-
-
Notifications
You must be signed in to change notification settings - Fork 2
Two Modes
Argo runs in two modes over the same multi-stage engine — the detection core is identical, only the scope/RoE layer changes.
| General code audit (default) | Bug-bounty triage | |
|---|---|---|
| Input | a folder or repo — no brief | a program brief (--brief) + links + repo |
| Scope | source-only, synthesized from the code (zero-token ingest) | parsed from the brief (assets, RoE, exclusions) |
| For | your own / private / personal code, OSS review, CTFs, research | scoped programs with safe harbor |
| Extras | — | submission drafts, scope filtering, cross-run resubmission tracking |
Omit --brief, point --repo at a local folder (it doesn't need to be a git repo, and is
never pushed anywhere — the repo is mounted read-only). Argo synthesizes a minimal
source-only scope from the folder: zero-token ingest (no LLM call for Stage 1), web research
auto-off.
argo pipeline --repo ./my-codeNote the analysis itself: a cloud backend (Claude / Codex) sends the source to that provider's
API to analyze it — only a local / OSS model (--codex-oss) keeps everything fully on-device.
See Multi-Backend.
Adds the program-specific scaffolding on top of the same engine. Per program, three separate
things land in three different places — see Getting Started for the exact
file layout (brief.md / links.txt / --repo).
Resulting scope.json (illustrative):
{
"program_name": "ACME CMS",
"program_brief_raw": "<contents of brief.md>",
"in_scope": [{ "asset": "acme/acme-cms", "type": "source_repo" }],
"out_of_scope": ["*.staging.acme.com", "third-party plugins"],
"prohibited_techniques": ["no DoS / volumetric", "no social engineering", "max 10 req/s live"],
"reference_links": ["https://acme.com", "https://docs.acme.com", "https://acme.com/security"]
}reference_links gets injected at the top of every custom prompt Stage 2 generates, so the prompts
start out already knowing where to read docs and advisories. prohibited_techniques is propagated
into every rendered prompt, and prompt rendering fails if it's missing — see
Guardrails & Safety.
Bug-bounty mode adds: submission drafts (never auto-submitted — see the same guardrails page), a code-side scope filter that drops out-of-scope findings independently of the LLM's verdict, and a SQLite ledger that detects cross-run/cross-program resubmissions.
If you passed --brief, you're in bug-bounty mode; if you didn't, you're in general-audit mode.
The web UI makes this an explicit toggle on the New Run screen (🔍 General audit / 🎯 Bug bounty)
— see Web UI.