Skip to content

Getting Started

Luigi Colluto edited this page Jul 14, 2026 · 1 revision

Getting Started

Install

git clone https://github.com/gigioneggiando/argo.git
cd argo
pip install -r requirements.txt
# optional, for the `argo` entry point instead of `python -m argo.cli`:
pip install -e .

Everywhere in these docs, argopython -m argo.cli — both work on any OS.

The two zero-cost ways to try it first

Before spending a cent, exercise the whole pipeline for free:

# 1. Full glue test, deterministic fixtures, zero tokens:
python -m argo.cli pipeline --runner mock --brief tests/fixtures/brief.txt --repo tests/fixtures/repo

# 2. Real ingest + recon, then STOP before any audit — inspect the generated prompts:
python -m argo.cli pipeline --dry-run --brief brief.md --repo https://github.com/acme/cms

--dry-run is the prompt-quality feedback loop: you eyeball the custom prompts Argo generated for your target before paying to actually run them.

Your first real run

Auditing your own code (the common case) — no brief needed, just point at a folder:

python -m argo.cli pipeline --repo ./your-code

The repo is mounted read-only and never pushed anywhere; a local/OSS model keeps the source fully on-device, a cloud backend (Claude/Codex) sends it to that provider's API to analyze it. See Two Modes for the full comparison with bug-bounty mode.

A cheap, real, end-to-end sanity check (~$1, one focus, tight caps):

python -m argo.cli pipeline --smoke

Run --smoke after changing anything in the runner, flags, or envelope parsing — it is the fastest way to prove the real CLI seam still works.

Setting up a bug-bounty program

Three separate things land in three different places:

  • Program description → a text file passed with --brief (paste the whole program page: scope, rules, rewards, exclusions, "no DoS").
  • Useful links (site, docs, security page, advisory history) → a text file, one per line, passed with --links. These are NOT the code.
  • Code repository → not a link — the codebase to analyze, passed with --repo.
argo ingest --brief brief.md --links links.txt --repo https://github.com/acme/acme-cms
argo recon    --run RUN_ID
argo run      --run RUN_ID
argo validate --run RUN_ID
argo report   --run RUN_ID
# or, all five stages at once (stops before any submission):
argo pipeline --brief brief.md --links links.txt --repo https://github.com/acme/acme-cms

Full flag reference: CLI Reference.

Picking a backend

argo pipeline ...                                                  # default: Claude Code (headless)
argo pipeline ... --runner codex                                   # Codex CLI / OpenAI
argo pipeline ... --runner codex --codex-oss --codex-local-provider ollama --codex-model qwen2.5-coder:32b
argo pipeline ... --runner mock                                    # free fixtures

See Multi-Backend for the full backend/account/fallback story.

The web UI

If you'd rather not use the CLI at all:

python -m argo.cli serve --open    # starts the API + UI, opens http://127.0.0.1:8000

Or just double-click start.cmd (Windows) / run ./start.sh. See Web UI.

Useful low-cost flags

argo pipeline ... --runner mock   # exercises the whole glue with fixtures, zero tokens
argo pipeline ... --dry-run       # runs ingest+recon, shows generated prompts, then STOPS
argo pipeline ... --no-research   # skip the Stage-0 web OSINT (fully offline)

Next

  • Architecture — what actually happens, stage by stage.
  • Guardrails & Safety — the constraints enforced in code, so you know exactly what Argo will and will not do to the repo or the target.

Clone this wiki locally