fuzzforge_ai/test_projects/README.md

# FuzzForge Vulnerable Test Project

This directory contains a comprehensive vulnerable test application designed to validate FuzzForge's security workflows. The project contains multiple categories of security vulnerabilities to test `security_assessment`, `gitleaks_detection`, `trufflehog_detection`, and `llm_secret_detection` workflows.

## Test Project Overview

### Vulnerable Application (`vulnerable_app/`)
**Purpose**: Comprehensive vulnerable application for testing security workflows

**Supported Workflows**:
- `security_assessment` - General security scanning and analysis
- `gitleaks_detection` - Pattern-based secret detection
- `trufflehog_detection` - Entropy-based secret detection with verification
- `llm_secret_detection` - AI-powered semantic secret detection

**Vulnerabilities Included**:
- SQL injection vulnerabilities
- Command injection
- Hardcoded secrets and credentials
- Path traversal vulnerabilities
- Weak cryptographic functions
- Server-side template injection (SSTI)
- Pickle deserialization attacks
- CSRF missing protection
- Information disclosure
- API keys and tokens
- Database connection strings
- Private keys and certificates

**Files**:
- Multiple source code files with various vulnerability types
- Configuration files with embedded secrets
- Dependencies with known vulnerabilities

**Expected Detections**: 30+ findings across both security assessment and secret detection workflows

---

## Usage Instructions

### Testing with FuzzForge Workflows

The vulnerable application can be tested with multiple security workflows:

```bash
# Test security assessment workflow
curl -X POST http://localhost:8000/workflows/security_assessment/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

# Test Gitleaks secret detection workflow
curl -X POST http://localhost:8000/workflows/gitleaks_detection/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

# Test TruffleHog secret detection workflow
curl -X POST http://localhost:8000/workflows/trufflehog_detection/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'
```

### Expected Results

Each workflow should produce SARIF-formatted results with:
- High-severity findings for critical vulnerabilities
- Medium-severity findings for moderate risks
- Detailed descriptions and remediation guidance
- Code flow information where applicable

### Validation Criteria

A successful test should detect:
- **Security Assessment**: At least 20 various security vulnerabilities
- **Gitleaks Detection**: At least 10 different types of secrets
- **TruffleHog Detection**: At least 5 high-entropy secrets
- **LLM Secret Detection**: At least 15 secrets with semantic understanding

---

## Security Notice

⚠️ **WARNING**: This project contains intentional security vulnerabilities and should NEVER be deployed in production environments or exposed to public networks. It is designed solely for security testing and validation purposes.

## File Structure
```
test_projects/
├── README.md
└── vulnerable_app/
    ├── [Multiple vulnerable source files]
    ├── [Configuration files with secrets]
    └── [Dependencies with known issues]
```