ConfigsApr 13, 2026·3 min read

Nuclei — Fast and Customizable Vulnerability Scanner

Nuclei is a fast, template-based vulnerability scanner. Its community-driven template library covers CVEs, misconfigurations, exposed panels, and security checks — letting you scan applications, APIs, networks, and cloud configurations with simple YAML templates.

AI
AI Open Source · Community
Quick Use

Use it first, then decide how deep to go

This block should tell both the user and the agent what to copy, install, and apply first.

# Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or: brew install nuclei

# Update templates
nuclei -update-templates

# Scan a target
nuclei -u https://example.com

# Scan with specific templates
nuclei -u https://example.com -t cves/
nuclei -u https://example.com -t exposures/

# Scan multiple targets from a file
nuclei -l targets.txt -t critical/

Introduction

Nuclei is a vulnerability scanner that uses YAML-based templates to send requests and detect security issues. Unlike traditional scanners that rely on built-in checks, Nuclei has a community-maintained library of 9,000+ templates covering the latest CVEs, misconfigurations, default credentials, and exposed services.

With over 28,000 GitHub stars, Nuclei is one of the most popular security tools. Created by ProjectDiscovery, it is used by bug bounty hunters, penetration testers, and security teams to automate vulnerability detection across web applications, APIs, cloud infrastructure, and networks.

What Nuclei Does

Nuclei reads YAML template files that define HTTP requests, DNS queries, or network interactions along with matchers that identify vulnerable responses. It sends these requests to targets, evaluates responses against the matchers, and reports findings. Templates range from simple header checks to complex multi-step authentication bypass chains.

Architecture Overview

[Targets]
URLs, IPs, domains
from stdin or file
        |
   [Nuclei Engine (Go)]
   High-performance scanner
   Parallel execution
        |
   [Template Library]
   9,000+ YAML templates
+-------+-------+-------+
|       |       |       |
[CVEs]   [Misconfig] [Exposed]
Known    Default     Admin panels
vulns    configs     Debug endpoints
         Open ports  Sensitive files
        |
   [Protocols]
   HTTP, DNS, TCP, SSL,
   WebSocket, Headless Chrome
        |
   [Output]
   JSON, SARIF, Markdown
   Jira, GitHub Issues
   Webhooks

Self-Hosting & Configuration

# Custom template example: check for exposed .env file
id: exposed-env-file

info:
  name: Exposed .env File
  author: your-name
  severity: high
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_PASSWORD"
          - "APP_KEY"
          - "SECRET"
        condition: or
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "text/plain"
# Advanced usage

# Scan with severity filter
nuclei -u https://target.com -severity critical,high

# Scan with specific tags
nuclei -u https://target.com -tags cve,owasp

# Rate limiting for responsible scanning
nuclei -u https://target.com -rate-limit 50 -concurrency 10

# Output to JSON
nuclei -u https://target.com -json -o results.json

# Scan with custom templates
nuclei -u https://target.com -t ./my-templates/

# Headless browser scanning
nuclei -u https://target.com -headless

Key Features

  • Template-Based — 9,000+ community YAML templates for any check
  • Multi-Protocol — HTTP, DNS, TCP, SSL, WebSocket, and headless browser
  • Fast — Go-based with parallel execution for high throughput
  • Custom Templates — write your own checks with simple YAML syntax
  • CI/CD Integration — SARIF output for GitHub Security, GitLab SAST
  • Severity Filtering — scan only for critical, high, medium, or low issues
  • Rate Limiting — responsible scanning with configurable limits
  • Interactsh — OOB (out-of-band) interaction testing for blind vulnerabilities

Comparison with Similar Tools

Feature Nuclei Nmap + NSE Burp Suite ZAP Trivy
Focus Web + Network vulns Network scanning Web app testing Web app testing Container scanning
Templates 9,000+ (community) NSE scripts Extensions Scan rules Built-in
Speed Very Fast Moderate Slow (manual) Moderate Fast
Custom Checks YAML templates Lua scripts Extensions Scripts Limited
Cost Free (OSS) Free Paid Free (OSS) Free (OSS)
CI/CD SARIF, JSON Limited CI plugin CI plugin Native
Best For Automated scanning Network recon Manual testing DAST Containers

FAQ

Q: Is Nuclei legal to use? A: Nuclei is a security tool. Only scan systems you own or have explicit authorization to test. Unauthorized scanning is illegal in most jurisdictions.

Q: How do I keep templates updated? A: Run "nuclei -update-templates" regularly. New templates are added daily by the community for newly discovered CVEs and vulnerabilities.

Q: Can I integrate Nuclei into CI/CD? A: Yes. Run Nuclei in CI with SARIF output for GitHub Security tab integration, or JSON output for custom processing. Use severity filters to fail builds on critical findings.

Q: How is Nuclei different from Trivy? A: Trivy scans container images and IaC for known vulnerabilities (CVE matching). Nuclei actively tests running applications by sending requests and analyzing responses.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Task — Fast Cross-Platform Build Tool for Modern Workflows

Task is a task runner and build tool written in Go. It uses simple YAML configuration as a modern, cross-platform alternative to Make — with better syntax, built-in variables, watch mode, and no platform-specific quirks.

AI Open Source

sqlc — Generate Type-Safe Go Code from SQL

sqlc generates fully type-safe Go code from your SQL queries. Write SQL, run sqlc generate, and get Go functions with proper types for parameters and results — no ORM, no reflection, just compile-time safe database access.

AI Open Source

gRPC-Go — High-Performance RPC Framework for Go

gRPC-Go is the Go implementation of gRPC, a high-performance, open-source RPC framework. It uses Protocol Buffers for serialization and HTTP/2 for transport, enabling efficient communication between microservices with strongly-typed contracts.

AI Open Source
Home🔍Search👤Me