Setup Fuzzing in your CI/CD

The best tool is the one that runs automatically and lets you know when something's off! CI Fuzz can be integrated into your CI/CD-pipeline and fuzz your code on every commit or at scheduled times.

We offer example workflows for Github Actions, Jenkins and Gitlab CI/CD that mostly work out-of-the box with minimal setup but can be extended to cover different use cases and setups.

For details concerning these systems, check the corresponding page for example workflows and detailed setup steps:

Download Token

The download token of the CI Fuzz installer is required to install CI Fuzz in your workflow. It can be found in the command in the "Installation" section of the current CI Fuzz installer at downloads.code-intelligence.com.

Features

Feature \ Tool                                   | Github Actions                | Jenkins                       | Gitlab CI/CD
-------------------------------------------------|-------------------------------|-------------------------------|--------------
Install dependencies                             |                               | Preinstall required           |
Install CI Fuzz                                  |                               |                               |
Run fuzzing                                      |                               |                               |
Sync corpus                                      | ✅ with rclone / User defined | ✅ with rclone / User defined | User defined
Generate artifacts with code coverage / findings |                               |                               |
Store findings in new commit                     |                               | User defined (Git Publisher)  |
Upload code scanning report to Github            |                               |                               |

Dependencies

For Debian-based systems (Debian, Ubuntu), you can run

Install dependencies
sudo apt install cmake clang llvm lcov

See "Get started" for more details and information about other distributions and build systems.

Corpus Synchronisation

We strongly recommend synchronising the fuzzing corpus between your fuzzing runs to save progress and to enable testing for regressions.

The fuzzing corpus is stored in the .cifuzz-corpus directory in your project. We recommend using a tool like rclone for easy synchronization. Usage instructions are described in the next section.

Synchronisation with rclone

rclone supports popular cloud storage providers like Amazon S3, Google Cloud Storage and Microsoft Azure File/Blob Storage, in addition to classic protocols like ftp, smb and sftp (ssh), and can simply use the local file system. You can find a full list of supported providers and protocols on the rclone website.

For example, copying the corpus with sftp from storage.mysite.de before starting a fuzzing run can be done with the following command:

rclone copy -v --sftp-host storage.mysite.de :sftp:PROJECT_NAME .cifuzz-corpus

Equivalently, to copy the corpus with sftp to storage.mysite.de after the fuzzing run has ended:

rclone copy -v --sftp-host storage.mysite.de .cifuzz-corpus :sftp:PROJECT_NAME

It's also possible to add an rclone configuration to configure access to your remote storage. See the rclone documentation for detailed instructions.
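As an added example (not code from the CI Fuzz documentation), the following shell wrapper runs the two rclone commands above around the fuzzing command so the corpus persists between pipeline runs. It treats a missing remote directory on the very first run as an empty corpus rather than a failure, and still uploads the corpus when the fuzzer exits with an error. SFTP_HOST, PROJECT_NAME, RUN_SYNC and the function names are assumptions for this illustration.

```shell
#!/usr/bin/env bash
# Added example: corpus synchronisation around a fuzzing run.
# Assumed pipeline variables: SFTP_HOST, PROJECT_NAME (placeholders below).
set -u

CORPUS_DIR="${CORPUS_DIR:-.cifuzz-corpus}"
SFTP_HOST="${SFTP_HOST:-storage.mysite.de}"
PROJECT_NAME="${PROJECT_NAME:-PROJECT_NAME}"
REMOTE=":sftp:${PROJECT_NAME}"   # on-the-fly sftp remote, as in the commands above

# Download the stored corpus. On the first run the remote directory does
# not exist yet, so start with an empty local corpus instead of failing.
corpus_pull() {
    mkdir -p "$CORPUS_DIR"
    if rclone lsd --sftp-host "$SFTP_HOST" "$REMOTE" >/dev/null 2>&1; then
        rclone copy -v --sftp-host "$SFTP_HOST" "$REMOTE" "$CORPUS_DIR"
    else
        echo "corpus_pull: no remote corpus at $REMOTE yet, starting empty" >&2
    fi
}

# Upload the (possibly grown) corpus after the run.
corpus_push() {
    rclone copy -v --sftp-host "$SFTP_HOST" "$CORPUS_DIR" "$REMOTE"
}

# Pull, fuzz, push. The corpus is pushed even when the fuzzer fails (a
# crash is a finding and the inputs leading to it are worth keeping), and
# the fuzzer's exit status is returned so the CI job still goes red.
fuzz_with_corpus_sync() {
    corpus_pull || return $?
    "$@"
    local fuzz_status=$?
    corpus_push || return $?
    return "$fuzz_status"
}

# Runs only when invoked as a CI step, e.g.:
#   RUN_SYNC=1 ./sync_fuzz.sh <your fuzzing command>
if [ "${RUN_SYNC:-0}" = "1" ]; then
    fuzz_with_corpus_sync "$@"
fi
```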

Finding Synchronisation

To allow easy access to your findings, we recommend checking them into the source code repository. This way, developers can access them easily for debugging.

With Git Commits

We recommend checking in your Findings together with your code into the git repository. This can either be done manually by the developers or automatically in the CI/CD pipeline.

Our workflow examples for Github Actions already contain code for automatically committing new findings into the repository. For Jenkins and Gitlab CI/CD please refer to the corresponding documentation.

With rclone

Alternatively, you can also synchronise your Findings with rclone or other tools. However, using git commits makes it easier for developers to get access to all Finding information by just using the repository.