CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-02-13 09:52:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e0948533c053b48b8244ee3faa4745e941bdaaf9
fuzzforge_ai/test_projects
History
tduhamel42 ddc6f163f7 feat(test): add automated workflow testing framework 
- Add test matrix configuration (.github/test-matrix.yaml)
  - Maps 8 workflows to workers, test projects, and parameters
  - Excludes LLM and OSS-Fuzz workflows
  - Defines fast, full, and platform test suites

- Add workflow execution test script (scripts/test_workflows.py)
  - Executes workflows with parameter validation
  - Validates SARIF export and structure
  - Counts findings and measures execution time
  - Generates test summary reports

- Add platform detection unit tests (cli/tests/test_platform_detection.py)
  - Tests platform detection (x86_64, aarch64, arm64)
  - Tests Dockerfile selection for multi-platform workers
  - Tests metadata.yaml parsing
  - Includes integration tests

- Add GitHub Actions workflow (.github/workflows/test-workflows.yml)
  - Platform detection unit tests
  - Fast workflow tests (5 workflows on every PR)
  - Android platform-specific tests (AMD64 + ARM64)
  - Full workflow tests (on main/schedule)
  - Automatic log collection on failure

- Add comprehensive testing documentation (docs/docs/development/testing.md)
  - Local testing guide
  - CI/CD testing explanation
  - Platform-specific testing guide
  - Debugging guide and best practices

- Update test.yml with reference to new workflow tests

- Remove tracked .fuzzforge/findings.db (already in .gitignore)

Tested locally:
- Single workflow test: python_sast (6.87s) 
- Fast test suite: 5/5 workflows passed 
  - android_static_analysis (98.98s) 
  - python_sast (6.78s) 
  - secret_detection (38.04s) 
  - gitleaks_detection (1.67s) 
  - trufflehog_detection (1.64s)
2025-10-29 14:34:31 +01:00
..
android_test
feat: Add Android static analysis workflow with Jadx, OpenGrep, and MobSF
2025-10-23 10:25:52 +02:00
python_fuzz_waterfall
CI/CD Integration with Ephemeral Deployment Model (#14)
2025-10-14 10:13:45 +02:00
rust_fuzz_test
feat: Add secret detection workflows and comprehensive benchmarking (#15)
2025-10-16 11:21:24 +02:00
secret_detection_benchmark
feat(test): add automated workflow testing framework
2025-10-29 14:34:31 +01:00
vulnerable_app
feat: Add Android static analysis workflow with Jadx, OpenGrep, and MobSF
2025-10-23 10:25:52 +02:00
README.md
docs: Remove obsolete volume_mode references from documentation
2025-10-16 11:36:53 +02:00

README.md

FuzzForge Vulnerable Test Project

This directory contains a comprehensive vulnerable test application designed to validate FuzzForge's security workflows. The project contains multiple categories of security vulnerabilities to test security_assessment, gitleaks_detection, trufflehog_detection, and llm_secret_detection workflows.

Test Project Overview

Vulnerable Application (vulnerable_app/)

Purpose: Comprehensive vulnerable application for testing security workflows

Supported Workflows:

  • security_assessment - General security scanning and analysis
  • gitleaks_detection - Pattern-based secret detection
  • trufflehog_detection - Entropy-based secret detection with verification
  • llm_secret_detection - AI-powered semantic secret detection

Vulnerabilities Included:

  • SQL injection vulnerabilities
  • Command injection
  • Hardcoded secrets and credentials
  • Path traversal vulnerabilities
  • Weak cryptographic functions
  • Server-side template injection (SSTI)
  • Pickle deserialization attacks
  • CSRF missing protection
  • Information disclosure
  • API keys and tokens
  • Database connection strings
  • Private keys and certificates

Files:

  • Multiple source code files with various vulnerability types
  • Configuration files with embedded secrets
  • Dependencies with known vulnerabilities

Expected Detections: 30+ findings across both security assessment and secret detection workflows

Usage Instructions

Testing with FuzzForge Workflows

The vulnerable application can be tested with multiple security workflows:

# Test security assessment workflow
curl -X POST http://localhost:8000/workflows/security_assessment/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

# Test Gitleaks secret detection workflow
curl -X POST http://localhost:8000/workflows/gitleaks_detection/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

# Test TruffleHog secret detection workflow
curl -X POST http://localhost:8000/workflows/trufflehog_detection/submit \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app"
  }'

Expected Results

Each workflow should produce SARIF-formatted results with:

  • High-severity findings for critical vulnerabilities
  • Medium-severity findings for moderate risks
  • Detailed descriptions and remediation guidance
  • Code flow information where applicable

Validation Criteria

A successful test should detect:

  • Security Assessment: At least 20 various security vulnerabilities
  • Gitleaks Detection: At least 10 different types of secrets
  • TruffleHog Detection: At least 5 high-entropy secrets
  • LLM Secret Detection: At least 15 secrets with semantic understanding

Security Notice

⚠️ WARNING: This project contains intentional security vulnerabilities and should NEVER be deployed in production environments or exposed to public networks. It is designed solely for security testing and validation purposes.

File Structure

test_projects/
├── README.md
└── vulnerable_app/
    ├── [Multiple vulnerable source files]
    ├── [Configuration files with secrets]
    └── [Dependencies with known issues]
Reference in New Issue View Git Blame Copy Permalink