Capabilities
Dependency scanning
The scan-deps skill combines Wraith's CVE database lookups with AI exploitability analysis to separate the CVEs that matter from the ones that don't.
Four-phase workflow
Phase 1: Discovery
The skill scans your repository for all lockfiles: go.mod, package-lock.json, yarn.lock, Gemfile.lock, Cargo.lock, poetry.lock, pom.xml, composer.lock, and others. Each lockfile represents a dependency graph to analyze.
Phase 2: Scanning with Wraith
Wraith runs against each discovered lockfile, querying the OSV database (500,000+ vulnerability records, aggregated from the CVE list and per-ecosystem advisory feeds). The output is a list of packages with known vulnerabilities, including CVE identifiers, severity scores, affected version ranges, and available fixes.
Phase 3: AI exploitability analysis
For each vulnerability found, an AI analyzer examines your actual codebase:
- Is the vulnerable function called? Many CVEs affect specific functions within a package. If nothing in your code, or in the dependencies your code calls, reaches that function, the CVE is not exploitable in your deployment. Treat a missing call site as strong evidence rather than proof: aliased imports, dynamic dispatch and reflection can hide a call from a textual search.
- Can user input reach the vulnerable code path? A vulnerable parsing function that only processes trusted internal data carries lower risk than one handling user uploads.
- Is this a production dependency or a dev/test dependency? Vulnerabilities in test tooling rarely affect production security, although a vulnerable tool that runs in CI with access to secrets or signing keys is still a supply-chain risk worth fixing.
- Are mitigations already in place? Middleware, input validation, or configuration changes might already neutralize the vulnerability.
Phase 4: Summary
The skill generates a report with coverage statistics, confirmed exploitable findings, and filtered false positives, along with the reasoning behind each determination.
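The four phases above, as an added illustration in Python that is not Wraith's code and is not part of this page: it discovers lockfiles, flattens a package-lock.json, matches the locked versions against OSV-style introduced/fixed range events, and applies the dev-dependency and call-site checks from phase 3. The advisories (EXAMPLE-* identifiers, not real CVEs), the assumed `symbols` field naming the vulnerable function, the lockfile and the JavaScript files are all constructed inline, so the script runs offline.

```python
"""Added, stand-alone illustration of phases 1-3 of the scan-deps flow.
This is example code, not Wraith's implementation. The package-lock.json, the
OSV-style advisories (EXAMPLE-* IDs, not real CVEs) and the JavaScript sources
are constructed inline so it runs offline."""
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

LOCKFILE_NAMES = {"package-lock.json", "yarn.lock", "go.mod", "Cargo.lock", "poetry.lock"}

# Constructed advisories using OSV's introduced/fixed range events; `symbols` is an assumed field.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "lodash", "symbols": ["template"],
     "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]},
    {"id": "EXAMPLE-0002", "package": "mocha", "symbols": ["run"],
     "events": [{"introduced": "0"}, {"fixed": "8.1.0"}]},
]

def discover_lockfiles(root):
    """Phase 1: every lockfile in the tree, skipping vendored node_modules."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.name in LOCKFILE_NAMES and "node_modules" not in p.parts)

def parse_package_lock(text):
    """Flatten a lockfileVersion-3 package-lock.json to (name, version, is_dev)."""
    out = []
    for path, meta in json.loads(text)["packages"].items():
        if path.startswith("node_modules/"):  # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[1]  # handles nested and scoped paths
            out.append((name, meta["version"], bool(meta.get("dev"))))
    return out

def _ver(s):
    """Comparable tuple from a semver string; pre-release/build tags dropped."""
    core = s.split("-")[0].split("+")[0]
    parts = [int(x) for x in core.split(".") if x.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def version_affected(version, events):
    """Walk OSV range events (ascending): `introduced` opens a window, `fixed` closes it (exclusive)."""
    v, affected = _ver(version), False
    for ev in events:
        if "introduced" in ev and v >= _ver(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= _ver(ev["fixed"]):
            affected = False
    return affected

def match_advisories(packages, advisories):
    """Phase 2: locked versions that fall inside an advisory's affected range."""
    return [{"advisory": a, "name": n, "version": v, "dev": d}
            for n, v, d in packages for a in advisories
            if a["package"] == n and version_affected(v, a["events"])]

def symbol_call_sites(root, symbol):
    """Phase 3 heuristic: textual search for `.symbol(` in first-party JS.
    A text match is evidence, not proof: aliases, dynamic dispatch and calls made
    from inside other dependencies need a real call graph."""
    pat = re.compile(r"\.%s\s*\(" % re.escape(symbol))
    sites = []
    for f in Path(root).rglob("*.js"):
        if "node_modules" in f.parts:
            continue
        for n, line in enumerate(f.read_text().splitlines(), 1):
            if pat.search(line):
                sites.append("%s:%d" % (f.relative_to(root).as_posix(), n))
    return sites

def triage(root):
    """Phases 1-3 over a repository tree; one record per matched advisory."""
    findings = []
    for lock in discover_lockfiles(root):
        if lock.name != "package-lock.json":
            continue  # other ecosystems need their own lockfile parser
        for hit in match_advisories(parse_package_lock(lock.read_text()), ADVISORIES):
            adv = hit["advisory"]
            sites = [s for sym in adv["symbols"] for s in symbol_call_sites(root, sym)]
            verdict = "dev-only" if hit["dev"] else ("reachable" if sites else "no-call-site")
            findings.append({"id": adv["id"], "package": "%s@%s" % (hit["name"], hit["version"]),
                             "verdict": verdict, "call_sites": sites})
    return findings

DEMO_FILES = {  # constructed repository contents
    "package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"dependencies": {"lodash": "^4.17.20"}},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/mocha": {"version": "8.0.0", "dev": True}}}),
    "src/email/renderer.js": "const _ = require('lodash');\n"
                             "const page = _.template('<p>Hi <%- name %></p>');\n",
}

def run_demo():
    """Materialise DEMO_FILES in a temp directory and triage it."""
    with TemporaryDirectory() as tmp:
        for rel, body in DEMO_FILES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return triage(tmp)

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Running it prints two findings for the constructed repository: the lodash advisory is reachable (a `.template(` call site in src/email/renderer.js) and the mocha advisory is dev-only. The call-site check is deliberately a textual heuristic; its verdict is an input to the phase 3 analysis, not a replacement for it.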
Supported ecosystems
Wraith supports every major package ecosystem through the OSV database:
| Ecosystem | Lockfiles |
|---|---|
| Go | go.mod |
| Node.js | package-lock.json, yarn.lock |
| Python | requirements.txt, poetry.lock, Pipfile.lock |
| Ruby | Gemfile.lock |
| Rust | Cargo.lock |
| Java | pom.xml, gradle.lockfile |
| PHP | composer.lock |
| .NET | NuGet lockfiles |
| Dart | pubspec.lock |
Wraith automatically detects the ecosystem from the lockfile format. Note that requirements.txt is a manifest rather than a lockfile: an entry with a version range (for example requests>=2.28) does not identify a single installed version, so pin exact versions or generate poetry.lock or Pipfile.lock for accurate range matching.
Example
claude "scan my dependencies for known vulnerabilities"
Ghost Security Agent will:
- Discover all lockfiles in your repository
- Run Wraith against each one
- Analyze exploitability for each CVE found
- Write confirmed findings to ~/.ghost/repos/<repo_id>/scans/<sha>/deps/findings/
- Generate a summary report
A typical finding includes the CVE, the affected package, and an exploitability assessment:
Finding: CVE-2024-XXXXX in lodash@4.17.20
Severity: CRITICAL (CVSS 9.1) → MEDIUM (contextual)
Package: lodash 4.17.20 (npm)
Fix available: Upgrade to 4.17.21
Exploitability assessment: The vulnerability affects lodash.template()
which is called in src/email/renderer.js:42. However, the template
string is hardcoded. User input does not reach the vulnerable
function. Contextual severity reduced from CRITICAL to MEDIUM.
Remediation: Upgrade lodash to 4.17.21. While the current usage
is not directly exploitable, the fix is a patch version bump
with no breaking changes.
Offline mode
Wraith supports fully offline scanning. Download the vulnerability database once, then scan without network access:
wraith download-db
wraith scan --offline go.mod
Useful for air-gapped environments or CI pipelines where you want reproducible, network-independent results. The snapshot is only as current as its last download, so refresh it on a schedule (for example a daily wraith download-db step in CI), otherwise advisories published after the snapshot are missed.
License scanning
Wraith can also scan dependency licenses and check them against an allowlist:
wraith scan --license-allowlist MIT,Apache-2.0 go.mod
Packages with licenses not on the allowlist are flagged as violations. This runs alongside vulnerability scanning in a single pass.
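Allowlist checking becomes more than a set lookup once packages declare SPDX expressions rather than single identifiers. The following is an added example (not Wraith's license logic; the package list is constructed) that evaluates an expression against the MIT,Apache-2.0 allowlist from the command above: a dual-licensed package passes because the consumer may choose the permissive option, while an AND conjunction, a license-with-exception that is not allowlisted as a unit, and an undeclared license are all flagged.

```python
"""Added illustration of evaluating an SPDX license expression against an
allowlist. Example code, not Wraith's license logic; SAMPLE_PACKAGES is
constructed. OR means the consumer may pick either license, AND means both
apply at once, WITH attaches an exception that must be allowlisted as a unit."""
import re

def spdx_allowed(expr, allowlist):
    """True if `expr` can be satisfied using only allowlisted licenses.
    Precedence per SPDX: WITH binds tightest, then AND, then OR."""
    toks = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)
    if not toks:
        return False  # no declared license: treat as a violation, not a pass
    pos = 0

    def parse_or():
        nonlocal pos
        ok = parse_and()
        while pos < len(toks) and toks[pos].upper() == "OR":
            pos += 1
            ok = parse_and() or ok  # left operand first, so tokens are always consumed
        return ok

    def parse_and():
        nonlocal pos
        ok = parse_primary()
        while pos < len(toks) and toks[pos].upper() == "AND":
            pos += 1
            ok = parse_primary() and ok
        return ok

    def parse_primary():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            ok = parse_or()
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return ok
        lic = tok
        if pos + 1 < len(toks) and toks[pos].upper() == "WITH":
            lic = "%s WITH %s" % (tok, toks[pos + 1])  # exception checked as one unit
            pos += 2
        return lic in allowlist

    result = parse_or()
    if pos != len(toks):
        raise ValueError("trailing tokens in %r" % expr)
    return result

def license_violations(packages, allowlist):
    """Names of packages whose declared license expression is not allowed."""
    return [name for name, expr in packages if not spdx_allowed(expr, allowlist)]

# Constructed sample packages: (name, declared SPDX expression)
SAMPLE_PACKAGES = [
    ("lodash", "MIT"),
    ("dual", "MIT OR GPL-3.0-only"),
    ("mixed", "Apache-2.0 AND LGPL-2.1-only"),
    ("nested", "(MIT OR Apache-2.0) AND BSD-3-Clause"),
    ("classpath", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("undeclared", ""),
]

if __name__ == "__main__":
    print(license_violations(SAMPLE_PACKAGES, {"MIT", "Apache-2.0"}))
```

With the MIT,Apache-2.0 allowlist the violations are mixed, nested, classpath and undeclared. Treating an empty or unrecognised declaration as a violation rather than a pass is the conservative choice; whether a given scanner does so is worth confirming before relying on its output in CI.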
For full tool documentation including CLI reference and output formats, see Wraith.