-
-
Notifications
You must be signed in to change notification settings - Fork 2
Feature Docs and History Corroboration
What it is. After validation, this stage cross-checks each surviving finding against the
project's own documentation and the source repo's VCS history (commits, releases,
advisories) over public web OSINT — using --docs-url/scope links + the repo URL if given, else
searching for them.
This automates the two false-positive modes vendors push back on most in real disclosures: "already fixed" and "documented by design".
- A finding the docs describe as intended behavior is downgraded to
design_accepted(kept, flagged) — not silently dropped, so a human reviewer can still see and override the call. - A finding already patched in a newer commit than the one Argo analyzed is moved to a
fixed_upstreamappendix in the report, rather than being reported as if it were still live. - Everything else stays
corroborated.
-
Opt-out, on by default —
--corroborate/--no-corroborate. Forced off for--smokeand brief-less local reviews (those stay 100% offline). - One of exactly two networked stages — the other is Threat-Informed Audit, which runs before recon instead of after validation.
- No repo access — the networked session receives the relevant code as read-only excerpts in the prompt, never a live mount. It also mines the project's issue tracker for prior "by design"/"wontfix" verdicts, since real vendor replies showed those calls often live in closed issues, not docs.
- Never touches the program's live in-scope hosts.
-
Best-effort — a failure here leaves a finding
unknownrather than aborting the run.
Survivors are batched (default 8 per session, same rationale as validation's batching) into shared corroboration sessions.
This stage was directly motivated by real vendor disclosure replies: reporting a bug that was already patched upstream, or a behavior the vendor's own docs (or an old GitHub issue) call intentional, is the fastest way to lose credibility with a maintainer. Corroborate closes that gap automatically, before a human ever drafts a report.
- Adversarial Validation — the stage immediately before this one.
- Design-Aware Impact Discipline — the audit-time counterpart (accepted-risks + by-design priors), catching the same false-positive classes earlier, before a finding is even written.