3be4d34531
Add comprehensive benchmark dataset with 32 documented secrets for testing secret detection workflows (gitleaks, trufflehog, llm_secret_detection). - Add test_projects/secret_detection_benchmark/ with 19 test files - Add ground truth JSON with precise line-by-line secret mappings - Update .gitignore with exceptions for benchmark files (not real secrets) Dataset breakdown: - 12 Easy secrets (standard patterns) - 10 Medium secrets (obfuscated) - 10 Hard secrets (well hidden)
FuzzForge Vulnerable Test Project
This directory contains a comprehensive vulnerable test application designed to validate FuzzForge's security workflows. The project contains multiple categories of security vulnerabilities to test security_assessment, gitleaks_detection, trufflehog_detection, and llm_secret_detection workflows.
Test Project Overview
Vulnerable Application (vulnerable_app/)
Purpose: Comprehensive vulnerable application for testing security workflows
Supported Workflows:
security_assessment- General security scanning and analysisgitleaks_detection- Pattern-based secret detectiontrufflehog_detection- Entropy-based secret detection with verificationllm_secret_detection- AI-powered semantic secret detection
Vulnerabilities Included:
- SQL injection vulnerabilities
- Command injection
- Hardcoded secrets and credentials
- Path traversal vulnerabilities
- Weak cryptographic functions
- Server-side template injection (SSTI)
- Pickle deserialization attacks
- CSRF missing protection
- Information disclosure
- API keys and tokens
- Database connection strings
- Private keys and certificates
Files:
- Multiple source code files with various vulnerability types
- Configuration files with embedded secrets
- Dependencies with known vulnerabilities
Expected Detections: 30+ findings across both security assessment and secret detection workflows
Usage Instructions
Testing with FuzzForge Workflows
The vulnerable application can be tested with multiple security workflows:
# Test security assessment workflow
curl -X POST http://localhost:8000/workflows/security_assessment/submit \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app"
}'
# Test Gitleaks secret detection workflow
curl -X POST http://localhost:8000/workflows/gitleaks_detection/submit \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app"
}'
# Test TruffleHog secret detection workflow
curl -X POST http://localhost:8000/workflows/trufflehog_detection/submit \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app"
}'
Expected Results
Each workflow should produce SARIF-formatted results with:
- High-severity findings for critical vulnerabilities
- Medium-severity findings for moderate risks
- Detailed descriptions and remediation guidance
- Code flow information where applicable
Validation Criteria
A successful test should detect:
- Security Assessment: At least 20 various security vulnerabilities
- Gitleaks Detection: At least 10 different types of secrets
- TruffleHog Detection: At least 5 high-entropy secrets
- LLM Secret Detection: At least 15 secrets with semantic understanding
Security Notice
⚠️ WARNING: This project contains intentional security vulnerabilities and should NEVER be deployed in production environments or exposed to public networks. It is designed solely for security testing and validation purposes.
File Structure
test_projects/
├── README.md
└── vulnerable_app/
├── [Multiple vulnerable source files]
├── [Configuration files with secrets]
└── [Dependencies with known issues]