Configs · 13 April 2026 · 1 min read

Nuclei — Fast and Customizable Vulnerability Scanner

Nuclei is a fast, template-based vulnerability scanner. Its community-driven template library covers CVEs, misconfigurations, exposed panels, and security checks — letting you scan applications, APIs, networks, and cloud configurations with simple YAML templates.

Quick Start

Try it first, then decide whether to dig deeper.

This section tells both users and agents what to copy first, what to install, and where it lands.

# Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or: brew install nuclei

# Update templates
nuclei -update-templates

# Scan a target
nuclei -u https://example.com

# Scan with a template directory (paths are relative to the templates directory)
nuclei -u https://example.com -t http/cves/
nuclei -u https://example.com -t http/exposures/

# Scan multiple targets from a file, running only critical-severity templates
nuclei -l targets.txt -severity critical

Introduction

Nuclei is a vulnerability scanner that uses YAML-based templates to send requests and detect security issues. Rather than hard-coding its checks in the engine, Nuclei draws on a community-maintained library of 9,000+ templates covering recent CVEs, misconfigurations, default credentials, and exposed services.

With over 28,000 GitHub stars, Nuclei is one of the most popular security tools. Created by ProjectDiscovery, it is used by bug bounty hunters, penetration testers, and security teams to automate vulnerability detection across web applications, APIs, cloud infrastructure, and networks.

What Nuclei Does

Nuclei reads YAML template files that define HTTP requests, DNS queries, or raw network interactions, together with matchers that identify a vulnerable response. It sends these requests to each target, evaluates the responses against the matchers, and reports every match as a finding. Templates range from single-request header checks to multi-request chains in which a value extracted from one response (a token, a session ID) is fed into the next request.

Architecture Overview

[Targets]
URLs, IPs, domains
from stdin or file
        |
   [Nuclei Engine (Go)]
   High-performance scanner
   Parallel execution
        |
   [Template Library]
   9,000+ YAML templates
        |
   +----------+----------+
   |          |          |
[CVEs]   [Misconfig]  [Exposed]
Known    Default      Admin panels
vulns    configs      Debug endpoints
         Open ports   Sensitive files
        |
   [Protocols]
   HTTP, DNS, TCP, SSL,
   WebSocket, Headless Chrome
        |
   [Output]
   JSON, SARIF, Markdown
   Jira, GitHub Issues
   Webhooks

Self-Hosting & Configuration

# Custom template example: check for an exposed .env file
id: exposed-env-file

info:
  name: Exposed .env File
  author: your-name
  severity: high
  description: Detects a readable .env file containing framework or database secrets.
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    # All matchers must pass (status AND secret keyword AND not HTML) so that a
    # soft-404 page returning 200 with the word "SECRET" in its JavaScript
    # does not produce a false positive.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Match on "KEY=" rather than the bare key name to require dotenv syntax.
      - type: word
        part: body
        words:
          - "DB_PASSWORD="
          - "APP_KEY="
          - "SECRET_KEY="
        condition: or

      # Real .env files are plain text, never an HTML document.
      - type: word
        part: body
        words:
          - "<html"
          - "<!DOCTYPE"
        negative: true

# Advanced usage

# Scan with severity filter
nuclei -u https://target.com -severity critical,high

# Scan with specific tags
nuclei -u https://target.com -tags cve,owasp

# Rate limiting for responsible scanning: at most 50 requests/second, 10 templates in parallel
nuclei -u https://target.com -rate-limit 50 -concurrency 10

# Output findings as JSON Lines (one JSON object per finding)
nuclei -u https://target.com -jsonl -o results.jsonl

# Scan with custom templates
nuclei -u https://target.com -t ./my-templates/

# Headless browser scanning
nuclei -u https://target.com -headless

Key Features

  • Template-Based — 9,000+ community YAML templates for any check
  • Multi-Protocol — HTTP, DNS, TCP, SSL, WebSocket, and headless browser
  • Fast — Go-based with parallel execution for high throughput
  • Custom Templates — write your own checks with simple YAML syntax
  • CI/CD Integration — SARIF export for GitHub code scanning, JSON Lines output for custom pipeline processing
  • Severity Filtering — scan only for critical, high, medium, or low issues
  • Rate Limiting — responsible scanning with configurable limits
  • Interactsh — OOB (out-of-band) interaction testing for blind vulnerabilities

Comparison with Similar Tools

Feature         Nuclei                 Nmap + NSE          Burp Suite                       ZAP                Trivy
Focus           Web + network vulns    Network scanning    Web app testing                  Web app testing    Container / IaC scanning
Templates       9,000+ (community)     NSE scripts         Extensions (BApp Store)          Scan rules         Built-in vulnerability DB
Speed           Very fast              Moderate            Manual-driven (Pro adds a scanner)  Moderate        Fast
Custom checks   YAML templates         Lua scripts         Extensions (Java/Python)         Scripts            Rego policies (misconfig only)
Cost            Free (OSS)             Free (OSS)          Free Community / paid Pro        Free (OSS)         Free (OSS)
CI/CD           SARIF, JSONL           Limited             CI integration (paid tiers)      CI plugin          Native
Best for        Automated scanning     Network recon       Manual testing                   DAST               Containers and IaC

FAQ

Q: Is Nuclei legal to use? A: Nuclei is a security tool. Only scan systems you own or have explicit authorization to test. Unauthorized scanning is illegal in most jurisdictions.

Q: How do I keep templates updated? A: Run "nuclei -update-templates" regularly. New templates are added daily by the community for newly discovered CVEs and vulnerabilities.

Q: Can I integrate Nuclei into CI/CD? A: Yes. Run Nuclei in CI with SARIF export for the GitHub Security tab, or JSON Lines output for custom processing. Restrict the run with -severity, then have the pipeline step fail the job when the output file contains findings at or above your threshold; do not rely on the scanner's own exit status to signal findings.
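The gating step from the answer above, as an added example (this is not Nuclei project code). It assumes the scan has already written JSON Lines output with -jsonl -o, and it parses only the "severity" field that Nuclei places in each finding's info object. The results file used here is constructed inline so the script runs without a scanner or a target.

```shell
#!/usr/bin/env sh
# Added example: fail a CI job on Nuclei JSONL findings at or above a severity.
# In a pipeline the input file would come from a command such as:
#   nuclei -l targets.txt -severity critical,high -jsonl -o results.jsonl
# Here a constructed results.jsonl stands in so the script runs offline.

# Map a Nuclei severity to a rank so thresholds can be compared numerically.
sev_rank() {
  case "$1" in
    critical) echo 5 ;;
    high)     echo 4 ;;
    medium)   echo 3 ;;
    low)      echo 2 ;;
    info)     echo 1 ;;
    *)        echo 0 ;;   # unknown or missing severity never counts
  esac
}

# Count findings in a JSONL file whose severity is >= the given minimum.
count_findings_at_or_above() {
  file="$1"; min="$(sev_rank "$2")"; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    sev=$(printf '%s\n' "$line" | sed -n 's/.*"severity": *"\([a-z]*\)".*/\1/p')
    if [ "$(sev_rank "$sev")" -ge "$min" ]; then
      n=$((n + 1))
    fi
  done < "$file"
  echo "$n"
}

# Return 0 when the build may proceed, 1 when findings breach the threshold.
gate() {
  n="$(count_findings_at_or_above "$1" "$2")"
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n finding(s) at severity >= $2" >&2
    return 1
  fi
  echo "OK: no findings at severity >= $2"
}

# Constructed sample output (three findings, not from a real scan). Only the
# fields this script reads are realistic; the rest is trimmed for brevity.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
{"template-id":"exposed-env-file","info":{"name":"Exposed .env File","severity":"high"},"host":"https://app.example.com","matched-at":"https://app.example.com/.env"}
{"template-id":"constructed-info-check","info":{"name":"Constructed informational finding","severity":"info"},"host":"https://app.example.com","matched-at":"https://app.example.com/"}
{"template-id":"constructed-medium-check","info":{"name":"Constructed medium finding","severity":"medium"},"host":"https://api.example.com","matched-at":"https://api.example.com/"}
EOF

# Typical CI invocation: block the merge on anything high or critical.
gate "$SAMPLE" high || echo "pipeline would stop here"
```

Point the gate at the real results.jsonl in CI and pick the threshold per environment (high for merge gates, medium for nightly reports). Because the count is derived from the output file rather than the scanner's exit code, an empty file from a target that refused connections still passes; add a separate check on the file's existence or the scanner's stderr if you want "scan did not run" treated as a failure.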

Q: How is Nuclei different from Trivy? A: Trivy scans container images and IaC for known vulnerabilities (CVE matching). Nuclei actively tests running applications by sending requests and analyzing responses.
