How It Works
VORO's detection pipeline has three layers, each in a separate repository. They communicate through JSON — no shared code, no cross-repo imports.
```
              source code
                   │
                   ▼
┌─────────────────────────────────────────┐
│ Layer 1: voro-scan (static analysis)    │
│ 745 patterns + 14 external scanners     │
└──────────────────┬──────────────────────┘
                   │ audit JSON
                   ▼
┌─────────────────────────────────────────┐
│ Layer 2: voro-brain (Bayesian scoring)  │
│ 6 dimensions, Beta distributions        │
└──────────────────┬──────────────────────┘
                   │ threat report JSON
                   ▼
┌─────────────────────────────────────────┐
│ Layer 3: voro-web (presentation)        │
│ Web UI, GitHub App, PR integration      │
└─────────────────────────────────────────┘
```
Layer 1: Static Analysis (voro-scan)
The scanner is the CLI tool agent-builder. It runs two types of checks in parallel:
Built-in pattern matching — 745 active patterns (175 quarantined for insufficient precision) covering 16 languages. Patterns are organized into 50 vulnerability categories mapped to 9 industry taxonomies (SWC, OWASP Smart Contract, DASP, CWE, and others).
External scanner integration — 14 external tools run as subprocesses when available:
- Slither — Solidity-specific analysis (adapter precision: 0.746)
- Opengrep — SAST rules across multiple languages
- Bandit — Python security linting
- pip-audit, npm-audit — dependency vulnerability checks
- osv-scanner, trivy, snyk — supply chain and container scanning
- Additional scanners for specific ecosystems
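Running a tool "when available" amounts to probing PATH and shelling out. The sketch below assumes Python; the command flags and the EXTERNAL_SCANNERS table are illustrative, not voro-scan's actual adapter configuration:

```python
import shutil
import subprocess

# Illustrative commands only; the real adapters may pass different flags.
EXTERNAL_SCANNERS = {
    "slither": ["slither", ".", "--json", "-"],
    "bandit": ["bandit", "-r", ".", "-f", "json"],
    "pip-audit": ["pip-audit", "-f", "json"],
}

def available_scanners():
    """Return the subset of external scanners found on PATH."""
    return {name: cmd for name, cmd in EXTERNAL_SCANNERS.items()
            if shutil.which(cmd[0]) is not None}

def run_scanner(cmd):
    """Run one scanner as a subprocess and capture its JSON output."""
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout
```

Missing tools are simply skipped, so a scan degrades gracefully on machines without the full toolchain.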
Each scanner's output is normalized into a common ScanFinding format with fields for file, line, pattern ID, severity, category, and source. The combined findings are written to ~/.agent-builder/audit/audit-{id}.json.
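A minimal sketch of that normalization step, assuming Python and the field names listed above (the real ScanFinding schema and the exact JSON key spelling may differ):

```python
import json
from dataclasses import dataclass, asdict

@dataclass
class ScanFinding:
    # Field names follow the common format described above; the exact
    # key spelling in the real audit JSON is an assumption.
    file: str
    line: int
    pattern_id: str
    severity: str
    category: str
    source: str  # "builtin" or the name of the external scanner

def write_audit(findings, path):
    """Serialize normalized findings to an audit JSON file."""
    with open(path, "w") as f:
        json.dump({"findings": [asdict(x) for x in findings]}, f, indent=2)
```

Because every adapter emits the same shape, voro-brain never needs to know which scanner produced a finding beyond the source field.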
Agentic Security Patterns
VORO includes patterns for threats specific to autonomous AI agents:
- MCP server trust boundaries — detecting when agent tools connect to untrusted MCP servers without validation
- Prompt injection vectors — identifying inputs that could alter agent behavior
- Unconstrained tool permissions — flagging agents with overly broad tool access
- Agent autonomy risks — patterns for unsupervised financial transactions, unrestricted code execution
This is tracked as the "agent autonomy" dimension in voro-brain scoring. The Polygraph pipeline for agentic analysis is live but pending real-world validation.
Layer 2: Bayesian Scoring (voro-brain)
voro-brain takes the raw audit JSON and produces a scored threat report. It does not detect new vulnerabilities — it evaluates and ranks the findings from Layer 1.
Six Risk Dimensions
Every finding is scored across six dimensions:
| Dimension | What It Measures |
|---|---|
| fund_safety | Direct financial risk — reentrancy, flash loans, price manipulation |
| access_control | Authorization flaws — missing access checks, privilege escalation |
| external_risk | External dependencies — untrusted oracles, cross-contract calls |
| code_integrity | Code quality — integer overflow, unchecked returns, logic errors |
| dependency_health | Supply chain — known CVEs, outdated packages, malicious dependencies |
| agent_autonomy | Agent-specific — MCP trust, prompt injection, unconstrained tools |
Corpus-Calibrated Priors
VORO does not use arbitrary severity weights. The scoring engine uses Beta distributions calibrated against a labeled corpus of 1,113 contracts (1,039 clean + 74 vulnerable).
Each scanner has a measured confidence value:
- Slither: 0.7455
- Regex patterns: 0.439
- Opengrep: 0.093
These priors determine how much each scanner's output shifts the final score. A finding from a high-precision scanner (Slither at 0.746) moves the score more than one from a lower-precision source.
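Concretely, a measured confidence can be read as the mean of a Beta distribution whose parameters come from corpus counts. The counts below are hypothetical, chosen only so the means land near the published figures; voro-brain's actual parameters are not shown here:

```python
def beta_mean(alpha, beta):
    """Mean of a Beta(alpha, beta) distribution."""
    return alpha / (alpha + beta)

# Hypothetical corpus counts (roughly: true positives vs. false
# positives per scanner), picked so the means approximate the
# measured confidences quoted above.
PRIORS = {
    "slither": (746, 255),   # mean ~ 0.745
    "regex": (439, 561),     # mean ~ 0.439
    "opengrep": (93, 907),   # mean ~ 0.093
}

def finding_weight(source):
    """How much a finding from this source shifts a dimension score."""
    alpha, beta = PRIORS.get(source, (1, 1))  # uniform prior if unknown
    return beta_mean(alpha, beta)
```

The practical effect: a Slither finding carries roughly eight times the evidential weight of an Opengrep finding, because the corpus showed Slither's adapter to be far more precise.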
Output: Safety Grades
The threat report assigns grades on an A-F scale:
| Grade | Score Range | Meaning |
|---|---|---|
| A (Trusted) | < 9.47 | No significant findings |
| B (Moderate) | 9.47 – 24.47 | Minor issues, low exploitability |
| C (Caution) | 24.47 – 39.48 | Notable risks requiring review |
| D (Risky) | 39.48 – 44.48 | Significant vulnerabilities present |
| F (Critical) | > 44.48 | Critical issues, likely exploitable |
Grade thresholds are derived from corpus distributions, not set by hand.
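The table translates directly into a threshold lookup. A minimal sketch, assuming Python; the boundary convention (which grade claims an exact threshold value) is an assumption:

```python
# Thresholds from the grade table above; boundary handling
# (half-open intervals) is an assumption.
GRADE_THRESHOLDS = [
    (9.47, "A"),
    (24.47, "B"),
    (39.48, "C"),
    (44.48, "D"),
]

def grade(score):
    """Map a composite risk score to its A-F safety grade."""
    for threshold, letter in GRADE_THRESHOLDS:
        if score < threshold:
            return letter
    return "F"
```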
Exploitability Assessment
voro-brain integrates with voro-guard (a code index service) to perform call graph analysis. If a vulnerability exists in a function that is never called from an entry point, its exploitability score is reduced. This call graph reachability analysis is live.
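Reachability over a call graph is a plain graph traversal. A sketch of the idea, assuming a caller-to-callees adjacency map; the dampening factor is illustrative, not voro-brain's actual value:

```python
from collections import deque

def reachable(call_graph, entry_points):
    """BFS from entry points over a caller -> callees adjacency map."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def adjust_exploitability(score, function, call_graph, entry_points,
                          dampening=0.25):
    """Reduce exploitability when the vulnerable function is unreachable.

    The dampening factor is a made-up placeholder.
    """
    if function in reachable(call_graph, entry_points):
        return score
    return score * dampening
```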
Layer 3: Web Interface (voro-web)
voro-web is the presentation layer — a five-service Docker stack running at scan.voro.security:
- Next.js frontend — displays threat reports with per-dimension breakdowns
- Express API — handles scan submissions and report retrieval
- BullMQ workers — process scan jobs asynchronously
- Redis — job queue and caching
- PostgreSQL — metadata storage
GitHub App Integration
VORO's GitHub App watches repositories for pull requests and:
- Clones the PR branch
- Runs voro-scan + voro-brain
- Posts results as PR comments with finding summaries and safety grades
- Creates GitHub Check Runs with pass/fail status
Taxonomy Badges
Finding cards in the web UI display taxonomy badges showing which industry standards a vulnerability maps to (SWC, OWASP, DASP, CWE, Immunefi). Nine taxonomies are currently mapped across 50 VORO categories.
Design Principles
JSON over CLI. No shared Python imports between repos. voro-scan outputs JSON to stdout or a file. voro-brain reads that JSON and outputs a threat report. voro-web calls both via subprocess. This means each layer can be replaced, forked, or used independently.
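That contract can be sketched as two subprocess calls chained over JSON. The command names and flags below are illustrative; the real CLIs may take different arguments:

```python
import json
import subprocess

def run_pipeline(target_dir):
    """Chain Layer 1 and Layer 2 over JSON, with no shared imports.

    Command names and flags are illustrative placeholders.
    """
    scan = subprocess.run(
        ["agent-builder", "scan", target_dir, "--output", "-"],
        capture_output=True, text=True, check=True)
    audit = json.loads(scan.stdout)  # Layer 1 output: audit JSON

    brain = subprocess.run(
        ["voro-brain", "score", "-"],
        input=json.dumps(audit),
        capture_output=True, text=True, check=True)
    return json.loads(brain.stdout)  # Layer 2 output: threat report JSON
```

Swapping out a layer means swapping the command line, nothing else: any tool that reads and writes the same JSON shapes can stand in for either side.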
Local-first. The full pipeline runs on your machine. The web interface is optional — you can use voro-scan and voro-brain as CLI tools without any network access.
Measurement over claims. Every precision and recall number in VORO's documentation comes from a labeled corpus with a reproducible evaluation pipeline. The benchmark methodology will be published as a whitepaper.