Description
Is your feature request related to a problem? Please describe.
Currently, the project does not include fuzz tests. This means certain classes of bugs—such as unexpected input handling issues, parsing errors, or edge-case crashes—may go undetected during regular unit or integration testing. OpenSSF scorecard also flags this currently.
Describe the solution you'd like
Introduce fuzz testing for components that process external or complex inputs (e.g., parsers, input validation logic, and serialization/deserialization paths). Modern fuzzing approaches such as coverage-guided fuzzing (e.g., Go’s native fuzzing support) can help automatically generate diverse inputs and uncover hidden edge cases.
Best practices could include:
- Starting with fuzz tests for critical input-handling functions.
- Using Go’s built-in fuzzing framework (`go test -fuzz`) for easy integration.
- Running fuzz tests periodically in CI or as part of security testing workflows.
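As an added illustration of what the request above asks for (not code from this project): a small length-prefixed record decoder paired with a Go native fuzz target that checks the decoder never panics on arbitrary bytes and round-trips through its encoder. The record format and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"io"
	"testing"
)

// DecodeRecords parses [uint16 big-endian length][payload] records. Each length is
// bounds-checked before slicing, so a hostile length field errors out rather than panicking.
func DecodeRecords(in []byte) ([][]byte, error) {
	var out [][]byte
	for len(in) > 0 {
		if len(in) < 2 {
			return nil, io.ErrUnexpectedEOF // truncated length prefix
		}
		n := int(binary.BigEndian.Uint16(in))
		if n > len(in)-2 {
			return nil, io.ErrUnexpectedEOF // length runs past the input
		}
		out = append(out, append([]byte(nil), in[2:2+n]...))
		in = in[2+n:]
	}
	return out, nil
}

// EncodeRecords is the inverse; the fuzz target uses it to check round-tripping.
func EncodeRecords(recs [][]byte) (out []byte) {
	for _, r := range recs {
		out = append(append(out, byte(len(r)>>8), byte(len(r))), r...)
	}
	return out
}

// FuzzDecodeRecords is the coverage-guided target. In a real project it lives in
// a _test.go file and runs with: go test -fuzz=FuzzDecodeRecords
func FuzzDecodeRecords(f *testing.F) {
	f.Add(EncodeRecords([][]byte{[]byte("a"), []byte("bc")})) // seed: valid input
	f.Add([]byte{0xff, 0xff})                                 // seed: oversized length
	f.Fuzz(func(t *testing.T, data []byte) {
		recs, err := DecodeRecords(data) // a panic here fails the fuzz run
		if err != nil {
			return // rejecting input is fine; crashing or mis-parsing is not
		}
		if !bytes.Equal(EncodeRecords(recs), data) {
			t.Fatalf("round-trip mismatch for %x", data)
		}
	})
}
```

Inputs the fuzzer finds that crash or break the round-trip property are written to `testdata/fuzz/` and replayed by plain `go test` afterwards, which is what makes them useful as regression tests in CI.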
Describe alternatives you've considered
Relying solely on unit tests and integration tests to cover edge cases. However, fuzz testing is particularly effective at discovering unexpected input combinations that are difficult to anticipate when writing deterministic tests.
Additional context
Fuzz testing is increasingly recommended as a security best practice for open source projects and is widely adopted across many projects in the security ecosystem.