Skip to content

Two Modes

Luigi Colluto edited this page Jul 14, 2026 · 1 revision

Two Modes: General Audit and Bug Bounty

Argo runs in two modes over the same multi-stage engine — the detection core is identical, only the scope/RoE layer changes.

General code audit (default) Bug-bounty triage
Input a folder or repo — no brief a program brief (--brief) + links + repo
Scope source-only, synthesized from the code (zero-token ingest) parsed from the brief (assets, RoE, exclusions)
For your own / private / personal code, OSS review, CTFs, research scoped programs with safe harbor
Extras submission drafts, scope filtering, cross-run resubmission tracking

General audit — auditing your own code

Omit --brief, point --repo at a local folder (it doesn't need to be a git repo, and is never pushed anywhere — the repo is mounted read-only). Argo synthesizes a minimal source-only scope from the folder: zero-token ingest (no LLM call for Stage 1), web research auto-off.

argo pipeline --repo ./my-code

Note the analysis itself: a cloud backend (Claude / Codex) sends the source to that provider's API to analyze it — only a local / OSS model (--codex-oss) keeps everything fully on-device. See Multi-Backend.

Bug-bounty mode — scoped programs

Adds the program-specific scaffolding on top of the same engine. Per program, three separate things land in three different places — see Getting Started for the exact file layout (brief.md / links.txt / --repo).

Resulting scope.json (illustrative):

{
  "program_name": "ACME CMS",
  "program_brief_raw": "<contents of brief.md>",
  "in_scope": [{ "asset": "acme/acme-cms", "type": "source_repo" }],
  "out_of_scope": ["*.staging.acme.com", "third-party plugins"],
  "prohibited_techniques": ["no DoS / volumetric", "no social engineering", "max 10 req/s live"],
  "reference_links": ["https://acme.com", "https://docs.acme.com", "https://acme.com/security"]
}

reference_links gets injected at the top of every custom prompt Stage 2 generates, so the prompts start out already knowing where to read docs and advisories. prohibited_techniques is propagated into every rendered prompt, and prompt rendering fails if it's missing — see Guardrails & Safety.

Bug-bounty mode adds: submission drafts (never auto-submitted — see the same guardrails page), a code-side scope filter that drops out-of-scope findings independently of the LLM's verdict, and a SQLite ledger that detects cross-run/cross-program resubmissions.

Which one am I running?

If you passed --brief, you're in bug-bounty mode; if you didn't, you're in general-audit mode. The web UI makes this an explicit toggle on the New Run screen (🔍 General audit / 🎯 Bug bounty) — see Web UI.

Clone this wiki locally