OSS-CRS is a standard orchestration framework for building and running LLM-based autonomous bug-finding and bug-fixing systems (Cyber Reasoning Systems).

• Standard CRS Interface — OSS-CRS defines a unified interface for CRS development. Build your CRS once following the development guide, and run it across different environments (local, Azure, ...) without any modification.
• Effortless Targeting — Run any CRS against projects in OSS-Fuzz format. If your project is compatible with OSS-Fuzz, OSS-CRS can orchestrate CRSs against it out of the box.
• Ensemble Multiple CRSs — Compose and run multiple CRSs together in a single campaign to combine their strengths and maximize bug-finding and bug-fixing coverage.
• Resource Control — Manage CPU limits and LLM budgets per CRS to keep costs and resources in check.
• Multi-Environment Support — Run locally today; deploy to Azure (coming soon) with zero changes to your CRS.

OSS-CRS works with any project that follows the OSS-Fuzz project structure. Clone the OSS-Fuzz repository to get started:

git clone git@github.com:google/oss-fuzz.git ~/oss-fuzz

Tip: You can also prepare your own target repository as long as it is compatible with the OSS-Fuzz project format.

The example below uses crs-libfuzzer, a lightweight CRS that runs libFuzzer on the target. See ./example/crs-libfuzzer/compose.yaml for the full configuration.

# Prepare the CRS (pull images, set up dependencies)
uv run oss-crs prepare \
  --compose-file ./example/crs-libfuzzer/compose.yaml

# Build the target project
uv run oss-crs build-target \
  --compose-file ./example/crs-libfuzzer/compose.yaml \
  --fuzz-proj-path ~/oss-fuzz/projects/libxml2

# Run the CRS against a specific harness (e.g., "xml")
uv run oss-crs run \
  --compose-file ./example/crs-libfuzzer/compose.yaml \
  --fuzz-proj-path ~/oss-fuzz/projects/libxml2 \
  --target-harness xml

For a more advanced CRS that leverages LLMs, you can use atlantis-multilang. This CRS supports multiple languages and uses an LLM to generate and refine fuzz harnesses. See ./example/multilang/multilang-compose.yaml for the full configuration.

Environment variables: For LLM-backed runs, you can either export provider credentials in your shell or place them in a .env file in the directory where you run oss-crs. The CLI loads .env automatically via dotenv before parsing the compose file.

# Prepare the LLM-powered CRS, for example, multilang
uv run oss-crs prepare \
  --compose-file ./example/multilang/multilang-compose.yaml 

# Build the target
uv run oss-crs build-target \
  --compose-file ./example/multilang/multilang-compose.yaml \
  --fuzz-proj-path ~/oss-fuzz/projects/libxml2 

# Run the CRS
export OPENAI_API_KEY=<OPENAI_API_KEY>
export GEMINI_API_KEY=<GEMINI_API_KEY>
export ANTHROPIC_API_KEY=<ANTHROPIC_API_KEY>
# Or put the same variables in .env and skip the export lines.
uv run oss-crs run \
  --compose-file ./example/multilang/multilang-compose.yaml \
  --fuzz-proj-path ~/oss-fuzz/projects/libxml2 \
  --target-harness xml

Note: LLM-powered CRSs require an LLM API key. Refer to docs/config/llm.md for configuration details.

For CRSs that generate source patches (bug-fixing), the Builder CRS provides fast incremental builds. Instead of rebuilding the target from scratch for each patch, the builder creates a snapshot of the compiled project and applies patches on top of it.

First, fetch the required oss-fuzz scripts (one-time setup):

bash scripts/setup-third-party.sh

Then add the builder as a separate CRS entry in your compose file alongside your patcher CRS:

oss-crs-builder:
  source:
    local_path: /path/to/oss-crs/builder
  cpuset: "2-3"
  memory: "8G"

my-patcher-crs:
  source:
    local_path: /path/to/my-patcher-crs
  cpuset: "4-7"
  memory: "16G"

The framework automatically creates a snapshot image, starts the builder service, and connects it with your patcher CRS. Any CRS that uses libCRS.apply_patch_build() will communicate with the builder via HTTP.

See builder/README.md for full details on the builder's API and configuration.

Combine multiple CRSs in a single campaign to get the best of each approach. Simply define them in an ensemble compose file For example, ./example/ensemble/ensemble-compose.yaml launches both crs-libfuzzer and multilang simultaneously. Check the compose file for detailed configuration.

# Prepare 
uv run oss-crs prepare \
  --compose-file ./example/ensemble/ensemble-compose.yaml 

# Build the target
uv run oss-crs build-target \
  --compose-file ./example/ensemble/ensemble-compose.yaml  \
  --fuzz-proj-path ~/oss-fuzz/projects/libxml2 

# Run the CRS
export OPENAI_API_KEY=<OPENAI_API_KEY>
export GEMINI_API_KEY=<GEMINI_API_KEY>
export ANTHROPIC_API_KEY=<ANTHROPIC_API_KEY>
# Or put the same variables in .env and skip the export lines.
uv run oss-crs run \
  --compose-file ./example/ensemble/ensemble-compose.yaml  \
  --fuzz-proj-path ~/oss-fuzz/projects/libxml2 \
  --target-harness xml

Each CRS runs independently with its own resource allocation, and results are aggregated automatically.

OSS-CRS is designed to make CRS development simple. Follow the CRS Development Guide to package your bug-finding or bug-fixing tool as a CRS. Once integrated, your CRS will:

• Work with any OSS-Fuzz-compatible target
• Run in any supported environment (local, Azure, ...) without modification
• Be composable with other CRSs for ensemble campaigns

• CRS Development Guide: How to build or integrate your own CRS
• Architecture: System design and component overview
• Target Project: Target project setup and OSS-Fuzz compatibility
• CRS Configuration: CRS config reference
• CRS-Compose Configuration: Compose file reference
• Builder CRS: Incremental build service for patch-testing CRSs
• LLM Configuration: LLM provider setup
• Changelog: Breaking changes, deprecations, and migration notes
• Plan: Upcoming features and planned improvements

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

See LICENSE for details.