d005521c78
MobSF returns 'files' as a dict (not list):
{"filename": "line_numbers"}
The parser was treating it as a list, causing zero findings
to be extracted. Now properly iterates over the dict and
creates one finding per affected file with correct line numbers
and metadata (CWE, OWASP, MASVS, CVSS).
Fixed in both code_analysis and behaviour sections.
🚧 FuzzForge is under active development
AI-powered workflow automation and AI Agents for AppSec, Fuzzing & Offensive Security
Overview • Features • Installation • Quickstart • AI Demo • Contributing • Roadmap
🚀 Overview
FuzzForge helps security researchers and engineers automate application security and offensive security workflows with the power of AI and fuzzing frameworks.
- Orchestrate static & dynamic analysis
- Automate vulnerability research
- Scale AppSec testing with AI agents
- Build, share & reuse workflows across teams
FuzzForge is open source, built to empower security teams, researchers, and the community.
🚧 FuzzForge is under active development. Expect breaking changes.
Note: Fuzzing workflows (
atheris_fuzzing,cargo_fuzzing,ossfuzz_campaign) are in early development. OSS-Fuzz integration is under heavy active development. For stable workflows, use:security_assessment,gitleaks_detection,trufflehog_detection, orllm_secret_detection.
Demo - Manual Workflow Setup
Setting up and running security workflows through the interface
👉 More installation options in the Documentation.
✨ Key Features
- 🤖 AI Agents for Security – Specialized agents for AppSec, reversing, and fuzzing
- 🛠 Workflow Automation – Define & execute AppSec workflows as code
- 📈 Vulnerability Research at Scale – Rediscover 1-days & find 0-days with automation
- 🔗 Fuzzer Integration – Atheris (Python), cargo-fuzz (Rust), OSS-Fuzz campaigns
- 🌐 Community Marketplace – Share workflows, corpora, PoCs, and modules
- 🔒 Enterprise Ready – Team/Corp cloud tiers for scaling offensive security
⭐ Support the Project
If you find FuzzForge useful, please star the repo to support development 🚀
🔍 Secret Detection Benchmarks
FuzzForge includes three secret detection workflows benchmarked on a controlled dataset of 32 documented secrets (12 Easy, 10 Medium, 10 Hard):
| Tool | Recall | Secrets Found | Speed |
|---|---|---|---|
| LLM (gpt-5-mini) | 84.4% | 41 | 618s |
| LLM (gpt-4o-mini) | 56.2% | 30 | 297s |
| Gitleaks | 37.5% | 12 | 5s |
| TruffleHog | 0.0% | 1 | 5s |
📊 Full benchmark results and analysis
The LLM-based detector excels at finding obfuscated and hidden secrets through semantic analysis, while pattern-based tools (Gitleaks) offer speed for standard secret formats.
📦 Installation
Requirements
Python 3.11+ Python 3.11 or higher is required.
uv Package Manager
curl -LsSf https://astral.sh/uv/install.sh | sh
Docker For containerized workflows, see the Docker Installation Guide.
Configure AI Agent API Keys (Optional)
For AI-powered workflows, configure your LLM API keys:
cp volumes/env/.env.template volumes/env/.env
# Edit volumes/env/.env and add your API keys (OpenAI, Anthropic, Google, etc.)
# Add your key to LITELLM_GEMINI_API_KEY
Dont change the OPENAI_API_KEY default value, as it is used for the LLM proxy.
This is required for:
llm_secret_detectionworkflow- AI agent features (
ff ai agent)
Basic security workflows (gitleaks, trufflehog, security_assessment) work without this configuration.
CLI Installation
After installing the requirements, install the FuzzForge CLI:
# Clone the repository
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# Install CLI with uv (from the root directory)
uv tool install --python python3.12 .
⚡ Quickstart
Run your first workflow with Temporal orchestration and automatic file upload:
# 1. Clone the repo
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# 2. Copy the default LLM env config
cp volumes/env/.env.template volumes/env/.env
# 3. Start FuzzForge with Temporal
docker compose up -d
# 4. Start the Python worker (needed for security_assessment workflow)
docker compose up -d worker-python
The first launch can take 2-3 minutes for services to initialize ☕
Workers don't auto-start by default (saves RAM). Start the worker you need before running workflows.
# 5. Run your first workflow (files are automatically uploaded)
cd test_projects/vulnerable_app/
fuzzforge init # Initialize FuzzForge project
ff workflow run security_assessment . # Start workflow - CLI uploads files automatically!
# The CLI will:
# - Detect the local directory
# - Create a compressed tarball
# - Upload to backend (via MinIO)
# - Start the workflow on vertical worker
What's running:
- Temporal: Workflow orchestration (UI at http://localhost:8080)
- MinIO: File storage for targets (Console at http://localhost:9001)
- Vertical Workers: Pre-built workers with security toolchains
- Backend API: FuzzForge REST API (http://localhost:8000)
AI-Powered Workflow Execution
AI agents automatically analyzing code and providing security insights
📚 Resources
🤝 Contributing
We welcome contributions from the community!
There are many ways to help:
- Report bugs by opening an issue
- Suggest new features or improvements
- Submit pull requests with fixes or enhancements
- Share workflows, corpora, or modules with the community
See our Contributing Guide for details.
🗺️ Roadmap
Planned features and improvements:
- 📦 Public workflow & module marketplace
- 🤖 New specialized AI agents (Rust, Go, Android, Automotive)
- 🔗 Expanded fuzzer integrations (LibFuzzer, Jazzer, more network fuzzers)
- ☁️ Multi-tenant SaaS platform with team collaboration
- 📊 Advanced reporting & analytics
👉 Follow updates in the GitHub issues and Discord
📜 License
FuzzForge is released under the Business Source License (BSL) 1.1, with an automatic fallback to Apache 2.0 after 4 years.
See LICENSE and LICENSE-APACHE for details.