AI-powered workflow automation and AI Agents platform for AppSec, Fuzzing & Offensive Security. Automate vulnerability discovery with intelligent fuzzing, AI-driven analysis, and a marketplace of security tools.


FuzzingLabs/fuzzforge_ai


🚧 FuzzForge is under active development

AI-powered workflow automation and AI Agents for AppSec, Fuzzing & Offensive Security



🚀 Overview

FuzzForge helps security researchers and engineers automate application security and offensive security workflows with the power of AI and fuzzing frameworks.

  • Orchestrate static & dynamic analysis
  • Automate vulnerability research
  • Scale AppSec testing with AI agents
  • Build, share & reuse workflows across teams

FuzzForge is open source, built to empower security teams, researchers, and the community.

🚧 FuzzForge is under active development. Expect breaking changes.

Note: Fuzzing workflows (atheris_fuzzing, cargo_fuzzing, ossfuzz_campaign) are in early development. OSS-Fuzz integration is under heavy active development. For stable workflows, use: security_assessment, gitleaks_detection, trufflehog_detection, or llm_secret_detection.


Demo - Manual Workflow Setup


Setting up and running security workflows through the interface

👉 More installation options in the Documentation.


✨ Key Features

  • 🤖 AI Agents for Security – Specialized agents for AppSec, reversing, and fuzzing
  • 🛠 Workflow Automation – Define & execute AppSec workflows as code
  • 📈 Vulnerability Research at Scale – Rediscover 1-days & find 0-days with automation
  • 🔗 Fuzzer Integration – Atheris (Python), cargo-fuzz (Rust), OSS-Fuzz campaigns
  • 🌐 Community Marketplace – Share workflows, corpora, PoCs, and modules
  • 🔒 Enterprise Ready – Team/Corp cloud tiers for scaling offensive security

⭐ Support the Project


If you find FuzzForge useful, please star the repo to support development 🚀


🔍 Secret Detection Benchmarks

FuzzForge includes three secret detection workflows benchmarked on a controlled dataset of 32 documented secrets (12 Easy, 10 Medium, 10 Hard):

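| Tool | Recall | Secrets Found | Speed |
|------|--------|---------------|-------|
| LLM (gpt-5-mini) | 84.4% | 41 | 618s |
| LLM (gpt-4o-mini) | 56.2% | 30 | 297s |
| Gitleaks | 37.5% | 12 | 5s |
| TruffleHog | 0.0% | 1 | 5s |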

📊 Full benchmark results and analysis

The LLM-based detector excels at finding obfuscated and hidden secrets through semantic analysis, while pattern-based tools (Gitleaks) offer speed for standard secret formats.
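To make the recall gap concrete, the following added example (not FuzzForge code and not its benchmark dataset) scores a pattern-only scanner per difficulty tier, then adds a single base64-decoding pass. The two regexes are simplified assumptions rather than any tool's real rules, and the five samples are constructed from the AWS documentation example key and a made-up token.

```python
import base64
import re

# Simplified token-format patterns (illustrative; not any tool's real rule set).
PATTERNS = [re.compile(r"\bAKIA[0-9A-Z]{16}\b"),        # AWS access key ID shape
            re.compile(r"\bghp_[0-9A-Za-z]{36}\b")]     # GitHub PAT shape
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

FAKE_AWS = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation example key
FAKE_GH = "ghp_" + "a1B2" * 9       # constructed, not a real token

# Constructed dataset: (difficulty tier, file content, documented secret).
DATASET = [
    ("easy", f'AWS_ACCESS_KEY_ID = "{FAKE_AWS}"', FAKE_AWS),
    ("easy", f"token: {FAKE_GH}", FAKE_GH),
    ("medium", f'key = b64decode("{base64.b64encode(FAKE_AWS.encode()).decode()}")', FAKE_AWS),
    ("hard", f'key = "{FAKE_AWS[:4]}" + "{FAKE_AWS[4:12]}" + "{FAKE_AWS[12:]}"', FAKE_AWS),
    ("hard", f'token = "{FAKE_GH[::-1]}"[::-1]', FAKE_GH),
]

def scan(text):
    """Pure pattern matching on the raw text."""
    return {m.group(0) for rx in PATTERNS for m in rx.finditer(text)}

def scan_decoded(text):
    """Pattern matching plus one pass over decoded base64-looking literals."""
    hits = scan(text)
    for m in B64_LITERAL.finditer(text):
        try:
            hits |= scan(base64.b64decode(m.group(0), validate=True).decode("ascii"))
        except ValueError:   # bad padding/alphabet or non-ASCII payload
            continue
    return hits

def recall_by_tier(scanner, dataset=DATASET):
    """Recall per tier = documented secrets recovered / documented secrets."""
    found, total = {}, {}
    for tier, text, secret in dataset:
        total[tier] = total.get(tier, 0) + 1
        found[tier] = found.get(tier, 0) + (secret in scanner(text))
    return {tier: found[tier] / total[tier] for tier in total}

if __name__ == "__main__":
    for name, scanner in (("patterns only", scan), ("patterns + base64 decode", scan_decoded)):
        print(f"{name:26} {recall_by_tier(scanner)}")
```

Decoding recovers the encoded sample, but the split and reversed literals never appear as a contiguous token in the file, so no fixed pattern can match them.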


📦 Installation

Requirements

Python 3.11+

Python 3.11 or higher is required.

uv Package Manager

curl -LsSf https://astral.sh/uv/install.sh | sh

Docker

For containerized workflows, see the Docker Installation Guide.

Configure AI Agent API Keys (Optional)

For AI-powered workflows, configure your LLM API keys:

cp volumes/env/.env.template volumes/env/.env
# Edit volumes/env/.env and add your API keys (OpenAI, Anthropic, Google, etc.)
# Add your key to LITELLM_GEMINI_API_KEY

Don't change the OPENAI_API_KEY default value, as it is used for the LLM proxy.

This is required for:

  • llm_secret_detection workflow
  • AI agent features (ff ai agent)

Basic security workflows (gitleaks, trufflehog, security_assessment) work without this configuration.

CLI Installation

After installing the requirements, install the FuzzForge CLI:

# Clone the repository
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# Install CLI with uv (from the root directory)
uv tool install --python python3.12 .

⚡ Quickstart

Run your first workflow with Temporal orchestration and automatic file upload:

# 1. Clone the repo
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# 2. Copy the default LLM env config
cp volumes/env/.env.template volumes/env/.env
# 3. Start FuzzForge with Temporal
docker compose up -d
# 4. Start the Python worker (needed for security_assessment workflow)
docker compose up -d worker-python

The first launch can take 2-3 minutes for services to initialize ☕

Workers don't auto-start by default (saves RAM). Start the worker you need before running workflows.

Workflow-to-Worker Quick Reference:

| Workflow | Worker Required | Startup Command |
|----------|-----------------|-----------------|
| security_assessment, python_sast, llm_analysis, atheris_fuzzing | worker-python | docker compose up -d worker-python |
| android_static_analysis | worker-android | docker compose up -d worker-android |
| cargo_fuzzing | worker-rust | docker compose up -d worker-rust |
| ossfuzz_campaign | worker-ossfuzz | docker compose up -d worker-ossfuzz |
| llm_secret_detection, trufflehog_detection, gitleaks_detection | worker-secrets | docker compose up -d worker-secrets |

# 5. Run your first workflow (files are automatically uploaded)
cd test_projects/vulnerable_app/
fuzzforge init  # Initialize FuzzForge project
ff workflow run security_assessment .  # Start workflow - CLI uploads files automatically!
# The CLI will:
# - Detect the local directory
# - Create a compressed tarball
# - Upload to backend (via MinIO)
# - Start the workflow on vertical worker

What's running:

AI-Powered Workflow Execution


AI agents automatically analyzing code and providing security insights

📚 Resources


🤝 Contributing

We welcome contributions from the community!
There are many ways to help:

  • Report bugs by opening an issue
  • Suggest new features or improvements
  • Submit pull requests with fixes or enhancements
  • Share workflows, corpora, or modules with the community

See our Contributing Guide for details.


🗺️ Roadmap

Planned features and improvements:

  • 📦 Public workflow & module marketplace
  • 🤖 New specialized AI agents (Rust, Go, Android, Automotive)
  • 🔗 Expanded fuzzer integrations (LibFuzzer, Jazzer, more network fuzzers)
  • ☁️ Multi-tenant SaaS platform with team collaboration
  • 📊 Advanced reporting & analytics

👉 Follow updates in the GitHub issues and Discord


📜 License

FuzzForge is released under the Business Source License (BSL) 1.1, with an automatic fallback to Apache 2.0 after 4 years.
See LICENSE and LICENSE-APACHE for details.
