CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-05-21 12:16:48 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
943bc9a114e94c5069b094b64bb10e4f083d2e16
fuzzforge_ai/docs/docs/reference/cli-reference.md
T
tduhamel42 943bc9a114 Release v0.7.3 - Android workflows, LiteLLM integration, ARM64 support (#32) 
* ci: add worker validation and Docker build checks

Add automated validation to prevent worker-related issues:

**Worker Validation Script:**
- New script: .github/scripts/validate-workers.sh
- Validates all workers in docker-compose.yml exist
- Checks required files: Dockerfile, requirements.txt, worker.py
- Verifies files are tracked by git (not gitignored)
- Detects gitignore issues that could hide workers

**CI Workflow Updates:**
- Added validate-workers job (runs on every PR)
- Added build-workers job (runs if workers/ modified)
- Uses Docker Buildx for caching
- Validates Docker images build successfully
- Updated test-summary to check validation results

**PR Template:**
- New pull request template with comprehensive checklist
- Specific section for worker-related changes
- Reminds contributors to validate worker files
- Includes documentation and changelog reminders

These checks would have caught the secrets worker gitignore issue.

Implements Phase 1 improvements from CI/CD quality assessment.

* fix: add dev branch to test workflow triggers

The test workflow was configured for 'develop' but the actual branch is named 'dev'.
This caused tests not to run on PRs to dev branch.

Now tests will run on:
- PRs to: main, master, dev, develop
- Pushes to: main, master, dev, develop, feature/**

* fix: properly detect worker file changes in CI

The previous condition used invalid GitHub context field.
Now uses git diff to properly detect changes to workers/ or docker-compose.yml.

Behavior:
- Job always runs the check step
- Detects if workers/ or docker-compose.yml modified
- Only builds Docker images if workers actually changed
- Shows clear skip message when no worker changes detected

* feat: Add Python SAST workflow with three security analysis tools

Implements Issue #5 - Python SAST workflow that combines:
- Dependency scanning (pip-audit) for CVE detection
- Security linting (Bandit) for vulnerability patterns
- Type checking (Mypy) for type safety issues

## Changes

**New Modules:**
- `DependencyScanner`: Scans Python dependencies for known CVEs using pip-audit
- `BanditAnalyzer`: Analyzes Python code for security issues using Bandit
- `MypyAnalyzer`: Checks Python code for type safety issues using Mypy

**New Workflow:**
- `python_sast`: Temporal workflow that orchestrates all three SAST tools
  - Runs tools in parallel for fast feedback (3-5 min vs hours for fuzzing)
  - Generates unified SARIF report with findings from all tools
  - Supports configurable severity/confidence thresholds

**Updates:**
- Added SAST dependencies to Python worker (bandit, pip-audit, mypy)
- Updated module __init__.py files to export new analyzers
- Added type_errors.py test file to vulnerable_app for Mypy validation

## Testing

Workflow tested successfully on vulnerable_app:
-  Bandit: Detected 9 security issues (command injection, unsafe functions)
-  Mypy: Detected 5 type errors
-  DependencyScanner: Ran successfully (no CVEs in test dependencies)
-  SARIF export: Generated valid SARIF with 14 total findings

* fix: Remove unused imports to pass linter

* fix: resolve live monitoring bug, remove deprecated parameters, and auto-start Python worker

- Fix live monitoring style error by calling _live_monitor() helper directly
- Remove default_parameters duplication from 10 workflow metadata files
- Remove deprecated volume_mode parameter from 26 files across CLI, SDK, backend, and docs
- Configure Python worker to start automatically with docker compose up
- Clean up constants, validation, completion, and example files

Fixes #
- Live monitoring now works correctly with --live flag
- Workflow metadata follows JSON Schema standard
- Cleaner codebase without deprecated volume_mode
- Python worker (most commonly used) starts by default

* fix: resolve linter errors and optimize CI worker builds

- Remove unused Literal import from backend findings model
- Remove unnecessary f-string prefixes in CLI findings command
- Optimize GitHub Actions to build only modified workers
  - Detect specific worker changes (python, secrets, rust, android, ossfuzz)
  - Build only changed workers instead of all 5
  - Build all workers if docker-compose.yml changes
  - Significantly reduces CI build time

* feat: Add Android static analysis workflow with Jadx, OpenGrep, and MobSF

Comprehensive Android security testing workflow converted from Prefect to Temporal architecture:

Modules (3):
- JadxDecompiler: APK to Java source code decompilation
- OpenGrepAndroid: Static analysis with Android-specific security rules
- MobSFScanner: Comprehensive mobile security framework integration

Custom Rules (13):
- clipboard-sensitive-data, hardcoded-secrets, insecure-data-storage
- insecure-deeplink, insecure-logging, intent-redirection
- sensitive_data_sharedPreferences, sqlite-injection
- vulnerable-activity, vulnerable-content-provider, vulnerable-service
- webview-javascript-enabled, webview-load-arbitrary-url

Workflow:
- 6-phase Temporal workflow: download → Jadx → OpenGrep → MobSF → SARIF → upload
- 4 activities: decompile_with_jadx, scan_with_opengrep, scan_with_mobsf, generate_android_sarif
- SARIF output combining findings from all security tools

Docker Worker:
- ARM64 Mac compatibility via amd64 platform emulation
- Pre-installed: Android SDK, Jadx 1.4.7, OpenGrep 1.45.0, MobSF 3.9.7
- MobSF runs as background service with API key auto-generation
- Added aiohttp for async HTTP communication

Test APKs:
- BeetleBug.apk and shopnest.apk for workflow validation

* fix(android): correct activity names and MobSF API key generation

- Fix activity names in workflow.py (get_target, upload_results, cleanup_cache)
- Fix MobSF API key generation in Dockerfile startup script (cut delimiter)
- Update activity parameter signatures to match actual implementations
- Workflow now executes successfully with Jadx and OpenGrep

* feat: add platform-aware worker architecture with ARM64 support

Implement platform-specific Dockerfile selection and graceful tool degradation to support both x86_64 and ARM64 (Apple Silicon) platforms.

**Backend Changes:**
- Add system info API endpoint (/system/info) exposing host filesystem paths
- Add FUZZFORGE_HOST_ROOT environment variable to backend service
- Add graceful degradation in MobSF activity for ARM64 platforms

**CLI Changes:**
- Implement multi-strategy path resolution (backend API, .fuzzforge marker, env var)
- Add platform detection (linux/amd64 vs linux/arm64)
- Add worker metadata.yaml reading for platform capabilities
- Auto-select appropriate Dockerfile based on detected platform
- Pass platform-specific env vars to docker-compose

**Worker Changes:**
- Create workers/android/metadata.yaml defining platform capabilities
- Rename Dockerfile -> Dockerfile.amd64 (full toolchain with MobSF)
- Create Dockerfile.arm64 (excludes MobSF due to Rosetta 2 incompatibility)
- Update docker-compose.yml to use ${ANDROID_DOCKERFILE} variable

**Workflow Changes:**
- Handle MobSF "skipped" status gracefully in workflow
- Log clear warnings when tools are unavailable on platform

**Key Features:**
- Automatic platform detection and Dockerfile selection
- Graceful degradation when tools unavailable (MobSF on ARM64)
- Works from any directory (backend API provides paths)
- Manual override via environment variables
- Clear user feedback about platform and selected Dockerfile

**Benefits:**
- Android workflow now works on Apple Silicon Macs
- No code changes needed for other workflows
- Convention established for future platform-specific workers

Closes: MobSF Rosetta 2 incompatibility issue
Implements: Platform-aware worker architecture (Option B)

* fix: make MobSFScanner import conditional for ARM64 compatibility

- Add try-except block to conditionally import MobSFScanner in modules/android/__init__.py
- Allows Android worker to start on ARM64 without MobSF dependencies (aiohttp)
- MobSF activity gracefully skips on ARM64 with clear warning message
- Remove workflow path detection logic (not needed - workflows receive directories)

Platform-aware architecture fully functional on ARM64:
- CLI detects ARM64 and selects Dockerfile.arm64 automatically
- Worker builds and runs without MobSF on ARM64
- Jadx successfully decompiles APKs (4145 files from BeetleBug.apk)
- OpenGrep finds security vulnerabilities (8 issues found)
- MobSF gracefully skips with warning on ARM64
- Graceful degradation working as designed

Tested with:
  ff workflow run android_static_analysis test_projects/android_test/ \
    --wait --no-interactive apk_path=BeetleBug.apk decompile_apk=true

Results: 8 security findings (1 ERROR, 7 WARNINGS)

* docs: update CHANGELOG with Android workflow and ARM64 support

Added [Unreleased] section documenting:
- Android Static Analysis Workflow (Jadx, OpenGrep, MobSF)
- Platform-Aware Worker Architecture with ARM64 support
- Python SAST Workflow
- CI/CD improvements and worker validation
- CLI enhancements
- Bug fixes and technical changes

Fixed date typo: 2025-01-16 → 2025-10-16

* fix: resolve linter errors in Android modules

- Remove unused imports from mobsf_scanner.py (asyncio, hashlib, json, Optional)
- Remove unused variables from opengrep_android.py (start_col, end_col)
- Remove duplicate Path import from workflow.py

* ci: support multi-platform Dockerfiles in worker validation

Updated worker validation script to accept both:
- Single Dockerfile pattern (existing workers)
- Multi-platform Dockerfile pattern (Dockerfile.amd64, Dockerfile.arm64, etc.)

This enables platform-aware worker architectures like the Android worker
which uses different Dockerfiles for x86_64 and ARM64 platforms.

* Feature/litellm proxy (#27)

* feat: seed governance config and responses routing

* Add env-configurable timeout for proxy providers

* Integrate LiteLLM OTEL collector and update docs

* Make .env.litellm optional for LiteLLM proxy

* Add LiteLLM proxy integration with model-agnostic virtual keys

Changes:
- Bootstrap generates 3 virtual keys with individual budgets (CLI: $100, Task-Agent: $25, Cognee: $50)
- Task-agent loads config at runtime via entrypoint script to wait for bootstrap completion
- All keys are model-agnostic by default (no LITELLM_DEFAULT_MODELS restrictions)
- Bootstrap handles database/env mismatch after docker prune by deleting stale aliases
- CLI and Cognee configured to use LiteLLM proxy with virtual keys
- Added comprehensive documentation in volumes/env/README.md

Technical details:
- task-agent entrypoint waits for keys in .env file before starting uvicorn
- Bootstrap creates/updates TASK_AGENT_API_KEY, COGNEE_API_KEY, and OPENAI_API_KEY
- Removed hardcoded API keys from docker-compose.yml
- All services route through http://localhost:10999 proxy

* Fix CLI not loading virtual keys from global .env

Project .env files with empty OPENAI_API_KEY values were overriding
the global virtual keys. Updated _load_env_file_if_exists to only
override with non-empty values.

* Fix agent executor not passing API key to LiteLLM

The agent was initializing LiteLlm without api_key or api_base,
causing authentication errors when using the LiteLLM proxy. Now
reads from OPENAI_API_KEY/LLM_API_KEY and LLM_ENDPOINT environment
variables and passes them to LiteLlm constructor.

* Auto-populate project .env with virtual key from global config

When running 'ff init', the command now checks for a global
volumes/env/.env file and automatically uses the OPENAI_API_KEY
virtual key if found. This ensures projects work with LiteLLM
proxy out of the box without manual key configuration.

* docs: Update README with LiteLLM configuration instructions

Add note about LITELLM_GEMINI_API_KEY configuration and clarify that OPENAI_API_KEY default value should not be changed as it's used for the LLM proxy.

* Refactor workflow parameters to use JSON Schema defaults

Consolidates parameter defaults into JSON Schema format, removing the separate default_parameters field. Adds extract_defaults_from_json_schema() helper to extract defaults from the standard schema structure. Updates LiteLLM proxy config to use LITELLM_OPENAI_API_KEY environment variable.

* Remove .env.example from task_agent

* Fix MDX syntax error in llm-proxy.md

* fix: apply default parameters from metadata.yaml automatically

Fixed TemporalManager.run_workflow() to correctly apply default parameter
values from workflow metadata.yaml files when parameters are not provided
by the caller.

Previous behavior:
- When workflow_params was empty {}, the condition
  `if workflow_params and 'parameters' in metadata` would fail
- Parameters would not be extracted from schema, resulting in workflows
  receiving only target_id with no other parameters

New behavior:
- Removed the `workflow_params and` requirement from the condition
- Now explicitly checks for defaults in parameter spec
- Applies defaults from metadata.yaml automatically when param not provided
- Workflows receive all parameters with proper fallback:
  provided value > metadata default > None

This makes metadata.yaml the single source of truth for parameter defaults,
removing the need for workflows to implement defensive default handling.

Affected workflows:
- llm_secret_detection (was failing with KeyError)
- All other workflows now benefit from automatic default application

Co-authored-by: tduhamel42 <tduhamel@fuzzinglabs.com>

* fix: add default values to llm_analysis workflow parameters

Resolves validation error where agent_url was None when not explicitly provided. The TemporalManager applies defaults from metadata.yaml, not from module input schemas, so all parameters need defaults in the workflow metadata.

Changes:
- Add default agent_url, llm_model (gpt-5-mini), llm_provider (openai)
- Expand file_patterns to 45 comprehensive patterns covering code, configs, secrets, and Docker files
- Increase default limits: max_files (10), max_file_size (100KB), timeout (90s)

* refactor: replace .env.example with .env.template in documentation

- Remove volumes/env/.env.example file
- Update all documentation references to use .env.template instead
- Update bootstrap script error message
- Update .gitignore comment

* feat(cli): add worker management commands with improved progress feedback

Add comprehensive CLI commands for managing Temporal workers:
- ff worker list - List workers with status and uptime
- ff worker start <name> - Start specific worker with optional rebuild
- ff worker stop - Safely stop all workers without affecting core services

Improvements:
- Live progress display during worker startup with Rich Status spinner
- Real-time elapsed time counter and container state updates
- Health check status tracking (starting → unhealthy → healthy)
- Helpful contextual hints at 10s, 30s, 60s intervals
- Better timeout messages showing last known state

Worker management enhancements:
- Use 'docker compose' (space) instead of 'docker-compose' (hyphen)
- Stop workers individually with 'docker stop' to avoid stopping core services
- Platform detection and Dockerfile selection (ARM64/AMD64)

Documentation:
- Updated docker-setup.md with CLI commands as primary method
- Created comprehensive cli-reference.md with all commands and examples
- Added worker management best practices

* fix: MobSF scanner now properly parses files dict structure

MobSF returns 'files' as a dict (not list):
{"filename": "line_numbers"}

The parser was treating it as a list, causing zero findings
to be extracted. Now properly iterates over the dict and
creates one finding per affected file with correct line numbers
and metadata (CWE, OWASP, MASVS, CVSS).

Fixed in both code_analysis and behaviour sections.

* chore: bump version to 0.7.3

* docs: fix broken documentation links in cli-reference

* chore: add worker startup documentation and cleanup .gitignore

- Add workflow-to-worker mapping tables across documentation
- Update troubleshooting guide with worker requirements section
- Enhance getting started guide with worker examples
- Add quick reference to docker setup guide
- Add WEEK_SUMMARY*.md pattern to .gitignore

* docs: update CHANGELOG with missing versions and recent changes

- Add Unreleased section for post-v0.7.3 documentation updates
- Add v0.7.2 entry with bug fixes and worker improvements
- Document that v0.7.1 was re-tagged as v0.7.2
- Fix v0.6.0 date to "Undocumented" (no tag exists)
- Add version comparison links for easier navigation

* chore: bump all package versions to 0.7.3 for consistency

* Update GitHub link to fuzzforge_ai

---------

Co-authored-by: Songbird99 <150154823+Songbird99@users.noreply.github.com>
Co-authored-by: Songbird <Songbirdx99@gmail.com>
2025-11-06 11:07:50 +01:00

13 KiB
Raw Blame History

FuzzForge CLI Reference

Complete reference for the FuzzForge CLI (ff command). Use this as your quick lookup for all commands, options, and examples.

Global Options

Option Description
--help, -h Show help message
--version, -v Show version information

Core Commands

ff init

Initialize a new FuzzForge project in the current directory.

Usage:

ff init [OPTIONS]

Options:

  • --name, -n — Project name (defaults to current directory name)
  • --api-url, -u — FuzzForge API URL (defaults to http://localhost:8000)
  • --force, -f — Force initialization even if project already exists

Examples:

ff init                           # Initialize with defaults
ff init --name my-project         # Set custom project name
ff init --api-url http://prod:8000  # Use custom API URL

ff status

Show project and latest execution status.

Usage:

ff status

Example Output:

📊 Project Status
   Project: my-security-project
   API URL: http://localhost:8000

Latest Execution:
   Run ID: security_scan-a1b2c3
   Workflow: security_assessment
   Status: COMPLETED
   Started: 2 hours ago

ff config

Manage project configuration.

Usage:

ff config                    # Show all config
ff config <key>              # Get specific value
ff config <key> <value>      # Set value

Examples:

ff config                         # Display all settings
ff config api_url                 # Get API URL
ff config api_url http://prod:8000  # Set API URL

ff clean

Clean old execution data and findings.

Usage:

ff clean [OPTIONS]

Options:

  • --days, -d — Remove data older than this many days (default: 90)
  • --dry-run — Show what would be deleted without deleting

Examples:

ff clean                    # Clean data older than 90 days
ff clean --days 30          # Clean data older than 30 days
ff clean --dry-run          # Preview what would be deleted

Workflow Commands

ff workflows

Browse and list available workflows.

Usage:

ff workflows [COMMAND]

Subcommands:

  • list — List all available workflows
  • info <workflow> — Show detailed workflow information
  • params <workflow> — Show workflow parameters

Examples:

ff workflows list                    # List all workflows
ff workflows info python_sast        # Show workflow details
ff workflows params python_sast      # Show parameters

ff workflow

Execute and manage individual workflows.

Usage:

ff workflow <COMMAND>

Subcommands:

ff workflow run

Execute a security testing workflow.

Usage:

ff workflow run <workflow> <target> [params...] [OPTIONS]

Arguments:

  • <workflow> — Workflow name
  • <target> — Target path to analyze
  • [params...] — Parameters as key=value pairs

Options:

  • --param-file, -f — JSON file containing workflow parameters
  • --timeout, -t — Execution timeout in seconds
  • --interactive / --no-interactive, -i / -n — Interactive parameter input (default: interactive)
  • --wait, -w — Wait for execution to complete
  • --live, -l — Start live monitoring after execution
  • --auto-start / --no-auto-start — Automatically start required worker
  • --auto-stop / --no-auto-stop — Automatically stop worker after completion
  • --fail-on — Fail build if findings match SARIF level (error, warning, note, info, all, none)
  • --export-sarif — Export SARIF results to file after completion

Examples:

# Basic workflow execution
ff workflow run python_sast ./project

# With parameters
ff workflow run python_sast ./project check_secrets=true

# CI/CD integration - fail on errors
ff workflow run python_sast ./project --wait --no-interactive \
  --fail-on error --export-sarif results.sarif

# With parameter file
ff workflow run python_sast ./project --param-file config.json

# Live monitoring for fuzzing
ff workflow run atheris_fuzzing ./project --live

ff workflow status

Check status of latest or specific workflow execution.

Usage:

ff workflow status [run_id]

Examples:

ff workflow status                     # Show latest execution status
ff workflow status python_sast-abc123  # Show specific execution

ff workflow history

Show execution history.

Usage:

ff workflow history [OPTIONS]

Options:

  • --limit, -l — Number of executions to show (default: 10)

Example:

ff workflow history --limit 20

ff workflow retry

Retry a failed workflow execution.

Usage:

ff workflow retry <run_id>

Example:

ff workflow retry python_sast-abc123

Finding Commands

ff findings

Browse all findings across executions.

Usage:

ff findings [COMMAND]

Subcommands:

ff findings list

List findings from a specific run.

Usage:

ff findings list [run_id] [OPTIONS]

Options:

  • --format — Output format: table, json, sarif (default: table)
  • --save — Save findings to file

Examples:

ff findings list                        # Show latest findings
ff findings list python_sast-abc123     # Show specific run
ff findings list --format json          # JSON output
ff findings list --format sarif --save  # Export SARIF

ff findings export

Export findings to various formats.

Usage:

ff findings export <run_id> [OPTIONS]

Options:

  • --format — Output format: json, sarif, csv
  • --output, -o — Output file path

Example:

ff findings export python_sast-abc123 --format sarif --output results.sarif

ff findings history

Show finding history across multiple runs.

Usage:

ff findings history [OPTIONS]

Options:

  • --limit, -l — Number of runs to include (default: 10)

ff finding

View and analyze individual findings.

Usage:

ff finding [id]                         # Show latest or specific finding
ff finding show <run_id> --rule <rule>  # Show specific finding detail

Examples:

ff finding                                # Show latest finding
ff finding python_sast-abc123             # Show specific run findings
ff finding show python_sast-abc123 --rule f2cf5e3e  # Show specific finding

Worker Management Commands

ff worker

Manage Temporal workers for workflow execution.

Usage:

ff worker <COMMAND>

Subcommands:

ff worker list

List FuzzForge workers and their status.

Usage:

ff worker list [OPTIONS]

Options:

  • --all, -a — Show all workers (including stopped)

Examples:

ff worker list          # Show running workers
ff worker list --all    # Show all workers

Example Output:

FuzzForge Workers
┏━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ Worker  ┃ Status    ┃ Uptime         ┃
┡━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ android │ ● Running │ 5 minutes ago  │
│ python  │ ● Running │ 10 minutes ago │
└─────────┴───────────┴────────────────┘

✅ 2 worker(s) running

ff worker start

Start a specific worker.

Usage:

ff worker start <name> [OPTIONS]

Arguments:

  • <name> — Worker name (e.g., python, android, rust, secrets)

Options:

  • --build — Rebuild worker image before starting

Examples:

ff worker start python           # Start Python worker
ff worker start android --build  # Rebuild and start Android worker

Available Workers:

  • python — Python security analysis and fuzzing
  • android — Android APK analysis
  • rust — Rust fuzzing and analysis
  • secrets — Secret detection workflows
  • ossfuzz — OSS-Fuzz integration

ff worker stop

Stop all running FuzzForge workers.

Usage:

ff worker stop [OPTIONS]

Options:

  • --all — Stop all workers (default behavior, flag for clarity)

Example:

ff worker stop

Note: This command stops only worker containers, leaving core services (backend, temporal, minio) running.

Monitoring Commands

ff monitor

Real-time monitoring for running workflows.

Usage:

ff monitor [COMMAND]

Subcommands:

  • live <run_id> — Live monitoring for a specific execution
  • stats <run_id> — Show statistics for fuzzing workflows

Examples:

ff monitor live atheris-abc123    # Monitor fuzzing campaign
ff monitor stats atheris-abc123   # Show fuzzing statistics

AI Integration Commands

ff ai

AI-powered analysis and assistance.

Usage:

ff ai [COMMAND]

Subcommands:

  • analyze <run_id> — Analyze findings with AI
  • explain <finding_id> — Get AI explanation of a finding
  • remediate <finding_id> — Get remediation suggestions

Examples:

ff ai analyze python_sast-abc123           # Analyze all findings
ff ai explain python_sast-abc123:finding1  # Explain specific finding
ff ai remediate python_sast-abc123:finding1  # Get fix suggestions

Knowledge Ingestion Commands

ff ingest

Ingest knowledge into the AI knowledge base.

Usage:

ff ingest [COMMAND]

Subcommands:

  • file <path> — Ingest a file
  • directory <path> — Ingest directory contents
  • workflow <workflow_name> — Ingest workflow documentation

Examples:

ff ingest file ./docs/security.md           # Ingest single file
ff ingest directory ./docs                  # Ingest directory
ff ingest workflow python_sast              # Ingest workflow docs

Common Workflow Examples

CI/CD Integration

# Run security scan in CI, fail on errors
ff workflow run python_sast . \
  --wait \
  --no-interactive \
  --fail-on error \
  --export-sarif results.sarif

Local Development

# Quick security check
ff workflow run python_sast ./my-code

# Check specific file types
ff workflow run python_sast . file_extensions='[".py",".js"]'

# Interactive parameter configuration
ff workflow run python_sast . --interactive

Fuzzing Workflows

# Start fuzzing with live monitoring
ff workflow run atheris_fuzzing ./project --live

# Long-running fuzzing campaign
ff workflow run ossfuzz_campaign ./project \
  --auto-start \
  duration=3600 \
  --live

Worker Management

# Check which workers are running
ff worker list

# Start needed worker manually
ff worker start python --build

# Stop all workers when done
ff worker stop

Configuration Files

Project Config (.fuzzforge/config.json)

{
  "project_name": "my-security-project",
  "api_url": "http://localhost:8000",
  "default_workflow": "python_sast",
  "auto_start_workers": true,
  "auto_stop_workers": false
}

Parameter File Example

{
  "check_secrets": true,
  "file_extensions": [".py", ".js", ".go"],
  "severity_threshold": "medium",
  "exclude_patterns": ["**/test/**", "**/vendor/**"]
}

Exit Codes

Code Meaning
0 Success
1 General error
2 Findings matched --fail-on criteria
3 Worker startup failed
4 Workflow execution failed

Environment Variables

Variable Description Default
FUZZFORGE_API_URL Backend API URL http://localhost:8000
FUZZFORGE_ROOT FuzzForge installation directory Auto-detected
FUZZFORGE_DEBUG Enable debug logging false

Tips and Best Practices

  1. Use --no-interactive in CI/CD — Prevents prompts that would hang automated pipelines
  2. Use --fail-on for quality gates — Fail builds based on finding severity
  3. Export SARIF for tool integration — Most security tools support SARIF format
  4. Let workflows auto-start workers — More efficient than manually managing workers
  5. Use --wait with --export-sarif — Ensures results are available before export
  6. Check ff worker list regularly — Helps manage system resources
  7. Use parameter files for complex configs — Easier to version control and reuse

Related Documentation

Need Help?

ff --help                # General help
ff workflow run --help   # Command-specific help
ff worker --help         # Worker management help
Reference in New Issue View Git Blame Copy Permalink