Set up fuzzing in your CI/CD
The best tool is the one that runs automatically and lets you know when something's off. To accomplish this, you can integrate CI Fuzz into your CI/CD pipeline and fuzz your code on every commit or at scheduled times.
Here you can find example workflows for GitHub Actions, Jenkins, and GitLab CI/CD that work out of the box with minimal setup, but you can adjust or extend them to cover different use cases and setups.
For details concerning these systems, check the corresponding page for example workflows and detailed setup steps:
Download token
To install CI Fuzz in your workflow, you need the download token of the CI Fuzz installer. You can find it in the command in the "Installation" section of the current CI Fuzz installer at downloads.code-intelligence.com.
Features
| Feature \ Tool | GitHub Actions | Jenkins | GitLab CI/CD |
|---|---|---|---|
| Install dependencies | ✅ | Pre-install required | ✅ |
| Install CI Fuzz | ✅ | ✅ | ✅ |
| Run fuzzing | ✅ | ✅ | ✅ |
| Sync corpus | ✅ with rclone / User defined | ✅ with rclone / User defined | User defined |
| Generate artifacts with code coverage / Findings | ✅ | ✅ | ✅ |
| Store Findings in new commit | ✅ | User defined (Git Publisher) | ✅ |
| Upload code scanning report to GitHub | ✅ | ❌ | ❌ |
Dependencies
For Debian-based systems, you can run
sudo apt install cmake clang llvm lcov
See the "Get started" page for more details and information about other distributions and build systems.
Corpus synchronization
It's strongly recommended to synchronize the fuzzing corpus between your fuzzing runs to preserve progress and enable testing for regressions.
The fuzzing corpus is stored in the .cifuzz-corpus directory in your project. You can use a tool like rclone for easy synchronization.
Synchronization with rclone
rclone supports popular cloud storage providers like Amazon S3, Google Cloud Storage and Microsoft Azure File/Blob Storage in addition to classic protocols like FTP, SMB, and SFTP, and it can simply use the local file system. You can find a full list of supported providers and protocols on the rclone website.
For example, you can copy the corpus with SFTP from storage.mysite.de before starting a fuzzing run with the following command:
rclone copy -v --sftp-host storage.mysite.de :sftp:PROJECT_NAME .cifuzz-corpus
Equivalently, you can copy the corpus with SFTP to storage.mysite.de after the fuzzing run with the following command:
rclone copy -v --sftp-host storage.mysite.de .cifuzz-corpus :sftp:PROJECT_NAME
It's also possible to add an rclone configuration to configure access to your remote storage. See the rclone documentation for detailed instructions.
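The pull-before and push-after steps above, wrapped into one script as an added example (not part of the CI Fuzz docs or the project's own workflows). It assumes two environment variables that are not on this page, CORPUS_HOST (the SFTP host) and PROJECT_NAME (the remote path), and it treats a failed pull on the very first run, when no remote corpus exists yet, as a warning rather than a pipeline failure, while a failed push is an error because lost inputs defeat regression testing:

```shell
#!/bin/sh
# Constructed example: synchronize the CI Fuzz corpus around a fuzzing run with rclone.
# Assumed (hypothetical) configuration via environment: CORPUS_HOST and PROJECT_NAME.
CORPUS_DIR="${CORPUS_DIR:-.cifuzz-corpus}"
RCLONE="${RCLONE:-rclone}"   # overridable so the script can be exercised without a real remote

require_config() {
  : "${CORPUS_HOST:?set CORPUS_HOST to the SFTP host holding the corpus}"
  : "${PROJECT_NAME:?set PROJECT_NAME to the remote corpus path}"
}

# Remote -> local, run before fuzzing. On the first run the remote path does not
# exist yet, so an empty local corpus is acceptable and the pipeline continues.
corpus_pull() {
  require_config
  mkdir -p "$CORPUS_DIR"
  if "$RCLONE" copy -v --sftp-host "$CORPUS_HOST" ":sftp:$PROJECT_NAME" "$CORPUS_DIR"; then
    echo "corpus pulled from $CORPUS_HOST into $CORPUS_DIR"
  else
    echo "warning: no remote corpus could be pulled, starting from $CORPUS_DIR as is" >&2
  fi
  return 0
}

# Local -> remote, run after fuzzing. 'rclone copy' never deletes on the destination,
# so this only adds new inputs; a failure here means progress was not saved, so fail.
corpus_push() {
  require_config
  if ! "$RCLONE" copy -v --sftp-host "$CORPUS_HOST" "$CORPUS_DIR" ":sftp:$PROJECT_NAME"; then
    echo "error: corpus push to $CORPUS_HOST failed, new inputs were not saved" >&2
    return 1
  fi
  echo "corpus pushed to $CORPUS_HOST"
}

# Usage in a pipeline step: sync_corpus.sh pull  (before)  /  sync_corpus.sh push  (after)
case "${1:-}" in
  pull) corpus_pull ;;
  push) corpus_push ;;
esac
```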
Finding synchronization
To allow easy access to your Findings, you can check them into the source code repository. This way, developers can access them easily for debugging.
If specific Findings shouldn't fail the CI/CD pipeline, you can assess them as not_affected. Then, subsequent runs of CI Fuzz won't return an error if encountering this Finding. Read more about Finding assessment in Manage Findings.
The workflow examples for GitHub Actions contain code for automatically committing new Findings into the repository. For Jenkins and GitLab CI/CD, please refer to the corresponding documentation.
Alternatively, you can also synchronize your Findings with rclone or other tools.