Skip to content
Close
Login
Login

Fuzzing As Easy As Unit Testing

CI Fuzz is an open-source solution that lets you run feedback-based fuzz tests from your command line. Every developer can use it to find bugs and vulnerabilities with three simple commands.

# Initialize fuzzing

$ cifuzz init

# Create your first fuzz test

$ cifuzz create my_fuzz_test

# Run fuzz test and find bugs

$ cifuzz run my_fuzz_test

Start Fuzzing

  README.md


See README.md on GitHub

cifuzz


makes fuzz tests as easy as unit tests

release v.1.6.0 68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f436f6465496e74656c6c6967656e636554657374696e672f636966757a7a2f706970656c696e655f74657374732e796d6c3f PRs welcome licence Apache-2.0

Docs | Glossary | Examples | Website | Blog | Twitter | YouTube


IMPORTANT: This project is under active development. Be aware that the behavior of the commands or the configuration can change.

What is cifuzz


cifuzz is a CLI tool that helps you to integrate and run fuzzing based tests into your project.

Features

  • Easily set up, create and run fuzz tests
  • Generate coverage reports that can be integrated in your IDE
  • Supports multiple programming languages and build systems

Integrations


Coming Soon

Getting started


If you are new to the world of fuzzing, we recommend you to take a look at our Glossary and our example projects.

Read the getting started guide if you just want to learn how to fuzz your applications with cifuzz.

Installation

You can get the latest release from GitHub or by running our install script:

sh -c "$(curl -fsSL https://raw.githubusercontent.com/CodeIntelligenceTesting/cifuzz/main/install.sh)"

If you are using Windows, you can download the latest release and execute it.

By default, CI Fuzz gets installed in your home directory under cifuzz. You can customize the installation directory with ./cifuzz_installer -i /target/dir.

Do not forget to add the installation's bin directory to your PATH.

Prerequisites

C/C++ (with CMake) Installation Prerequisites

Ubuntu / Debian

sudo apt install cmake clang llvm

Arch

sudo pacman -S cmake clang llvm

macOS

brew install cmake llvm

Windows

At least Visual Studio 2022 version 17 is required.

choco install cmake llvm
C/C++ (with Bazle) Installation Prerequisites

Ubuntu / Debian

sudo curl -L https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 -o /usr/local/bin/bazel
sudo chmod +x /usr/local/bin/bazel
sudo apt install clang llvm lcov default-jdk

Arch

sudo pacman -S clang llvm lcov python jdk-openjdk
sudo curl -L https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 -o /usr/local/bin/bazel
sudo chmod +x /usr/local/bin/bazel

macOS

brew install llvm lcov openjdk bazelisk

Windows

At least Visual Studio 2022 version 17 is required.

choco install cmake llvm microsoft-openjdk bazelisk
Java (with Maven)

Installation Prerequisites

Ubuntu / Debian

sudo apt install openjdk maven 

Arch

sudo pacman -S jdk-openjdk maven

macOS

brew install openjdk maven

Windows

choco install microsoft-openjdk maven
Java (with Gradle) Installation Prerequisites

Ubuntu / Debian

sudo apt install openjdk gradle

Arch

sudo pacman -S jdk-openjdk gradle

macOS

brew install openjdk gradle

Windows

choco install microsoft-openjdk gradle

Contributing

Want to help improve cifuzz? Check out our contributing documentation. There you will find instructions for building the tool locally.

If you find an issue, please report it on the issue tracker.

Start Fuzzing

Tutorial: How to Use CI Fuzz

Jochen Hilgers, one of the maintainers of CI Fuzz, demonstrates how CLI-integrated fuzz testing can be used to uncover bugs and vulnerabilities in C/C++.

Click here to see the full recording.
Uncovering Hidden Bugs and Vulnerabilities in C/C++
CARIAD VW Group
"Thanks to Code Intelligence, our security testing became significantly more effective. All our developers are now able to fix business critical bugs early in the development process, without false-positives."
Weichslgartner
Andreas WeichslgartnerDeveloper, Security Professional