187b171360
Updated all documentation to reflect actual v0.7.0 workflow implementation: Workflow name changes: - Removed all references to non-existent workflows (static_analysis_scan, secret_detection_scan, infrastructure_scan, penetration_testing_scan) - Updated examples to use actual workflows (security_assessment, gitleaks_detection, trufflehog_detection, llm_secret_detection) - Deleted docs/docs/reference/workflows/static-analysis.md (described non-existent workflow) Content corrections: - Fixed workflow tool descriptions (removed incorrect Semgrep/Bandit references, documented actual SecurityAnalyzer and FileScanner modules) - Updated all workflow lists to show production-ready vs development status - Fixed all example configurations to match actual workflow parameters Module creation guide fixes: - Fixed 4 path references: backend/src/toolbox → backend/toolbox - Updated import statements in example code Files updated: - docs/index.md - workflow list, CLI example, broken tutorial links - docs/docs/tutorial/getting-started.md - workflow list, example output, tool descriptions - docs/docs/how-to/create-module.md - module paths and imports - docs/docs/how-to/mcp-integration.md - workflow examples and list - docs/docs/ai/prompts.md - workflow example - docs/docs/reference/cli-ai.md - 3 workflow references
🚧 FuzzForge is under active development
AI-powered workflow automation and AI Agents for AppSec, Fuzzing & Offensive Security
Overview • Features • Installation • Quickstart • AI Demo • Contributing • Roadmap
🚀 Overview
FuzzForge helps security researchers and engineers automate application security and offensive security workflows with the power of AI and fuzzing frameworks.
- Orchestrate static & dynamic analysis
- Automate vulnerability research
- Scale AppSec testing with AI agents
- Build, share & reuse workflows across teams
FuzzForge is open source, built to empower security teams, researchers, and the community.
🚧 FuzzForge is under active development. Expect breaking changes.
Note: Fuzzing workflows (
atheris_fuzzing,cargo_fuzzing,ossfuzz_campaign) are in early development. OSS-Fuzz integration is under heavy active development. For stable workflows, use:security_assessment,gitleaks_detection,trufflehog_detection, orllm_secret_detection.
Demo - Manual Workflow Setup
Setting up and running security workflows through the interface
👉 More installation options in the Documentation.
✨ Key Features
- 🤖 AI Agents for Security – Specialized agents for AppSec, reversing, and fuzzing
- 🛠 Workflow Automation – Define & execute AppSec workflows as code
- 📈 Vulnerability Research at Scale – Rediscover 1-days & find 0-days with automation
- 🔗 Fuzzer Integration – Atheris (Python), cargo-fuzz (Rust), OSS-Fuzz campaigns
- 🌐 Community Marketplace – Share workflows, corpora, PoCs, and modules
- 🔒 Enterprise Ready – Team/Corp cloud tiers for scaling offensive security
⭐ Support the Project
If you find FuzzForge useful, please star the repo to support development 🚀
🔍 Secret Detection Benchmarks
FuzzForge includes three secret detection workflows benchmarked on a controlled dataset of 32 documented secrets (12 Easy, 10 Medium, 10 Hard):
| Tool | Recall | Secrets Found | Speed |
|---|---|---|---|
| LLM (gpt-5-mini) | 84.4% | 41 | 618s |
| LLM (gpt-4o-mini) | 56.2% | 30 | 297s |
| Gitleaks | 37.5% | 12 | 5s |
| TruffleHog | 0.0% | 1 | 5s |
📊 Full benchmark results and analysis
The LLM-based detector excels at finding obfuscated and hidden secrets through semantic analysis, while pattern-based tools (Gitleaks) offer speed for standard secret formats.
📦 Installation
Requirements
Python 3.11+ Python 3.11 or higher is required.
uv Package Manager
curl -LsSf https://astral.sh/uv/install.sh | sh
Docker For containerized workflows, see the Docker Installation Guide.
Configure AI Agent API Keys (Optional)
For AI-powered workflows, configure your LLM API keys:
cp volumes/env/.env.example volumes/env/.env
# Edit volumes/env/.env and add your API keys (OpenAI, Anthropic, Google, etc.)
This is required for:
llm_secret_detectionworkflow- AI agent features (
ff ai agent)
Basic security workflows (gitleaks, trufflehog, security_assessment) work without this configuration.
CLI Installation
After installing the requirements, install the FuzzForge CLI:
# Clone the repository
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# Install CLI with uv (from the root directory)
uv tool install --python python3.12 .
⚡ Quickstart
Run your first workflow with Temporal orchestration and automatic file upload:
# 1. Clone the repo
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# 2. Copy the default LLM env config
cp volumes/env/.env.example volumes/env/.env
# 3. Start FuzzForge with Temporal
docker compose up -d
The first launch can take 2-3 minutes for services to initialize ☕
# 3. Run your first workflow (files are automatically uploaded)
cd test_projects/vulnerable_app/
fuzzforge init # Initialize FuzzForge project
ff workflow run security_assessment . # Start workflow - CLI uploads files automatically!
# The CLI will:
# - Detect the local directory
# - Create a compressed tarball
# - Upload to backend (via MinIO)
# - Start the workflow on vertical worker
What's running:
- Temporal: Workflow orchestration (UI at http://localhost:8233)
- MinIO: File storage for targets (Console at http://localhost:9001)
- Vertical Workers: Pre-built workers with security toolchains
- Backend API: FuzzForge REST API (http://localhost:8000)
AI-Powered Workflow Execution
AI agents automatically analyzing code and providing security insights
📚 Resources
🤝 Contributing
We welcome contributions from the community!
There are many ways to help:
- Report bugs by opening an issue
- Suggest new features or improvements
- Submit pull requests with fixes or enhancements
- Share workflows, corpora, or modules with the community
See our Contributing Guide for details.
🗺️ Roadmap
Planned features and improvements:
- 📦 Public workflow & module marketplace
- 🤖 New specialized AI agents (Rust, Go, Android, Automotive)
- 🔗 Expanded fuzzer integrations (LibFuzzer, Jazzer, more network fuzzers)
- ☁️ Multi-tenant SaaS platform with team collaboration
- 📊 Advanced reporting & analytics
👉 Follow updates in the GitHub issues and Discord
📜 License
FuzzForge is released under the Business Source License (BSL) 1.1, with an automatic fallback to Apache 2.0 after 4 years.
See LICENSE and LICENSE-APACHE for details.