Go CI Fuzz

CLI and set of GitHub Actions to help you run Native Go Fuzz Tests in CI.

It's a light wrapper around go test -fuzz= supporting multiple test targets.

Motivation

This project was created to achieve a developer friendly and lightweight way of running Native Go Fuzz Tests in Continuous Integration pipelines.

It implements missing functionalities in 'go test -fuzz' such as

• run multiple test targets in a single command
• extract failed outputs

Current alternatives (ClusterFuzzLite, go-fuzz, etc.) don't support Native Go Fuzzing or only inadequately through wrappers.

Workflow

flowchart LR
    engineer[Engineer] -- 1. Writes Fuzz Tests --> GitHub
    GitHub -- 2. Schedules a run --> go-ci-fuzz[Go CI Fuzz]
    go-ci-fuzz -- 3. Reports failing inputs --> engineer
    engineer -- 4. Commits failing inputs & fixes  the issue --> GitHub

Loading

Run

Locally

Although this tool is meant for CI pipelines, it's still useful in local development.

If your project has many fuzz tests you can run all of them with:

go install github.com/form3tech-oss/go-ci-fuzz@{version}
go-ci-fuzz fuzz --fuzz-time 10m <packages> [--out /tmp/failures]

As GitHub Action

From your own workflow, you can reference our reusable Github actions located in ./ci/github-actions.

All fuzz findings are uploaded as artifacts to the workflow run.

Here are the Github Action properties:

inputs:
  version:
    description: "Version of go-ci-fuzz, e.g. latest or 0.1.3"
    required: false
    default: "0.1.3"
  source-path:
    description: "Path to the project's source code, current directory by default."
    required: false
    default: "."
  fail-fast:
    description: "Whether to continue fuzzing other targets if failing input was found."
    required: false
    default: "false"
  fuzz-time:
    description: "Cumulative time FuzzTests will run, in Go time.Duration format."
    required: false
    default: "5m"
  artifact-name:
    description: "Name of the artifact"
    required: false
    default: "failing-inputs"

Examples

Here are some example workflows to incorporate in your CI pipelines. Feel free to adjust the fuzz-time according to your appetite!

Fuzz incoming Pull Requests

# .github/workflows/gocifuzz_pr.yml
name: Go CI Fuzz - Pull Requests
on:
  pull_request:
    
permissions:
  contents: read

jobs:
  Fuzz:
    runs-on: ubuntu-20.04
    steps:
    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      with:
        go-version: stable
    - name: Run fuzzers
      id: build
      uses: form3tech-oss/go-ci-fuzz/ci/github-actions/fuzz@2b38b4142d7fa5dde3823e60a358c28ed17635df # v0.1.3
      with:
        fuzz-time: 5m
        fail-fast: true

Fuzz on fixed schedule

# .github/workflows/gocifuzz_schedule.yml
name: Go CI Fuzz - Scheduled
on:
  workflow_dispatch: {}
  schedule:
    - cron: '0 2 * * *'

permissions:
  contents: read
  
jobs:
  Fuzz:
    runs-on: ubuntu-20.04
    steps:
    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      with:
        go-version: stable
    - name: Run fuzzers
      id: build
      uses: form3tech-oss/go-ci-fuzz/ci/github-actions/fuzz@2b38b4142d7fa5dde3823e60a358c28ed17635df # v0.1.3
      with:
        fuzz-time: 30m
        fail-fast: false