Ghost Validate

What it does

The Ghost Validate skill assesses security findings to determine if they are true positives or false positives. It analyzes provided finding data, examines relevant source code, and optionally performs live validation using a proxy tool (Reaper) to confirm exploitability. The skill then classifies the finding as True Positive, True Positive (Confirmed), False Positive, or Inconclusive, providing supporting evidence and recommendations.

When to use it

• When you have received a security vulnerability report from a scanner and want to verify its accuracy.
• To reduce noise in your vulnerability management process by filtering out false positives.
• To understand the root cause of a reported vulnerability and inform remediation efforts.

Key capabilities

• Finding Analysis: Extracts key information from provided findings, including vulnerability class, claim, affected endpoint, code location, and existing validation evidence.
• Source Code Review: Analyzes source code to verify the specific claim made in the finding, looking for indirect protections or unreachable code paths.
• Live Validation (Optional): Uses a proxy tool (Reaper) to interact with a live application instance and attempt exploitation of the reported vulnerability.
• Classification & Reporting: Classifies findings as True Positive, True Positive (Confirmed), False Positive, or Inconclusive, providing detailed evidence summaries, code analysis, and recommendations.

Example prompts

• "Validate this security finding: [paste finding text here]"
• "Can you assess the validity of a vulnerability report located at /path/to/finding.txt?"
• “I have a potential SQL injection issue reported; can you validate it?”

Tips & gotchas

• The skill requires access to the application's source code for accurate analysis.
• Live validation is optional and requires a live, accessible instance of the application.
• For inconclusive findings, be prepared to provide additional information or context to help the skill reach a determination.