comments (e.g. /ghost review).

Minimum Severity

Set the Severity Threshold to control the minimum severity of findings that will be reported.

Threshold    Description
High         Only high severity issues will be reported.
Medium       Only medium and high severity issues will be reported.
Low          All security issues will be reported.

Comment Reviews

Ghost code reviews are “comment” reviews rather than “approve” or “change request” reviews. This means Ghost code reviews do not count toward required approvals for the pull request. Final review decisions are made by a human reviewer on your team.

Review Types

Full Review

A full review of the code changes in the pull request. A full review will run automatically if Ghost Code Reviews are in auto mode. A full review can also be triggered manually with the /ghost review command if Ghost Code Reviews are in manual mode.

Check Review

A re-check of all issues from a full review. A check review will run automatically on pull request synchronize events if Ghost Code Reviews are in auto mode. During a check review, if an issue is no longer present in the code changes, it will be marked as “resolved”. A human reviewer is still required to sign off and resolve the review thread itself. A check review can also be triggered manually with the /ghost check command.

Issue Review

An issue review is a review of a single issue from a full review. An issue review can be triggered manually with the /ghost issue <keywords> command. During an issue review, if the issue is no longer present in the code changes, it will be marked as “resolved”. A human reviewer is still required to sign off and resolve the review thread itself.

Status Checks

Ghost code reviews report status checks to reflect the review status of the code changes.
Review Result         Review Type    Check Status       Reason
No security issues    Full           success            No action required
One or more issues    Full           failure            One or more security issues found
No security issues    Check          success            All issues resolved
One or more issues    Check          failure            One or more security issues found
No security issue     Issue          action_required    A full review or check review is required to resolve remaining issues
Remaining issue       Issue          failure            One or more security issues found

Commands

You can use slash commands to trigger several Ghost code review actions:
Command                    Description
/ghost review              Perform a full review of the code changes.
/ghost check               Re-check issues from a full review (i.e. if there are code changes since the last review).
/ghost check <keywords>    Check a single issue from a full review (i.e. if there are code changes since the last review).
/ghost help                Show help for the /ghost command.

Triggering a full review with the /ghost review command will mark all existing issues as “superseded”, then perform a full review of the code changes in their current state.