| name | dast-nuclei |
| description | Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.
|
| version | 0.1.0 |
| maintainer | SirAppSec |
| category | appsec |
| tags | ["dast","nuclei","vulnerability-scanning","cve","owasp","api-testing","automation","templates"] |
| frameworks | ["OWASP","CWE","CVE"] |
| dependencies | {"tools":["nuclei"],"optional":["docker","git"]} |
| references | ["https://docs.projectdiscovery.io/tools/nuclei/overview","https://github.com/projectdiscovery/nuclei","https://github.com/projectdiscovery/nuclei-templates"] |
DAST with Nuclei
Overview
Nuclei is a fast, template-based vulnerability scanner from ProjectDiscovery that uses YAML templates to detect
security vulnerabilities, misconfigurations, and exposures across web applications, APIs, networks, and cloud
infrastructure. With 7,000+ community templates covering CVEs, OWASP vulnerabilities, and custom checks, Nuclei
provides efficient automated security testing with minimal false positives.
Quick Start
Installation
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
docker pull projectdiscovery/nuclei:latest
nuclei -update-templates
Basic Vulnerability Scan
nuclei -u https://target-app.com
nuclei -u https://target-app.com -severity critical,high
nuclei -list targets.txt -severity critical,high,medium -o results.txt
Quick CVE Scan
nuclei -u https://target-app.com -tags cve -severity critical,high
nuclei -u https://target-app.com -tags cve -severity critical -template-condition "contains(id, 'CVE-')"
Core Workflow
Workflow Checklist
Progress:
[ ] 1. Install Nuclei and update templates to latest version
[ ] 2. Define target scope (URLs, domains, IP ranges)
[ ] 3. Select appropriate templates based on target type and risk tolerance
[ ] 4. Configure scan parameters (rate limiting, severity, concurrency)
[ ] 5. Execute scan with proper authentication if needed
[ ] 6. Review findings, filter false positives, and verify vulnerabilities
[ ] 7. Map findings to OWASP/CWE frameworks
[ ] 8. Generate security report with remediation guidance
Work through each step systematically. Check off completed items.
Step 1: Template Selection and Target Scoping
Identify target applications and select relevant template categories:
nuclei -tl
nuclei -tl -tags owasp
nuclei -tl -tags cve,misconfig
nuclei -tl -tags cve -severity critical | wc -l
Template Categories:
- cve: Known CVE vulnerabilities (7000+ CVE templates)
- owasp: OWASP Top 10 vulnerabilities
- misconfig: Common security misconfigurations
- exposed-panels: Admin panels and login pages
- takeovers: Subdomain takeover vulnerabilities
- default-logins: Default credentials
- exposures: Sensitive file and data exposures
- tech: Technology detection and fingerprinting
Target Scoping Best Practices:
- Create target list excluding third-party services
- Group targets by application type for focused scanning
- Define exclusions for sensitive endpoints (payment, logout, delete actions)
Step 2: Configure Scan Parameters
Set appropriate rate limiting and concurrency for target environment:
nuclei -u https://target-app.com \
-severity critical,high \
-rate-limit 50 \
-concurrency 10 \
-timeout 10
nuclei -u https://target-app.com \
-severity critical,high,medium \
-rate-limit 150 \
-concurrency 25 \
-bulk-size 25
Parameter Guidelines:
- rate-limit: Requests per second (50-150 typical, lower for production)
- concurrency: Parallel template execution (10-25 typical)
- bulk-size: Parallel host scanning (10-25 for multiple targets)
- timeout: Per-request timeout in seconds (10-30 typical)
For CI/CD integration patterns, see scripts/nuclei_ci.sh.
Step 3: Execute Targeted Scans
Run scans based on security objectives:
Critical Vulnerability Scan:
nuclei -u https://target-app.com \
-severity critical,high \
-tags cve,owasp \
-o critical-findings.txt \
-json -jsonl-export critical-findings.jsonl
Technology-Specific Scan:
nuclei -u https://target-app.com -tags apache,nginx,wordpress,drupal
nuclei -u https://target-app.com -tags exposure,config
nuclei -u https://target-app.com -tags auth,login,default-logins
API Security Scan:
nuclei -u https://api.target.com \
-tags api,graphql,swagger \
-severity critical,high,medium \
-header "Authorization: Bearer $API_TOKEN"
Custom Template Scan:
nuclei -u https://target-app.com \
-t custom-templates/ \
-t nuclei-templates/http/cves/ \
-severity critical,high
Step 4: Authenticated Scanning
Perform authenticated scans for complete coverage:
nuclei -u https://target-app.com \
-header "Authorization: Bearer $AUTH_TOKEN" \
-header "Cookie: session=$SESSION_COOKIE" \
-tags cve,owasp
python3 scripts/nuclei_auth_scan.py \
--target https://target-app.com \
--auth-type bearer \
--token-env AUTH_TOKEN \
--severity critical,high \
--output auth-scan-results.jsonl
For OAuth, SAML, and MFA scenarios, see references/authentication_patterns.md.
Step 5: Results Analysis and Validation
Review findings and eliminate false positives:
python3 scripts/parse_nuclei_results.py \
--input critical-findings.jsonl \
--output report.html \
--group-by severity
nuclei -u https://target-app.com \
-tags cve \
-severity critical \
-verify \
-verbose
Validation Workflow:
- Review critical findings first (immediate action required)
- Verify each finding manually (curl, browser inspection, PoC testing)
- Check for false positives using
references/false_positive_guide.md
- Map confirmed vulnerabilities to OWASP Top 10 using
references/owasp_mapping.md
- Cross-reference with CWE classifications for remediation patterns
Feedback Loop Pattern:
nuclei -u https://target-app.com -severity critical,high -o scan1.txt
nuclei -u https://target-app.com -severity critical,high -o scan2.txt
diff scan1.txt scan2.txt
Step 6: Reporting and Remediation Tracking
Generate comprehensive security reports:
python3 scripts/nuclei_report_generator.py \
--input scan-results.jsonl \
--output security-report.html \
--format html \
--include-remediation \
--map-frameworks owasp,cwe
nuclei -u https://target-app.com \
-severity critical,high \
-sarif-export github-sarif.json
See assets/report_templates/ for customizable report formats.
Automation & CI/CD Integration
GitHub Actions Integration
name: Nuclei Security Scan
on: [push, pull_request]
jobs:
nuclei:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: https://staging.target-app.com
severity: critical,high
templates: cves,owasp,misconfig
- name: Upload Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: nuclei.sarif
Docker-Based CI/CD Scanning
docker run --rm \
-v $(pwd):/reports \
projectdiscovery/nuclei:latest \
-u $TARGET_URL \
-severity critical,high \
-json -jsonl-export /reports/nuclei-results.jsonl
if grep -q '"severity":"critical"' nuclei-results.jsonl; then
echo "Critical vulnerabilities detected!"
exit 1
fi
Advanced Automation with Custom Scripts
./scripts/nuclei_bulk_scanner.sh \
--targets-file production-apps.txt \
--severity critical,high \
--slack-webhook $SLACK_WEBHOOK \
--output-dir scan-reports/
./scripts/nuclei_scheduler.sh \
--schedule daily \
--targets targets.txt \
--diff-mode \
--alert-on new-findings
For complete CI/CD integration examples, see scripts/ci_integration_examples/.
Custom Template Development
Create organization-specific security templates:
id: custom-api-key-exposure
info:
name: Custom API Key Exposure Check
author: security-team
severity: high
description: Detects exposed API keys in custom application endpoints
tags: api,exposure,custom
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/config"
- "{{BaseURL}}/.env"
matchers-condition: and
matchers:
- type: word
words:
- "api_key"
- "secret_key"
- type: status
status:
- 200
extractors:
- type: regex
name: api_key
regex:
- 'api_key["\s:=]+([a-zA-Z0-9_-]{32,})'
Template Development Resources:
references/template_development.md - Complete template authoring guideassets/template_examples/ - Sample templates for common patterns- Nuclei Template Guide
Security Considerations
- Authorization: Obtain explicit written permission before scanning any systems not owned by your organization
- Rate Limiting: Configure appropriate rate limits to avoid overwhelming target applications or triggering DDoS protections
- Production Safety: Use conservative scan parameters (rate-limit 50, concurrency 10) for production environments
- Sensitive Data: Scan results may contain sensitive URLs, parameters, and application details - sanitize before sharing
- False Positives: Manually verify all critical and high severity findings before raising security incidents
- Access Control: Restrict access to scan results and templates containing organization-specific vulnerability patterns
- Audit Logging: Log all scan executions, targets, findings severity, and remediation actions for compliance
- Legal Compliance: Adhere to computer fraud and abuse laws; unauthorized scanning may violate laws
- Credentials Management: Never hardcode credentials in templates; use environment variables or secrets management
- Scope Validation: Double-check target lists to avoid scanning third-party or out-of-scope systems
Bundled Resources
Scripts (scripts/)
nuclei_ci.sh - CI/CD integration wrapper with exit code handling and artifact generationnuclei_auth_scan.py - Authenticated scanning with multiple authentication methods (Bearer, API key, Cookie)nuclei_bulk_scanner.sh - Parallel scanning of multiple targets with aggregated reportingnuclei_scheduler.sh - Scheduled scanning with diff detection and alertingparse_nuclei_results.py - JSON/JSONL parser for generating HTML/CSV reports with severity groupingnuclei_report_generator.py - Comprehensive report generator with OWASP/CWE mappings and remediation guidancetemplate_validator.py - Custom template validation and testing framework
References (references/)
owasp_mapping.md - OWASP Top 10 mapping for Nuclei findingstemplate_development.md - Custom template authoring guideauthentication_patterns.md - Advanced authentication patterns (OAuth, SAML, MFA)false_positive_guide.md - False positive identification and handling
Assets (assets/)
github_actions.yml - GitHub Actions workflow with SARIF exportnuclei_config.yaml - Comprehensive configuration template
Common Patterns
Pattern 1: Progressive Severity Scanning
Start with critical vulnerabilities and progressively expand scope:
nuclei -u https://target-app.com -severity critical -o critical.txt
if [ -s critical.txt ]; then
nuclei -u https://target-app.com -severity high -o high.txt
fi
nuclei -u https://target-app.com -severity medium,low -o all-findings.txt
Pattern 2: Technology-Specific Scanning
Focus on known technology stack vulnerabilities:
nuclei -u https://target-app.com -tags tech -o tech-detected.txt
TECHS=$(grep -oP 'matched at \K\w+' tech-detected.txt | sort -u)
for tech in $TECHS; do
nuclei -u https://target-app.com -tags $tech -severity critical,high -o vulns-$tech.txt
done
Pattern 3: Multi-Stage API Security Testing
Comprehensive API security assessment:
nuclei -u https://api.target.com -tags api,swagger,graphql -o api-discovery.txt
nuclei -u https://api.target.com -tags auth,jwt,oauth -o api-auth.txt
nuclei -u https://api.target.com -tags api,cve -severity critical,high -o api-cves.txt
nuclei -u https://api.target.com -t custom-templates/api/ -o api-custom.txt
Pattern 4: Continuous Security Monitoring
nuclei -u https://production-app.com \
-severity critical,high -tags cve \
-json -jsonl-export scan-$(date +%Y%m%d).jsonl
Integration Points
- CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps, Travis CI
- Issue Tracking: Jira, GitHub Issues, ServiceNow, Linear (via SARIF or custom scripts)
- Security Platforms: Defect Dojo, Splunk, ELK Stack, SIEM platforms (via JSON export)
- Notification: Slack, Microsoft Teams, Discord, PagerDuty, email (via webhook scripts)
- SDLC: Pre-deployment scanning, security regression testing, vulnerability monitoring
- Cloud Platforms: AWS Lambda, Google Cloud Functions, Azure Functions (serverless scanning)
- Reporting: HTML, JSON, JSONL, SARIF, Markdown, CSV formats
Troubleshooting
Common issues and solutions:
- Too Many False Positives: Filter by severity (
-severity critical,high), exclude tags (-etags tech,info). See references/false_positive_guide.md
- Incomplete Coverage: Verify templates loaded (
nuclei -tl | wc -l), update templates (nuclei -update-templates)
- Rate Limiting/WAF: Reduce aggressiveness (
-rate-limit 20 -concurrency 5 -timeout 15)
- High Resource Usage: Reduce parallelism (
-concurrency 5 -bulk-size 5)
- Auth Headers Not Working: Debug with
-debug, verify token format, see references/authentication_patterns.md
References
