Nuclei: Fast Vulnerability Scanning with YAML Templates

When a new CVE drops, attackers start exploiting it within hours. Traditional vulnerability scanners take weeks to add detection rules. Nuclei flips this model by using community-contributed YAML templates that can detect new vulnerabilities within days of disclosure.
What Is Nuclei?
Nuclei is an open-source vulnerability scanner built by ProjectDiscovery. Instead of relying on closed-source detection logic, it uses simple YAML templates that anyone can write, share, and customize.
Key features:
- Ultra-fast parallel scanning
- 9,000+ community templates covering CVEs, misconfigs, and exposures
- Simple YAML-based template format
- Supports HTTP, DNS, TCP, SSL, and more protocols
- Zero false positives through multi-step verification
- CI/CD integration ready
Installation
```bash
# Using Go (requires Go 1.24+)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Using Homebrew
brew install nuclei

# Using Docker
docker pull projectdiscovery/nuclei:latest
```
After installation, Nuclei automatically downloads the latest templates:
```bash
nuclei -update-templates
```
Basic Usage
Single Target Scan
```bash
nuclei -target https://example.com
```
This runs all applicable templates against the target and reports any findings.
Scan Multiple Targets
```bash
# From a file
nuclei -list targets.txt

# Scan a subnet
nuclei -target 192.168.1.0/24
```
Filter by Severity
```bash
# Only critical and high severity
nuclei -target https://example.com -severity critical,high

# Exclude info-level findings
nuclei -target https://example.com -exclude-severity info
```
Filter by Tags
```bash
# Only CVE templates
nuclei -target https://example.com -tags cve

# Multiple tags
nuclei -target https://example.com -tags cve,rce,sqli
```
Understanding Templates
Nuclei templates are YAML files that define:
- What requests to send
- What responses to match
- How to extract and validate data
Here's a simplified example:
```yaml
id: example-cve-detection

info:
  name: Example CVE Detection
  author: security-researcher
  severity: high
  tags: cve,example

http:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"

    matchers:
      - type: word
        words:
          - "vulnerable_response_string"
```
The template library covers:
| Category | Examples |
|---|---|
| CVEs | Log4Shell, Spring4Shell, ProxyShell |
| Misconfigurations | Open S3 buckets, exposed admin panels |
| Default credentials | Jenkins, Tomcat, phpMyAdmin |
| Exposures | .git folders, .env files, backups |
| Takeovers | Subdomain takeover detection |
Practical Examples
Scan for Log4Shell
```bash
nuclei -target https://example.com -tags log4j
```
Check for Exposed Sensitive Files
```bash
nuclei -target https://example.com -tags exposure
```
Scan for Default Credentials
```bash
nuclei -target https://example.com -tags default-login
```
Full Security Assessment
```bash
nuclei -target https://example.com \
  -severity critical,high,medium \
  -output results.json \
  -jsonl
```
CI/CD Integration
Add Nuclei to your pipeline to catch vulnerabilities before deployment:
```yaml
# GitHub Actions example
- name: Run Nuclei Scan
  # Pin to a release tag or commit SHA instead of @main for reproducible runs
  uses: projectdiscovery/nuclei-action@main
  with:
    target: https://staging.example.com
    flags: "-severity critical,high"
    output: nuclei-results.txt

- name: Fail on findings
  run: |
    # -s is true when the results file exists and is non-empty
    if [ -s nuclei-results.txt ]; then
      echo "Vulnerabilities found!"
      cat nuclei-results.txt
      exit 1
    fi
```
Writing Custom Templates
Create templates for your own applications:
```yaml
id: internal-api-auth-bypass

info:
  name: Internal API Auth Bypass
  author: your-team
  severity: critical
  description: Checks for authentication bypass in internal API

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/admin/users"
    headers:
      X-Internal: "true"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - '"users":'
          - '"email":'
        condition: and
```
Save as internal-api-check.yaml and run:
```bash
nuclei -target https://internal.example.com -t internal-api-check.yaml
```
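To see why the custom template above combines a status matcher with an all-words matcher, the following added example (not Nuclei's own code) models the two `and` conditions in Python and runs them against constructed responses. It assumes Nuclei's documented defaults: omitted conditions mean `or`, and word matchers inspect the response body.

```python
# Simplified model of Nuclei's HTTP matcher logic (added example, not Nuclei's code).
# Assumed defaults: an omitted condition means "or"; word matchers inspect the body.

TEMPLATE_HTTP = {  # matcher section of internal-api-auth-bypass, written as a dict
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "words": ['"users":', '"email":'], "condition": "and"},
    ],
}

def _combine(results, condition):
    return all(results) if condition == "and" else any(results)

def match_one(matcher, status, body):
    """Evaluate a single status or word matcher against one response."""
    if matcher["type"] == "status":
        return status in matcher["status"]
    if matcher["type"] == "word":
        hits = [word in body for word in matcher["words"]]
        return _combine(hits, matcher.get("condition", "or"))
    raise ValueError(f"unsupported matcher type: {matcher['type']}")

def template_matches(http_block, status, body):
    """Combine all matcher results using the block-level matchers-condition."""
    results = [match_one(m, status, body) for m in http_block["matchers"]]
    return _combine(results, http_block.get("matchers-condition", "or"))

# Constructed sample responses (not captured from a real system).
RESPONSES = {
    "bypass": (200, '{"users":[{"id":1,"email":"a@example.com"}]}'),
    "login_page": (200, "<html><title>Sign in</title></html>"),
    "denied": (401, '{"error":"unauthorized"}'),
    "error_echo": (403, '{"users":[],"email":null,"error":"forbidden"}'),
}

def evaluate_all(http_block=TEMPLATE_HTTP):
    return {n: template_matches(http_block, s, b) for n, (s, b) in RESPONSES.items()}

def loosened(http_block=TEMPLATE_HTTP):
    """Same matchers with every condition dropped, so the 'or' defaults apply."""
    stripped = [{k: v for k, v in m.items() if k != "condition"}
                for m in http_block["matchers"]]
    return {"matchers": stripped}

if __name__ == "__main__":
    print("as written:", evaluate_all())
    print("conditions removed:", evaluate_all(loosened()))
```

With the conditions removed, the login page (status 200 alone) and the 403 error body (words alone) both match, which is the false-positive pattern the two `and` settings prevent.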
Performance Tuning
For large-scale scanning:
```bash
nuclei -list targets.txt \
  -rate-limit 500 \
  -bulk-size 50 \
  -concurrency 50 \
  -timeout 5
```
| Flag | Purpose | Default |
|---|---|---|
| -rate-limit | Requests per second | 150 |
| -bulk-size | Hosts per template batch | 25 |
| -concurrency | Parallel templates | 25 |
| -timeout | Request timeout (seconds) | 10 |
Output Formats
# JSON Lines (for processing)
nuclei -target example.com -jsonl -output results.jsonl
# Markdown report
nuclei -target example.com -markdown-export report/
# SARIF (for GitHub Security)
nuclei -target example.com -sarif-export results.sarif
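The JSON Lines output is the format to feed into a pipeline gate or alerting system. The following added example (not part of Nuclei or the original page) deduplicates findings, counts them by severity, and derives a CI exit code. The sample records are constructed and trimmed to the `template-id`, `info.severity` and `matched-at` fields, and the exit-code convention is an assumption of this sketch.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample of `nuclei -jsonl` output, trimmed to the fields used below.
SAMPLE_JSONL = """\
{"template-id":"git-config","info":{"severity":"medium"},"matched-at":"https://staging.example.com/.git/config"}
{"template-id":"internal-api-auth-bypass","info":{"severity":"critical"},"matched-at":"https://staging.example.com/api/v1/admin/users"}
{"template-id":"tech-detect","info":{"severity":"info"},"matched-at":"https://staging.example.com"}
{"template-id":"git-config","info":{"severity":"medium"},"matched-at":"https://staging.example.com/.git/config"}
{"template-id":"truncated-record","info":
"""

def parse_findings(text):
    """Return (unique findings, number of lines that could not be parsed)."""
    seen, findings, bad = set(), [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            key = (rec["template-id"], rec["matched-at"])
            severity = rec["info"]["severity"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            bad += 1  # count damaged lines instead of silently dropping them
            continue
        if key not in seen:
            seen.add(key)
            findings.append({"id": key[0], "at": key[1], "severity": severity})
    return findings, bad

def summarize(findings):
    return dict(Counter(f["severity"] for f in findings))

def gate(findings, bad_lines, fail_at="high"):
    """Exit code: 1 if any finding is at or above fail_at, 2 if output was damaged."""
    threshold = SEVERITY_ORDER.index(fail_at)
    blocking = [f for f in findings if f["severity"] in SEVERITY_ORDER
                and SEVERITY_ORDER.index(f["severity"]) >= threshold]
    if blocking:
        return 1
    return 2 if bad_lines else 0

if __name__ == "__main__":
    found, bad = parse_findings(SAMPLE_JSONL)
    print(summarize(found), "unparseable:", bad, "exit:", gate(found, bad))
```

Returning a distinct code for unparseable output keeps a truncated results file from being read as a clean scan.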
Best Practices for SRE Teams
- Schedule regular scans: Run Nuclei weekly against staging and production
- Start with high severity: Focus on critical/high first, then expand
- Use tag filtering: Run specific checks (e.g., -tags ssl for cert issues)
- Integrate with alerting: Pipe JSON output to your monitoring system
- Maintain custom templates: Write checks for your specific stack
- Keep templates updated: Run nuclei -update-templates regularly
Comparison with Other Scanners
| Tool | Speed | Customization | Community Templates |
|---|---|---|---|
| Nuclei | Fast | YAML templates | 9,000+ |
| Nessus | Medium | Limited | Proprietary |
| OpenVAS | Slow | Complex | 50,000+ (mixed quality) |
| Nikto | Medium | None | Built-in only |
Nuclei excels at speed and customization while maintaining accuracy through its verification-based approach.
FAQ
Does Nuclei cause damage to targets?
By default, no. Most templates are passive checks. Fuzzing templates exist but are opt-in with the -dast flag.
How do I reduce false positives?
Nuclei templates use multi-step verification. If you still get false positives, report them on the template repository.
Can I scan internal networks?
Yes. Nuclei works on any reachable target. Use -interface to specify the network interface for internal scans.
How often are templates updated?
The community adds templates daily. Run nuclei -update-templates to get the latest.
