AI-powered workflow automation and AI Agents for AppSec, Fuzzing & Offensive Security
Overview β’ Features β’ Installation β’ Quickstart β’ AI Demo β’ Contributing β’ Roadmap
Crashwise helps security researchers and engineers automate application security and offensive security workflows with the power of AI and fuzzing frameworks.
- Orchestrate static & dynamic analysis
- Automate vulnerability research
- Scale AppSec testing with AI agents
- Build, share & reuse workflows across teams
Crashwise is open source, built to empower security teams, researchers, and the community.
π§ Crashwise is under active development. Expect breaking changes.
Note: Fuzzing workflows (
atheris_fuzzing,cargo_fuzzing,ossfuzz_campaign) are in early development. OSS-Fuzz integration is under heavy active development. For stable workflows, use:security_assessment,gitleaks_detection,trufflehog_detection, orllm_secret_detection.
- π€ AI Agents for Security β Specialized agents for AppSec, reversing, and fuzzing
- π Workflow Automation β Define & execute AppSec workflows as code
- π Vulnerability Research at Scale β Rediscover 1-days & find 0-days with automation
- π Fuzzer Integration β Atheris (Python), cargo-fuzz (Rust), OSS-Fuzz campaigns
- π Community Marketplace β Share workflows, corpora, PoCs, and modules
- π Enterprise Ready β Team/Corp cloud tiers for scaling offensive security
If you find Crashwise useful, please star the repo to support development π
Crashwise includes three secret detection workflows benchmarked on a controlled dataset of 32 documented secrets (12 Easy, 10 Medium, 10 Hard):
| Tool | Recall | Secrets Found | Speed |
|---|---|---|---|
| LLM (gpt-5-mini) | 84.4% | 41 | 618s |
| LLM (gpt-4o-mini) | 56.2% | 30 | 297s |
| Gitleaks | 37.5% | 12 | 5s |
| TruffleHog | 0.0% | 1 | 5s |
π Full benchmark results and analysis
The LLM-based detector excels at finding obfuscated and hidden secrets through semantic analysis, while pattern-based tools (Gitleaks) offer speed for standard secret formats.
Python 3.11+ Python 3.11 or higher is required.
uv Package Manager
curl -LsSf https://astral.sh/uv/install.sh | shDocker For containerized workflows, see the Docker Installation Guide.
For AI-powered workflows, authenticate via OAuth (preferred):
cw oauth setup -p openai_codex
# or
cw oauth setup -p gemini_cliEnvironment variables can still be used if your policy allows it:
cp volumes/env/.env.template volumes/env/.env
# Add provider keys only if you explicitly want env-based authThis is required for:
llm_secret_detectionworkflow- AI agent features (
cw ai agent)
Basic security workflows (gitleaks, trufflehog, security_assessment) work without this configuration.
After installing the requirements, install the Crashwise CLI:
# Clone the repository
git clone https://github.com/YahyaToubali/Crashwise.git
cd Crashwise
# Install CLI with uv (from the root directory)
uv tool install --python python3.12 .Run your first workflow with Temporal orchestration and automatic file upload:
# 1. Clone the repo
git clone https://github.com/YahyaToubali/Crashwise.git
cd Crashwise
# 2. Copy the default LLM env config
cp volumes/env/.env.template volumes/env/.env
# 3. Start Crashwise with Temporal
docker compose up -d
# 4. Start the Python worker (needed for security_assessment workflow)
docker compose up -d worker-pythonThe first launch can take 2-3 minutes for services to initialize β
Workers don't auto-start by default (saves RAM). Start the worker you need before running workflows.
Workflow-to-Worker Quick Reference:
| Workflow | Worker Required | Startup Command |
|---|---|---|
security_assessment, python_sast, llm_analysis, atheris_fuzzing |
worker-python | docker compose up -d worker-python |
android_static_analysis |
worker-android | docker compose up -d worker-android |
cargo_fuzzing |
worker-rust | docker compose up -d worker-rust |
ossfuzz_campaign |
worker-ossfuzz | docker compose up -d worker-ossfuzz |
llm_secret_detection, trufflehog_detection, gitleaks_detection |
worker-secrets | docker compose up -d worker-secrets |
# 5. Run your first workflow (files are automatically uploaded)
cd test_projects/vulnerable_app/
cw init # Initialize Crashwise project
cw workflow run security_assessment . # Start workflow - CLI uploads files automatically!
# The CLI will:
# - Detect the local directory
# - Create a compressed tarball
# - Upload to backend (via MinIO)
# - Start the workflow on vertical workerWhat's running:
- Temporal: Workflow orchestration (UI at http://localhost:8080)
- MinIO: File storage for targets (Console at http://localhost:9001)
- Vertical Workers: Pre-built workers with security toolchains
- Backend API: Crashwise REST API (http://localhost:8000)
AI agents automatically analyzing code and providing security insights
We welcome contributions from the community!
There are many ways to help:
- Report bugs by opening an issue
- Suggest new features or improvements
- Submit pull requests with fixes or enhancements
- Share workflows, corpora, or modules with the community
See our Contributing Guide for details.
Planned features and improvements:
- π¦ Public workflow & module marketplace
- π€ New specialized AI agents (Rust, Go, Android, Automotive)
- π Expanded fuzzer integrations (LibFuzzer, Jazzer, more network fuzzers)
- βοΈ Multi-tenant SaaS platform with team collaboration
- π Advanced reporting & analytics
π Follow updates in the GitHub issues
Crashwise is based on the original open-source work of FuzzForge by FuzzingLabs. The project has been rebranded and extended, but we credit the original authors and community for the foundation.
Crashwise is released under the Business Source License 1.1 (BSL).
Production use requires a commercial license until the change date, when Apache 2.0 applies.
See LICENSE and LICENSE-APACHE for details.