원클릭으로
api-security
Teach agents to run Nuclei DAST and API security scans in CI, write templates, and gate builds on actionable findings.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Teach agents to run Nuclei DAST and API security scans in CI, write templates, and gate builds on actionable findings.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Teach agents to guide manual accessibility audits for keyboard, screen reader, zoom, reflow, focus, and WCAG 2.2 criteria that scanners miss.
Teach agents to use AI browser agents for exploratory and smoke QA with step budgets, evidence-based assertions, guardrails, and Playwright conversion.
Teach agents to build synthetic monitoring as code with Checkly, including Playwright browser checks, API checks, alerting, and CI deploy workflows.
Teach agents to use the Chrome DevTools MCP server for performance testing with traces, Core Web Vitals, throttling, and evidence-based analysis.
Teach agents to shard and parallelize Playwright, Jest, and pytest suites in CI to reduce wall-clock time while merging reports reliably.
Teach agents to automate accessibility testing in CI with pa11y and pa11y-ci, including thresholds, sitemap crawling, GitHub Actions gating, and WCAG rule tuning.
| name | Nuclei API Security Scanning |
| description | Teach agents to run Nuclei DAST and API security scans in CI, write templates, and gate builds on actionable findings. |
| version | 1.0.0 |
| author | thetestingacademy |
| license | MIT |
| tags | ["nuclei","api-security","dast","ci","templates","vulnerability-scanning"] |
| testingTypes | ["security","api"] |
| frameworks | [] |
| languages | ["bash"] |
| domains | ["api","devops"] |
| agents | ["claude-code","cursor","github-copilot","windsurf","codex","aider","continue","cline","zed","bolt","gemini-cli","amp"] |
You are an API security automation engineer who uses Nuclei templates to find real DAST risks in CI while keeping scans scoped, repeatable, and safe for shared environments.
Install Nuclei in CI and local developer environments.
mkdir -p security/nuclei/templates security/nuclei/results
curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest \
| grep browser_download_url \
| grep linux_amd64.zip \
| cut -d '"' -f 4 \
| xargs curl -L -o nuclei.zip
unzip -o nuclei.zip -d ./bin
./bin/nuclei -version
For local macOS development, use a package manager if approved by your team.
brew install nuclei
nuclei -update
nuclei -update-templates
nuclei -version
Keep security automation separate from application tests.
security/
nuclei/
targets/
pull-request.txt
staging.txt
templates/
exposed-openapi.yaml
missing-security-headers.yaml
unsafe-debug-endpoint.yaml
results/
.gitkeep
scripts/
run-nuclei-api-scan.sh
Generate a target file from CI environment variables.
#!/usr/bin/env bash
set -euo pipefail
: "${API_BASE_URL:?API_BASE_URL is required}"
mkdir -p security/nuclei/targets
printf '%s\n' "$API_BASE_URL" > security/nuclei/targets/pull-request.txt
echo "Prepared Nuclei target for ${API_BASE_URL}"
Write focused templates for product-specific API risks.
id: unsafe-debug-endpoint
info:
name: Unsafe debug endpoint exposed
author: qa-security
severity: high
tags: api,debug,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/debug"
- "{{BaseURL}}/actuator/env"
matchers-condition: or
matchers:
- type: word
words:
- "environment"
- "JAVA_HOME"
- "process.env"
condition: or
- type: status
status:
- 200
Use a wrapper script so local and CI runs match.
#!/usr/bin/env bash
set -euo pipefail
TARGET_FILE="${TARGET_FILE:-security/nuclei/targets/pull-request.txt}"
TEMPLATE_DIR="${TEMPLATE_DIR:-security/nuclei/templates}"
RESULT_FILE="${RESULT_FILE:-security/nuclei/results/nuclei-results.jsonl}"
SEVERITY="${SEVERITY:-medium,high,critical}"
mkdir -p "$(dirname "$RESULT_FILE")"
nuclei \
-list "$TARGET_FILE" \
-templates "$TEMPLATE_DIR" \
-severity "$SEVERITY" \
-rate-limit 20 \
-retries 1 \
-timeout 10 \
-jsonl \
-output "$RESULT_FILE"
if grep -E '"severity":"(high|critical)"' "$RESULT_FILE" >/dev/null 2>&1; then
echo "Nuclei found high or critical findings"
exit 1
fi
echo "Nuclei scan completed without high or critical findings"
Run the gate after the API preview deployment is reachable.
name: api-security
on:
pull_request:
jobs:
nuclei:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: bash scripts/install-nuclei.sh
- run: bash scripts/prepare-nuclei-target.sh
env:
API_BASE_URL: ${{ secrets.API_PREVIEW_URL }}
- run: bash scripts/run-nuclei-api-scan.sh
- uses: actions/upload-artifact@v4
if: always()
with:
name: nuclei-api-results
path: security/nuclei/results/*.jsonl
Use a policy that the team can enforce.
| Scenario | Template Scope | Gate Behavior |
|---|---|---|
| Pull request | Custom API templates | Fail on high and critical |
| Nightly staging scan | Official and custom templates | Open security report |
| New endpoint | Endpoint-specific templates | Require clean result |
| Authenticated API | Token from CI secret | Mask logs and limit rate |
| Legacy API | Medium plus high | Track baseline before enforcing |
| Public production | Approved safe templates only | Prefer scheduled low-rate run |