Quick Start
Get your first security scan running in under 5 minutes.
Prerequisites
- Python 3.10+
- pip
- A codebase to scan (Solidity, Python, JavaScript, Go, Rust, Move, Vyper, or any of 16 supported languages)
Install
```bash
pip install agent-builder
```
This installs the agent-builder CLI, which is VORO's scanner component (voro-scan).
Run Your First Scan
Point the scanner at any repository or directory:
```bash
agent-builder audit /path/to/your/project
```
The scanner will:
- Detect the languages in your project
- Run relevant pattern matchers (745 built-in patterns)
- Invoke available external scanners (Slither for Solidity, Bandit for Python, etc.)
- Output a structured JSON audit report
Example: Scan a Solidity Project
```bash
# Clone a sample project
git clone https://github.com/OpenZeppelin/openzeppelin-contracts.git
cd openzeppelin-contracts

# Run the audit
agent-builder audit .
```
Example: Scan a Python Project
```bash
agent-builder audit /path/to/python/project
```
The scanner automatically detects Python files and runs both built-in patterns and external scanners like Bandit and pip-audit (if installed).
Output
The audit produces a JSON report at ~/.agent-builder/audit/audit-{id}.json containing:
```json
{
  "findings": [
    {
      "file": "contracts/Token.sol",
      "line": 42,
      "pattern_id": "reentrancy-eth",
      "severity": "high",
      "category": "fund_safety",
      "description": "External call followed by state change",
      "source": "slither"
    }
  ],
  "metadata": {
    "languages_detected": ["solidity"],
    "scanners_used": ["regex", "slither"],
    "patterns_checked": 745,
    "scan_duration_seconds": 12.3
  }
}
```
Add Bayesian Scoring (Optional)
To get risk grades and exploitability scores, pass the audit report to voro-brain (substitute your report's ID for `{id}`):

```bash
pip install voro-brain
voro-brain score ~/.agent-builder/audit/audit-{id}.json
```
This produces a threat report with:
- A-F safety grade per file and per project
- 6-dimension risk breakdown: fund safety, access control, external risk, code integrity, dependency health, agent autonomy
- Exploitability assessment with call graph reachability analysis
External Scanners
voro-scan integrates with 14 external tools. Install the ones relevant to your stack:
| Scanner | Language | Install |
|---|---|---|
| Slither | Solidity | pip install slither-analyzer |
| Opengrep | Multi-language | See opengrep.dev |
| Bandit | Python | pip install bandit |
| pip-audit | Python | pip install pip-audit |
| npm-audit | JavaScript | Built into npm |
| osv-scanner | Multi-language | See osv.dev |
| trivy | Multi-language | See trivy.dev |
If an external scanner is not installed, voro-scan skips it and continues with built-in patterns. No configuration required.
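
A CI gate over the report format shown under Output, as an added example (not part of agent-builder or VORO). Because an uninstalled external scanner is skipped without stopping the scan, it also compares `metadata.scanners_used` with the scanners the table lists for each detected language, so a report with no findings from a run that never invoked Slither is not read as a clean audit. The severity scale beyond "high", the lowercase scanner identifiers other than "regex" and "slither", the language key "python", and the name `evaluate_report` are assumptions.

```python
import json

# Assumed severity scale; the page's sample report only shows "high".
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Scanner per language, taken from the External Scanners table. The lowercase
# identifiers are assumed to match what the report puts in "scanners_used".
EXPECTED_SCANNERS = {
    "solidity": {"slither"},
    "python": {"bandit", "pip-audit"},
}

def evaluate_report(report, fail_at="high"):
    """Return (blocking_findings, missing_scanners) for one audit report."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in report.get("findings", []):
        # Unknown severity labels are treated as blocking rather than ignored.
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower())
        if rank is None or rank >= threshold:
            blocking.append(f)
    meta = report.get("metadata", {})
    used = set(meta.get("scanners_used", []))
    missing = {}
    for lang in meta.get("languages_detected", []):
        absent = EXPECTED_SCANNERS.get(lang, set()) - used
        if absent:
            missing[lang] = sorted(absent)
    return blocking, missing

# Constructed sample: the page's report shape, from a run without Slither.
SAMPLE = json.loads("""
{
  "findings": [
    {"file": "contracts/Token.sol", "line": 42, "pattern_id": "example-pattern",
     "severity": "low", "category": "fund_safety",
     "description": "constructed finding", "source": "regex"}
  ],
  "metadata": {"languages_detected": ["solidity"], "scanners_used": ["regex"],
               "patterns_checked": 745, "scan_duration_seconds": 1.0}
}
""")

if __name__ == "__main__":
    blocking, missing = evaluate_report(SAMPLE)
    for f in blocking:
        print(f"BLOCK {f['file']}:{f['line']} {f['pattern_id']} ({f['severity']})")
    for lang, tools in missing.items():
        print(f"COVERAGE GAP {lang}: not run: {', '.join(tools)}")
    raise SystemExit(1 if blocking or missing else 0)
```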
Next Steps
- How It Works — understand the three-layer detection pipeline
- Open Source — what's included in the free tier
- API Reference — programmatic access (coming soon)