Merge pull request #162 from adamdecaf/native-gofuzz

build: switch to native Go fuzzing

.github/workflows/fuzz.yml

@@ -0,0 +1,39 @@
+name: Go Fuzz Testing
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  fuzz-ach:
+    name: Fuzz Metro2
+    runs-on: ubuntu-latest
+    timeout-minutes: 12
+
+    steps:
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v4
+      with:
+        go-version: stable
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - uses: actions/cache@v3
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Fuzz
+      run: |
+        go test ./test/fuzz/... -fuzz Fuzz -fuzztime 10m

README.md

@@ -325,9 +325,10 @@ We maintain a comprehensive suite of unit tests and recommend table-driven testi
 
 ### Fuzzing
 
-We currently run fuzzing over ImageCashLetter in the form of a [`moov/metro2`](https://hub.docker.com/r/moov/metro2fuzz) Docker image. You can [read more](./test/fuzz-reader/README.md) or run the image and report crasher examples to [`security@moov.io`](mailto:security@moov.io). Thanks!
+We currently run fuzzing over ACH in the form of a [Github Action](https://github.com/moov-io/metro2/actions/workflows/fuzz.yml). Please report crashes examples to [`oss@moov.io`](mailto:oss@moov.io). Thanks!
 
 ## Related projects
+
 As part of Moov's initiative to offer open source fintech infrastructure, we have a large collection of active projects you may find useful:
 
 - [Moov Watchman](https://github.com/moov-io/watchman) offers search functions over numerous trade sanction lists from the United States and European Union.

makefile

@@ -52,13 +52,6 @@ docker: clean
 # OpenShift Docker image
 	docker build --pull -t quay.io/moov/metro2:$(VERSION) -f Dockerfile-openshift --build-arg VERSION=$(VERSION) .
 	docker tag quay.io/moov/metro2:$(VERSION) quay.io/moov/metro2:latest
-# ACH Fuzzing Docker image
-	docker build --pull -t moov/metro2fuzz:$(VERSION) . -f Dockerfile-fuzz
-	docker tag moov/metro2fuzz:$(VERSION) moov/metro2fuzz:latest
-
-.PHONY: fuzz
-fuzz:
-	docker run moov/metro2fuzz:latest
 
 .PHONY: clean
 clean:
@@ -90,7 +83,6 @@ AUTHORS:
 release-push:
 	docker push moov/metro2:$(VERSION)
 	docker push moov/metro2:latest
-	docker push moov/metro2fuzz:$(VERSION)
 
 quay-push:
 	docker push quay.io/moov/metro2:$(VERSION)