{"id":13809700,"url":"https://github.com/trailofbits/testing-handbook","last_synced_at":"2025-04-15T00:32:00.504Z","repository":{"id":216149284,"uuid":"740581793","full_name":"trailofbits/testing-handbook","owner":"trailofbits","description":"Trail of Bits Testing Handbook","archived":false,"fork":false,"pushed_at":"2025-04-09T19:36:17.000Z","size":20411,"stargazers_count":69,"open_issues_count":19,"forks_count":12,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-04-09T20:29:17.087Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://appsec.guide/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-08T16:29:56.000Z","updated_at":"2025-04-09T19:36:20.000Z","dependencies_parsed_at":"2024-04-01T12:27:43.679Z","dependency_job_id":"56a15692-edce-4635-b929-c8160934faf0","html_url":"https://github.com/trailofbits/testing-handbook","commit_stats":null,"previous_names":["trailofbits/testing-handbook"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftesting-handbook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftesting-handbook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftesting-handbook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftesting-handbook/manifests","owner
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trailofbits","download_url":"https://codeload.github.com/trailofbits/testing-handbook/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248984395,"owners_count":21193742,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T02:00:34.604Z","updated_at":"2025-04-15T00:31:55.494Z","avatar_url":"https://github.com/trailofbits.png","language":"Rust","readme":"# Trail of Bits Testing Handbook\n\n![Testing-Handbook-logo][logo]\n\n[logo]:th-logo.jpg\n\nThe Trail of Bits Testing Handbook is a resource for developers and security professionals on configuring, optimizing,\nand automating many static and dynamic analysis tools we use at Trail of Bits.\n\n## Preview Testing Handbook: [https://appsec.guide](https://appsec.guide) 🌐\n\n## Why is this needed? ✨\n\n- 📃 The documentation for configuring and optimizing existing tools is often not developer-friendly, as it is often meant\nfor security professionals. This is especially the case when it comes to fuzzing utilities. 
This can lead to frustration\nand poor adoption of security tools that should be straightforward to configure.\n- ⚙️ Even if a tool is easy to configure locally, it can be difficult to configure in CI/CD pipelines.\nOften, security tools are set up by following online documentation, but their configuration is rarely optimized.\nThis can lead to a noisy tool that is more difficult to maintain than it is worth.\n- 🧠 We aim to make it as easy as possible to set up security tools effectively. In doing so, we also\nhope to demystify static and dynamic analysis techniques such as fuzzing and taint analysis.\n\n## Chapters\n\n### ✅ Released\n\n|Topic|Announcing Blog Post|Year|\n|---|---|---|\n|[Semgrep](https://appsec.guide/docs/static-analysis/semgrep/)| [Announcing the Trail of Bits Testing Handbook](https://blog.trailofbits.com/2023/07/26/announcing-the-trail-of-bits-testing-handbook/)|2023|\n|[CodeQL](https://appsec.guide/docs/static-analysis/codeql/)| [Say hello to the next chapter of the Testing Handbook!](https://blog.trailofbits.com/2023/12/11/say-hello-to-the-next-chapter-of-the-testing-handbook/)|2023|\n|[Fuzzing](https://appsec.guide/docs/fuzzing/)| [Master fuzzing with our new Testing Handbook chapter](https://blog.trailofbits.com/2024/02/09/master-fuzzing-with-our-new-testing-handbook-chapter/)|2024|\n|[Burp](https://appsec.guide/docs/web/burp/)| [Announcing the Burp Suite Professional chapter in the Testing Handbook](https://blog.trailofbits.com/2024/06/14/announcing-the-burp-suite-professional-chapter-in-the-testing-handbook/)|2024|\n| [Cryptographic testing - Wycheproof and Constant time analysis tooling](https://appsec.guide/docs/crypto/) | TBD | 2024 |\n\n### 🎥 Webinars\n\n| Topic | Link |\n|---|---|\n| Introduction to Semgrep | https://www.youtube.com/watch?v=yKQlTbVlf0Q |\n| Introduction to CodeQL: Examples, Tools and CI Integration | https://www.youtube.com/watch?v=rQRlnUQPXDw |\n| Mastering Web Research with Burp Suite | 
https://www.youtube.com/watch?v=0PV5QEQTmPg |\n\n### 🚧 Under construction\n\n- Formal verification and Tamarin\n- Rust\n\n## How to contribute\n\nIf you would like to contribute to the Testing Handbook, here are some guidelines to help you get started:\n\n1. **Add a New Tool**: If you want to cover a new tool in the Testing Handbook,\npropose a topic in GitHub Issues. Afterward, you can work on a new pull request.\n1. **Improve Existing Chapters**: If you have an idea to make a specific chapter better,\nyou can add a GitHub issue.\n1. **Pick Up Small Tasks**: If you don't have much time but still want to contribute,\nyou can pick up any small task from the GitHub issues list.\n1. **Report Issues**: If you find a small technical issue or a typo,\ncreate a new GitHub issue and/or fix it in a new pull request.\n\n### Quick setup for convenient development\n\n1. Install Hugo on your system\n\n    ```shell\n    brew install hugo\n    ```\n\n2. Clone the repo\n\n    ```shell\n    git clone --recurse-submodules https://github.com/trailofbits/testing-handbook.git\n    ```\n\n3. Create a new branch or select a branch you want to work on\n\n   ```shell\n   cd testing-handbook\n   # then\n   git checkout -b name-of-your-new-branch\n   # or\n   git checkout name-of-existing-branch\n   ```\n\n4. Run the Hugo server with drafts turned on (`-D`) from the project's root directory.\nYour browser will be automatically refreshed with changes whenever you save a file.\n\n    ```shell\n    hugo server -D\n    ```\n\n5. Add a new tool as \"doc\", and run the following from the project's root directory.\n\n    ```shell\n    hugo new docs/\u003cname of tool\u003e\n    ```\n\n    **Note**: This project uses the same hugo template as [zkdocs](https://www.zkdocs.com/). The template refers to each\n    new page as a \"doc,\" as opposed to a post. This is why you'd want to type `hugo new docs/\u003cname of tool\u003e` and not `post/my-new-post`.\n\n6. 
Edit, add, and create pull requests to merge your changes into `main`.\n\n7. ❗Keep in mind that when you merge your PR into `main`, the content goes live at \u003chttps://appsec.guide\u003e.\n    Our current policy requires at least one review before merging.\n\n8. For updates to the home page, edit [content/_index.md](content/_index.md).\n\n## Guidelines\n\n- The format should be consistent between each \"doc.\" When adding a new doc (i.e., when adding a new tool), follow the\n  template in [content/docs/template.md](content/docs/template.md). Send a PR for this file with suggested changes as needed.\n\n- Create a new branch with your changes, and create a PR to merge into `main` when you are done.\n\n- The GitHub workflow in this repository verifies the correctness of Markdown files through three checks:\n  1. **Markdown Link Check**: This step extracts links from Markdown files and verifies if they are valid and accessible.\n    It uses the [lychee link checking action](https://github.com/lycheeverse/lychee-action).\n  2. **Markdown Linter**: This step ensures that Markdown files adhere to the desired style and formatting rules.\n    It uses a custom configuration file (`.github/workflows/.markdownlint.jsonc`) and the\n     [markdownlint-cli2-action](https://github.com/DavidAnson/markdownlint-cli2-action) action.\n     Use the [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint) extension\n     with Visual Studio Code for a better user experience while working on the Testing Handbook.\n  3. 
**Spellcheck**: This step checks the spelling in Markdown files\n     (built on top of [retext](https://github.com/retextjs/retext) and [remark](https://github.com/remarkjs/remark)).\n     It uses the [tbroadley/spellchecker-cli-action](https://github.com/tbroadley/spellchecker-cli-action) action.\n\n- Familiarize yourself with the [Hugo Book theme](https://hugo-book-demo.netlify.app/)\nas it has a couple of nice features (buttons, etc.).\n- Reach out in [#testing-handbook](https://empirehacking.slack.com/archives/C06CSLSQAMB) on the Empire Hacking Slack if you have any questions.\n\n## Editing\n\n### Writing Guidelines\n\n- The term \"Testing Handbook\" should be capitalized any time it appears on the website (whether in a header/subheader or running text),\nsince it is the title of a document. But if you'd like to avoid the capitalization because it looks strange, you can substitute\n\"this handbook\" for \"Testing Handbook\" (since it's clear enough what the title of the handbook is).\n\n### Workflow: From Google Docs\n\nYou can export the document from Google Docs as Markdown. Open the document in Google Docs. Click `File` \u003e `Download`, and then select `Markdown (.md)`.\n\n### Custom environments\n\n```md\n{{\u003c customFigure \"Caption\" \u003e}}\n{{\u003c /customFigure \u003e}}\n\n{{\u003c resourceFigure \"cov1.png\" \u003e}}\n{{\u003c /resourceFigure \u003e}}\n\n{{\u003c hint info \u003e}}\n{{\u003c /hint \u003e}}\n```\n","funding_links":[],"categories":["CodeQL Getting Started and Guides (along side the [official docs](https://codeql.github.com/docs/))"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Ftesting-handbook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Ftesting-handbook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Ftesting-handbook/lists"}