Output Formats

ghostdep supports three output formats: text (default), JSON, and SARIF.

Text (default)

ghostdep
[phantom] axios at src/api.js:3 (confidence: high)
[unused] lodash at package.json (confidence: high)

Found 1 phantom and 1 unused dependencies (12 files scanned in 3ms)

Human-readable output. Each line shows the finding type, package name, location, and confidence, and a summary is printed at the end.

JSON

ghostdep -f json
{
  "findings": [
    {
      "finding_type": "Phantom",
      "package": "axios",
      "file": "src/api.js",
      "line": 3,
      "manifest": "package.json",
      "language": "JavaScript",
      "confidence": "High"
    }
  ],
  "metadata": {
    "project_root": "/path/to/project",
    "scanned_files": 12,
    "duration_ms": 3,
    "ghostdep_version": "0.1.0",
    "languages": ["JavaScript"]
  }
}

Every finding includes: finding_type, package, file, line, manifest, language, confidence. The metadata object has scan stats.

SARIF

ghostdep -f sarif

Produces a valid SARIF v2.1.0 document. SARIF is the standard format for static analysis tools and integrates with GitHub Code Scanning.

Rules:

  • GHOST001 — Phantom dependency (level: error)
  • GHOST002 — Unused dependency (level: warning)

Each result includes locations, confidence in properties, and the manifest path.

See CI Integration for how to upload SARIF to GitHub.
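A CI gate over the JSON output described above, mapping each finding to the GHOST001/GHOST002 levels listed under SARIF and failing closed on anything it does not recognise. This is an added example, not part of ghostdep: the `gate` function, the `"Unused"` spelling of `finding_type`, and a null `line` for manifest-level findings are assumptions.

```python
import json
import sys

# Fields the page says every finding carries.
REQUIRED = ("finding_type", "package", "file", "line", "manifest", "language", "confidence")
# Mirrors the SARIF rule levels on this page. "Unused" is an assumed spelling,
# by analogy with the "Phantom" value shown in the JSON sample.
RULES = {"Phantom": ("GHOST001", "error"), "Unused": ("GHOST002", "warning")}


def gate(report_text, fail_levels=("error",)):
    """Return (exit_code, messages) for a ghostdep JSON report."""
    findings = json.loads(report_text).get("findings")
    if not isinstance(findings, list):
        # A report without a findings array must not pass silently.
        return 1, ["report has no findings array"]
    messages, failed = [], False
    for finding in findings:
        missing = [key for key in REQUIRED if key not in finding]
        if missing:
            messages.append(f"malformed finding, missing {missing}")
            failed = True
            continue
        # Unknown finding types are treated as errors (fail closed).
        rule, level = RULES.get(finding["finding_type"], ("UNKNOWN", "error"))
        where = finding["file"]
        if finding["line"] is not None:  # assumed null for manifest-level findings
            where += f":{finding['line']}"
        messages.append(f"{level}: {rule} {finding['package']} at {where} "
                        f"(confidence: {finding['confidence']})")
        failed = failed or level in fail_levels
    return (1 if failed else 0), messages


# Constructed sample: the axios finding from the page plus an assumed "Unused" entry.
SAMPLE = json.dumps({"findings": [
    {"finding_type": "Phantom", "package": "axios", "file": "src/api.js", "line": 3,
     "manifest": "package.json", "language": "JavaScript", "confidence": "High"},
    {"finding_type": "Unused", "package": "lodash", "file": "package.json", "line": None,
     "manifest": "package.json", "language": "JavaScript", "confidence": "High"},
]})

if __name__ == "__main__":
    # Pipe `ghostdep -f json` into this script; with no pipe it runs on SAMPLE.
    code, lines = gate(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print("\n".join(lines))
    sys.exit(code)
```

Passing `fail_levels=("error", "warning")` makes unused dependencies block the build as well.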