Skip to main content

Github Actions

Prerequisites

The CIFUZZ_DOWNLOAD_TOKEN from downloads.code-intelligence.com has to be added as a secret to the Github project so it can be accessed in the actions. It can be added in the projects' "Settings" under "Secrets and variables" -> "Actions".

For more details on what you can do with CI Fuzz and its outputs in your pipeline, check the general CI/CD-Setup page.

Example Workflow

The following Github Actions workflow shows an example of how you can run CI Fuzz in Github Actions.

  • If you want to commit your findings to the repository, uncomment the contents: write permission and the Commit findings and corpus to repository step.
  • If code scanning is not available or not needed in your project, comment the security-events: write permission and the Upload code-scanning report step.
name: Fuzzing with CI Fuzz

# Runs all Fuzz Tests in this repository with CI Fuzz.

# You need to set CIFUZZ_DOWNLOAD_TOKEN as a repository secret. Get the token
# from https://downloads.code-intelligence.com/.

# Run workflow each time code is pushed to default branch of the repository,
# for every pull request to the default branch and on a schedule. Allow to
# run this workflow manually.
# The scheduled workflow runs every day at 03:50 UTC.
on:
  push:
    branches: [ $default-branch ]
  pull_request:
    branches: [ $default-branch ]
  schedule:
    - cron: '50 03 * * *'
  workflow_dispatch:

jobs:
  fuzz:
    runs-on: ubuntu-latest

    permissions:
      # Please comment-out the ones you don't need and uncomment the ones you do need

      # Required to Upload findings to Github code scanning
      security-events: write

      # Required to commit findings to repository
      # contents: write

    steps:
      # Adapt this if you are not running on a container with Debian-based distribution
      - name: Install dependecies
        run: |
          sudo apt update
          sudo apt install cmake clang llvm lcov rclone

      - name: Checkout repository
        uses: "actions/checkout@v4"

      - name: Install CI Fuzz
        uses: "CodeIntelligenceTesting/actions/install-cifuzz@v1"
        with:
          version: 3.12.0
          download-token: ${{ secrets.CIFUZZ_DOWNLOAD_TOKEN }}


      # Needs configuration of rclone
      # - name: Copy corpus from cloud storage
      #   run: |
      #     mkdir -p .cifuzz-corpus
      #     rclone copy -v cloud-storage:corpora/PROJECT_NAME .cifuzz-corpus

      - name: Run fuzzing
        uses: "CodeIntelligenceTesting/actions/run-fuzzing@v1"
        with:
          duration: 15s

      # Needs configuration of rclone
      # - name: Copy corpus to cloud storage
      #   run: |
      #     rclone copy -v .cifuzz-corpus cloud-storage:corpora/PROJECT_NAME

      - name: Upload code-scanning report
        uses: "CodeIntelligenceTesting/actions/upload-code-scanning-report@v1"

      # Uncomment this step if you want to commit all findings found when running this workflow:
      # - name: Commit findings to repository
      #   run: |
      #     git config --global user.name 'Github Action'
      #     git config --global user.email 'zgtm@users.noreply.github.com'
      #     git add .cifuzz-findings
      #     git commit -m "Automated commit of CI Fuzz findings"
      #     git push

      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: cifuzz-coverage
          path: coverage_report

      - name: Upload lcov report
        uses: actions/upload-artifact@v4
        with:
          name: cifuzz-coverage-lcov
          path: lcov.info

      - name: Upload findings report
        uses: actions/upload-artifact@v4
        with:
          name: cifuzz-findings
          path: findings.txt