Guides¶
Task-oriented pages for the operator running an audit and for the maintainer receiving its output. Pick the one that matches what you are about to do. If you have not set up a target and run a first iteration yet, start with Getting started — these pages assume that baseline.
Read these in order for a first run¶
- Configure a target — review the generated
target.tomland make sure the runner or sanitizer build is real. - Backends and ensembling — pick one backend for a reproducible run, or cycle hosted backends when you want broader coverage.
- Non-C/C++ targets or Browser targets — only if your target needs ecosystem-specific runner setup.
- Recon discovery — understand the cold-start
survey that
bin/auditruns automatically, or run it standalone when you want to inspect candidate work first. - Triage results — review crashes, findings, rejected candidates, and duplicate clusters.
Two rules that shape the guides¶
findings/is for concrete security issues, with or without a runnable reproducer.crashes/is stricter: it is for sanitizer-backed reproductions, runtime-race diagnostics, or accepted security-boundary violations that can be clustered and exported.
All guide pages¶
| Page | Use it when |
|---|---|
| Configure a target | Review target.toml after bin/setup-target generates it. |
| Backends and ensembling | Run a single backend, cycle multiple hosted backends, or compare them. |
| Non-C/C++ targets | Configure language runners, findings-only targets, or non-ASan sanitizers such as Go race. |
| Browser targets | Audit Firefox, Chromium, or a JS/Wasm runtime. |
| Recon discovery | Understand or refresh the breadth-first source survey that seeds the audit queue. |
| Triage results | Decide which crashes and findings to promote, reject, or refine. |
| Reproduce a crash | Re-run an exported TokenFuzz crash bundle against a clean upstream checkout. |