CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-02-13 01:12:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6fe039e0eef3292c869fd862d8f5542d3f91df4c
fuzzforge_ai/test_projects
History
tduhamel42 6abf4ef71d feat: Add Python SAST workflow with three security analysis tools 
Implements Issue #5 - Python SAST workflow that combines:
- Dependency scanning (pip-audit) for CVE detection
- Security linting (Bandit) for vulnerability patterns
- Type checking (Mypy) for type safety issues

## Changes

**New Modules:**
- `DependencyScanner`: Scans Python dependencies for known CVEs using pip-audit
- `BanditAnalyzer`: Analyzes Python code for security issues using Bandit
- `MypyAnalyzer`: Checks Python code for type safety issues using Mypy

**New Workflow:**
- `python_sast`: Temporal workflow that orchestrates all three SAST tools
  - Runs tools in parallel for fast feedback (3-5 min vs hours for fuzzing)
  - Generates unified SARIF report with findings from all tools
  - Supports configurable severity/confidence thresholds

**Updates:**
- Added SAST dependencies to Python worker (bandit, pip-audit, mypy)
- Updated module __init__.py files to export new analyzers
- Added type_errors.py test file to vulnerable_app for Mypy validation

## Testing

Workflow tested successfully on vulnerable_app:
-  Bandit: Detected 9 security issues (command injection, unsafe functions)
-  Mypy: Detected 5 type errors
-  DependencyScanner: Ran successfully (no CVEs in test dependencies)
-  SARIF export: Generated valid SARIF with 14 total findings
2025-10-22 15:28:19 +02:00
..
python_fuzz_waterfall
CI/CD Integration with Ephemeral Deployment Model (#14)
2025-10-14 10:13:45 +02:00
rust_fuzz_test
feat: Add secret detection workflows and comprehensive benchmarking (#15)
2025-10-16 11:21:24 +02:00
secret_detection_benchmark
test: Add secret detection benchmark dataset and ground truth
2025-10-16 11:46:28 +02:00
vulnerable_app
feat: Add Python SAST workflow with three security analysis tools
2025-10-22 15:28:19 +02:00
README.md
docs: Remove obsolete volume_mode references from documentation
2025-10-16 11:36:53 +02:00

README.md

FuzzForge Vulnerable Test Project

This directory contains a comprehensive vulnerable test application designed to validate FuzzForge's security workflows. The project contains multiple categories of security vulnerabilities to test security_assessment, gitleaks_detection, trufflehog_detection, and llm_secret_detection workflows.

Test Project Overview

Vulnerable Application (vulnerable_app/)

Purpose: Comprehensive vulnerable application for testing security workflows

Supported Workflows:

  • security_assessment - General security scanning and analysis
  • gitleaks_detection - Pattern-based secret detection
  • trufflehog_detection - Entropy-based secret detection with verification
  • llm_secret_detection - AI-powered semantic secret detection

Vulnerabilities Included:

  • SQL injection vulnerabilities
  • Command injection
  • Hardcoded secrets and credentials
  • Path traversal vulnerabilities
  • Weak cryptographic functions
  • Server-side template injection (SSTI)
  • Pickle deserialization attacks
  • CSRF missing protection
  • Information disclosure
  • API keys and tokens
  • Database connection strings
  • Private keys and certificates

Files:

  • Multiple source code files with various vulnerability types
  • Configuration files with embedded secrets
  • Dependencies with known vulnerabilities

Expected Detections: 30+ findings across both security assessment and secret detection workflows

Usage Instructions

Testing with FuzzForge Workflows

The vulnerable application can be tested with multiple security workflows:

# Test security assessment workflow
curl -X POST http://localhost:8000/workflows/security_assessment/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

# Test Gitleaks secret detection workflow
curl -X POST http://localhost:8000/workflows/gitleaks_detection/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

# Test TruffleHog secret detection workflow
curl -X POST http://localhost:8000/workflows/trufflehog_detection/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

Expected Results

Each workflow should produce SARIF-formatted results with:

  • High-severity findings for critical vulnerabilities
  • Medium-severity findings for moderate risks
  • Detailed descriptions and remediation guidance
  • Code flow information where applicable

Validation Criteria

A successful test should detect:

  • Security Assessment: At least 20 various security vulnerabilities
  • Gitleaks Detection: At least 10 different types of secrets
  • TruffleHog Detection: At least 5 high-entropy secrets
  • LLM Secret Detection: At least 15 secrets with semantic understanding

Security Notice

⚠️ WARNING: This project contains intentional security vulnerabilities and should NEVER be deployed in production environments or exposed to public networks. It is designed solely for security testing and validation purposes.

File Structure

test_projects/
├── README.md
└── vulnerable_app/
    ├── [Multiple vulnerable source files]
    ├── [Configuration files with secrets]
    └── [Dependencies with known issues]
Reference in New Issue View Git Blame Copy Permalink