CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-02-13 05:52:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
55 Commits 18 Branches 2 Tags
a84e4c03f16dc63df9cdc751b8e1e7cb0fa287ea
Commit Graph

55 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
tduhamel42
a84e4c03f1 Merge branch 'master' into dev for v0.7.0 release 
Resolved conflicts:
- Kept monitor.py (dev version - required for live monitoring)
- Kept workflow_exec.py (dev version - includes worker management, --live, --fail-on, --export-sarif)
- Kept main.py (dev version - includes new command structure)

All conflicts resolved in favor of dev branch features for 0.7.0 release.
 2025-10-16 12:32:25 +02:00
tduhamel42
3637f0d932 chore: Bump version to 0.7.0 
Version updates:
- README.md badge: 0.6.0 → 0.7.0
- cli/pyproject.toml: 0.6.0 → 0.7.0
- backend/pyproject.toml: 0.6.0 → 0.7.0
- sdk/pyproject.toml: 0.6.0 → 0.7.0
- ai/pyproject.toml: 0.6.0 → 0.7.0

Add CHANGELOG.md with comprehensive release notes for 0.7.0:
- Secret detection workflows (gitleaks, trufflehog, llm_secret_detection)
- AI module and agent integration
- Temporal migration completion
- CI/CD integration
- Documentation updates
- Bug fixes and improvements

Update llm_analysis default model to gpt-5-mini
 2025-10-16 12:23:56 +02:00
tduhamel42
19cb0a4d02 docs: Update README and fix worker startup instructions 
README updates:
- Update docker compose command (now main docker-compose.yml)
- Remove obsolete insecure registries section (MinIO replaces local registry)
- Add .env configuration section for AI agent API keys

Worker management fixes:
- Add worker_service field to API response (backend)
- Fix CLI help message to use correct service name with 'docker compose up -d'
- Use modern 'docker compose' syntax instead of deprecated 'docker-compose'

This ensures users get correct instructions when workers aren't running.
 2025-10-16 12:12:49 +02:00
tduhamel42
7def4964a6 feat: Reactivate AI agent command 
Restore the AI agent command functionality after maintenance period.
Users can now run 'fuzzforge ai agent' to launch the full AI agent CLI
with A2A orchestration.
 2025-10-16 11:48:57 +02:00
tduhamel42
fde6c86278 test: Add secret detection benchmark dataset and ground truth 
Add comprehensive benchmark dataset with 32 documented secrets for testing
secret detection workflows (gitleaks, trufflehog, llm_secret_detection).

- Add test_projects/secret_detection_benchmark/ with 19 test files
- Add ground truth JSON with precise line-by-line secret mappings
- Update .gitignore with exceptions for benchmark files (not real secrets)

Dataset breakdown:
- 12 Easy secrets (standard patterns)
- 10 Medium secrets (obfuscated)
- 10 Hard secrets (well hidden)
 2025-10-16 11:46:28 +02:00
tduhamel42
ca4cd1ee22 docs: Remove obsolete volume_mode references from documentation 
The volume_mode parameter is no longer used since workflows now upload files to MinIO storage instead of mounting volumes directly. This commit removes all references to volume_mode from:

- Backend API documentation (README.md)
- Tutorial getting started guide
- MCP integration guide
- CLI AI reference documentation
- SDK documentation and examples
- Test project documentation

All curl examples and code samples have been updated to reflect the current MinIO-based file upload approach.
 2025-10-16 11:36:53 +02:00
tduhamel42
0dd13a84c2 feat: Add secret detection workflows and comprehensive benchmarking (#15) 
Add three production-ready secret detection workflows with full benchmarking infrastructure:

**New Workflows:**
- gitleaks_detection: Pattern-based secret scanning (13/32 benchmark secrets)
- trufflehog_detection: Entropy-based detection with verification (1/32 benchmark secrets)
- llm_secret_detection: AI-powered semantic analysis (32/32 benchmark secrets - 100% recall)

**Benchmarking Infrastructure:**
- Ground truth dataset with 32 documented secrets (12 Easy, 10 Medium, 10 Hard)
- Automated comparison tools for precision/recall testing
- SARIF output format for all workflows
- Performance metrics and tool comparison reports

**Fixes:**
- Set gitleaks default to no_git=True for uploaded directories
- Update documentation with correct secret counts and workflow names
- Temporarily deactivate AI agent command
- Clean up deprecated test files and GitGuardian workflow

**Testing:**
All workflows verified on secret_detection_benchmark and vulnerable_app test projects.
Workers healthy and system fully functional.
 2025-10-16 11:21:24 +02:00
Songbird
a035a6e269 fix: Add missing cognify_text method to CogneeProjectIntegration 
Resolves AttributeError when agent_executor calls cognify_text().
The method adds text to a dataset and cognifies it into a knowledge graph.
 2025-10-15 13:22:37 +02:00
tduhamel42
ff00146f20 feat: Add LLM analysis workflow and ruff linter fixes 
LLM Analysis Workflow:
- Add llm_analyzer module for AI-powered code security analysis
- Add llm_analysis workflow with SARIF output support
- Mount AI module in Python worker for A2A wrapper access
- Add a2a-sdk dependency to Python worker requirements
- Fix workflow parameter ordering in Temporal manager

Ruff Linter Fixes:
- Fix bare except clauses (E722) across AI and CLI modules
- Add noqa comments for intentional late imports (E402)
- Replace undefined get_ai_status_async with TODO placeholder
- Remove unused imports and variables
- Remove container diagnostics display from exception handler

MCP Configuration:
- Reactivate FUZZFORGE_MCP_URL with default value
- Set default MCP URL to http://localhost:8010/mcp in init
 2025-10-14 16:43:14 +02:00
tduhamel42
71fbe879df Merge feature/ai_module into dev 
Add AI module with A2A wrapper and task agent
 2025-10-14 15:03:15 +02:00
tduhamel42
7a260bd3ee feat: Complete Temporal migration cleanup and fixes 
- Remove obsolete docker_logs.py module and container diagnostics from SDK
- Fix security_assessment workflow metadata (vertical: rust -> python)
- Remove all Prefect references from documentation
- Add SDK exception handling test suite
- Clean up old test artifacts
 2025-10-14 15:02:52 +02:00
Songbird
4e57f13096 Update task_agent README to use task_agent instead of agent_with_adk_format 2025-10-14 14:33:36 +02:00
Songbird
0ef2ed7aaf Add volumes/env/.env to gitignore 2025-10-14 14:29:06 +02:00
Songbird
55120d2924 Fix a2a_wrapper imports and add clean usage example 
- Remove top-level imports from fuzzforge_ai/__init__.py to avoid dependency issues
- Fix config_bridge.py exception handling (remove undefined exc variable)
- Add examples/test_a2a_simple.py demonstrating clean a2a_wrapper usage
- Update package to use explicit imports: from fuzzforge_ai.a2a_wrapper import send_agent_task

All functionality preserved, imports are now explicit and modular.
 2025-10-14 14:27:25 +02:00
Songbird
11f294abdb Add AI module with A2A wrapper and task agent 
- Disable FuzzForge MCP connection (no Prefect backend)
- Add a2a_wrapper module for programmatic A2A agent tasks
- Add task_agent (LiteLLM A2A agent) on port 10900
- Create volumes/env/ for centralized Docker config
- Update docker-compose.yml with task-agent service
- Remove workflow_automation_skill from agent card
 2025-10-14 13:05:35 +02:00
tduhamel42
ec812461d6 CI/CD Integration with Ephemeral Deployment Model (#14) 
* feat: Complete migration from Prefect to Temporal

BREAKING CHANGE: Replaces Prefect workflow orchestration with Temporal

## Major Changes
- Replace Prefect with Temporal for workflow orchestration
- Implement vertical worker architecture (rust, android)
- Replace Docker registry with MinIO for unified storage
- Refactor activities to be co-located with workflows
- Update all API endpoints for Temporal compatibility

## Infrastructure
- New: docker-compose.temporal.yaml (Temporal + MinIO + workers)
- New: workers/ directory with rust and android vertical workers
- New: backend/src/temporal/ (manager, discovery)
- New: backend/src/storage/ (S3-cached storage with MinIO)
- New: backend/toolbox/common/ (shared storage activities)
- Deleted: docker-compose.yaml (old Prefect setup)
- Deleted: backend/src/core/prefect_manager.py
- Deleted: backend/src/services/prefect_stats_monitor.py
- Deleted: Docker registry and insecure-registries requirement

## Workflows
- Migrated: security_assessment workflow to Temporal
- New: rust_test workflow (example/test workflow)
- Deleted: secret_detection_scan (Prefect-based, to be reimplemented)
- Activities now co-located with workflows for independent testing

## API Changes
- Updated: backend/src/api/workflows.py (Temporal submission)
- Updated: backend/src/api/runs.py (Temporal status/results)
- Updated: backend/src/main.py (727 lines, TemporalManager integration)
- Updated: All 16 MCP tools to use TemporalManager

## Testing
-  All services healthy (Temporal, PostgreSQL, MinIO, workers, backend)
-  All API endpoints functional
-  End-to-end workflow test passed (72 findings from vulnerable_app)
-  MinIO storage integration working (target upload/download, results)
-  Worker activity discovery working (6 activities registered)
-  Tarball extraction working
-  SARIF report generation working

## Documentation
- ARCHITECTURE.md: Complete Temporal architecture documentation
- QUICKSTART_TEMPORAL.md: Getting started guide
- MIGRATION_DECISION.md: Why we chose Temporal over Prefect
- IMPLEMENTATION_STATUS.md: Migration progress tracking
- workers/README.md: Worker development guide

## Dependencies
- Added: temporalio>=1.6.0
- Added: boto3>=1.34.0 (MinIO S3 client)
- Removed: prefect>=3.4.18

* feat: Add Python fuzzing vertical with Atheris integration

This commit implements a complete Python fuzzing workflow using Atheris:

## Python Worker (workers/python/)
- Dockerfile with Python 3.11, Atheris, and build tools
- Generic worker.py for dynamic workflow discovery
- requirements.txt with temporalio, boto3, atheris dependencies
- Added to docker-compose.temporal.yaml with dedicated cache volume

## AtherisFuzzer Module (backend/toolbox/modules/fuzzer/)
- Reusable module extending BaseModule
- Auto-discovers fuzz targets (fuzz_*.py, *_fuzz.py, fuzz_target.py)
- Recursive search to find targets in nested directories
- Dynamically loads TestOneInput() function
- Configurable max_iterations and timeout
- Real-time stats callback support for live monitoring
- Returns findings as ModuleFinding objects

## Atheris Fuzzing Workflow (backend/toolbox/workflows/atheris_fuzzing/)
- Temporal workflow for orchestrating fuzzing
- Downloads user code from MinIO
- Executes AtherisFuzzer module
- Uploads results to MinIO
- Cleans up cache after execution
- metadata.yaml with vertical: python for routing

## Test Project (test_projects/python_fuzz_waterfall/)
- Demonstrates stateful waterfall vulnerability
- main.py with check_secret() that leaks progress
- fuzz_target.py with Atheris TestOneInput() harness
- Complete README with usage instructions

## Backend Fixes
- Fixed parameter merging in REST API endpoints (workflows.py)
- Changed workflow parameter passing from positional args to kwargs (manager.py)
- Default parameters now properly merged with user parameters

## Testing
 Worker discovered AtherisFuzzingWorkflow
 Workflow executed end-to-end successfully
 Fuzz target auto-discovered in nested directories
 Atheris ran 100,000 iterations
 Results uploaded and cache cleaned

* chore: Complete Temporal migration with updated CLI/SDK/docs

This commit includes all remaining Temporal migration changes:

## CLI Updates (cli/)
- Updated workflow execution commands for Temporal
- Enhanced error handling and exceptions
- Updated dependencies in uv.lock

## SDK Updates (sdk/)
- Client methods updated for Temporal workflows
- Updated models for new workflow execution
- Updated dependencies in uv.lock

## Documentation Updates (docs/)
- Architecture documentation for Temporal
- Workflow concept documentation
- Resource management documentation (new)
- Debugging guide (new)
- Updated tutorials and how-to guides
- Troubleshooting updates

## README Updates
- Main README with Temporal instructions
- Backend README
- CLI README
- SDK README

## Other
- Updated IMPLEMENTATION_STATUS.md
- Removed old vulnerable_app.tar.gz

These changes complete the Temporal migration and ensure the
CLI/SDK work correctly with the new backend.

* fix: Use positional args instead of kwargs for Temporal workflows

The Temporal Python SDK's start_workflow() method doesn't accept
a 'kwargs' parameter. Workflows must receive parameters as positional
arguments via the 'args' parameter.

Changed from:
  args=workflow_args  # Positional arguments

This fixes the error:
  TypeError: Client.start_workflow() got an unexpected keyword argument 'kwargs'

Workflows now correctly receive parameters in order:
- security_assessment: [target_id, scanner_config, analyzer_config, reporter_config]
- atheris_fuzzing: [target_id, target_file, max_iterations, timeout_seconds]
- rust_test: [target_id, test_message]

* fix: Filter metadata-only parameters from workflow arguments

SecurityAssessmentWorkflow was receiving 7 arguments instead of 2-5.
The issue was that target_path and volume_mode from default_parameters
were being passed to the workflow, when they should only be used by
the system for configuration.

Now filters out metadata-only parameters (target_path, volume_mode)
before passing arguments to workflow execution.

* refactor: Remove Prefect leftovers and volume mounting legacy

Complete cleanup of Prefect migration artifacts:

Backend:
- Delete registry.py and workflow_discovery.py (Prefect-specific files)
- Remove Docker validation from setup.py (no longer needed)
- Remove ResourceLimits and VolumeMount models
- Remove target_path and volume_mode from WorkflowSubmission
- Remove supported_volume_modes from API and discovery
- Clean up metadata.yaml files (remove volume/path fields)
- Simplify parameter filtering in manager.py

SDK:
- Remove volume_mode parameter from client methods
- Remove ResourceLimits and VolumeMount models
- Remove Prefect error patterns from docker_logs.py
- Clean up WorkflowSubmission and WorkflowMetadata models

CLI:
- Remove Volume Modes display from workflow info

All removed features are Prefect-specific or Docker volume mounting
artifacts. Temporal workflows use MinIO storage exclusively.

* feat: Add comprehensive test suite and benchmark infrastructure

- Add 68 unit tests for fuzzer, scanner, and analyzer modules
- Implement pytest-based test infrastructure with fixtures
- Add 6 performance benchmarks with category-specific thresholds
- Configure GitHub Actions for automated testing and benchmarking
- Add test and benchmark documentation

Test coverage:
- AtherisFuzzer: 8 tests
- CargoFuzzer: 14 tests
- FileScanner: 22 tests
- SecurityAnalyzer: 24 tests

All tests passing (68/68)
All benchmarks passing (6/6)

* fix: Resolve all ruff linting violations across codebase

Fixed 27 ruff violations in 12 files:
- Removed unused imports (Depends, Dict, Any, Optional, etc.)
- Fixed undefined workflow_info variable in workflows.py
- Removed dead code with undefined variables in atheris_fuzzer.py
- Changed f-string to regular string where no placeholders used

All files now pass ruff checks for CI/CD compliance.

* fix: Configure CI for unit tests only

- Renamed docker-compose.temporal.yaml → docker-compose.yml for CI compatibility
- Commented out integration-tests job (no integration tests yet)
- Updated test-summary to only depend on lint and unit-tests

CI will now run successfully with 68 unit tests. Integration tests can be added later.

* feat: Add CI/CD integration with ephemeral deployment model

Implements comprehensive CI/CD support for FuzzForge with on-demand worker management:

**Worker Management (v0.7.0)**
- Add WorkerManager for automatic worker lifecycle control
- Auto-start workers from stopped state when workflows execute
- Auto-stop workers after workflow completion
- Health checks and startup timeout handling (90s default)

**CI/CD Features**
- `--fail-on` flag: Fail builds based on SARIF severity levels (error/warning/note/info)
- `--export-sarif` flag: Export findings in SARIF 2.1.0 format
- `--auto-start`/`--auto-stop` flags: Control worker lifecycle
- Exit code propagation: Returns 1 on blocking findings, 0 on success

**Exit Code Fix**
- Add `except typer.Exit: raise` handlers at 3 critical locations
- Move worker cleanup to finally block for guaranteed execution
- Exit codes now propagate correctly even when build fails

**CI Scripts & Examples**
- ci-start.sh: Start FuzzForge services with health checks
- ci-stop.sh: Clean shutdown with volume preservation option
- GitHub Actions workflow example (security-scan.yml)
- GitLab CI pipeline example (.gitlab-ci.example.yml)
- docker-compose.ci.yml: CI-optimized compose file with profiles

**OSS-Fuzz Integration**
- New ossfuzz_campaign workflow for running OSS-Fuzz projects
- OSS-Fuzz worker with Docker-in-Docker support
- Configurable campaign duration and project selection

**Documentation**
- Comprehensive CI/CD integration guide (docs/how-to/cicd-integration.md)
- Updated architecture docs with worker lifecycle details
- Updated workspace isolation documentation
- CLI README with worker management examples

**SDK Enhancements**
- Add get_workflow_worker_info() endpoint
- Worker vertical metadata in workflow responses

**Testing**
- All workflows tested: security_assessment, atheris_fuzzing, secret_detection, cargo_fuzzing
- All monitoring commands tested: stats, crashes, status, finding
- Full CI pipeline simulation verified
- Exit codes verified for success/failure scenarios

Ephemeral CI/CD model: ~3-4GB RAM, ~60-90s startup, runs entirely in CI containers.

* fix: Resolve ruff linting violations in CI/CD code

- Remove unused variables (run_id, defaults, result)
- Remove unused imports
- Fix f-string without placeholders

All CI/CD integration files now pass ruff checks.
 2025-10-14 10:13:45 +02:00
abel
32a2ea0518 docs: updated discord invite link 2025-10-06 11:59:28 +02:00
tduhamel42
8c9c81a651 Merge pull request #12 from FuzzingLabs/ci/create-base-python-ci 
ci: created base python ci
 2025-10-03 11:22:48 +02:00
tduhamel42
4ffaab3cc4 Merge pull request #13 from FuzzingLabs/fix/config-command-routing 
fix: register config as command group instead of custom function
 2025-10-03 11:17:33 +02:00
Tanguy Duhamel
ccd9149a73 fix: register config as command group instead of custom function 
The config command was implemented as a custom function that manually
routed to subcommands, which caused 'ff config show' to fail. It
treated 'show' as a configuration key argument instead of a subcommand.

Now properly registered as a Typer command group, enabling all config
subcommands (show, set, get, reset, edit) to work correctly.
 2025-10-03 11:13:34 +02:00
abel
8cb195efca ci: run in any situation on docs folder changes 2025-10-02 17:22:15 +02:00
abel
52fa22877f fix: run only when changes to docs folder 2025-10-02 17:21:14 +02:00
abel
58725e3a62 ci: created base python ci 2025-10-02 17:17:52 +02:00
tduhamel42
f3f925c3b8 Merge pull request #10 from FuzzingLabs/refactor/remove-monitor-command 
refactor: removed monitor command and --live parameter
 2025-10-02 16:17:33 +02:00
tduhamel42
4bdfabc527 Merge branch 'master' into refactor/remove-monitor-command 2025-10-02 16:12:01 +02:00
tduhamel42
5a768858dc Merge pull request #11 from FuzzingLabs/fix/remove-erroneous-cli-example 
fix: removed erroneous example
 2025-10-02 16:08:23 +02:00
abel
45e79a7685 fix: removed erroneous example 2025-10-02 16:01:54 +02:00
abel
78444dbd4d refactor: removed monitor command and --live parameter 2025-10-02 15:49:18 +02:00
Tanguy Duhamel
056cde35b2 Merge branch 'master' of github.com:FuzzingLabs/fuzzforge_ai 2025-10-01 10:16:43 +02:00
Tanguy Duhamel
961e765108 Update readme with insecure registries 2025-10-01 10:16:33 +02:00
Patrick Ventuzelo
75062e5ef7 Merge pull request #7 from MegaRedHand/fix/wrong-repo-in-readme 
docs(readme): fix repo name in `git clone` command
 2025-10-01 00:25:51 +02:00
Tomás Grüner
8e9fe8b9b8 docs(readme): fix repo name in git clone command 2025-09-30 19:04:59 -03:00
abel
1efcfe92c5 fix: update documentation links to new domain 2025-09-30 16:06:09 +02:00
Tanguy Duhamel
5ff672c797 Add missing modules and workflow 2025-09-30 15:36:23 +02:00
Tanguy Duhamel
eb5ec5f00d Merge branch 'master' of github.com:FuzzingLabs/fuzzforge_ai 2025-09-30 15:19:16 +02:00
Tanguy Duhamel
833963e5dd Fix deployment issues 2025-09-30 15:18:53 +02:00
abel
6a11b47efd ci: change trigger branch from 'main' to 'master' 2025-09-30 14:27:58 +02:00
abel
1641195462 ci: change deployment branch from 'main' to 'master' 2025-09-30 14:27:41 +02:00
abel
c5ca1691aa fix: update path for upload build artifact 2025-09-30 14:17:53 +02:00
abel
6578b3f424 ci: add workflow_dispatch to action 2025-09-30 14:11:38 +02:00
Patrick Ventuzelo
9c92a6c356 Update README.md 
add roadmap link
 2025-09-30 13:55:20 +02:00
Patrick Ventuzelo
e3be352ac6 Update README.md 
remove logo website
 2025-09-30 13:52:24 +02:00
tduhamel42
f18750eb6e Update README.md 2025-09-30 13:51:23 +02:00
Patrick Ventuzelo
a9bc5a58ca Update README.md 
fix github star button
 2025-09-30 13:50:05 +02:00
tduhamel42
68f0685cc5 Update README.md 2025-09-30 13:45:47 +02:00
Patrick Ventuzelo
9966753b6e Update README.md 2025-09-30 13:39:33 +02:00
Patrick Ventuzelo
2760b43a6b Update README.md 
add new banner github
 2025-09-30 13:38:23 +02:00
Patrick Ventuzelo
7f5e9b487e add banner github 
add banner github
 2025-09-30 13:37:59 +02:00
Tanguy Duhamel
724064dfaa Fix parameters bug + installation issues 2025-09-30 12:10:47 +02:00
tduhamel42
6de122ba2a Merge pull request #1 from FuzzingLabs/pventuzelo-patch-1 
Update README.md
 2025-09-30 09:36:40 +02:00