Installation

Ghost is a native desktop application — you download it, install it, and run it like any other app on your computer. There’s no server to set up, no Docker container to run, and no command line required.

Download

Ghost is distributed internally at Hepsiburada through the GitLab Generic Packages Registry. You’ll find the latest version in the project’s package registry. Choose the right download for your computer:

macOS (Apple Silicon)

Download Ghost-x.x.x-aarch64.dmg — this is for newer Macs with Apple’s own chips (M1, M2, M3, M4 — any Mac purchased from late 2020 onward).

Installation steps:

1. Double-click the downloaded .dmg file to mount it (a virtual disk image opens as a window)
2. Drag the Ghost icon into the Applications folder shortcut shown in the window
3. Important first-launch step: Because Ghost is distributed internally (not from the Mac App Store), macOS Gatekeeper will block it on first launch. To bypass this, navigate to your Applications folder, right-click on Ghost, and select Open from the context menu. Click “Open” in the confirmation dialog. You only need to do this once — subsequent launches work normally by double-clicking.

Not sure which Mac you have?

Click the Apple menu () → “About This Mac.” If the Chip line says “Apple M1” (or M2, M3, M4), you have Apple Silicon. If it says “Intel,” use the Intel download instead.

macOS (Intel)

Download Ghost-x.x.x-x64.dmg — this is for older Macs with Intel processors (generally pre-2021 models).

Installation steps:

1. Double-click the downloaded .dmg file to mount it
2. Drag the Ghost icon into the Applications folder
3. Important first-launch step: Right-click Ghost in Applications → Open → click “Open” in the confirmation dialog (this bypasses Gatekeeper — only needed once)

Windows

Download Ghost-x.x.x-setup.exe — a standard Windows installer built with NSIS.

Installation steps:

1. Double-click the installer to run it (you may see a SmartScreen warning — click “More info” → “Run anyway” since this is an internal tool, not signed with a commercial certificate)
2. Ghost installs to your user’s AppData directory (no administrator rights needed)
3. A Start menu shortcut is created automatically
4. Launch Ghost from the Start menu or the desktop shortcut

Note

Windows is supported as a development platform for building Ghost. The primary target users at Hepsiburada all run macOS.

Auto-Updates

Once Ghost is installed, you don’t need to download new versions manually. Ghost has a built-in auto-update system that works like this:

1. Automatic check — Every time Ghost starts, it waits 5 seconds (so the UI loads first), then checks the update server for new versions in the background
2. Notification — If a new version is available, a small notification toast slides in at the bottom of the screen telling you the new version number
3. Install when ready — Open Settings → About to see the current and available version. Click Download & Install to start the update. A progress bar shows the download status.
4. Automatic restart — Once the download completes, Ghost restarts itself with the new version. Your sessions and settings are preserved.

Security: Updates are cryptographically signed using EdDSA (Ed25519), a modern digital signature algorithm. Before installing any update, Ghost verifies the signature matches Hepsiburada’s public key. If someone tampered with the update file (modified the binary, injected malware), the signature check fails and Ghost rejects the update automatically. You never need to think about this — it happens silently in the background.

System Requirements

Requirement	Minimum	Notes
macOS	10.15 (Catalina) or later	Both Apple Silicon and Intel are supported natively (not through Rosetta emulation)
Windows	Windows 10 or later	Windows 11 also fully supported
RAM	200MB for Ghost itself	Large capture sessions (tens of thousands of flows) will use more memory. The flow list uses virtual scrolling, so even 100K flows don’t require loading them all into memory at once.
Disk Space	~100MB for the application	The SQLite database grows as you capture traffic. A typical testing session generates 10-50MB of data. Sessions can be deleted to reclaim space.
Network Ports	Port 4545 (proxy) and 5565 (API) on localhost	Ghost uses these two ports for internal communication. They only listen on localhost (127.0.0.1), so they’re not accessible from other computers on your network. If another application is using one of these ports, Ghost will report an error on startup.

What Gets Installed

Ghost creates the following files and directories on your machine. Everything lives in your home directory — no system-wide files are modified (except when you choose to install the CA certificate into the system trust store during first-run setup).

Path	What’s There	Details
/Applications/Ghost.app (macOS) or %LOCALAPPDATA%\Ghost (Windows)	The Ghost application itself	The executable, the embedded frontend, and the Tauri shell
~/.ghost/	Ghost’s data directory	Everything Ghost stores lives here. Deleting this folder resets Ghost to factory state.
~/.ghost/config.toml	Configuration file	Human-readable settings in TOML format. You can edit this file directly, but it’s easier to use Ghost’s Settings UI. See Config File Reference.
~/.ghost/ghost.db	SQLite database	All captured traffic, sessions, agent conversations, addon scripts, rules, and settings. This is a single file that grows as you use Ghost.
~/.ghost/ca.crt and ca.key	CA certificate and private key	The Certificate Authority that Ghost uses to decrypt HTTPS traffic. The .crt file is the public certificate (safe to share/install). The .key file is the private key (never share this). Both are generated automatically on first launch using ECDSA P-256 cryptography. See Certificate Management.
~/.ghost/workspaces/	Agent workspace files	When the AI agent generates files (test scripts, bug reports, exported data), they’re saved here organized by session.

Optional: Security Scanners

If you plan to use Ghost’s Security mode (for vulnerability testing and security analysis), Ghost can integrate with up to 10 external security scanning tools. These are industry-standard open-source tools that the AI agent can invoke automatically during security analysis.

One-Click Install (7 tools)

These tools can be installed directly from Ghost’s UI:

No terminal needed

Open Settings → Security Tools and you’ll see each tool with a status indicator (installed/not installed) and a one-click install button. Ghost installs them via Homebrew (macOS) or Chocolatey (Windows) and streams progress in real-time.

If you prefer installing them manually:

# macOS (using Homebrew package manager)
brew install nuclei          # Template-based vulnerability scanner — 9,000+ checks for XSS, SQLi, misconfigs, CVEs
brew install dalfox          # XSS specialist — deep parameter analysis, DOM XSS, blind XSS detection
brew install ffuf            # Path and parameter fuzzer — endpoint discovery, IDOR testing at scale
brew install sqlmap          # SQL injection detection — tests captured flows for injection vulnerabilities
brew install trufflehog      # Secret scanner — 800+ verified detector types for API keys, tokens, credentials
brew install katana          # JS endpoint discovery — finds untested API paths from app's own JavaScript
brew install semgrep         # Static analysis — DOM XSS sinks, eval, innerHTML, postMessage in captured JS

Note: sqlmap and semgrep require Python 3 to be installed on your system.

Manual Install (3 additional tools)

These tools are also supported by the AI agent but don’t have one-click install — you need to install them yourself:

brew install nmap            # Port scanning and service detection
brew install sslscan         # TLS/SSL configuration analysis (or testssl.sh as an alternative)
brew install hydra           # Password brute-force testing (only usable in active-full scan mode)

You don’t need all of them. Ghost auto-detects which scanners are installed on your system (by checking your PATH environment variable) and only makes the available ones accessible to the AI agent. If you never use Security mode, you don’t need any of these.

Optional: Frida

Frida is a dynamic instrumentation toolkit for mobile security testing. In plain terms, Frida lets you modify how a mobile app behaves while it’s running — without changing the app’s actual code. Ghost integrates with Frida to enable powerful mobile testing capabilities:

• SSL pinning bypass — Many apps include “SSL pinning” as a security measure, which prevents proxy tools like Ghost from intercepting their HTTPS traffic. Frida can disable this protection so you can see the app’s traffic.
• Root/jailbreak detection bypass — Some apps refuse to run on rooted Android or jailbroken iOS devices. Frida can trick the app into thinking the device is stock.
• Runtime inspection — Read and modify variables, intercept function calls, and trace app behavior in real-time.

To install Frida:

pip install frida-tools

Additional setup for physical devices: Frida requires the “Frida server” component running on the target mobile device. On rooted Android emulators, this is straightforward. On physical devices, the device must be rooted (Android) or jailbroken (iOS) to run the Frida server. Ghost’s UI guides you through this setup.

If you’re only doing network traffic analysis (no runtime app modification), you don’t need Frida at all.