What is GhostFree 🚫👻?
Every software team could use some help ridding their code base of the ghosts haunting their dependencies.
GhostFree is a local MCP server that scans your repository's dependencies for known vulnerabilities based on issued CVEs using OSV.dev, helps you triage and fix findings with NVD and CISA KEV enrichment, and lets you manage accepted risks — all directly from your AI coding assistant.
Quick Start
No installation, signup, or payment required. Add GhostFree to your MCP settings for whatever code tool you use and run /ghostfree.scan.
VS Code Copilot (Extension — easiest)
Search @mcp ghostfree in the Extensions view (Ctrl+Shift+X) and click Install. Then open the Command Palette (Ctrl+Shift+P), run MCP: List Servers, select GhostFree, choose Start Server, and confirm trust when prompted. No JSON config needed.
VS Code Copilot (Manual config)
Create or update .vscode/mcp.json in your project root:
{
"servers": {
"ghostfree": {
"type": "stdio",
"command": "npx",
"args": ["-y", "ghostfree", "--repo-path", "${workspaceFolder}"],
"env": {}
}
}
}
Claude Code
Create .mcp.json in your project root:
{
"mcpServers": {
"ghostfree": {
"type": "stdio",
"command": "npx",
"args": ["-y", "ghostfree", "--repo-path", "."]
}
}
}
Cursor
Create .cursor/mcp.json:
{
"mcpServers": {
"ghostfree": {
"command": "npx",
"args": ["-y", "ghostfree", "--repo-path", "."]
}
}
}
Claude Desktop
Add to your claude_desktop_config.json (location varies by OS):
{
"mcpServers": {
"ghostfree": {
"command": "npx",
"args": ["-y", "ghostfree", "--repo-path", "/path/to/your/repo"]
}
}
}
How to Use
The /ghostfree.scan Prompt
The recommended way to run a scan is via the built-in prompt. In your AI client, type:
/ghostfree.scan
This drives the following flow:
- Discover — finds all manifest files (requirements.txt, package.json, go.mod, Cargo.toml, pom.xml, *.csproj, etc.)
- Threshold — asks you for a minimum severity level (CRITICAL / HIGH / MEDIUM / LOW) if not already configured
- Scan — queries OSV.dev for CVEs across all discovered packages
- Triage — presents numbered results, 10 at a time. You pick which ones to investigate.
- Enrich — fetches CVSS vectors, CWE classification, and CISA KEV "actively exploited" status for your selections
- Remediate — recommends upgrades, code changes, or risk acceptance with a reason and expiry date
Example Session
User: /ghostfree.scan
GhostFree: Discovering dependencies...
Found 84 packages across 2 ecosystems (npm, PyPI).
What minimum severity should I surface? (CRITICAL / HIGH / MEDIUM / LOW)
User: HIGH
GhostFree: Scanning against OSV.dev...
[1] CVE-2021-44228 CRITICAL (10.0) — org.apache.logging.log4j:log4j-core@2.14.1
Log4Shell: Remote code execution via JNDI lookup
Fix: upgrade to 2.17.1
[2] CVE-2022-25881 HIGH (7.5) — http-cache-semantics@4.1.0
ReDoS in http-cache-semantics
Fix: upgrade to 4.1.1
[3] CVE-2021-28918 CRITICAL (9.8) — netmask@1.0.6
IP address parsing bypass (SSRF / allowlist bypass)
Fix: upgrade to 1.1.0
Showing 1-3 of 3. Which would you like to investigate? (e.g., 1, 2, or 'all')
User: 3
GhostFree: [Calls enrich_cve CVE-2021-28918]
CVE-2021-28918 — netmask CRITICAL (9.8)
CVSS: 9.1 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-704 (Incorrect Type Conversion)
CISA KEV: Not listed
What it is: netmask@1.0.6 improperly parses octal-notation IP addresses (e.g. 010.0.0.1),
treating them as decimal. This enables SSRF protection bypass and IP allowlist/blocklist
bypass — an attacker can craft an ad
... [View full README on GitHub](https://github.com/shane-js/ghostfree#readme)
