ClusterFuzzLite (repo) is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed.
ClusterFuzzLite is based on ClusterFuzz.
- Quick code change (pull request) fuzzing to find bugs before they land
- Downloads of crashing testcases
- Continuous longer running fuzzing (batch fuzzing) to asynchronously find deeper bugs missed during code change fuzzing and build a corpus for use in code change fuzzing
- Coverage reports showing which parts of your code are fuzzed
- Modular functionality, so you can decide which features you want to use
- Java (and other JVM-based languages)
- GitHub Actions
- Google Cloud Build
- Support for more CI systems is in-progess, and extending support to other CI systems is easy
- libFuzzer for coverage-guided testing
- AddressSanitizer for finding memory safety issues
- MemorySanitizer for finding use of uninitialized memory
- UndefinedBehaviorSanitizer for finding undefined behavior (e.g. integer overflows)
If you’re new to using libFuzzer and sanitizers, start with the Overview for an explanation of terms and the fuzzing process.
If you’re already familiar with using libFuzzer and sanitizers, start with Step 1: Build Integration.
Join our mailing list for announcements and discussions.
If you use ClusterFuzzLite, please fill out this form so we know who is using it. This gives us an idea of the impact of ClusterFuzzLite and allows us to justify future work.
Please file an issue if you experience any trouble or have feature requests.