CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-02-12 20:32:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
58 Commits 18 Branches 2 Tags
3f133374d5114af9f2b2665daf4d79a9bc273a24
Commit Graph

58 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
tduhamel42
3f133374d5 docs: Add development status warning for fuzzing workflows 
- Added note that fuzzing workflows are in early development
- Fixed Fuzzer Integration feature to list actual workflows only
- Clarified OSS-Fuzz integration is under heavy development
- Listed stable workflows for production use
 2025-10-16 14:00:32 +02:00
tduhamel42
32b45f24cb ci: Disable automatic benchmark runs 
Benchmarks are not ready for CI/CD yet. Disabled automatic triggers:
- Removed schedule (nightly) trigger
- Removed pull_request trigger

Kept workflow_dispatch for manual testing when benchmarks are ready.

This prevents benchmark failures from blocking PR merges and releases.
 2025-10-16 13:50:10 +02:00
tduhamel42
11b3e6db6a fix: Resolve CI failures for v0.7.0 release 
Fix lint errors:
- Remove unused Optional import from gitleaks workflow
- Remove unused logging import from trufflehog activities

Fix documentation broken links:
- Update workspace-isolation links to use /docs/ prefix in resource-management.md
- Update workspace-isolation links to use /docs/ prefix in create-workflow.md

Fix benchmark dependency:
- Add fuzzforge-sdk installation to benchmark workflow
- SDK is required for bench_comparison.py import

All CI checks should now pass.
 2025-10-16 12:55:20 +02:00
tduhamel42
28ad4468de Merge branch 'master' into dev for v0.7.0 release 
Resolved conflicts:
- Kept monitor.py (dev version - required for live monitoring)
- Kept workflow_exec.py (dev version - includes worker management, --live, --fail-on, --export-sarif)
- Kept main.py (dev version - includes new command structure)

All conflicts resolved in favor of dev branch features for 0.7.0 release.
 2025-10-16 12:32:25 +02:00
tduhamel42
746699e7c0 chore: Bump version to 0.7.0 
Version updates:
- README.md badge: 0.6.0 → 0.7.0
- cli/pyproject.toml: 0.6.0 → 0.7.0
- backend/pyproject.toml: 0.6.0 → 0.7.0
- sdk/pyproject.toml: 0.6.0 → 0.7.0
- ai/pyproject.toml: 0.6.0 → 0.7.0

Add CHANGELOG.md with comprehensive release notes for 0.7.0:
- Secret detection workflows (gitleaks, trufflehog, llm_secret_detection)
- AI module and agent integration
- Temporal migration completion
- CI/CD integration
- Documentation updates
- Bug fixes and improvements

Update llm_analysis default model to gpt-5-mini
 2025-10-16 12:23:56 +02:00
tduhamel42
8063f03d87 docs: Update README and fix worker startup instructions 
README updates:
- Update docker compose command (now main docker-compose.yml)
- Remove obsolete insecure registries section (MinIO replaces local registry)
- Add .env configuration section for AI agent API keys

Worker management fixes:
- Add worker_service field to API response (backend)
- Fix CLI help message to use correct service name with 'docker compose up -d'
- Use modern 'docker compose' syntax instead of deprecated 'docker-compose'

This ensures users get correct instructions when workers aren't running.
 2025-10-16 12:12:49 +02:00
tduhamel42
6db40f6689 feat: Reactivate AI agent command 
Restore the AI agent command functionality after maintenance period.
Users can now run 'fuzzforge ai agent' to launch the full AI agent CLI
with A2A orchestration.
 2025-10-16 11:48:57 +02:00
tduhamel42
3be4d34531 test: Add secret detection benchmark dataset and ground truth 
Add comprehensive benchmark dataset with 32 documented secrets for testing
secret detection workflows (gitleaks, trufflehog, llm_secret_detection).

- Add test_projects/secret_detection_benchmark/ with 19 test files
- Add ground truth JSON with precise line-by-line secret mappings
- Update .gitignore with exceptions for benchmark files (not real secrets)

Dataset breakdown:
- 12 Easy secrets (standard patterns)
- 10 Medium secrets (obfuscated)
- 10 Hard secrets (well hidden)
 2025-10-16 11:46:28 +02:00
tduhamel42
87e3262832 docs: Remove obsolete volume_mode references from documentation 
The volume_mode parameter is no longer used since workflows now upload files to MinIO storage instead of mounting volumes directly. This commit removes all references to volume_mode from:

- Backend API documentation (README.md)
- Tutorial getting started guide
- MCP integration guide
- CLI AI reference documentation
- SDK documentation and examples
- Test project documentation

All curl examples and code samples have been updated to reflect the current MinIO-based file upload approach.
 2025-10-16 11:36:53 +02:00
tduhamel42
2da986ebb0 feat: Add secret detection workflows and comprehensive benchmarking (#15) 
Add three production-ready secret detection workflows with full benchmarking infrastructure:

**New Workflows:**
- gitleaks_detection: Pattern-based secret scanning (13/32 benchmark secrets)
- trufflehog_detection: Entropy-based detection with verification (1/32 benchmark secrets)
- llm_secret_detection: AI-powered semantic analysis (32/32 benchmark secrets - 100% recall)

**Benchmarking Infrastructure:**
- Ground truth dataset with 32 documented secrets (12 Easy, 10 Medium, 10 Hard)
- Automated comparison tools for precision/recall testing
- SARIF output format for all workflows
- Performance metrics and tool comparison reports

**Fixes:**
- Set gitleaks default to no_git=True for uploaded directories
- Update documentation with correct secret counts and workflow names
- Temporarily deactivate AI agent command
- Clean up deprecated test files and GitGuardian workflow

**Testing:**
All workflows verified on secret_detection_benchmark and vulnerable_app test projects.
Workers healthy and system fully functional.
 2025-10-16 11:21:24 +02:00
Songbird
c3ce03e216 fix: Add missing cognify_text method to CogneeProjectIntegration 
Resolves AttributeError when agent_executor calls cognify_text().
The method adds text to a dataset and cognifies it into a knowledge graph.
 2025-10-15 13:22:37 +02:00
tduhamel42
4d30b08476 feat: Add LLM analysis workflow and ruff linter fixes 
LLM Analysis Workflow:
- Add llm_analyzer module for AI-powered code security analysis
- Add llm_analysis workflow with SARIF output support
- Mount AI module in Python worker for A2A wrapper access
- Add a2a-sdk dependency to Python worker requirements
- Fix workflow parameter ordering in Temporal manager

Ruff Linter Fixes:
- Fix bare except clauses (E722) across AI and CLI modules
- Add noqa comments for intentional late imports (E402)
- Replace undefined get_ai_status_async with TODO placeholder
- Remove unused imports and variables
- Remove container diagnostics display from exception handler

MCP Configuration:
- Reactivate FUZZFORGE_MCP_URL with default value
- Set default MCP URL to http://localhost:8010/mcp in init
 2025-10-14 16:43:14 +02:00
tduhamel42
dabbcf3718 Merge feature/ai_module into dev 
Add AI module with A2A wrapper and task agent
 2025-10-14 15:03:15 +02:00
tduhamel42
40d48a8045 feat: Complete Temporal migration cleanup and fixes 
- Remove obsolete docker_logs.py module and container diagnostics from SDK
- Fix security_assessment workflow metadata (vertical: rust -> python)
- Remove all Prefect references from documentation
- Add SDK exception handling test suite
- Clean up old test artifacts
 2025-10-14 15:02:52 +02:00
Songbird
018ec40432 Update task_agent README to use task_agent instead of agent_with_adk_format 2025-10-14 14:33:36 +02:00
Songbird
4b2456670b Add volumes/env/.env to gitignore 2025-10-14 14:29:06 +02:00
Songbird
5da16f358b Fix a2a_wrapper imports and add clean usage example 
- Remove top-level imports from fuzzforge_ai/__init__.py to avoid dependency issues
- Fix config_bridge.py exception handling (remove undefined exc variable)
- Add examples/test_a2a_simple.py demonstrating clean a2a_wrapper usage
- Update package to use explicit imports: from fuzzforge_ai.a2a_wrapper import send_agent_task

All functionality preserved, imports are now explicit and modular.
 2025-10-14 14:27:25 +02:00
Songbird
baace0eac4 Add AI module with A2A wrapper and task agent 
- Disable FuzzForge MCP connection (no Prefect backend)
- Add a2a_wrapper module for programmatic A2A agent tasks
- Add task_agent (LiteLLM A2A agent) on port 10900
- Create volumes/env/ for centralized Docker config
- Update docker-compose.yml with task-agent service
- Remove workflow_automation_skill from agent card
 2025-10-14 13:05:35 +02:00
tduhamel42
60ca088ecf CI/CD Integration with Ephemeral Deployment Model (#14) 
* feat: Complete migration from Prefect to Temporal

BREAKING CHANGE: Replaces Prefect workflow orchestration with Temporal

## Major Changes
- Replace Prefect with Temporal for workflow orchestration
- Implement vertical worker architecture (rust, android)
- Replace Docker registry with MinIO for unified storage
- Refactor activities to be co-located with workflows
- Update all API endpoints for Temporal compatibility

## Infrastructure
- New: docker-compose.temporal.yaml (Temporal + MinIO + workers)
- New: workers/ directory with rust and android vertical workers
- New: backend/src/temporal/ (manager, discovery)
- New: backend/src/storage/ (S3-cached storage with MinIO)
- New: backend/toolbox/common/ (shared storage activities)
- Deleted: docker-compose.yaml (old Prefect setup)
- Deleted: backend/src/core/prefect_manager.py
- Deleted: backend/src/services/prefect_stats_monitor.py
- Deleted: Docker registry and insecure-registries requirement

## Workflows
- Migrated: security_assessment workflow to Temporal
- New: rust_test workflow (example/test workflow)
- Deleted: secret_detection_scan (Prefect-based, to be reimplemented)
- Activities now co-located with workflows for independent testing

## API Changes
- Updated: backend/src/api/workflows.py (Temporal submission)
- Updated: backend/src/api/runs.py (Temporal status/results)
- Updated: backend/src/main.py (727 lines, TemporalManager integration)
- Updated: All 16 MCP tools to use TemporalManager

## Testing
-  All services healthy (Temporal, PostgreSQL, MinIO, workers, backend)
-  All API endpoints functional
-  End-to-end workflow test passed (72 findings from vulnerable_app)
-  MinIO storage integration working (target upload/download, results)
-  Worker activity discovery working (6 activities registered)
-  Tarball extraction working
-  SARIF report generation working

## Documentation
- ARCHITECTURE.md: Complete Temporal architecture documentation
- QUICKSTART_TEMPORAL.md: Getting started guide
- MIGRATION_DECISION.md: Why we chose Temporal over Prefect
- IMPLEMENTATION_STATUS.md: Migration progress tracking
- workers/README.md: Worker development guide

## Dependencies
- Added: temporalio>=1.6.0
- Added: boto3>=1.34.0 (MinIO S3 client)
- Removed: prefect>=3.4.18

* feat: Add Python fuzzing vertical with Atheris integration

This commit implements a complete Python fuzzing workflow using Atheris:

## Python Worker (workers/python/)
- Dockerfile with Python 3.11, Atheris, and build tools
- Generic worker.py for dynamic workflow discovery
- requirements.txt with temporalio, boto3, atheris dependencies
- Added to docker-compose.temporal.yaml with dedicated cache volume

## AtherisFuzzer Module (backend/toolbox/modules/fuzzer/)
- Reusable module extending BaseModule
- Auto-discovers fuzz targets (fuzz_*.py, *_fuzz.py, fuzz_target.py)
- Recursive search to find targets in nested directories
- Dynamically loads TestOneInput() function
- Configurable max_iterations and timeout
- Real-time stats callback support for live monitoring
- Returns findings as ModuleFinding objects

## Atheris Fuzzing Workflow (backend/toolbox/workflows/atheris_fuzzing/)
- Temporal workflow for orchestrating fuzzing
- Downloads user code from MinIO
- Executes AtherisFuzzer module
- Uploads results to MinIO
- Cleans up cache after execution
- metadata.yaml with vertical: python for routing

## Test Project (test_projects/python_fuzz_waterfall/)
- Demonstrates stateful waterfall vulnerability
- main.py with check_secret() that leaks progress
- fuzz_target.py with Atheris TestOneInput() harness
- Complete README with usage instructions

## Backend Fixes
- Fixed parameter merging in REST API endpoints (workflows.py)
- Changed workflow parameter passing from positional args to kwargs (manager.py)
- Default parameters now properly merged with user parameters

## Testing
 Worker discovered AtherisFuzzingWorkflow
 Workflow executed end-to-end successfully
 Fuzz target auto-discovered in nested directories
 Atheris ran 100,000 iterations
 Results uploaded and cache cleaned

* chore: Complete Temporal migration with updated CLI/SDK/docs

This commit includes all remaining Temporal migration changes:

## CLI Updates (cli/)
- Updated workflow execution commands for Temporal
- Enhanced error handling and exceptions
- Updated dependencies in uv.lock

## SDK Updates (sdk/)
- Client methods updated for Temporal workflows
- Updated models for new workflow execution
- Updated dependencies in uv.lock

## Documentation Updates (docs/)
- Architecture documentation for Temporal
- Workflow concept documentation
- Resource management documentation (new)
- Debugging guide (new)
- Updated tutorials and how-to guides
- Troubleshooting updates

## README Updates
- Main README with Temporal instructions
- Backend README
- CLI README
- SDK README

## Other
- Updated IMPLEMENTATION_STATUS.md
- Removed old vulnerable_app.tar.gz

These changes complete the Temporal migration and ensure the
CLI/SDK work correctly with the new backend.

* fix: Use positional args instead of kwargs for Temporal workflows

The Temporal Python SDK's start_workflow() method doesn't accept
a 'kwargs' parameter. Workflows must receive parameters as positional
arguments via the 'args' parameter.

Changed from:
  args=workflow_args  # Positional arguments

This fixes the error:
  TypeError: Client.start_workflow() got an unexpected keyword argument 'kwargs'

Workflows now correctly receive parameters in order:
- security_assessment: [target_id, scanner_config, analyzer_config, reporter_config]
- atheris_fuzzing: [target_id, target_file, max_iterations, timeout_seconds]
- rust_test: [target_id, test_message]

* fix: Filter metadata-only parameters from workflow arguments

SecurityAssessmentWorkflow was receiving 7 arguments instead of 2-5.
The issue was that target_path and volume_mode from default_parameters
were being passed to the workflow, when they should only be used by
the system for configuration.

Now filters out metadata-only parameters (target_path, volume_mode)
before passing arguments to workflow execution.

* refactor: Remove Prefect leftovers and volume mounting legacy

Complete cleanup of Prefect migration artifacts:

Backend:
- Delete registry.py and workflow_discovery.py (Prefect-specific files)
- Remove Docker validation from setup.py (no longer needed)
- Remove ResourceLimits and VolumeMount models
- Remove target_path and volume_mode from WorkflowSubmission
- Remove supported_volume_modes from API and discovery
- Clean up metadata.yaml files (remove volume/path fields)
- Simplify parameter filtering in manager.py

SDK:
- Remove volume_mode parameter from client methods
- Remove ResourceLimits and VolumeMount models
- Remove Prefect error patterns from docker_logs.py
- Clean up WorkflowSubmission and WorkflowMetadata models

CLI:
- Remove Volume Modes display from workflow info

All removed features are Prefect-specific or Docker volume mounting
artifacts. Temporal workflows use MinIO storage exclusively.

* feat: Add comprehensive test suite and benchmark infrastructure

- Add 68 unit tests for fuzzer, scanner, and analyzer modules
- Implement pytest-based test infrastructure with fixtures
- Add 6 performance benchmarks with category-specific thresholds
- Configure GitHub Actions for automated testing and benchmarking
- Add test and benchmark documentation

Test coverage:
- AtherisFuzzer: 8 tests
- CargoFuzzer: 14 tests
- FileScanner: 22 tests
- SecurityAnalyzer: 24 tests

All tests passing (68/68)
All benchmarks passing (6/6)

* fix: Resolve all ruff linting violations across codebase

Fixed 27 ruff violations in 12 files:
- Removed unused imports (Depends, Dict, Any, Optional, etc.)
- Fixed undefined workflow_info variable in workflows.py
- Removed dead code with undefined variables in atheris_fuzzer.py
- Changed f-string to regular string where no placeholders used

All files now pass ruff checks for CI/CD compliance.

* fix: Configure CI for unit tests only

- Renamed docker-compose.temporal.yaml → docker-compose.yml for CI compatibility
- Commented out integration-tests job (no integration tests yet)
- Updated test-summary to only depend on lint and unit-tests

CI will now run successfully with 68 unit tests. Integration tests can be added later.

* feat: Add CI/CD integration with ephemeral deployment model

Implements comprehensive CI/CD support for FuzzForge with on-demand worker management:

**Worker Management (v0.7.0)**
- Add WorkerManager for automatic worker lifecycle control
- Auto-start workers from stopped state when workflows execute
- Auto-stop workers after workflow completion
- Health checks and startup timeout handling (90s default)

**CI/CD Features**
- `--fail-on` flag: Fail builds based on SARIF severity levels (error/warning/note/info)
- `--export-sarif` flag: Export findings in SARIF 2.1.0 format
- `--auto-start`/`--auto-stop` flags: Control worker lifecycle
- Exit code propagation: Returns 1 on blocking findings, 0 on success

**Exit Code Fix**
- Add `except typer.Exit: raise` handlers at 3 critical locations
- Move worker cleanup to finally block for guaranteed execution
- Exit codes now propagate correctly even when build fails

**CI Scripts & Examples**
- ci-start.sh: Start FuzzForge services with health checks
- ci-stop.sh: Clean shutdown with volume preservation option
- GitHub Actions workflow example (security-scan.yml)
- GitLab CI pipeline example (.gitlab-ci.example.yml)
- docker-compose.ci.yml: CI-optimized compose file with profiles

**OSS-Fuzz Integration**
- New ossfuzz_campaign workflow for running OSS-Fuzz projects
- OSS-Fuzz worker with Docker-in-Docker support
- Configurable campaign duration and project selection

**Documentation**
- Comprehensive CI/CD integration guide (docs/how-to/cicd-integration.md)
- Updated architecture docs with worker lifecycle details
- Updated workspace isolation documentation
- CLI README with worker management examples

**SDK Enhancements**
- Add get_workflow_worker_info() endpoint
- Worker vertical metadata in workflow responses

**Testing**
- All workflows tested: security_assessment, atheris_fuzzing, secret_detection, cargo_fuzzing
- All monitoring commands tested: stats, crashes, status, finding
- Full CI pipeline simulation verified
- Exit codes verified for success/failure scenarios

Ephemeral CI/CD model: ~3-4GB RAM, ~60-90s startup, runs entirely in CI containers.

* fix: Resolve ruff linting violations in CI/CD code

- Remove unused variables (run_id, defaults, result)
- Remove unused imports
- Fix f-string without placeholders

All CI/CD integration files now pass ruff checks.
 2025-10-14 10:13:45 +02:00
abel
4ad44332ee docs: updated discord invite link 2025-10-06 11:59:28 +02:00
tduhamel42
09821c1c43 Merge pull request #12 from FuzzingLabs/ci/create-base-python-ci 
ci: created base python ci
 2025-10-03 11:22:48 +02:00
tduhamel42
6f24c88907 Merge pull request #13 from FuzzingLabs/fix/config-command-routing 
fix: register config as command group instead of custom function
 2025-10-03 11:17:33 +02:00
Tanguy Duhamel
1ba80c466b fix: register config as command group instead of custom function 
The config command was implemented as a custom function that manually
routed to subcommands, which caused 'ff config show' to fail. It
treated 'show' as a configuration key argument instead of a subcommand.

Now properly registered as a Typer command group, enabling all config
subcommands (show, set, get, reset, edit) to work correctly.
 2025-10-03 11:13:34 +02:00
abel
c9f8926bc3 ci: run in any situation on docs folder changes 2025-10-02 17:22:15 +02:00
abel
d2e0b61b67 fix: run only when changes to docs folder 2025-10-02 17:21:14 +02:00
abel
92b338f9ed ci: created base python ci 2025-10-02 17:17:52 +02:00
tduhamel42
c2de6eae7d Merge pull request #10 from FuzzingLabs/refactor/remove-monitor-command 
refactor: removed monitor command and --live parameter
 2025-10-02 16:17:33 +02:00
tduhamel42
60b69667e7 Merge branch 'master' into refactor/remove-monitor-command 2025-10-02 16:12:01 +02:00
tduhamel42
28b0712f2f Merge pull request #11 from FuzzingLabs/fix/remove-erroneous-cli-example 
fix: removed erroneous example
 2025-10-02 16:08:23 +02:00
abel
a53d6c9ae5 fix: removed erroneous example 2025-10-02 16:01:54 +02:00
abel
928a5f5f77 refactor: removed monitor command and --live parameter 2025-10-02 15:49:18 +02:00
Tanguy Duhamel
987c49569c Merge branch 'master' of github.com:FuzzingLabs/fuzzforge_ai 2025-10-01 10:16:43 +02:00
Tanguy Duhamel
dd0a80252d Update readme with insecure registries 2025-10-01 10:16:33 +02:00
Patrick Ventuzelo
a25c5e191c Merge pull request #7 from MegaRedHand/fix/wrong-repo-in-readme 
docs(readme): fix repo name in `git clone` command
 2025-10-01 00:25:51 +02:00
Tomás Grüner
ad4c837866 docs(readme): fix repo name in git clone command 2025-09-30 19:04:59 -03:00
abel
5dd470f6e0 fix: update documentation links to new domain 2025-09-30 16:06:09 +02:00
Tanguy Duhamel
b1e13ec5d1 Add missing modules and workflow 2025-09-30 15:36:23 +02:00
Tanguy Duhamel
7382ea6e20 Merge branch 'master' of github.com:FuzzingLabs/fuzzforge_ai 2025-09-30 15:19:16 +02:00
Tanguy Duhamel
6c1cbf92bb Fix deployment issues 2025-09-30 15:18:53 +02:00
abel
cdb53c6967 ci: change trigger branch from 'main' to 'master' 2025-09-30 14:27:58 +02:00
abel
c36b1e9559 ci: change deployment branch from 'main' to 'master' 2025-09-30 14:27:41 +02:00
abel
0a91d32451 fix: update path for upload build artifact 2025-09-30 14:17:53 +02:00
abel
4e889d52aa ci: add workflow_dispatch to action 2025-09-30 14:11:38 +02:00
Patrick Ventuzelo
f3c9964856 Update README.md 
add roadmap link
 2025-09-30 13:55:20 +02:00
Patrick Ventuzelo
ec11c11f0e Update README.md 
remove logo website
 2025-09-30 13:52:24 +02:00
tduhamel42
1dde5f54b7 Update README.md 2025-09-30 13:51:23 +02:00
Patrick Ventuzelo
d00ac7574c Update README.md 
fix github star button
 2025-09-30 13:50:05 +02:00
tduhamel42
4ea38570fd Update README.md 2025-09-30 13:45:47 +02:00
Patrick Ventuzelo
4b5326395e Update README.md 2025-09-30 13:39:33 +02:00
Patrick Ventuzelo
44dfafd8c3 Update README.md 
add new banner github
 2025-09-30 13:38:23 +02:00