npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ghostpatch

v1.0.1

Published

AI-powered security vulnerability scanner that runs locally via npm with zero infrastructure. Uses free HuggingFace models by default.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

jaysheenjaysheen

Keywords

securityscannervulnerabilitysastaisonarqubeowaspmcpstatic-analysis

Readme

GhostPatch

npm version License: MIT Node.js TypeScript Tests OWASP Top 10 Security Rules Languages MCP AI Powered

AI-powered security vulnerability scanner that runs locally via npm with zero infrastructure setup.

Uses HuggingFace free models by default (zero cost), with optional Anthropic Claude and OpenAI GPT for deeper analysis. Includes CLI, library API, and MCP server for AI coding agent integration.

Features

  • 200+ security rules covering OWASP Top 10, CWE, and more
  • 15 languages: TypeScript, JavaScript, Python, Java, Go, Rust, C, C++, C#, PHP, Ruby, Swift, Kotlin, Shell, SQL
  • 10 specialized detectors: injection, auth, crypto, secrets, SSRF, path traversal, prototype pollution, deserialization, dependency, misconfiguration
  • AI-powered zero-day detection using HuggingFace (free), Anthropic, or OpenAI
  • 4 output formats: Terminal (colored), JSON, SARIF (GitHub/VS Code), HTML report
  • MCP server with 8 tools for AI coding agent integration
  • Watch mode for continuous scanning during development
  • Zero config — works out of the box, configurable via .ghostpatch.json

Quick Start

# Install globally
npm install -g ghostpatch

# Scan current directory
ghostpatch scan

# Scan specific path
ghostpatch scan ./src

# Short alias
gp scan

# Scan for secrets only
ghostpatch secrets

# Check dependencies
ghostpatch deps

# Generate HTML report
ghostpatch report

# Enable AI analysis
ghostpatch scan --ai
ghostpatch scan --ai --provider anthropic

CLI Commands

ghostpatch scan [path]           # Full security scan
  -o, --output <format>          # json | sarif | html | terminal (default: terminal)
  -s, --severity <level>         # critical | high | medium | low | info
  --ai                           # Enable AI-enhanced analysis
  --provider <name>              # huggingface | anthropic | openai
  --fix                          # Show fix suggestions
  -q, --quiet                    # Minimal output

ghostpatch secrets [path]        # Scan for hardcoded secrets only
ghostpatch deps [path]           # Dependency vulnerability check
ghostpatch watch [path]          # Watch mode — scan on file changes
ghostpatch report [path]         # Generate HTML report
ghostpatch serve                 # Start MCP server (stdio)
ghostpatch install               # Configure MCP for Claude Code

AI Providers

| Provider | Cost | Setup | Model | |----------|------|-------|-------| | HuggingFace (default) | Free | Optional HF_TOKEN env var | Qwen2.5-Coder-32B | | Anthropic | Paid | ANTHROPIC_API_KEY env var | Claude Sonnet 4.5 | | OpenAI | Paid | OPENAI_API_KEY env var | GPT-4o |

# Use free HuggingFace (default)
ghostpatch scan --ai

# Use Anthropic Claude
export ANTHROPIC_API_KEY=sk-ant-...
ghostpatch scan --ai --provider anthropic

# Use OpenAI
export OPENAI_API_KEY=sk-...
ghostpatch scan --ai --provider openai

Library API

import { scan, generateReport, Severity } from 'ghostpatch';

// Full scan
const result = await scan('./my-project', {
  severity: Severity.MEDIUM,
  ai: true,
  provider: 'huggingface',
});

// Generate report
const html = generateReport(result, 'html');
const json = generateReport(result, 'json');
const sarif = generateReport(result, 'sarif');

// Access findings
console.log(`Found ${result.summary.total} issues`);
for (const finding of result.findings) {
  console.log(`${finding.severity}: ${finding.title} at ${finding.filePath}:${finding.line}`);
}

MCP Server (AI Coding Agent Integration)

GhostPatch includes an MCP server with 8 tools for seamless integration with AI coding agents like Claude Code.

# Auto-configure for Claude Code
ghostpatch install

# Or manually start
ghostpatch serve

MCP Tools

| Tool | Description | |------|-------------| | ghostpatch_scan | Full security scan of project | | ghostpatch_scan_file | Scan a single file | | ghostpatch_findings | Get findings with filters | | ghostpatch_finding | Detailed info on specific finding | | ghostpatch_secrets | Scan for hardcoded secrets | | ghostpatch_dependencies | Check dependencies for CVEs | | ghostpatch_ai_analyze | AI-powered deep analysis | | ghostpatch_status | Scanner status and stats |

Configuration

Create .ghostpatch.json in your project root:

{
  "exclude": ["node_modules/**", "dist/**", "*.min.js"],
  "severity": "medium",
  "ai": {
    "provider": "huggingface",
    "model": "auto"
  },
  "rules": {
    "disabled": ["LOG003"],
    "custom": []
  },
  "maxFileSize": 1048576,
  "languages": "auto"
}

Security Categories

| OWASP | Category | Rules | |-------|----------|-------| | A01 | Broken Access Control | BAC001–BAC010 | | A02 | Cryptographic Failures | CRYPTO001–CRYPTO012, SEC001–SEC014 | | A03 | Injection | INJ001–INJ018, PROTO001–PROTO002 | | A04 | Insecure Design | DES001–DES007 | | A05 | Security Misconfiguration | CFG001–CFG010 | | A06 | Vulnerable Components | DEP001–DEP003 | | A07 | Authentication Failures | AUTH001–AUTH008 | | A08 | Data Integrity Failures | SER001–SER004 | | A09 | Logging Failures | LOG001–LOG003 | | A10 | SSRF | SSRF001–SSRF002 |

Output Formats

Terminal

Colored output with severity icons, code snippets, and fix suggestions.

JSON

Machine-readable structured output for CI/CD integration.

SARIF

Static Analysis Results Interchange Format — compatible with GitHub Code Scanning and VS Code.

HTML

Professional standalone report with severity charts, finding details, and remediation advice.

CI/CD Integration

# GitHub Actions
- name: Security Scan
  run: |
    npx ghostpatch scan --output sarif -s medium > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Contributing

We welcome contributions! Here's how to get involved:

Reporting Issues

Found a bug or have a feature request? Open an issue with:

  • A clear description of the problem or suggestion
  • Steps to reproduce (for bugs)
  • Expected vs actual behavior
  • Your environment (OS, Node.js version)

Submitting Pull Requests

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature/my-feature
  3. Make your changes and add tests
  4. Run tests: npm test
  5. Build to verify: npm run build
  6. Commit your changes: git commit -m "Add my feature"
  7. Push to your fork: git push origin feature/my-feature
  8. Open a Pull Request against master

Development Setup

git clone https://github.com/NeuralRays/ghostpatch.git
cd ghostpatch
npm install
npm run build
npm test

What We're Looking For

  • New security detection rules and patterns
  • Support for additional programming languages
  • Improved AI prompt engineering for better analysis
  • Bug fixes and false positive reductions
  • Documentation improvements
  • CI/CD integration examples

Code of Conduct

Please be respectful and constructive in all interactions. We are committed to providing a welcoming and inclusive experience for everyone.

Security

If you discover a security vulnerability within GhostPatch, please report it responsibly by emailing [email protected] instead of opening a public issue.

Creator & Maintainer

NeuralRaysGitHub | [email protected]

License

MIT License — see LICENSE for details.