# Nuclei — Fast and Customizable Vulnerability Scanner

> Nuclei is a fast, template-based vulnerability scanner. Its community-driven template library covers CVEs, misconfigurations, exposed panels, and security checks — letting you scan applications, APIs, networks, and cloud configurations with simple YAML templates.

## Quick Use

```bash
# Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or: brew install nuclei

# Update templates
nuclei -update-templates

# Scan a target
nuclei -u https://example.com

# Scan with specific templates
nuclei -u https://example.com -t cves/
nuclei -u https://example.com -t exposures/

# Scan multiple targets from a file
nuclei -l targets.txt -t critical/
```

## Introduction

Nuclei is a vulnerability scanner that uses YAML-based templates to send requests and detect security issues. Unlike traditional scanners that rely on built-in checks, Nuclei has a community-maintained library of 9,000+ templates covering the latest CVEs, misconfigurations, default credentials, and exposed services.

With over 28,000 GitHub stars, Nuclei is one of the most popular security tools. Created by ProjectDiscovery, it is used by bug bounty hunters, penetration testers, and security teams to automate vulnerability detection across web applications, APIs, cloud infrastructure, and networks.

## What Nuclei Does

Nuclei reads YAML template files that define HTTP requests, DNS queries, or network interactions along with matchers that identify vulnerable responses. It sends these requests to targets, evaluates responses against the matchers, and reports findings. Templates range from simple header checks to complex multi-step authentication bypass chains.

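The matcher evaluation described above, modelled in Python as an added example (not Nuclei's own code, and not from the original page). The matcher set mirrors the exposed `.env` template in the configuration section of this page; the three responses are constructed, and only `word` and `status` matchers are modelled.

```python
# Simplified model of Nuclei matcher evaluation (added example, not Nuclei's code).
# Assumption: only the "word" and "status" matcher types are supported here.

MATCHERS_CONDITION = "and"  # template-level: every matcher must pass
MATCHERS = [
    {"type": "word", "part": "body", "condition": "or",
     "words": ["DB_PASSWORD", "APP_KEY", "SECRET"]},
    {"type": "status", "status": [200]},
    {"type": "word", "part": "header", "condition": "or",
     "words": ["text/plain"]},
]

def match_one(matcher, response):
    """Evaluate a single matcher against a response dict."""
    if matcher["type"] == "status":
        return response["status"] in matcher["status"]
    if matcher["type"] == "word":
        if matcher.get("part", "body") == "header":
            haystack = "\n".join(f"{k}: {v}" for k, v in response["headers"].items())
        else:
            haystack = response["body"]
        hits = [w in haystack for w in matcher["words"]]  # case-sensitive substring
        return all(hits) if matcher.get("condition", "or") == "and" else any(hits)
    raise ValueError(f"unsupported matcher type: {matcher['type']}")

def evaluate(response, matchers=MATCHERS, condition=MATCHERS_CONDITION):
    """Combine per-matcher results the way matchers-condition does."""
    results = [match_one(m, response) for m in matchers]
    return all(results) if condition == "and" else any(results)

# Constructed sample responses (not captured from any real host).
EXPOSED = {"status": 200, "headers": {"Content-Type": "text/plain"},
           "body": "APP_KEY=base64:xxxx\nDB_PASSWORD=changeme\n"}
SOFT_404 = {"status": 200, "headers": {"Content-Type": "text/html"},
            "body": "<h1>Not found</h1><!-- SECRET santa signup -->"}
FORBIDDEN = {"status": 403, "headers": {"Content-Type": "text/plain"},
             "body": "Forbidden"}

if __name__ == "__main__":
    for name, resp in [("exposed", EXPOSED), ("soft-404", SOFT_404),
                       ("forbidden", FORBIDDEN)]:
        print(name, evaluate(resp), "| with 'or':", evaluate(resp, condition="or"))
```

With `matchers-condition: and`, the HTML soft-404 page and the 403 response are both rejected; under `or` either one would be reported, which is why the template combines body, status, and header checks.
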
## Architecture Overview

```
                 [Targets]
            URLs, IPs, domains
            from stdin or file
                     |
            [Nuclei Engine (Go)]
          High-performance scanner
             Parallel execution
                     |
             [Template Library]
           9,000+ YAML templates
                     |
     +---------------+---------------+
     |               |               |
  [CVEs]        [Misconfig]      [Exposed]
  Known          Default         Admin panels
  vulns          configs         Debug endpoints
                 Open ports      Sensitive files
                     |
                [Protocols]
       HTTP, DNS, TCP, SSL, WebSocket,
              Headless Chrome
                     |
                 [Output]
           JSON, SARIF, Markdown
            Jira, GitHub Issues
                 Webhooks
```

## Self-Hosting & Configuration

```yaml
# Custom template example: check for exposed .env file
id: exposed-env-file

info:
  name: Exposed .env File
  author: your-name
  severity: high
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_PASSWORD"
          - "APP_KEY"
          - "SECRET"
        condition: or

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "text/plain"
```

```bash
# Advanced usage

# Scan with severity filter
nuclei -u https://target.com -severity critical,high

# Scan with specific tags
nuclei -u https://target.com -tags cve,owasp

# Rate limiting for responsible scanning
nuclei -u https://target.com -rate-limit 50 -concurrency 10

# Output as JSON Lines (Nuclei v3 names this flag -jsonl, not -json)
nuclei -u https://target.com -jsonl -o results.jsonl

# Scan with custom templates
nuclei -u https://target.com -t ./my-templates/

# Headless browser scanning
nuclei -u https://target.com -headless
```

## Key Features

- **Template-Based** — 9,000+ community YAML templates for any check
- **Multi-Protocol** — HTTP, DNS, TCP, SSL, WebSocket, and headless browser
- **Fast** — Go-based with parallel execution for high throughput
- **Custom Templates** — write your own checks with simple YAML syntax
- **CI/CD Integration** — SARIF output for GitHub Security, GitLab SAST
- **Severity Filtering** — scan only for critical, high, medium, or low issues
- **Rate Limiting** — responsible scanning with configurable limits
- **Interactsh** — OOB (out-of-band) interaction testing for blind vulnerabilities

## Comparison with Similar Tools

| Feature | Nuclei | Nmap + NSE | Burp Suite | ZAP | Trivy |
|---|---|---|---|---|---|
| Focus | Web + Network vulns | Network scanning | Web app testing | Web app testing | Container scanning |
| Templates | 9,000+ (community) | NSE scripts | Extensions | Scan rules | Built-in |
| Speed | Very Fast | Moderate | Slow (manual) | Moderate | Fast |
| Custom Checks | YAML templates | Lua scripts | Extensions | Scripts | Limited |
| Cost | Free (OSS) | Free | Paid | Free (OSS) | Free (OSS) |
| CI/CD | SARIF, JSON | Limited | CI plugin | CI plugin | Native |
| Best For | Automated scanning | Network recon | Manual testing | DAST | Containers |

## FAQ

**Q: Is Nuclei legal to use?**
A: Nuclei is a security tool. Only scan systems you own or have explicit authorization to test. Unauthorized scanning is illegal in most jurisdictions.

**Q: How do I keep templates updated?**
A: Run `nuclei -update-templates` regularly. New templates are added daily by the community for newly discovered CVEs and vulnerabilities.

**Q: Can I integrate Nuclei into CI/CD?**
A: Yes. Run Nuclei in CI with SARIF output for GitHub Security tab integration, or JSON output for custom processing. Use severity filters to fail builds on critical findings.

**Q: How is Nuclei different from Trivy?**
A: Trivy scans container images and IaC for known vulnerabilities (CVE matching). Nuclei actively tests running applications by sending requests and analyzing responses.

## Sources

- GitHub: https://github.com/projectdiscovery/nuclei
- Templates: https://github.com/projectdiscovery/nuclei-templates
- Documentation: https://docs.projectdiscovery.io
- Created by ProjectDiscovery
- License: MIT

---

Source: https://tokrepo.com/en/workflows/40702aa3-372b-11f1-9bc6-00163e2b0d79
Author: AI Open Source