Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/shogo82148/actions-go-fuzz

GitHub Actions for Go fuzzing test

fuzzing github-actions golang

README

[![test](https://github.com/shogo82148/actions-go-fuzz/actions/workflows/test.yml/badge.svg)](https://github.com/shogo82148/actions-go-fuzz/actions/workflows/test.yml)

# GitHub Action for Go Fuzz

This action runs [Go Fuzzing](https://go.dev/security/fuzz/) on GitHub Actions.

## Usage

### Report as a Pull Request

Create a workflow file such as `.github/workflows/fuzz.yml` in your repository:

```yaml
name: "fuzz"
on:
  workflow_dispatch:
  schedule:
    - cron: "36 2 * * 1,4"

permissions:
  contents: write
  pull-requests: write

jobs:
  list:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - id: list
        uses: shogo82148/actions-go-fuzz/list@v1
    outputs:
      fuzz-tests: ${{steps.list.outputs.fuzz-tests}}

  fuzz:
    runs-on: ubuntu-latest
    timeout-minutes: 360
    needs: list
    strategy:
      fail-fast: false
      matrix:
        include: ${{fromJson(needs.list.outputs.fuzz-tests)}}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - uses: shogo82148/actions-go-fuzz/run@v1
        with:
          packages: ${{ matrix.package }}
          fuzz-regexp: ${{ matrix.func }}
          fuzz-time: "355m"
```

The `actions-go-fuzz` action runs each fuzz test with `go test -fuzz FuzzFoo`. If a fuzz test fails, it commits the [failing input](https://go.dev/security/fuzz/#glos-failing-input) (the corpus file that `go test` writes under the package's `testdata/fuzz/` directory) to a new branch and opens a pull request against the base branch. Note that `fuzz-time` must stay below `timeout-minutes`, as in the example above (355 minutes against a 360-minute job), or the job is killed before the action can report.
See [an example of a pull request](https://github.com/shogo82148/actions-go-fuzz/pull/53) generated by the action.
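To make concrete what the `list` action discovers and what the `run` action ends up committing, here is an added example that is not part of the action's own code. It uses a hypothetical length-prefixed record parser with a bounds bug of the kind fuzzing finds quickly, the hardened version beside it, a Go fuzz target of the shape `Fuzz*(f *testing.F)` that the `list` action reports, and a small reimplementation of the `go test fuzz v1` corpus file encoding (for string, []byte and int arguments only) so you can see the file that lands in the pull request. The record format, function names and the crashing input `5:ab` are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"testing"
)

// ParseRecord parses a constructed length-prefixed record "<n>:<payload>".
// It is deliberately buggy: the declared length is never checked against the
// bytes actually present, so a short or negative length panics when slicing.
func ParseRecord(s string) (string, error) {
	i := strings.IndexByte(s, ':')
	if i < 0 {
		return "", errors.New("missing length prefix")
	}
	n, err := strconv.Atoi(s[:i])
	if err != nil {
		return "", err
	}
	return s[i+1 : i+1+n], nil // BUG: n may be negative or exceed len(s)
}

// ParseRecordFixed validates the declared length before slicing, so malformed input is an error, not a panic.
func ParseRecordFixed(s string) (string, error) {
	i := strings.IndexByte(s, ':')
	if i < 0 {
		return "", errors.New("missing length prefix")
	}
	n, err := strconv.Atoi(s[:i])
	if err != nil {
		return "", err
	}
	if remaining := len(s) - i - 1; n < 0 || n > remaining {
		return "", fmt.Errorf("declared length %d, but only %d bytes follow", n, remaining)
	}
	return s[i+1 : i+1+n], nil
}

// FuzzParseRecord is a Go fuzz target: a function named Fuzz* taking *testing.F.
// Functions of this shape are what the list action reports and what the run
// action hands to `go test -fuzz`. In a real repository it lives in a _test.go
// file; it sits here only so the example stays in one file.
func FuzzParseRecord(f *testing.F) {
	f.Add("2:hi") // seed corpus entries
	f.Add("0:")
	f.Fuzz(func(t *testing.T, s string) {
		_, _ = ParseRecord(s) // a returned error is fine; a panic is a crasher
	})
}

// Try runs ParseRecord and reports whether it panicked, which is how the fuzzing engine classifies a crasher.
func Try(s string) (payload string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	p, _ := ParseRecord(s)
	return p, false
}

// CorpusEntry renders fuzz arguments in the "go test fuzz v1" corpus file format
// that `go test` writes under testdata/fuzz/<FuzzName>/ for a failing input; that
// file is what the action commits. Reimplemented here for string, []byte and int.
func CorpusEntry(args ...any) (string, error) {
	var b strings.Builder
	b.WriteString("go test fuzz v1\n")
	for _, a := range args {
		switch v := a.(type) {
		case string:
			fmt.Fprintf(&b, "string(%s)\n", strconv.Quote(v))
		case []byte:
			fmt.Fprintf(&b, "[]byte(%s)\n", strconv.Quote(string(v)))
		case int:
			fmt.Fprintf(&b, "int(%d)\n", v)
		default:
			return "", fmt.Errorf("unsupported corpus argument type %T", a)
		}
	}
	return b.String(), nil
}

func main() {
	crasher := "5:ab" // constructed: declares 5 payload bytes, supplies 2
	_, panicked := Try(crasher)
	fmt.Printf("ParseRecord(%q) panicked: %v\n", crasher, panicked)
	if _, err := ParseRecordFixed(crasher); err != nil {
		fmt.Println("ParseRecordFixed rejects it:", err)
	}
	entry, _ := CorpusEntry(crasher)
	fmt.Print("corpus file the action would commit:\n", entry)
}
```

The committed corpus file is a ready-made reproducer: `go test -run=FuzzParseRecord/<name>` replays it without fuzzing, which is also why the Security section below treats the pull request as sensitive.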

### Report as a Slack Message

You can also receive the report as a Slack message.
[Create an Incoming Webhook](https://api.slack.com/messaging/webhooks) and store its URL as the `SLACK_INCOMING_WEBHOOK` repository secret. The webhook URL is a bearer credential (anyone holding it can post to the channel), so keep it in a secret rather than in the workflow file.
Then add a workflow file in your repository:

```yaml
name: "fuzz"
on:
  workflow_dispatch:
  schedule:
    - cron: "36 2 * * 1,4"

permissions:
  contents: read

jobs:
  list:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - id: list
        uses: shogo82148/actions-go-fuzz/list@v1
    outputs:
      fuzz-tests: ${{steps.list.outputs.fuzz-tests}}

  fuzz:
    runs-on: ubuntu-latest
    timeout-minutes: 360
    needs: list
    strategy:
      fail-fast: false
      matrix:
        include: ${{fromJson(needs.list.outputs.fuzz-tests)}}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - uses: shogo82148/actions-go-fuzz/run@v1
        with:
          packages: ${{ matrix.package }}
          fuzz-regexp: ${{ matrix.func }}
          fuzz-time: "355m"
          report-method: "slack"
          webhook-url: ${{ secrets.SLACK_INCOMING_WEBHOOK }}
```

The `slack` report method does not push a branch or open a pull request, so `contents: read` is all the workflow needs (see Permissions below).

## Permissions

With the `pull-request` report method, the `actions-go-fuzz` action needs the following GitHub token permissions (`contents: write` to push the branch carrying the failing input, `pull-requests: write` to open the pull request):

- `contents: write`
- `pull-requests: write`

You can grant them in the workflow YAML file:

```yaml
permissions:
  contents: write
  pull-requests: write
```

Only the job that runs `shogo82148/actions-go-fuzz/run` uses these grants; the `list` job only reads the repository. Placing the `permissions:` block under the `fuzz` job instead of at the top of the workflow keeps the write grant scoped to the job that needs it.

With the `slack` report method, the `actions-go-fuzz` action needs only:

- `contents: read`

## Inputs of the list action

- `packages`: This is an optional parameter that lets you specify the Go packages for which you want to list the fuzz tests. By default, it targets all packages in your project (`./...`).
- `working-directory`: This is also an optional parameter that allows you to specify a working directory. The default is the root directory (`.`).
- `tags`: A comma-separated list of additional build tags to consider satisfied during the build. It is equivalent to the `-tags` flag of the `go test` command.

## Outputs of the list action

- `fuzz-tests`: JSON-encoded list of all the fuzz tests for the specified Go packages.

## Inputs of the run action

- `repository`: The name of the repository with owner (e.g., `shogo82148/actions-go-fuzz`). It defaults to the repository where the action is running.
- `token`: The GitHub token for the repository. It defaults to the token provided by the GitHub Actions environment.
- `packages`: An optional parameter to specify the Go packages for fuzz tests. By default, it targets all packages in your project (`./...`).
- `working-directory`: This is also an optional parameter that allows you to specify a working directory. The default is the root directory (`.`).
- `fuzz-regexp`: Run the fuzz test matching the regular expression. Corresponds to the `-fuzz` flag for the `go test` command.
- `fuzz-time`: Fuzz target iteration duration, specified as a `time.Duration` (for example `1h30s`). Corresponds to `-fuzztime` flag for the `go test` command. Ensure this is less than your job timeout.
- `fuzz-minimize-time`: Fuzz minimization duration, specified as a `time.Duration` (for example `1h30s`). Corresponds to `-fuzzminimizetime` flag for the `go test` command. If you provide this input, ensure it is less than your job timeout.
- `report-method`: The method to report the result. `pull-request` to create a pull request, `slack` to send a message via Slack Incoming Web Hook.
- `base-branch`: The base branch name of the pull request.
- `head-branch-prefix`: The prefix of the head branch name of the pull request.
- `webhook-url`: The URL of the Slack Incoming Web Hook.
- `tags`: A comma-separated list of additional build tags to consider satisfied during the build. It is equivalent to the `-tags` flag of the `go test` command.

## Outputs of the run action

- `found`: `true` if new crashers were found; otherwise a falsy value.
- `head-branch`: the name of the head branch of the pull request the action created.
- `pull-request-number`: the number of the pull request the action created.
- `pull-request-url`: the URL of the pull request the action created.

## Security

The pull request created by this action, including the committed failing input, is visible to anyone with read access to the repository; on a public repository that is everyone.
A failing input is a ready-made reproducer for the crash, so treat the pull request as potentially disclosing a vulnerability before it is fixed.
If possible, we recommend the `slack` report method, which delivers the report to a Slack channel instead of the repository and needs only `contents: read`.

## License

The scripts and documentation in this project are released under the [MIT License](LICENSE).