oss-fuzz
by google
OSS-Fuzz provides continuous, scalable fuzz testing to automatically find and fix security vulnerabilities in open source software.
OSS-Fuzz - continuous fuzzing for open source software.
Primary Use Case
OSS-Fuzz is designed for open source software developers and security teams who want to improve software security and stability by continuously detecting bugs and vulnerabilities using automated fuzz testing. It is especially useful for projects seeking to leverage modern fuzzing engines and distributed execution to identify critical issues early in the development lifecycle.
- Continuous fuzzing with scalable, distributed execution via ClusterFuzz
- Supports multiple fuzzing engines: libFuzzer, AFL++, Honggfuzz
- Integration with Sanitizers for enhanced bug detection
- Supports multiple programming languages including C/C++, Rust, Go, Python, Java/JVM, and JavaScript
- Fuzzes x86_64 and i386 architectures
- Open source collaboration with Core Infrastructure Initiative and OpenSSF
- Has identified and helped fix over 13,000 vulnerabilities and 50,000 bugs across 1,000 projects
- Provides detailed documentation and community support
Installation
- Visit the OSS-Fuzz detailed documentation at https://google.github.io/oss-fuzz for setup guidance
- Prepare your open source project to integrate fuzz targets compatible with libFuzzer, AFL++, or Honggfuzz
- Configure your project build environment to include Sanitizers for enhanced detection
- Submit your project to OSS-Fuzz following the project onboarding process described in the documentation
- For projects not qualifying for OSS-Fuzz, set up your own fuzzing instance using ClusterFuzz or ClusterFuzzLite
Usage
- Refer to https://google.github.io/oss-fuzz for detailed usage and integration steps. OSS-Fuzz does not provide direct CLI commands in the README; usage involves integrating fuzz targets and submitting projects for continuous fuzzing.
- Use ClusterFuzz to manage distributed fuzzing jobs and bug reporting. ClusterFuzz handles execution and reporting of fuzzing jobs across supported projects.
- Integrate OSS-Fuzz into CI/CD pipelines to enable continuous automated vulnerability discovery early in development.
- Leverage OSS-Fuzz findings to prioritize patching and risk assessment efforts within vulnerability management programs.
- Use OSS-Fuzz outputs to simulate realistic attack vectors for purple team exercises combining red and blue team insights.
- Combine OSS-Fuzz with static analysis tools to enhance coverage of both code quality and security vulnerabilities.
- Explore AI-powered fuzzing enhancements to accelerate discovery of complex bugs and reduce false positives.
Related Tools
trivy
aquasecurity/trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
nuclei
projectdiscovery/nuclei
Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
lynis
CISOfy/lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
vuls
future-architect/vuls
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
nuclei-templates
projectdiscovery/nuclei-templates
Community curated list of templates for the nuclei engine to find security vulnerabilities.
grype
anchore/grype
A vulnerability scanner for container images and filesystems
