Open Source
VORO's scanner (voro-scan, installed as the agent-builder package) is the core open-source component. It runs the full static analysis pipeline locally, with no restrictions on scan volume, project size, or language coverage.
What's Included (Free)
| Capability | Details |
|---|---|
| Pattern scanning | 745 active patterns across 16 languages |
| External scanner integration | 14 scanners (Slither, Opengrep, Bandit, pip-audit, npm-audit, osv-scanner, trivy, snyk, and more) |
| Multi-language support | Solidity, Python, JavaScript, TypeScript, Go, Rust, Move, Vyper, Ruby, PHP, Java, C/C++, and more |
| Agentic security patterns | MCP trust, prompt injection, unconstrained tool permissions |
| Structured JSON output | Machine-readable audit reports for CI/CD integration |
| Taxonomy mapping | 9 industry taxonomies (SWC, OWASP SC, DASP, CWE, Immunefi, and others) |
| Unlimited local scans | No rate limits, no API keys, no telemetry |
Languages
voro-scan supports 16 languages with varying depth of coverage:
- Deep coverage (dedicated patterns plus external scanner integration): Solidity, Python, JavaScript/TypeScript, Go, Rust
- Pattern coverage (dedicated patterns, no external scanner integration): Move, Vyper, Ruby, PHP, Java, C/C++, and additional languages
The scanner automatically detects languages in your project and runs the relevant checks. No configuration required.
How to Use
```bash
# Install
pip install agent-builder

# Scan any project
agent-builder audit /path/to/project

# Output is written to ~/.agent-builder/audit/audit-{id}.json
```
See the Quick Start for detailed examples.
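A CI gate built on that JSON report, as an added example (not voro-scan's own code, and not a documented schema): it picks the newest `audit-*.json` under the directory named above, applies a severity policy and a list of pattern IDs already triaged as false positives, and returns a non-zero exit status when anything blocks. The report fields it reads (`findings`, `pattern_id`, `severity`, `file`, `line`), the severity names and the sample report are assumptions constructed for the example; check them against a real report before relying on this.

```python
"""Fail a CI job on an agent-builder audit report.

Added example, not part of voro-scan. The page says the report lands at
~/.agent-builder/audit/audit-{id}.json; everything about the report's contents
assumed here (a top-level "findings" list whose items carry "pattern_id" and
"severity") is hypothetical, and SAMPLE_REPORT is constructed for the example.
"""
import json
import sys
from pathlib import Path

DEFAULT_AUDIT_DIR = Path.home() / ".agent-builder" / "audit"  # location from the page
FAIL_ON = frozenset({"critical", "high"})  # build-breaking severities (policy choice)


def newest_report(audit_dir: Path = DEFAULT_AUDIT_DIR) -> Path:
    """The {id} in audit-{id}.json is not known up front, so pick the newest file."""
    reports = sorted(Path(audit_dir).glob("audit-*.json"), key=lambda p: p.stat().st_mtime)
    if not reports:
        raise FileNotFoundError(f"no audit-*.json under {audit_dir}")
    return reports[-1]


def blocking_findings(report: dict, fail_on=FAIL_ON, suppressed=frozenset()) -> list:
    """Findings that should fail the build.

    `suppressed` holds pattern IDs already triaged as false positives; keep that
    list in the repo and report each entry upstream (see Reporting False Positives).
    """
    return [f for f in report.get("findings", [])
            if str(f.get("severity", "")).lower() in fail_on
            and f.get("pattern_id") not in suppressed]


def gate(report: dict, suppressed=frozenset()) -> int:
    """Exit status for CI: 0 when nothing blocks, 1 otherwise."""
    blocking = blocking_findings(report, suppressed=suppressed)
    for f in blocking:
        print(f"[{f.get('severity')}] {f.get('pattern_id')} {f.get('file')}:{f.get('line')}",
              file=sys.stderr)
    return 1 if blocking else 0


# Constructed sample in the assumed shape, with made-up pattern IDs; real reports may differ.
SAMPLE_REPORT = {
    "findings": [
        {"pattern_id": "SOL-REENTRANCY-001", "severity": "high", "file": "Vault.sol", "line": 88},
        {"pattern_id": "PY-CMDI-001", "severity": "critical", "file": "deploy.py", "line": 12},
        {"pattern_id": "JS-EVAL-003", "severity": "low", "file": "ui.js", "line": 40},
    ]
}

if __name__ == "__main__":
    # Usage: python gate.py [path/to/audit-<id>.json]; defaults to the newest report.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else newest_report()
    sys.exit(gate(json.loads(path.read_text())))
```

Two practical points the script encodes: the report is written under the home directory, not the repository, so the CI step has to locate it (here by modification time) rather than assume a path; and suppressions are keyed by pattern ID, which is exactly what a false positive report needs, so the suppression list doubles as a to-do list for upstream issues.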
Contributing
VORO's pattern library grows through community contributions. Each pattern is a structured rule with:
- A unique ID and vulnerability category
- File type and language scope
- Regex or AST-based matching logic
- Precision/recall measurements against the labeled corpus
Patterns whose precision falls below the threshold (35%, measured across 5 evaluation datasets) are automatically quarantined: they are removed from the active set rather than deleted, so the active patterns stay high-precision while experimental patterns can still be tested and refined.
Submitting Patterns
- Fork the voro-scan repository
- Add your pattern to the appropriate category directory
- Include test cases (at minimum one snippet the pattern must flag, a true positive, and one it must not flag, a true negative)
- Open a pull request; CI runs the pattern against the evaluation corpus
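A toy version of the evaluation loop the two sections above describe, as an added example rather than voro-scan's own harness: a pattern with ID, category, language scope and regex matcher; a labeled corpus split into five constructed datasets; pooled precision and recall; the 35% quarantine decision; and the minimum true-positive/true-negative test pair a pull request has to carry. The `Pattern`/`Sample`/`Counts` field names, the corpus format, the snippets and the choice to pool counts across datasets (micro-averaging) are assumptions; the page states only the threshold.

```python
"""Toy version of the pattern evaluation and quarantine flow described above.
Added illustration, not voro-scan's own code: the Pattern fields, corpus format,
sample snippets and the pooled (micro-averaged) precision rule are assumptions;
only the 35% threshold is taken from the page."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Pattern:
    """One structured rule: unique ID, category, language scope, regex matcher."""
    pattern_id: str
    category: str
    languages: frozenset
    regex: str

    def matches(self, language: str, code: str) -> bool:
        # Scope is checked first: a Python rule never fires on a JavaScript file.
        if language not in self.languages:
            return False
        return re.search(self.regex, code, re.MULTILINE) is not None

@dataclass(frozen=True)
class Sample:
    """Labeled corpus entry: language, code, and whether it is truly vulnerable."""
    language: str
    code: str
    vulnerable: bool

@dataclass
class Counts:
    tp: int = 0
    fp: int = 0
    fn: int = 0
    tn: int = 0

    def precision(self):  # None when the pattern never fired
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else None

    def recall(self):  # None when the dataset holds no vulnerable samples
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else None

def evaluate(pattern: Pattern, samples) -> Counts:
    """Tally TP/FP/FN/TN for one pattern over one labeled dataset."""
    c = Counts()
    for s in samples:
        hit = pattern.matches(s.language, s.code)
        if hit and s.vulnerable:
            c.tp += 1
        elif hit:
            c.fp += 1
        elif s.vulnerable:
            c.fn += 1
        else:
            c.tn += 1
    return c

def pooled(pattern: Pattern, datasets) -> Counts:
    """Sum counts over every dataset (micro-average; the aggregation rule is assumed)."""
    cs = [evaluate(pattern, ds) for ds in datasets]
    return Counts(sum(c.tp for c in cs), sum(c.fp for c in cs),
                  sum(c.fn for c in cs), sum(c.tn for c in cs))

PRECISION_THRESHOLD = 0.35  # quarantine threshold stated on the page

def should_quarantine(pattern, datasets, threshold=PRECISION_THRESHOLD) -> bool:
    p = pooled(pattern, datasets).precision()
    return p is not None and p < threshold  # a rule that never fires is left alone here

def passes_required_tests(pattern, true_positive: Sample, true_negative: Sample) -> bool:
    """Minimum PR test cases: must flag the TP snippet and must not flag the TN one."""
    return (pattern.matches(true_positive.language, true_positive.code)
            and not pattern.matches(true_negative.language, true_negative.code))

# Two candidate rules for one weakness (command injection through shell=True). The
# naive rule matches the keyword anywhere; the scoped rule requires an f-string
# command handed to a subprocess call, so constant commands are not flagged.
NAIVE = Pattern("PY-CMDI-001-naive", "command-injection", frozenset({"python"}),
                r"shell\s*=\s*True")
SCOPED = Pattern("PY-CMDI-001", "command-injection", frozenset({"python"}),
                 r"""subprocess\.\w+\(\s*f["'][^\n]*shell\s*=\s*True""")
# Constructed labeled corpus split into five tiny datasets (not a real corpus).
DATASETS = [
    [Sample("python", 'subprocess.run(f"tar xf {upload}", shell=True)', True),
     Sample("python", 'subprocess.run(["tar", "xf", upload])', False)],
    [Sample("python", 'subprocess.run("uname -a", shell=True)', False),
     Sample("python", 'subprocess.check_output("df -h", shell=True)', False)],
    [Sample("python", 'subprocess.Popen(f"ping -c 1 {host}", shell=True)', True),
     Sample("python", 'subprocess.call("systemctl status sshd", shell=True)', False)],
    [Sample("python", "shell = True  # a config flag, no command here", False)],
    [Sample("python", "subprocess.run('echo done', shell=True, check=True)", False),
     Sample("javascript", "execSync(`ls ${dir}`)", True)],  # outside scope -> FN
]
TRUE_POSITIVE, TRUE_NEGATIVE = DATASETS[0][0], DATASETS[1][0]

if __name__ == "__main__":
    for p in (NAIVE, SCOPED):
        print(p.pattern_id, pooled(p, DATASETS), "quarantine" if should_quarantine(p, DATASETS) else "active")
```

Both rules find the same two true positives, but the naive one also fires on constant commands and on an unrelated `shell = True` assignment, ending at 2 TP / 5 FP (precision 2/7, about 29%) and getting quarantined; it also fails the required true-negative test before the corpus run even starts. The scoped rule keeps precision at 100% here at the cost of missing string concatenation and other non-f-string constructions, which shows up as recall rather than precision and so does not trigger quarantine.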
Reporting False Positives
If VORO flags something that isn't a real vulnerability, open an issue on the voro-scan repository with:
- The finding's pattern ID
- The flagged code snippet
- Why it's a false positive
False positive reports directly improve VORO's precision measurements and may result in pattern quarantine or refinement.
License
voro-scan is released under the MIT license. Use it in commercial projects, modify it, redistribute it; the only obligation is to keep the copyright and license notice with the code.