Description
We currently have a few fuzzers, but we don't actually run them yet, except when someone runs them manually. We only run the associated unit tests, which don't really fuzz: they just exercise the target with random inputs for 10 seconds.
We should set up some fuzzing infrastructure that automatically runs our fuzzers.
The complete solution would be clusterfuzz. It's also the best solution (it can open github issues, etc.). However, it's also a behemoth, and not easy to configure.
For our still-relatively-limited use case, and until we have many more fuzzers, we could probably live pretty well with clusterfuzzlite, which runs directly in GitHub Actions and only requires a bucket to store the corpus between runs. It can emit SARIF, so it should be possible to get it to log the issues as code scanning alerts, though we're not monitoring those closely for now.
For both options, our Rust fuzzers are built using bolero. We should be able to use the cargo bolero build-clusterfuzz command that I contributed there a few years ago in order to build our fuzzer tarballs.
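As an added illustration of the clusterfuzzlite option (not part of the original issue and not this project's own configuration), the GitHub Actions workflow below runs the fuzzers on every pull request with AddressSanitizer and emits SARIF for code scanning. The action names and inputs (google/clusterfuzzlite/actions/build_fuzzers and run_fuzzers, language, sanitizer, mode, fuzz-seconds, output-sarif, storage-repo) follow the ClusterFuzzLite documentation as I know it; the workflow name, the fuzz budget and the corpus storage repository are assumptions. The bucket mentioned above is replaced here by a git storage repository, which is the alternative ClusterFuzzLite offers for persisting the corpus. The workflow also assumes a .clusterfuzzlite/build.sh script that invokes cargo bolero build-clusterfuzz and unpacks the resulting tarball into the $OUT directory ClusterFuzzLite expects; that script is not shown.

```yaml
# Assumed workflow file: .github/workflows/clusterfuzzlite-pr.yml (example, not the project's own)
name: ClusterFuzzLite PR fuzzing
on:
  pull_request:
    paths:
      - '**'
permissions: read-all
jobs:
  PR:
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        # Start with ASan only; add 'undefined' or 'memory' later if the targets support them.
        sanitizer: [address]
    steps:
      - name: Build fuzzers (${{ matrix.sanitizer }})
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          # Our fuzzers are Rust (bolero); build.sh in .clusterfuzzlite/ does the cargo bolero build.
          language: rust
          github-token: ${{ secrets.GITHUB_TOKEN }}
          sanitizer: ${{ matrix.sanitizer }}
      - name: Run fuzzers (${{ matrix.sanitizer }})
        id: run
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Assumed budget: 10 minutes per PR keeps CI cost bounded.
          fuzz-seconds: 600
          # 'code-change' fuzzes only what the PR touched; a scheduled workflow would use 'batch'.
          mode: 'code-change'
          sanitizer: ${{ matrix.sanitizer }}
          # Emit SARIF so crashes surface as code scanning alerts.
          output-sarif: true
          # Assumed corpus storage repository (placeholder); replaces the bucket option.
          storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/EXAMPLE-ORG/EXAMPLE-FUZZ-STORAGE.git
          storage-repo-branch: main
          storage-repo-branch-coverage: gh-pages
```

The corpus grows only if something persists it between runs, so the storage step is what turns ten-second random runs into real coverage-guided fuzzing; a companion scheduled workflow with mode 'batch' (and periodically mode 'prune') would keep the saved corpus useful. The personal access token is needed only for pushing to the storage repository and should be scoped to that repository alone.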