Confidence Scoring
Not all imports are equally reliable. ghostdep assigns a confidence level to each finding based on how the import was detected.
Levels
| Confidence | What it means | Examples |
|---|---|---|
| high | Static import at top level | import x, use x, require("x"), from x import y |
| medium | Conditional or dynamic with string literal | try: import x, import("lodash") |
| low | Dynamic with variable/expression | require(expr), importlib.import_module(var), import(getModule()) |
Language-specific behavior
- Go — all imports are high confidence (Go has no dynamic imports)
- Rust — all imports are high confidence (no dynamic imports)
- Java — all imports are high confidence (`Class.forName()` not detected in v1)
- JavaScript/TypeScript — mixed: ESM imports and `require("string")` are high, `import("string")` is medium, `require(variable)` is low
- Python — mixed: `import x` and `from x import y` are high, imports inside `try/except` are medium, `__import__()` and `importlib.import_module()` are low
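The Python rules above, sketched with the standard `ast` module as an added example (not ghostdep's own code), together with a filter that mirrors `--min-confidence`. The function names, the `<dynamic>` placeholder and the sample source are constructed for illustration. It assumes that relative imports are skipped and that imports nested in functions or `if` blocks stay high, since the page only names `try/except`.

```python
import ast

RANK = {"low": 0, "medium": 1, "high": 2}

def _is_dynamic_import(func):
    # __import__(...), import_module(...) or importlib.import_module(...)
    if isinstance(func, ast.Name):
        return func.id in ("__import__", "import_module")
    return isinstance(func, ast.Attribute) and func.attr == "import_module"

def classify_imports(source):
    """Return [(module, line, confidence)] for Python source text."""
    findings = []
    def visit(node, in_try):
        static = "medium" if in_try else "high"  # try/except lowers to medium
        if isinstance(node, ast.Import):
            for alias in node.names:
                findings.append((alias.name.split(".")[0], node.lineno, static))
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:  # assumption: skip relative imports
                findings.append((node.module.split(".")[0], node.lineno, static))
        elif isinstance(node, ast.Call) and _is_dynamic_import(node.func):
            arg = node.args[0] if node.args else None
            literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            name = arg.value.split(".")[0] if literal else "<dynamic>"
            findings.append((name, node.lineno, "low"))  # always low for Python
        for child in ast.iter_child_nodes(node):
            visit(child, in_try or isinstance(node, ast.Try))
    visit(ast.parse(source), False)
    return findings

def at_least(findings, min_confidence="low"):
    # Keep findings at or above a level, as --min-confidence does.
    return [f for f in findings if RANK[f[2]] >= RANK[min_confidence]]

# Constructed sample input; it is parsed, never executed.
SAMPLE = """\
import requests
from yaml import safe_load
try:
    import ujson
except ImportError:
    import json
plugin = importlib.import_module(name)
legacy = __import__("six")
"""

if __name__ == "__main__":
    print(at_least(classify_imports(SAMPLE), "medium"))
```

A low-confidence finding whose argument is a variable carries no module name, which is why filtering to `medium` or `high` removes the entries a reviewer cannot map to a declared dependency.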
Filtering
Show only high-confidence findings:
ghostdep --min-confidence high
Show medium and above:
ghostdep --min-confidence medium
Default is low (show everything).
In config
min_confidence: medium
In output
Text format shows confidence inline:
[phantom] axios at src/api.js:3 (confidence: high)
JSON and SARIF include it as a field/property on each finding.