{"id":13618705,"url":"https://github.com/suecodelabs/cnfuzz","last_synced_at":"2025-04-12T06:31:00.126Z","repository":{"id":38010349,"uuid":"469769148","full_name":"suecodelabs/cnfuzz","owner":"suecodelabs","description":"Breaking Cloud Native Web APIs in their natural habitat.","archived":false,"fork":false,"pushed_at":"2023-04-24T06:00:55.000Z","size":1922,"stargazers_count":36,"open_issues_count":20,"forks_count":2,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-11T20:42:49.175Z","etag":null,"topics":["aws","aws-s3","cicd","cloud-native","data-lake","fuzzing","golang","kubernetes","microsoft","openapi","openapi-spec","opensource","rest-api","rest-api-test","restler","security-tools","service-mesh"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/suecodelabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-03-14T14:27:57.000Z","updated_at":"2025-03-06T07:40:45.000Z","dependencies_parsed_at":"2023-12-18T07:50:37.620Z","dependency_job_id":null,"html_url":"https://github.com/suecodelabs/cnfuzz","commit_stats":{"total_commits":291,"total_committers":10,"mean_commits":29.1,"dds":0.5051546391752577,"last_synced_commit":"878580d4bc3c39f03bcc788d10e971ddd461d668"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suecodelabs%2Fcnfuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suecodelabs%2Fcnfuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suecodelabs%2Fcnfuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/suecodelabs%2Fcnfuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/suecodelabs","download_url":"https://codeload.github.com/suecodelabs/cnfuzz/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248529340,"owners_count":21119493,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-s3","cicd","cloud-native","data-lake","fuzzing","golang","kubernetes","microsoft","openapi","openapi-spec","opensource","rest-api","rest-api-test","restler","security-tools","service-mesh"],"created_at":"2024-08-01T21:00:29.378Z","updated_at":"2025-04-12T06:31:00.069Z","avatar_url":"https://github.com/suecodelabs.png","language":"Go","funding_links":[],"categories":["NF Development Projects"],"sub_categories":["Blogs and Websites"],"readme":"[![Go GitHub Action](https://github.com/suecodelabs/cnfuzz/actions/workflows/go.yml/badge.svg)](https://github.com/suecodelabs/cnfuzz/actions/workflows/go.yml) [![Container Build GitHub Action](https://github.com/suecodelabs/cnfuzz/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/suecodelabs/cnfuzz/actions/workflows/docker-publish.yml) [![Kubernetes Integration GitHub Action](https://github.com/suecodelabs/cnfuzz/actions/workflows/kind.yml/badge.svg)](https://github.com/suecodelabs/cnfuzz/actions/workflows/kind.yml)\n\n\n\u003cimg align=\"right\" width=\"250px\" src=\"images/gopher-throw.png\"\u003e\n\n## cnfuzz - Cloud Native Web API Fuzzer\n\n_\"Breaking Cloud Native Web APIs in their natural habitat.\"_\n\nFuzzing web APIs in their fully converged Cloud Native state renders more representative results, just like it would have been deployed in production.\n\n`cnfuzz` is a project written in Golang that automates fuzzing web APIs deployed in Kubernetes clusters. By tracking hashes of all container images, _(re)deployed_ web API versions will be fuzzed - to detect potential security and stability issues and stores its results in a [data lake](https://aws.amazon.com/big-data/datalakes-and-analytics/what-is-a-data-lake/).\n\nBy using [Pod Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/), [OpenAPI](https://www.openapis.org/) and [RESTler](https://github.com/microsoft/restler-fuzzer) by Microsoft both discovery and fuzzing is being completely automated.\n\n## Why?\n\n- [x] You want to fuzz web API logic where they actually operate, especially when fuzzing complete **Service Meshes**\n- [x] You want to integrate and/or build **data lakes** with fuzzing data on top of **AWS S3** based storage\n- [x] You want to save expensive Cloud CI/CD pipeline credits by using *idle* Kubernetes cluster resources\n- [x] You want fuzzing te be done outside of your CI/CD pipeline\n- [x] You have heavy performance requirements for your fuzzing and Cloud based CI/CD pipelines do not suffice\n- [x] You want to fuzz web API's of services which are interconnected and are being deployed by different teams in the same Kubernetes cluster\n- [x] You want to automatically fuzz existing opensource software for instability issues\n- [x] You get excited over fuzzing farms\n\n## Architecture\n\n\u003cimg align=\"center\" src=\"images/cnfuzz-arch.png\"\u003e\n\n## Usage\n### Installation\n\n```sh\nhelm repo add cnfuzz https://suecodelabs.github.io/cnfuzz\nhelm repo update\nhelm install cnfuzz cnfuzz/cnfuzz\n```\n\n### Getting started\n\nAll it takes to getting started after installation of `cnfuzz` on your Kubernetes cluster is to `annotate` your Kubernetes `Pods`, `Deployments`, `DaemonSets`, etc like in the following example:\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: my-api\nspec:\n  selector:\n    matchLabels:\n      app: my-api\n  replicas: 1\n  template:\n    metadata:\n      labels:\n        app: my-api\n      annotations:\n        cnfuzz/enable: \"true\"\n        cnfuzz/open-api-doc: \"/swagger/swagger.json\"\n        cnfuzz/secret: \"0d5989ed-d60c-470e-b1b5-576fcf0f5d8c\"\n    spec:\n      containers:\n        - name: myapi\n          image: my-api\n          imagePullPolicy: Always\n          ports:\n            - containerPort: 80\n```\n## Development\n\n### Setup Kubernetes development environment\n\n- Install [Kind](https://kind.sigs.k8s.io/) and/or [Rancher Desktop](https://rancherdesktop.io/)\n\n- Install [Helm](https://helm.sh/docs/intro/install/)\n\n\u003cdetails markdown=\"1\"\u003e\u003csummary\u003e\u003ch3\u003eBuild and run\u003c/h3\u003e\u003c/summary\u003e\n\n#### Kind\n\n```sh\n# don't forget to commit your changes locally before deploying to Kind.\nmake kind-init\n```\n#### Rancher Desktop\n\n```sh\n# don't forget to commit your changes locally before deploying to Rancher Desktop.\nmake rancher-init\n```\n\nThese commands do the following:\n- Setup initial deployment of `cnfuzz`\n- Build a container image and load it into `Kubernetes`\n- Install `cnfuzz` via helm with the local built image\n- Create example webapi deployment to fuzz\n\n#### Kind\n\n```sh\n# don't forget to commit your changes locally before deploying to Kind.\nmake kind-build\n```\n#### Rancher Desktop\n\n```sh\n# don't forget to commit your changes locally before deploying to Kind.\nmake rancher-build\n```\n\nThese commands do the following:\n- (re)-build `cnfuzz` and upgrade deployment with latest image\n\n#### Cleanup the build\n\nThis command does the following:\n- delete the `cnfuzz` installation from `Kubernetes`\n\n```sh\nmake k8s-clean\n# If you did a git pull between the above build and the below k8s-clean\n# you will see an error. Specify the release as follows:\nmake k8s-clean GIT_COMMIT=f4fd3d2\n```\n\u003c/details\u003e\n\u003cdetails markdown=\"1\"\u003e\u003csummary\u003e\u003ch3\u003eBuild project\u003c/h3\u003e\u003c/summary\u003e\n\nFor building the project you can use the [`Makefile`](./Makefile).\n\n#### Build Docker image\n\n```sh\nCNFUZZ_IMAGE=myrepo/cnfuzz RESTLERWRAPPER_IMAGE=myrepo/restlerwrapper make image\n```\n#### Compile binary\n\n```sh\n# Compile project to binaries in dist/\nmake all\n```\n\u003c/details\u003e\n\u003cdetails markdown=\"1\"\u003e\u003csummary\u003e\u003ch3\u003eDebugging\u003c/h3\u003e\u003c/summary\u003e\n\nUseful flags for debugging:\n```yaml\n# cnfuzz\n--debug # extra logging\n--local-config # cnfuzz will use your local config in $HOME/.kube/config (by default)\n--config \"hack/default_config.yaml\"\n--ddoc-ip localhost # overwrite the OpenApi doc source IP\n--ddoc-port 8080 # overwrite the OpenApi doc source port\n\n# restlerwrapper\n--debug\n--pod todo-api-xxxxxxxxxx-xxxxx\n--port 8080 # set the port of the target service\n--ddoc-ip localhost # overwrite the IP that is used to get the OpenApi doc\n--dry-run # don't do anything, just print the commands to the console\n--local-config\n--time-budget 0.001 # RESTler jobs complete almost instantly\n```\n\n**NOTE:** *The Devspace setup is currently broken :(*  \n*see [issue #84](https://github.com/suecodelabs/cnfuzz/issues/84)*\n\nThe code can be debugged in your IDE (outside the cluster) with the `--inside-cluster=false` flag.\nBut you can also attach a debugger to a running pod inside a cluster using [DevSpace](https://github.com/loft-sh/devspace).\n\n1. Start by [installing DevSpace](https://github.com/loft-sh/devspace#1-install-devspace)\n2. Run `devspace dev` in the root directory of this repository\n3. Run `air -c air.toml` inside the container\n4. Edit the code and set breakpoints\n5. [Attach your IDE](https://golangdocs.com/remote-debugging-in-golang-java) to the debugger inside the container\n\n\u003c/details\u003e\n\u003cdetails markdown=\"1\"\u003e\u003csummary\u003e\u003ch3\u003ePrepare for release\u003c/h3\u003e\u003c/summary\u003e\n\n```sh\ncd docs\nhelm package ../chart/cnfuzz\nhelm repo index --url https://suecodelabs.github.io/cnfuzz/ .\n```\n\u003c/details\u003e\n\n## Roadmap\n\n- [x] Opensource graduation research project ❤️\n- [x] Get more control over the Restler runtime\n- [ ] Convert the output of Restler to a format that is easier to consume\n- [ ] Integrate more tightly with Kubernetes\n- [ ] Autodiscovery of possible URI prefixes\n- [ ] Add some form of dashboarding\n\n## Sponsors\n\n- [Sue B.V. - Cloud Native Solutions](https://sue.nl/)\n\n## Engineering Team\n\n- Luuk van den Maagdenberg, Lead Developer\n- Pim Merks, Developer\n- Robert Scholts, Developer\n- Sylvia van Os, Developer\n- Ofer Chen, Developer\n- Serge van Namen, Developer / Community Lead\n- Hans Strijker, Maintainer\n- Sam Crauwels, Maintainer\n- Michiel Westerink, Maintainer\n\n## Contribution\n\nCreate an issue, open up a PR or contact us via \u003cengineering@sue.nl\u003e\n\n## Community\n\nEvery first Thursday of the month at 18:30 CET there will be a hybrid community meetup for users, developers and maintainers of the project hosted at Sue B.V. in the Netherlands.\n\n[Google Meet](https://meet.google.com/zom-asij-qkq) or see you at [Sue B.V.](https://g.page/SueBV?share) including lovely drinks and food before the meetup!\n\n## Swag\n\nDo you want swag that our awesome marketing team created for this project?\nCome to our community meetup on prem or contact marketing@sue.nl to receive your swag!\n\n### Stickers \u0026 Gear\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"images/gopher-throw.png\" width=\"250px\" /\u003e\u003cimg src=\"images/gopher-hold.png\" width=\"250px\" /\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"images/cnfuzz-cap.png\" width=\"250px\" /\u003e\u003cimg src=\"images/cnfuzz-shirt.png\" width=\"250px\" /\u003e\n\u003c/div\u003e\n\n## Support\n\nDo you need support that cannot be handled via issue tracking? Please contact us at \u003cengineering@sue.nl\u003e or via the contact form on [this](https://sue.nl/cnfuzz/) page.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuecodelabs%2Fcnfuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsuecodelabs%2Fcnfuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuecodelabs%2Fcnfuzz/lists"}