
openghost

v0.1.0


👻 OpenGhost

AI-powered penetration testing CLI that autonomously discovers and validates vulnerabilities across web applications, APIs, and network infrastructure.


OpenGhost is an interactive, cost-efficient pentesting tool built in TypeScript + Bun using the Vercel AI SDK with Anthropic Claude. It follows the OWASP Web Security Testing Guide (WSTG) methodology and produces professional reports with full evidence.

~$5–10 per run · ~10–20 minute scans · Apache 2.0 licensed


Architecture: Brain + Hands

┌─────────────────────────────────────────────┐
│  🖥️  Host Machine (Brain)                   │
│                                             │
│  ┌───────────────────────────────────────┐  │
│  │  openghost CLI                        │  │
│  │  ├── Ghost Orchestrator (AI agent)    │  │
│  │  ├── Recon / Scanner / Exploit agents │  │
│  │  ├── Tool Manager (Zod schemas)       │  │
│  │  └── Findings Store (JSON on disk)    │  │
│  └──────────────────┬────────────────────┘  │
│                     │  execute(cmd)         │
│                     ▼                       │
│  ┌───────────────────────────────────────┐  │
│  │  Lab Executor                         │  │
│  │  (Docker · SSH · Local)               │  │
│  └──────────────────┬────────────────────┘  │
└─────────────────────┼───────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────┐
│  🐳  Lab Environment (Hands)                │
│                                             │
│  Kali Linux + nmap, sqlmap, nuclei, ffuf,   │
│  gobuster, nikto, subfinder, httpx, dnsx,   │
│  Playwright + Chromium, OWASP ZAP           │
└─────────────────────────────────────────────┘

The CLI (brain) runs on your host machine — it handles AI reasoning, orchestration, and reporting. The lab (hands) is a Docker container with all offensive security tools pre-installed. The CLI never installs offensive tools on your host.
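The `execute(cmd)` arrow in the diagram is the trust boundary: text produced by an AI agent becomes a process in the lab. The sketch below is an added illustration, not OpenGhost source code, of a host-side guard at that boundary that checks scope and builds an argv array for `docker exec`. The `Scope` and `LabCommand` shapes, the container name, the `{target}` placeholder and the sample host `evil.test` are all assumptions.

```typescript
// Added illustration, not OpenGhost source. Scope, LabCommand, CONTAINER and
// the "{target}" placeholder are assumptions made for this sketch.
interface Scope {
  allowedHosts: string[]; // exact hostnames the engagement authorizes
  allowedTools: string[]; // binaries the lab may run
}
interface LabCommand {
  tool: string;   // binary name inside the container
  args: string[]; // discrete argv entries; "{target}" marks where the target goes
  target: string; // URL or hostname proposed by the agent
}

const CONTAINER = "pentest-lab"; // assumed container name

// Parse instead of substring-matching, so "example.com@evil.test" or
// "example.com.evil.test" cannot pass as "example.com".
function hostOf(target: string): string {
  try {
    const withScheme = target.indexOf("://") === -1 ? "http://" + target : target;
    const u = new URL(withScheme);
    if (u.protocol !== "http:" && u.protocol !== "https:") return "";
    return u.hostname.toLowerCase();
  } catch {
    return ""; // unparseable input is treated as out of scope
  }
}

function buildDockerExec(cmd: LabCommand, scope: Scope): string[] {
  if (scope.allowedTools.indexOf(cmd.tool) === -1) {
    throw new Error("tool not allowed: " + cmd.tool);
  }
  const host = hostOf(cmd.target);
  if (host === "" || scope.allowedHosts.indexOf(host) === -1) {
    throw new Error("target out of scope: " + cmd.target);
  }
  const args = cmd.args.map((a) => {
    if (/[\0\r\n]/.test(a)) throw new Error("control character in argument");
    // Only the validated target is substituted; the agent never writes hosts into args.
    return a === "{target}" ? cmd.target : a;
  });
  // Returned as argv for spawn()/execFile(): no host shell parses
  // model-generated text, so ";" or "$(...)" in an argument stays inert data.
  return ["docker", "exec", CONTAINER, cmd.tool].concat(args);
}
```

A guard like this only covers the declared target; egress rules on the lab container's network are what actually keep traffic inside the authorized scope.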


Quick Start

Prerequisites

1. Clone & Install

git clone https://github.com/openghost/openghost.git
cd openghost
bun install

2. Set Your API Key

export ANTHROPIC_API_KEY=sk-ant-...

3. Start the Lab

# Pull and start the Kali lab container
openghost lab start

4. Run a Scan

# Full scan against a target
openghost scan --target https://example.com

# With a config file for authenticated scanning
openghost scan --config openghost.json

# Interactive REPL mode
openghost chat --target https://example.com

5. View Results

# Findings are streamed to the terminal in real time
# Final report saved to ./openghost-results/report.md

# Regenerate report from existing findings
openghost report --input ./openghost-results/

Monorepo Structure

openghost/
├── common/               # Shared types, engine, tools, lab, findings, security
├── agents/               # Agent definitions, prompts, tool assignments
├── cli/                  # CLI entry point, commands, config loader
│
├── lab/                  # Lab environment (Dockerfile, docker-compose, scripts)
├── prompts/              # System prompt templates for each agent
├── configs/              # Example openghost.json configurations
├── prd/                  # Product requirement documents
├── docs/                 # Documentation (coming soon)
│
├── package.json          # Workspace root
├── tsconfig.base.json    # Shared TypeScript config
└── README.md             # ← You are here

| Workspace | Purpose | Key Dependencies |
| --------- | ------- | ---------------- |
| common/ | Orchestration, agent runner, lab executors, tools, findings | ai, @ai-sdk/anthropic, zod |
| agents/ | Agent definitions, system prompts, tool assignments | @openghost/common |
| cli/ | Argument parsing, config loading, terminal UI | commander, chalk, ora |


How It Works

  1. Recon Phase — Parallel agents enumerate subdomains, scan ports, fingerprint technologies, and map endpoints.

  2. Scan Phase (adaptive) — Based on recon findings, the orchestrator spawns only relevant scanners: injection testing, XSS probing, auth testing, SSRF detection, and more.

  3. Exploit Phase (conditional) — If high/critical vulnerabilities are found, an exploit agent validates them with proof-of-concept attacks.

  4. Report Phase — A reporter agent compiles all findings into a professional markdown report with evidence, reproduction steps, and remediation guidance.

The pipeline is adaptive — the orchestrator analyzes findings after each phase and dynamically decides what to test next. No wasted cycles on irrelevant attack surfaces.
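The phase gating described above can be read as a small decision function. This is an added illustration, not OpenGhost's orchestrator: the phase names follow the list above, while the `Surface` and `Scanner` vocabulary, the `RELEVANT` mapping and the finding ids are assumptions.

```typescript
// Added illustration, not OpenGhost source. Phase names follow the README;
// the Surface/Scanner vocabulary and the RELEVANT mapping are assumptions.
type Severity = "info" | "low" | "medium" | "high" | "critical";
type Surface = "form" | "login" | "url-fetch-param" | "api";
type Scanner = "injection" | "xss" | "auth" | "ssrf";
type Phase = "recon" | "scan" | "exploit" | "report";

interface Finding { id: string; severity: Severity; validated: boolean }
interface RunState { phase: Phase; surfaces: Surface[]; findings: Finding[] }
interface Step { phase: Phase; work: string[] }

// Assumed mapping from a surface seen during recon to the scanners worth running.
const RELEVANT: Record<Surface, Scanner[]> = {
  form: ["injection", "xss"],
  login: ["auth"],
  "url-fetch-param": ["ssrf"],
  api: ["auth", "injection"],
};

// Decide what runs after the phase that just finished (state.phase).
function nextStep(state: RunState): Step {
  if (state.phase === "recon") {
    const scanners: string[] = [];
    for (const surface of state.surfaces) {
      for (const s of RELEVANT[surface]) {
        if (scanners.indexOf(s) === -1) scanners.push(s); // de-duplicate, keep order
      }
    }
    // Only scanners with an observed surface are scheduled.
    if (scanners.length > 0) return { phase: "scan", work: scanners };
  }
  if (state.phase === "scan") {
    // The exploit phase is conditional: only unvalidated high/critical findings qualify.
    const ids = state.findings
      .filter((f) => !f.validated && (f.severity === "high" || f.severity === "critical"))
      .map((f) => f.id);
    if (ids.length > 0) return { phase: "exploit", work: ids };
  }
  // After exploit, or when nothing qualified for the next phase, compile the report.
  return { phase: "report", work: state.findings.map((f) => f.id) };
}
```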


Example Configurations

See the configs/ directory for ready-to-use examples:


Documentation


Contributing

See CONTRIBUTING.md for development setup, prerequisites, and PR guidelines.


License

Apache License 2.0