feat(skills): add Atheris fuzz harness with CI workflow integration#1102
Merged
WilliamBerryiii merged 13 commits intomainfrom Mar 20, 2026
Merged
feat(skills): add Atheris fuzz harness with CI workflow integration#1102WilliamBerryiii merged 13 commits intomainfrom
WilliamBerryiii merged 13 commits intomainfrom
Conversation
- add polyglot fuzz_harness.py with 4 targets and 21 pytest tests - add fuzz dependency group and pytest discovery config - add error-level validation for fuzz harness convention - fix resolve_color crash on empty hex strings - add fuzzing convention docs and update contributing guide 🔒 - Generated by Copilot
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1102 +/- ##
==========================================
- Coverage 86.91% 86.89% -0.03%
==========================================
Files 59 59
Lines 8752 8774 +22
==========================================
+ Hits 7607 7624 +17
- Misses 1145 1150 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
This was referenced Mar 17, 2026
- fix table formatting in fuzzing.md and security README.md - correct ms.topic value from conceptual to concept in fuzzing.md - update ms.date to current date on all changed markdown files - add explanatory comments to bare except blocks for CodeQL - add short-hex coverage tests for resolve_color and hex_brightness 🔧 - Generated by Copilot
katriendg
reviewed
Mar 18, 2026
Contributor
katriendg
left a comment
There was a problem hiding this comment.
Code review pass covering the Atheris fuzz harness implementation, bug fixes, and associated documentation.
auyidi1
reviewed
Mar 18, 2026
added 3 commits
March 19, 2026 17:10
- add missing-key variants to fuzz_max_severity with ConsumeBool toggles - add corpus seed directory with 12 binary seeds and naming convention - add fuzz dependency group and python_files validation in skill validator - fix Python test/lint scripts to default OutputPath to logs directory - clarify OSSF Scorecard wording in fuzzing.md 🧪 - Generated by Copilot
…ness' into feat/powerpoint-atheris-fuzz-harness # Conflicts: # scripts/linting/README.md
This was referenced Mar 20, 2026
- replace try/except pass blocks with contextlib.suppress - add missing copyright and SPDX license header 🔧 - Generated by Copilot
📝 - Generated by Copilot
5 tasks
- add fuzz-tests.yml reusable workflow with coverage-guided Atheris fuzzing - integrate fuzz-tests job into pr-validation.yml via discover-python-projects - produce step summary, crash artifacts, and JSON results per fuzz project - align all conventions with python-lint.yml and pip-audit.yml patterns 🧪 - Generated by Copilot
auyidi1
approved these changes
Mar 20, 2026
This was referenced Mar 20, 2026
33 tasks
WilliamBerryiii
added a commit
that referenced
this pull request
Mar 20, 2026
…1155) ## Description GitHub Linguist's *vendor.yml* classifies the entire `.github/` directory as vendored, which excluded all Python skill files from the repository's Languages API. OSSF Scorecard's Fuzzing check only evaluates languages that appear in that API, so the Atheris fuzz harness merged in PR #1102 remained invisible and **Fuzzing scored 0/10** despite correct test infrastructure. > The root cause was a mismatch between where skills live (`.github/skills/`) and Linguist's vendored-path regex. The fix adds a targeted `.gitattributes` override rather than relocating files. - Added **`linguist-vendored=false`** for `.github/skills/**/*.py` in *.gitattributes*, overriding the vendored classification so Python appears in language statistics - Included an explanatory comment documenting the Linguist vendor.yml interaction with OSSF Scorecard for future maintainers - Removed two duplicate `**/.hypothesis/` entries from *.gitignore* (the file contained three identical lines; one remains) ## Related Issue(s) None ## Type of Change Select all that apply: **Code & Documentation:** * [x] Bug fix (non-breaking change fixing an issue) * [ ] New feature (non-breaking change adding functionality) * [ ] Breaking change (fix or feature causing existing functionality to change) * [ ] Documentation update **Infrastructure & Configuration:** * [ ] GitHub Actions workflow * [ ] Linting configuration (markdown, PowerShell, etc.) * [ ] Security configuration * [ ] DevContainer configuration * [ ] Dependency update **AI Artifacts:** * [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback * [ ] Copilot instructions (`.github/instructions/*.instructions.md`) * [ ] Copilot prompt (`.github/prompts/*.prompt.md`) * [ ] Copilot agent (`.github/agents/*.agent.md`) * [ ] Copilot skill (`.github/skills/*/SKILL.md`) > Note for AI Artifact Contributors: > > * Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones. > * Skills: Must include both bash and PowerShell scripts. See [Skills](../docs/contributing/skills.md). > * Model Versions: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected. > * See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements). **Other:** * [ ] Script/automation (`.ps1`, `.sh`, `.py`) * [ ] Other (please describe): ## Testing - Verified `git check-attr linguist-vendored -- .github/skills/experimental/powerpoint/tests/fuzz_harness.py` returns `false`, confirming the override is active. - Confirmed the `.github/skills/**/*.py` glob covers all 35 Python files (427,782 bytes), approximately 3.5x the Linguist prominence threshold. - Ran `npm run validate:skills` — all 9 skills passed with 0 errors. ## Checklist ### Required Checks * [ ] Documentation is updated (if applicable) * [x] Files follow existing naming conventions * [x] Changes are backwards compatible (if applicable) * [ ] Tests added for new functionality (if applicable) ### AI Artifact Contributions * [ ] Used `/prompt-analyze` to review contribution * [ ] Addressed all feedback from `prompt-builder` review * [ ] Verified contribution follows common standards and type-specific requirements ### Required Automated Checks The following validation commands must pass before merging: * [x] Markdown linting: `npm run lint:md` * [x] Spell checking: `npm run spell-check` * [x] Frontmatter validation: `npm run lint:frontmatter` * [x] Skill structure validation: `npm run validate:skills` * [x] Link validation: `npm run lint:md-links` * [x] PowerShell analysis: `npm run lint:ps` * [x] Plugin freshness: `npm run plugin:generate` ## Security Considerations * [x] This PR does not contain any sensitive or NDA information * [x] Any new dependencies have been reviewed for security issues * [x] Security-related scripts follow the principle of least privilege ## Additional Notes - The 35 Python files under `.github/skills/` total approximately 427,782 bytes, which is well above the Linguist prominence threshold (~122,000 bytes). Even if small files are added or removed, Python visibility in the Languages API remains stable. - No new dependencies were introduced. The change is purely metadata (`.gitattributes` and `.gitignore`).
This was referenced Mar 20, 2026
WilliamBerryiii
added a commit
that referenced
this pull request
Mar 20, 2026
🤖 I have created a release *beep* *boop* --- ## [3.2.0](hve-core-v3.1.46...hve-core-v3.2.0) (2026-03-20) ### ✨ Features * add -OutputPath parameter to Validate-MarkdownFrontmatter.ps1 ([#1134](#1134)) ([fdf1bcf](fdf1bcf)), closes [#1006](#1006) * add action version consistency scan workflow ([#1127](#1127)) ([4229df1](4229df1)) * **agent:** MVE Experiment Designer ([#976](#976)) ([70f86ca](70f86ca)) * **agents:** add ADO Backlog Manager orchestrator agent ([#800](#800)) ([fae3987](fae3987)) * **agents:** add meeting analyst agent for transcript analysis using work-iq ([#502](#502)) ([5345b5b](5345b5b)) * **agents:** add quick-reference line to RPI Phase 5 suggestions ([#897](#897)) ([9a90f39](9a90f39)) * **agents:** add RAI Planner, enhance SSSC Planner, and redesign Security Planner ([#979](#979)) ([06f826c](06f826c)) * **agents:** add symmetric cross-system handoff to GitHub Backlog Manager ([#952](#952)) ([ba34a35](ba34a35)) * **agents:** Functional Code Review Agent — pre-PR functional correctness reviewer ([#733](#733)) ([9cf63b7](9cf63b7)) * **build:** add Python extensions and uv 0.10.8 to devcontainer ([#920](#920)) ([9ca0579](9ca0579)) * **build:** add uv ecosystem to Dependabot configuration ([#913](#913)) ([2a4bd39](2a4bd39)) * **build:** enable npm pinning enforcement in dependency scan ([#838](#838)) ([4e9e31f](4e9e31f)) * **build:** migrate attestation actions to v4.1.0 and add SBOM verification docs ([#841](#841)) ([ca1e65b](ca1e65b)) * **collections:** add four new validator checks (orphan, duplicate, companion, coverage) ([#869](#869)) ([1a96b73](1a96b73)) * **devcontainer,security:** add enterprise artifact hub configuration ([#1032](#1032)) ([1d56d25](1d56d25)) * **docs:** add Rust coding standards and guidelines ([#809](#809)) ([d4c4899](d4c4899)) * **extension:** add Microsoft logo icon to VS Code Marketplace listings ([#906](#906)) ([82aca41](82aca41)) * **github:** add declarative label management ([#953](#953)) ([a1a6845](a1a6845)) * **instructions:** add ADO backlog shared infrastructure ([#786](#786)) ([1914078](1914078)) * **instructions:** add ADO backlog sprint planning and capacity tracking ([#788](#788)) ([d6fb77d](d6fb77d)) * **instructions:** add ADO triage workflow and prompt ([#787](#787)) ([cde0190](cde0190)) * **instructions:** add shared story quality conventions and sprint planning ([#803](#803)) ([a2f18e3](a2f18e3)) * **prompts:** add ADO discovery and work item prompts with agent routing ([#790](#790)) ([7e74523](7e74523)) * **prompts:** add security review prompts ([#1118](#1118)) ([ad30967](ad30967)) * **scripts:** add dynamic Python skill discovery for lint/test ([#957](#957)) ([0a90f57](0a90f57)) * **scripts:** add Get-StandardTimestamp utility to CIHelpers module ([#1126](#1126)) ([b273a4b](b273a4b)) * **scripts:** add Python copyright header validation ([#905](#905)) ([67df902](67df902)) * **scripts:** add Python skill support to Validate-SkillStructure ([#903](#903)) ([68479d9](68479d9)) * **scripts:** add workflow npm command scanning to dependency pinning ([#837](#837)) ([6b5ae06](6b5ae06)) * **security:** add basic security reviewer agent with owasp skills ([#1008](#1008)) ([cb1fd05](cb1fd05)) * **security:** add sigstore attestation bundles and fix component-detection action ([#1148](#1148)) ([f79c272](f79c272)) * **skills:** add Atheris fuzz harness with CI workflow integration ([#1102](#1102)) ([d337e1d](d337e1d)) * **skills:** add PowerPoint automation skill with YAML-driven deck generation ([#868](#868)) ([00465cd](00465cd)) * **skills:** convert hve-core-installer agent to self-contained skill ([#846](#846)) ([1d821fb](1d821fb)) * **skills:** enhance pr-reference skill with flexible filtering and base branch detection ([#1095](#1095)) ([26a32ea](26a32ea)) * **workflows:** add devcontainer infrastructure change log workflow ([#899](#899)) ([8aca446](8aca446)) * **workflows:** add milestone auto-close on stable and pre-release publishes ([#834](#834)) ([79362b1](79362b1)) * **workflows:** add ms.date documentation freshness checking ([#969](#969)) ([3ed441c](3ed441c)) * **workflows:** add Python linting CI workflow with Ruff ([#951](#951)) ([f89f0eb](f89f0eb)) * **workflows:** add Python testing CI workflow with pytest and Codecov ([#934](#934)) ([5e8306f](5e8306f)) * **workflows:** add uv and Python package sync to copilot-setup-steps ([#921](#921)) ([45d517d](45d517d)) ### 🐛 Bug Fixes * **build:** override Linguist vendored flag for Python skill files ([#1155](#1155)) ([0eee5b6](0eee5b6)) * **build:** override serialize-javascript to >=7.0.3 for RCE fix ([#876](#876)) ([e49039a](e49039a)) * **build:** resolve Pinned-Dependencies alerts for vsce npm commands in extension workflows ([#782](#782)) ([89dad9d](89dad9d)) * **build:** update undici and yauzl overrides for security audit ([#1030](#1030)) ([2c2f92f](2c2f92f)) * **docs:** add CLI Plugins to install.md navigation surfaces ([#902](#902)) ([79d6595](79d6595)) * **docs:** add sidebar ordering for Design Thinking documentation ([#832](#832)) ([551fddc](551fddc)), closes [#830](#830) * **docs:** graduate design-thinking to preview and correct stale collection references ([#831](#831)) ([5110e35](5110e35)) * **docs:** include project-planning in UX Designer install guidance ([#908](#908)) ([e7aa9bc](e7aa9bc)) * **docs:** remediate writing-style convention violations ([#865](#865)) ([68b04bc](68b04bc)) * **docs:** remove draft content announcement banner ([#825](#825)) ([b45de80](b45de80)) * **docs:** remove unbounded path-to-regexp override breaking SSG ([#1153](#1153)) ([d810018](d810018)) * **docs:** use actual clone paths instead of folder display names in multi-root workspace settings ([#984](#984)) ([5dbab82](5dbab82)) * **instructions:** replace black with ruff in uv-projects ([#898](#898)) ([b0c06d9](b0c06d9)) * **scripts:** cover .github/ skill files in copyright header validation ([#1055](#1055)) ([#1098](#1098)) ([27fbd33](27fbd33)) * **scripts:** eliminate phantom git changes from plugin generation ([#1035](#1035)) ([e49a1b5](e49a1b5)) * **scripts:** enable JSON log output for lint:version-consistency ([#1033](#1033)) ([52b0885](52b0885)) * **security:** calculate compliance score from total scanned dependencies ([#930](#930)) ([c112c3d](c112c3d)) * **skills:** add AST validation and namespace restriction for content-extra.py ([#1027](#1027)) ([c50c7a3](c50c7a3)) * **skills:** add depth limits to recursive PowerPoint processing functions ([#1028](#1028)) ([bf08994](bf08994)) * **skills:** harden XML parsing and blob writes in powerpoint extract ([#1053](#1053)) ([89d24b1](89d24b1)) * **skills:** resolve ruff lint and format violations in powerpoint skill ([#1048](#1048)) ([17bbe7a](17bbe7a)) * **workflows:** add uv.lock dependencies submission have fork-skip condition ([#1109](#1109)) ([dec56ac](dec56ac)) * **workflows:** automate weekly SHA staleness check with issue creation ([#975](#975)) ([1ea4caa](1ea4caa)) * **workflows:** close Codecov integration gaps for Pester and pytest flags ([#1106](#1106)) ([cca29b7](cca29b7)) * **workflows:** propagate uv sync errors in copilot-setup-steps ([#961](#961)) ([df88d7c](df88d7c)) * **workflows:** resolve release-please skip cascade and Python project discovery ([#1043](#1043)) ([79993e2](79993e2)) * **workflows:** scan only commit subjects for breaking change detection ([#1157](#1157)) ([a38a657](a38a657)) ### 📚 Documentation * clarify HVE Core Extension vs Installer messaging across documentation ([#965](#965)) ([0fceb8f](0fceb8f)) * **docs:** add ADO integration user documentation ([#935](#935)) ([ec89302](ec89302)) * **docs:** add Project Planning agent documentation ([#936](#936)) ([3a3a0fd](3a3a0fd)) * **onboarding:** overhaul marketplace onboarding and documentation site ([#982](#982)) ([4309e10](4309e10)) ### ♻️ Refactoring * **build:** merge code-review collection into coding-standards ([#863](#863)) ([8027e7b](8027e7b)) * **workflows:** rename release pipeline workflows and add marketplace automation triggers ([#829](#829)) ([b6397f4](b6397f4)) ### 🔧 Maintenance * **build:** add clean:logs npm script ([#1122](#1122)) ([f85fe02](f85fe02)), closes [#988](#988) * **build:** add JSON reporter for cspell ([#1123](#1123)) ([6d59f67](6d59f67)) * **ci:** add multi-arch support to copilot-setup-steps binary downloads ([#955](#955)) ([8d0c706](8d0c706)) * **deps-dev:** bump cspell from 9.6.4 to 9.7.0 in the npm-dependencies group ([#839](#839)) ([3fa16ff](3fa16ff)) * **deps:** bump actions/dependency-review-action from 4.8.3 to 4.9.0 in the github-actions group across 1 directory ([#942](#942)) ([1a9b858](1a9b858)) * **deps:** bump cairosvg from 2.8.2 to 2.9.0 in /.github/skills/experimental/powerpoint ([#1025](#1025)) ([f4deda7](f4deda7)) * **deps:** bump dompurify from 3.3.1 to 3.3.2 in /docs/docusaurus ([#924](#924)) ([d2060d6](d2060d6)) * **deps:** bump svgo from 3.3.2 to 3.3.3 in /docs/docusaurus ([#880](#880)) ([6dc2406](6dc2406)) * **deps:** bump the github-actions group across 1 directory with 4 updates ([#1100](#1100)) ([2290dc0](2290dc0)) * **deps:** bump the github-actions group with 6 updates ([#840](#840)) ([f57bc01](f57bc01)) * **docs:** correct New-MsDateReport table rendering and refresh stale docs ([#1114](#1114)) ([c2b806f](c2b806f)) * **settings:** remove orphaned Checkov config and stale gitignore entries ([#870](#870)) ([98fcd74](98fcd74)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com> Co-authored-by: Bill Berry <wberry@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Added a polyglot Atheris fuzz harness convention to the powerpoint skill, established it as a required pattern for all Python skills with tests, documented the convention across security and contributing guides, and integrated coverage-guided fuzzing into the PR validation pipeline. The fuzz harness immediately surfaced two crash bugs in pptx_colors.py that were fixed in the same changeset. A shell script bug in generate.sh was also discovered and fixed during the PR workflow.
Fuzz Harness Implementation
> OSSF Scorecard Fuzzing detection requires an
import atherisstatement reachable by its Phase 3 regex scanner. The polyglot harness pattern satisfies this while keeping CI-friendly pytest tests as the default execution mode.resolve_color,hex_brightness,max_severity, and_has_formatting_variationfuzz_dispatchrouter uses first byte modulo target count to distribute fuzzer input across targetsfuzz = ["atheris>=3.0"]dependency group to pyproject.toml, intentionally separate fromdevsince Atheris only ships manylinux wheelspython_files = ["test_*.py", "fuzz_harness.py"]to pytest discovery configurationCI Workflow Integration
discover-python-projectsjob and gates onfuzz_harness.pypresenceuv sync --locked --dev --group fuzzsoft-failandchanged-files-onlyinputs for flexible pipeline configurationBug Fixes
resolve_colornow returns a safe default RGB when hex strings are shorter than 6 charactershex_brightnessnow returns0for short hex strings instead of silently producing incorrect valuesprintf '%s\n'on an empty array produced a blank newline, causinggit diffto fail withfatal: empty string is not a valid pathspecif [[ ${#specs[@]} -gt 0 ]]Validation & Documentation
tests/directory includetests/fuzz_harness.pyRelated Issue(s)
Closes #1021
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Sample Prompts (for AI Artifact Contributions)
Testing
npm run validate:skills— fuzz harness validation passes for the powerpoint skillnpm run lint:ps— PowerShell analysis passes for Validate-SkillStructure.ps1 changesnpm run lint:md— markdown linting passes for all modified documentation filesnpm run spell-check— spelling validation passesnpm run lint:frontmatter— frontmatter validation passesnpm run lint:md-links— markdown link checking passesactionlint— workflow validation passes for both fuzz-tests.yml and pr-validation.ymlyaml-lint— YAML validation passes for fuzz-tests.ymlChecklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contributionprompt-builderreviewRequired Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psSecurity Considerations
No sensitive data, credentials, or privilege escalation paths introduced. The Atheris dependency is isolated in a
fuzzgroup that is not installed by default. Thepptx_colors.pyfixes close input-validation gaps that could have caused unexpected behavior with malformed color strings. The fuzz-tests workflow runs withcontents: readpermissions only.Additional Notes
fuzzdependency group is intentionally separate fromdevbecause Atheris only ships manylinux wheels (no macOS). This preventsuv syncfailures on non-Linux platforms.cairosvgwheel addition that appears to be a pre-existing lock drift correction.