ClusterFuzzLite: Fuzz PRs in CI to Catch Bugs Early
Add ClusterFuzzLite to GitHub Actions workflows with minimal code to fuzz pull requests for vulnerabilities in C/C++/Java/Go/Python/Rust/Swift using libFuzzer and sanitizers, download crashes, view coverage, and run async batch fuzzing.
Embed Fuzzing in PR Workflows to Block Bugs Pre-Commit
ClusterFuzzLite integrates into CI pipelines like GitHub Actions via a few lines of code, triggering coverage-guided fuzzing on pull requests with libFuzzer. This catches regressions from code changes immediately, preventing vulnerable commits. Crashing testcases download directly for reproduction and fixing. For deeper issues missed in short PR runs, enable batch fuzzing to run asynchronously, building a corpus that improves future PR fuzzing efficiency. Coverage reports highlight unfuzzed code paths, guiding developers to expand targets and increase effectiveness.
Modular design lets you enable only needed features—skip batch fuzzing if PR checks suffice—keeping workflows lean. Based on Google's ClusterFuzz, it scales proven infrastructure for open-source and small teams without full ClusterFuzz overhead.
Target Memory and Behavior Bugs with libFuzzer + Sanitizers
Pair libFuzzer's coverage-guided mutation with sanitizers for precise vulnerability detection: AddressSanitizer uncovers memory errors like buffer overflows; MemorySanitizer flags uninitialized memory reads; UndefinedBehaviorSanitizer catches overflows, misaligned accesses, and other UB. Compile targets with these (e.g., -fsanitize=address,fuzzer) for drop-in integration.
This combo finds issues traditional tests miss, as fuzzers explore edge cases via random inputs guided by code coverage. PR fuzzing runs quickly (minutes), while batch mode sustains hours/days for rare deep bugs.
Minimize Setup with Multi-Language and CI Support
Supports C, C++, Java/JVM, Go, Python, Rust, Swift—cover most projects without engine swaps. CI compatibility includes GitHub Actions, GitLab, Google Cloud Build, Prow; extend to others by implementing a simple platform interface.
Start with build integration: expose fuzzer binaries via your build script. Then add runner steps for PR/event fuzzing. New to fuzzing? Review overview for libFuzzer/sanitizer basics; experienced users jump to build docs. Track issues on GitHub, join mailing list for updates, and report usage via form to influence roadmap.