-
Notifications
You must be signed in to change notification settings - Fork 61
177 lines (156 loc) · 6.07 KB
/
fuzz.yaml
File metadata and controls
177 lines (156 loc) · 6.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
# Copyright 2026 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: Fuzz Tests
on:
schedule:
# Run weekly on Sunday at midnight UTC
- cron: "0 0 * * 0"
workflow_dispatch:
inputs:
fuzz_target:
description: "Specific fuzzer to run (leave empty for all)"
required: false
default: ""
type: string
fuzz_time:
description: "Fuzz duration per target (e.g., 30s, 1m, 5m)"
required: false
default: "30s"
type: choice
options:
- "10s"
- "30s"
- "1m"
- "5m"
- "10m"
- "30m"
- "60m"
- "180m"
env:
GO_RELEASE: "go-1.26"
YARA_X_RELEASE: "1.15.0"
permissions: {}
jobs:
discover:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-24.04-arm
permissions:
contents: read
outputs:
targets: ${{ steps.find.outputs.targets }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
*.blob.core.windows.net:443
*.githubapp.com:443
github.com:443
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Discover fuzz targets
id: find
env:
TARGET_FILTER: ${{ inputs.fuzz_target }}
run: |
# Find all Fuzz* functions in test files and build JSON array
# Format: [{"test": "FuzzName", "package": "./pkg/path/"}]
all_targets=$(grep -r "^func Fuzz" --include="*_test.go" -l pkg/ | while read -r file; do
dir="./$(dirname "${file}")/"
grep -o "^func Fuzz[A-Za-z0-9_]*" "${file}" | sed 's/^func //' | while read -r func; do
echo "{\"test\":\"${func}\",\"package\":\"${dir}\"}"
done
done | jq -s -c '.')
targets="${all_targets}"
# If a specific target is requested, validate and filter
if [ -n "${TARGET_FILTER}" ]; then
# Validate format: must start with "Fuzz" and contain only alphanumeric/underscore
if ! echo "${TARGET_FILTER}" | grep -qE '^Fuzz[A-Za-z0-9_]+$'; then
echo "::error::Invalid fuzz target format: '${TARGET_FILTER}'. Must match pattern 'Fuzz[A-Za-z0-9_]+'"
exit 1
fi
# Filter to the requested target
targets=$(echo "${all_targets}" | jq -c --arg t "${TARGET_FILTER}" '[.[] | select(.test == $t)]')
# Check if target exists
if [ "${targets}" = "[]" ]; then
echo "::error::Fuzz target '${TARGET_FILTER}' not found."
echo "Available targets:"
echo "${all_targets}" | jq -r '.[].test' | sort | sed 's/^/ - /'
exit 1
fi
fi
echo "targets=${targets}" >> "${GITHUB_OUTPUT}"
echo "Discovered targets: ${targets}"
fuzz:
if: ${{ github.repository == 'chainguard-dev/malcontent' && needs.discover.outputs.targets != '[]' }}
needs: discover
runs-on: ${{ matrix.target.test == 'FuzzExtractArchive' && 'ubuntu-latest-arm-8-core' || 'ubuntu-24.04-arm' }}
permissions:
contents: read
strategy:
fail-fast: false
matrix:
target: ${{ fromJson(needs.discover.outputs.targets) }}
container:
image: cgr.dev/chainguard/wolfi-base:latest@sha256:9a74366aa10eff2bf14dab0948123bd2c51703e1c553a73740ef687f723aecf4
options: >-
--cap-add DAC_OVERRIDE
--cap-add SETGID
--cap-add SETUID
--cap-drop ALL
--cgroupns private
--cpu-shares=${{ matrix.target.test == 'FuzzExtractArchive' && '8192' || '4096' }}
--memory-swappiness=0
--security-opt no-new-privileges
--ulimit core=0
--ulimit nofile=65535:65535
--ulimit nproc=65535:65535
steps:
- name: Install dependencies
run: |
apk update
apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Trust repository
run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
- name: Get Go cache paths
id: go-env
run: |
echo "modcache=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}"
echo "cache=$(go env GOCACHE)" >> "${GITHUB_OUTPUT}"
- name: Cache Go dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: |
${{ steps.go-env.outputs.modcache }}
${{ steps.go-env.outputs.cache }}
key: go-${{ hashFiles('go.sum') }}
restore-keys: go-
- name: Get samples commit
id: samples
if: contains(matrix.target.package, 'programkind')
run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT"
- name: Cache malcontent samples
if: contains(matrix.target.package, 'programkind')
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: out/chainguard-sandbox/malcontent-samples
key: samples-${{ steps.samples.outputs.commit }}
- name: Clone malcontent samples (required for programkind fuzzers)
if: contains(matrix.target.package, 'programkind')
run: |
make samples
# -parallel=1 is used for now due to this: https://github.com/golang/go/issues/56238
- name: Run fuzzer - ${{ matrix.target.test }}
env:
FUZZ_TARGET: ${{ matrix.target.test }}
FUZZ_PACKAGE: ${{ matrix.target.package }}
FUZZ_TIME: ${{ inputs.fuzz_time || '30s' }}
run: |
go test -parallel=1 -timeout 0 -fuzz="^${FUZZ_TARGET}$" -fuzztime="${FUZZ_TIME}" "${FUZZ_PACKAGE}"