π unclaimed β this page was auto-generated from GitHub. Are you the creator?
Claim this page β
argo
ποΈ LLM-native static vulnerability detection. An LLM reads your source like a human auditor, point it at any local folder or repo and get a reviewable vulnβ¦
git clone https://github.com/gigioneggiando/argo
ποΈ Argo β LLM-native static vulnerability detection
Argus Panoptes, the all-seeing watchman β a hundred eyes on your code.
Argo finds security vulnerabilities in source code by driving an LLM as the analyst β it reads the code the way a human auditor would, rather than matching rules against a graph. Point it at any codebase β a local folder, a private repo, or a public one β and it produces a reviewable vulnerability report. The core idea: start from reusable general prompts and automatically enrich them with target-specific context (stack, endpoints, docs, advisory history) β so every audit runs with tailored prompts instead of generic ones. It runs on whatever you have: Claude Code, the Codex CLI (OpenAI), or a local open-source model.
Where it sits. Argo is an LLM-native SAST β a complement and alternative to rule-based static analyzers (CodeQL, Semgrep): nothing to write (no queries, no rule packs), and it catches logic/authorization bugs that fixed patterns miss β at the cost of being probabilistic rather than exhaustive (see design-decisions). It is static by design β it never executes the target (a hard guardrail), so it is not a DAST, fuzzer, or symbolic executor. Bug-bounty triage is one specialized mode (scope/RoE ingest, submission drafts, cross-run resubmission tracking), not the whole tool β see Two modes.
- π Threat-informed audit β opt-out Stage-0 web OSINT (CVEs, advisories, history) feeds recon.
- π§ Archetype-driven prompts β classifies the software, then writes custom audit prompts for it.
- π‘οΈ Adversarial validation β a second model tries to refute each finding before it survives.
- π Docs + history corroboration β opt-out cross-check of each finding against the project's docs and the repo's VCS history (downgrades by-design, excludes already-fixed).
- π― Design-aware & impact-disciplined β inject the vendor's accepted-by-design behaviors (
--accepted-risks) + an anti-over-claim rule (no reflexive IMDS/SSRF escalation) so intended behavior isn't reported and impact isn't inflated. - π Multi-backend β Claude / Codex / OpenAI / local-OSS, same pipeline (see docs/backends.md).
- π©Ή Opt-in remediation β proposes a patch per finding and verifies it compiles on an isolated copy.
- π¬ Interrogation chat β ask "why didn't you find X?" with full context (worked example).
- π Benchmarks & costs β precision/recall harness + observed cost analytics.
- π« Detection-only, read-only, never live β guardrails enforced in code, not just prompts.
πͺͺ Two modes: general audit and bug bounty
Argo runs in two modes over the same multi-stage engine:
| General code audit (default) | Bug-bounty triage | |
|---|---|---|
| Input | a folder or repo β no brief | a program brief (--brief) + links + repo |
| Scope | source-only, synthesized from the code (zero-token ingest) | parsed from the brief (assets, RoE, exclusions) |
| For | your own / private / personal code, OSS review, CTFs, research | scoped programs with safe harbor |
| Extras | β | submission drafts, scope filtering, cross-run resubmission tracking |
Auditing your own code is the common case: omit --brief, point --repo at a local folder, and
the repo is mounted read-only and never pushed anywhere (a local / OSS model keeps the source
fully on-device; a cloud backend sends it to its API to analyze). Bug-bounty mode adds the
program-specific scaffolding on top.
π Principles and limits (read this first)
Argo is for authorized security review β your own code, bug-bounty programs with safe harbor, CTFs, or research. Three constraints are enforced in the orchestrator, not left to the prompts:
- Never auto-submit. The pipeline stops at drafts; submission is always a human action.
- Never contact live hosts by default, even for
source_and_livetargets β analysis is static, on the source, and live verification steps are emitted as a text plan you run yourself inside the program rules (no DoS, no scanning). The one opt-in exception is the gatedargo livestage (default off, requires--i-have-authorization): for authorized engagements it makes bounded, in-scope-only, read-only, capped, audit-logged requests to confirm findings β every request scope-locked to a registered in-scope asset (out-of-scope/unknown hosts hard-blocked). See guardrails Β§2c. - Read-only repo in every session: the pipeline never patches anything.
Additionally, prohibited techniques declared in scope (e.g. "no DoS") are propagated into every generated prompt, and prompt rendering fails if they are missing (re-inserted verbatim if a model paraphrases them β see guardrails).
π§© The assets (the reusable core)
The security logic lives in the prompts; the orchestrator is only the glue that sequences them.
| File | Role |
|---|---|
00_recon_synthesis_meta_prompt.md | Stage 2. Profiles the repo, reconciles it with scope, and generates the complementary custom prompts. This is where general-to-detailed enrichment happens. |
01_audit_prompt_template.md.j2 | Jinja skeleton every generated prompt conforms to. Fixed parts (role, finding format, rules of engagement, anti-false-positive constraints) never change; {{ }} slots carry target-specific content. |
02_adversarial_validation_prompt.md | Stage 4. For each finding it opens a fresh context and tries to break it. Only findings that survive get promoted. |
scope_schema.json | Structure of scope/rules. Authoritative input to every stage and the final findings filter. |
findings_schema.json | Normalized findings format, for dedup and validation. |
BUILD_SPEC.md | Specification to hand to a coding agent to build the orchestrator around the assets. |
β¨ How enrichment works (Stage 2)
This is the heart of the design. Three things converge β the reusable assets (always the same),
scope.json with your links and rules, and the repo recon (stack, endpoints, CVE history) β and
out come the complementary custom prompts for that single scan.
The split is archetype-driven: Stage 2 first classifies what kind of software the target is (web/API, CMS, plugin/extension, library/SDK, CLI, agent/LLM, mobile, data/ML pipeline, β¦) and chooses the prompt partition that fits β typically 3 complementary prompts, always including one architecture-led whole-system prompt β instead of a fixed web-app split. See docs/prompt-synthesis.md for how the prompt maker works and how to change it safely.
ποΈ Project layout
argo/
cli.py
models.py # pydantic models for scope + findings
runner.py # AgentRunner interface (Claude headless Β· Codex Β· mock)
stages/{ingest,research,recon,audit,sca,validate,corroborate,runtime,live,report}.py
research.pyΒ·fixes.pyΒ·verify.pyΒ·benchmark.pyΒ·chat.pyΒ·costs.pyΒ·archetype.py
prompts/ # the assets, version-controlled in git
ledger.py # SQLite findings + cost ledger
server/ Β· webapp/ # HTTP API + no-build web UI
runs/<RUN_ID>/ # scope.json, repo/, repo_profile.json, prompts/, findings/, REPORT.md
π₯ Inputs: how to set up a program (bug-bounty mode)
For a general code audit you need none of this β just
argo pipeline --repo ./your-code(see Two modes). The inputs below apply to bug-bounty mode, where a program brief defines the scope and rules.
Per program, three separate things land in three different places.
- Program description -> a text file passed with
--brief. Paste the whole program page from the platform (scope, rules, rewards, exclusions, "no DoS"). - Useful links (site, docs, security page, advisory history) -> a text file, one per
line, passed with
--links. These are NOT the code. - Code repository (e.g. the official GitHub) -> not a link, it is the codebase to
analyze, passed with
--repo.
Mnemonic: if it is something the agent must read to understand (site, docs, advisories) ->
links.txt. If it is the thing it must analyze (the code) -> --repo.
Example. Program folder:
brief.md
ACME CMS β Bug Bounty Program
Scope: app.acme.com, api.acme.com, the acme/acme-cms repository
Out of scope: *.staging.acme.com, third-party plugins
Rules: no DoS / volumetric testing, no social engineering, max 10 req/s on live
Rewards: Critical $$$, High $$, ...
links.txt
https://acme.com
https://docs.acme.com
https://acme.com/security
https://acme.com/security/advisories
Run:
argo ingest --brief brief.md --links links.txt --repo https://github.com/acme/acme-cms
Resulting scope.json:
{
"program_name": "ACME CMS",
"program_brief_raw": "<contents of brief.md>",
"in_scope": [{ "asset": "acme/acme-cms", "type": "source_repo" }],
"out_of_scope": ["*.staging.acme.com", "third-party plugins"],
"prohibited_techniques": ["no DoS / volumetric", "no social engineering", "max 10 req/s live"],
"reference_links": ["https://acme.com", "https://docs.acme.com", "https://acme.com/security", "https://acme.com/security/advisories"]
}
Stage 2 takes reference_links and injects them at the top of every custom prompt, so the
prompts start out already knowing where to read docs and advisories.
β‘ Usage
argo ingest --brief BRIEF --links LINKS --repo PATH_OR_URL # Stage 1
argo recon --run RUN_ID # Stage 2
argo run --run RUN_ID # Stage 3
argo validate --run RUN_ID # Stage 4
argo report --run RUN_ID # Stage 5
argo pipeline --brief ... --links ... --repo ... # 1-5, stops before submission
argo pipeline --repo ./my-code # π local/personal review β NO brief, NO URL
Auditing your own / private local code? Omit --brief and point --repo at a local folder
(it does not need to be a git repo, and is never pushed anywhere β the repo is mounted read-only).
Argo synthesizes a minimal source-only scope from the folder (zero-token ingest, web research
auto-off) and audits it. Note the analysis itself: a cloud backend (Claude / Codex) sends the
source to that provider's API to analyze it β only a local / OSS model (--codex-oss) keeps
everything fully on-device.
Pick a backend (default headless = Claude Code):
argo pipeline ... --runner codex # Codex CLI / OpenAI
argo pipeline ... --runner codex --codex-oss --codex-local-provider ollama --codex-model qwen2.5-coder:32b
Low-cost modes:
argo pipeline ... --runner mock # exercises the whole glue with fixtures, zero tokens
argo pipeline ... --dry-run # runs ingest+recon, shows generated prompts, then STOPS
argo pipeline ... --no-research # skip the Stage-0 web OSINT (fully offline)
--dry-run is the prompt-quality feedback loop: it lets you eyeball the custom prompts before
paying to run them.
π₯οΈ Web UI
A no-build web interface (paste the program, point at the repo, watch the argo run live, read the
results, then chat with the analysis) ships in webapp/ and is served by the API. Easiest:
double-click start.cmd (Windows) or run ./start.sh. Or:
python -m argo.cli serve --open # starts + opens http://127.0.0.1:8000
It defaults to the free mock runner; switch to a real run (with a budget) from the Advanced panel. See docs/ui.md and docs/api.md.
π¬ The stages in detail
1 β Ingest. Parses the brief into scope.json, validated against scope_schema.json. If the
program forbids automation, raises a flag that forbids any live interaction for the whole run.
Clones/copies the repo into the run dir, read-only. --accepted-risks FILE records the vendor's
intended / accepted-by-design behaviors (their threat model / known-limitations) into the scope,
to be injected downstream so those behaviors are not re-reported as bugs.
Design context + impact discipline (cross-cutting, always on). Every audit prompt (and the
validate/corroborate prompts) carries an injected block that (a) enforces impact discipline β
report proven impact, not reflexive escalation, e.g. don't assert cloud-metadata/IMDS reachability
for an SSRF without evidence, and treat "an admin can do an admin thing" as by design β and (b) when
--accepted-risks is given, lists those behaviors so the model doesn't raise them. This attacks the
two hardest false-positive modes directly at the source, before a finding is even written.
0 β Research (opt-out, one of two networked stages). From the brief, links, and program name it
does public web OSINT (CVEs, advisories, the project's security history) and writes
research_brief.md + threat_intel.json, injected into recon so the audit is threat-targeted. Never
touches the program's live in-scope hosts; --no-research keeps the run fully offline.
2 β Recon + synthesis. Runs 00_recon_synthesis_meta_prompt.md with read access to the repo.
Produces repo_profile.json, the complementary custom prompts, synthesis_notes.md, and
ground_truth.json β a deep extraction (per focus) of security invariants,
baseline-correct references to diff siblings against, the enumerated variant families, and
target-specific false-positive carve-outs. Baking this into the prompts turns the audit from
open-ended hunting into closed-ended verification (the main precision + depth lever).
3 β Audit. For each prompt, a separate agent session in an isolated working dir, repo
read-only. Each session emits findings JSON (validated against findings_schema.json) and a
VARIANT_HUNT_LOG (one row per variant-family member). A completeness-critic re-pass
(--critic-passes, default 1) then re-audits each focus for what was missed, looping until dry. A
finding that drifts off-schema is repaired and kept (flagged), never silently dropped.
SCA β Software-composition analysis (opt-out, between audit and validate). Reads dependency
manifests and flags pinned versions with known advisories as a dependencies focus. --no-sca or
a repo with no manifests skips it.
4 β Validate. Merges findings, computes dedup_key = sha1(normalize(file + line + cwe)) and
collapses duplicates. For each survivor, runs 02_adversarial_validation_prompt.md in a fresh
context β now ground-truth-aware (the carve-outs + baseline-correct refs are injected).
Downgrade-don't-delete: refuted is reserved for findings provably contradicted by code (or
matching a carve-out); anything merely uncertain is kept as needs_runtime_verification with a
concrete question. Drops out_of_scope; keeps confirmed and needs_runtime_verification.
CORROBORATE β Docs + history cross-check (opt-out, networked; after validate). For each
surviving finding, cross-checks it against the project's own documentation and the source repo's
VCS history (commits, releases, advisories) over public web OSINT β using --docs-url/scope
links + the repo URL if given, else searching for them. A finding the docs describe as intended
is downgraded to design_accepted (kept, flagged); one already patched in a newer commit is
moved to fixed_upstream (kept in a report appendix, never silently deleted); the rest stay
corroborated. Best-effort and never touches the live in-scope hosts; --no-corroborate skips it.
This is the automated form of the two false-positive modes vendors push back on most: "already
fixed" and "documented by design".
RUNTIME β Runtime verification (opt-in, sandboxed; default off). Builds the OSS target from
the cloned source into an ephemeral, egress-blocked, loopback-only container (--network=none)
and probes only that local instance with HTTP PoCs to confirm/refute findings β never the
program's live hosts (same trust model as the Phase-6 isolated build). Read-only probes by default,
anti-DoS caps, no model execution primitive. Needs Docker + a launcher recipe; gracefully skips
otherwise. Full safety design in docs/runtime-verification-study.md.
5 β Report. Produces REPORT.md (summary, findings sorted by validated severity then
confidence, "fix first" ordering, residual unknowns) and one DRAFT submission per confirmed
finding. Appends every finding to the SQLite ledger.
π¦ Artifact capture
Files are the source of truth, the manifest is only an index. Each Claude session writes its
artifacts as separate files into its own scratch dir (repo_profile.json, one .md per prompt,
SECURITY_FINDINGS__<focus>.json, validation verdicts), each conforming to its schema. The final
message returns a small manifest indexing them. The orchestrator treats the files as
authoritative; if the manifest is missing or the session dies, it falls back to globbing the
scratch dir (partial recovery). Claude Code's --output-format json is used only for run metadata
(session id, cost, stop reason), never for the artifacts.
Reason: deep-audit findings and full prompts are too large to fit one stdout JSON without risking truncation (which would silently drop findings); files survive long-session crashes and map cleanly to the heterogeneous artifact types.
π Backends & model strategy
Backends. Same pipeline, swappable engine β pick what you have:
--runner headless (Claude Code) Β· --runner codex (Codex CLI β OpenAI, or --codex-oss --codex-local-provider ollama|lmstudio for local open-source models like Qwen/DeepSeek) Β·
--runner mock (free fixtures). The guardrails are enforced per backend (Claude tool denylists,
Codex OS sandbox); cost is authoritative for Claude and token-estimated for Codex. Full details in
docs/backends.md.
Resilience β multi-account & multi-backend fallback. Backends and accounts chain transparently: when one hits a session/rate limit (429) the same call is retried on the next (a per-run circuit breaker disables the walled one; a non-retryable error propagates). Since limits are per-account, two logged-in Claude accounts double your capacity before falling through to Codex:
# account A -> account B -> Codex, all transparent on a 429
python -m argo.cli pipeline --repo <url> --calibration \
--claude-accounts ~/.claude,~/.claude-b --fallback codex
# set up the 2nd account once: CLAUDE_CONFIG_DIR=~/.claude-b claude login
Codex multi-account works the same way (--codex-accounts ~/.codex,~/.codex-b, via CODEX_HOME).
So a long Opus run that used to wall on the Claude limit mid-validate now self-heals to the next
account/backend instead of degrading.
Per-stage Claude defaults (overridable per-run; Codex uses one model for all stages):
ingest -> sonnet-4-6 (cheap extraction; never Haiku β misreading scope/RoE costs a lot)
recon -> opus-4-8 (highest-leverage step: the whole audit's quality depends on it)
audit P1..Pn-> sonnet-4-6 (parallel; see note)
validate -> opus-4-8 (cuts false positives)
report -> sonnet-4-6
Key concept: validation (Opus) removes false positives, but does not recover false negatives β bugs the audit model never surfaced are gone. So the audit model is the only lever on the missed-bug rate, which is the failure that matters for vulnerability detection.
Model landscape (why the backend is swappable). Argo deliberately keeps the model behind the
AgentRunner interface, because detection quality tracks the model. The frontier is moving fast and
toward security specifically: Anthropic's Claude Mythos 5 was described as having the strongest
cybersecurity capability of any model β strong enough that the general-use Fable 5 ships with a
classifier that routes cybersecurity (and bio/chem) requests to Claude Opus 4.8 instead, and
direct access to Mythos/Fable 5 was later restricted under a US export-control directive
(Anthropic,
red.anthropic.com). The takeaway for Argo: as
security-specialized models become accessible, the swappable backend means Argo gets better by
pointing at a stronger engine β no pipeline changes. Today it runs on the generally-available
backends above.
Calibration phase (first ~5 programs): override audit -> opus-4-8. While the prompts are
unproven, you don't want to confound "weak prompt" with "weak model" when diagnosing misses. Once
a class of targets reliably yields good findings, drop to Sonnet to scale. Per-target rule
thereafter: high expected bounty/severity -> audit on Opus; broad low-value sweeps -> Sonnet.
π§ͺ Development and testing
Recommended order: build the MockClaudeRunner + tests first, then the real headless runner. That
way, when you wire in the real model, the glue is already verified and any remaining problem comes
from the Claude Code interaction, not your logic.
Mock fixtures should exercise the failure paths, not the happy path: an out-of-scope finding (scope filter), the same finding from two focuses (dedup), a refuted finding (drop), a missing manifest (glob fallback), a session that died mid-write (partial recovery), an oversized findings JSON (no truncation assumptions). Also keep one "recorded real run" fixture that replays the artifacts of a genuine Opus run, so the mock stays realistic and catches output-shape drift.
Tests to ship: schema conformance at every stage boundary, a golden-file test for REPORT.md, and
regression tests on dedup + validation filtering.
π Live targets
You mostly work on source, but some programs include live assets. There, static review produces
hypotheses, not proof of exploitability. The pipeline never touches a live host: for each
finding it emits a live_verification_plan (safe, in-scope, non-DoS steps) that you verify
manually against the instance, inside the program rules.
π‘ Operational tips
- Keep prompts under git and record which version each run used: you can A/B test them and see which produce accepted findings.
- The SQLite ledger avoids re-reporting the same bug across runs/programs and tracks your hit rate.
- Log the cost of every LLM call (useful on the Max plan).
- The most useful metric to watch is the ratio of validation-confirmed findings to triager-accepted findings: if they diverge, tune the validation prompt.
- Always check whether a given program permits automated/AI tooling before running it.
π Further documentation
This README is the conceptual overview. Deeper, implementation-level docs live in docs/:
| Doc | What's in it |
|---|---|
| docs/architecture.md | Module map, data flow, the AgentRunner abstraction, RunContext, ledger schema, dedup algorithm |
| docs/prompt-synthesis.md | The archetype-driven prompt maker (Stage 2), the specificity self-check, reuse from the legacy generator, safe meta-prompt changes |
| docs/cli-reference.md | Every command and flag, with examples (--smoke, --budget, caps, --calibration, β¦) |
| docs/guardrails.md | The non-negotiable guardrails and exactly where each is enforced in code |
| docs/design-decisions.md | Why Argo is LLM-direct with no CPG/AST engine, what it uses instead, when we'd revisit, and threats to validity (paper-facing) |
| docs/backends.md | Multi-backend: run on Claude Code, the Codex CLI (OpenAI), or local/open-source models β the abstraction, per-backend guardrail mapping, cost, cross-model study |
| docs/headless-runner.md | Real Claude Code integration: flags used, the JSON envelope, caps, error handling, partial recovery, the --smoke run |
| docs/api.md | The HTTP API (server/) β backend for the web UI: endpoints, run lifecycle, live status/SSE, artifact whitelist |
| docs/ui.md | The web UI (webapp/) β python -m argo.cli serve, the no-build stack, the views |
| docs/chat-example.md | π¬ The interrogation chat β a real worked transcript (grounded explanation, false-positive self-correction, honest false negatives) |
| docs/roadmap.md | Planned UI + advanced features: per-feature analysis, phased build order, todo list (Phase 0 done) |
| docs/configuration.md | PipelineConfig reference, per-stage models, budgets/caps |
| docs/testing.md | How to run the suite, what it covers, mock vs. headless |
π License
Apache License 2.0 β see LICENSE. Argo is detection-only and intended for authorized security testing (bug-bounty programs with safe harbor, your own code, CTFs, or research). You are responsible for staying within the scope and rules of engagement of any program you point it at.
// compatibility
| Platforms | cli, api, web, mobile |
|---|---|
| Operating systems | β |
| AI compatibility | claude |
| License | Apache-2.0 |
| Pricing | open-source |
| Language | Python |
// faq
What is argo?
ποΈ LLM-native static vulnerability detection. An LLM reads your source like a human auditor, point it at any local folder or repo and get a reviewable vuln report. Auto-enriched prompts, adversarial validation, opt-in fix-verify. Runs on Claude Code / Codex / local OSS. Bug-bounty triage is one mode. Detection-only, read-only.. It is open-source on GitHub.
Is argo free to use?
argo is open-source under the Apache-2.0 license, so it is free to use.
What category does argo belong to?
argo is listed under security in the Claudeers registry of Claude-compatible tools.
// embed badge
[](https://claudeers.com/argo)
// retro hit counter
[](https://claudeers.com/argo)
// reviews
// guestbook
// related in Security & Compliance
A complete AI agency at your fingertips - From frontend wizards to Reddit community ninjas, from whimsy injectors to reality checkers. Each agent is a speciaβ¦
Ο RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection β all without a single pixel of video.
Prowler is the worldβs most widely used open-source cloud security platform that automates security and compliance across any cloud environment.
πΆ A curated list of Web Security materials and resources.