agentsecops/dast-nuclei
skills/appsec/dast-nuclei/SKILL.md
Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.
$ install --global
skillsauthnpx skillsauth add agentsecops/secopsagentkit dast-nucleiInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 4:56 PM56.8s11 files scanned
SKILL.md
- name:
- dast-nuclei
- description:
- >
- APIs, and infrastructure. Use when:
- (1) Performing rapid vulnerability scanning with automated CVE
- version:
- 0.1.0
- maintainer:
- SirAppSec
- category:
- appsec
- tags:
- [dast, nuclei, vulnerability-scanning, cve, owasp, api-testing, automation, templates]
- frameworks:
- [OWASP, CWE, CVE]
- tools:
- [nuclei]
- optional:
- [docker, git]
- - https:
- //github.com/projectdiscovery/nuclei-templates
DAST with Nuclei
Overview
Nuclei is a fast, template-based vulnerability scanner from ProjectDiscovery that uses YAML templates to detect security vulnerabilities, misconfigurations, and exposures across web applications, APIs, networks, and cloud infrastructure. With 7,000+ community templates covering CVEs, OWASP vulnerabilities, and custom checks, Nuclei provides efficient automated security testing with minimal false positives.
Quick Start
Installation
# Install via Go
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or using Docker
docker pull projectdiscovery/nuclei:latest
# Update templates (automatically downloads 7000+ community templates)
nuclei -update-templates
Basic Vulnerability Scan
# Scan single target with all templates
nuclei -u https://target-app.com
# Scan with specific severity levels
nuclei -u https://target-app.com -severity critical,high
# Scan multiple targets from file
nuclei -list targets.txt -severity critical,high,medium -o results.txt
Quick CVE Scan
# Scan for specific CVEs
nuclei -u https://target-app.com -tags cve -severity critical,high
# Scan for recent CVEs
nuclei -u https://target-app.com -tags cve -severity critical -template-condition "contains(id, 'CVE-')"
Core Workflow
Workflow Checklist
Progress: [ ] 1. Install Nuclei and update templates to latest version [ ] 2. Define target scope (URLs, domains, IP ranges) [ ] 3. Select appropriate templates based on target type and risk tolerance [ ] 4. Configure scan parameters (rate limiting, severity, concurrency) [ ] 5. Execute scan with proper authentication if needed [ ] 6. Review findings, filter false positives, and verify vulnerabilities [ ] 7. Map findings to OWASP/CWE frameworks [ ] 8. Generate security report with remediation guidance
Work through each step systematically. Check off completed items.
Step 1: Template Selection and Target Scoping
Identify target applications and select relevant template categories:
# List available template categories
nuclei -tl
# List templates by tag
nuclei -tl -tags owasp
nuclei -tl -tags cve,misconfig
# Show template statistics
nuclei -tl -tags cve -severity critical | wc -l
Template Categories:
- cve: Known CVE vulnerabilities (7000+ CVE templates)
- owasp: OWASP Top 10 vulnerabilities
- misconfig: Common security misconfigurations
- exposed-panels: Admin panels and login pages
- takeovers: Subdomain takeover vulnerabilities
- default-logins: Default credentials
- exposures: Sensitive file and data exposures
- tech: Technology detection and fingerprinting
Target Scoping Best Practices:
- Create target list excluding third-party services
- Group targets by application type for focused scanning
- Define exclusions for sensitive endpoints (payment, logout, delete actions)
Step 2: Configure Scan Parameters
Set appropriate rate limiting and concurrency for target environment:
# Conservative scan (avoid overwhelming target)
nuclei -u https://target-app.com \
-severity critical,high \
-rate-limit 50 \
-concurrency 10 \
-timeout 10
# Aggressive scan (faster, higher load)
nuclei -u https://target-app.com \
-severity critical,high,medium \
-rate-limit 150 \
-concurrency 25 \
-bulk-size 25
Parameter Guidelines:
- rate-limit: Requests per second (50-150 typical, lower for production)
- concurrency: Parallel template execution (10-25 typical)
- bulk-size: Parallel host scanning (10-25 for multiple targets)
- timeout: Per-request timeout in seconds (10-30 typical)
For CI/CD integration patterns, see scripts/nuclei_ci.sh.
Step 3: Execute Targeted Scans
Run scans based on security objectives:
Critical Vulnerability Scan:
# Focus on critical and high severity issues
nuclei -u https://target-app.com \
-severity critical,high \
-tags cve,owasp \
-o critical-findings.txt \
-json -jsonl-export critical-findings.jsonl
Technology-Specific Scan:
# Scan specific technology stack
nuclei -u https://target-app.com -tags apache,nginx,wordpress,drupal
# Scan for exposed sensitive files
nuclei -u https://target-app.com -tags exposure,config
# Scan for authentication issues
nuclei -u https://target-app.com -tags auth,login,default-logins
API Security Scan:
# API-focused security testing
nuclei -u https://api.target.com \
-tags api,graphql,swagger \
-severity critical,high,medium \
-header "Authorization: Bearer $API_TOKEN"
Custom Template Scan:
# Scan with organization-specific templates
nuclei -u https://target-app.com \
-t custom-templates/ \
-t nuclei-templates/http/cves/ \
-severity critical,high
Step 4: Authenticated Scanning
Perform authenticated scans for complete coverage:
# Scan with authentication headers
nuclei -u https://target-app.com \
-header "Authorization: Bearer $AUTH_TOKEN" \
-header "Cookie: session=$SESSION_COOKIE" \
-tags cve,owasp
# Scan with custom authentication using bundled script
python3 scripts/nuclei_auth_scan.py \
--target https://target-app.com \
--auth-type bearer \
--token-env AUTH_TOKEN \
--severity critical,high \
--output auth-scan-results.jsonl
For OAuth, SAML, and MFA scenarios, see references/authentication_patterns.md.
Step 5: Results Analysis and Validation
Review findings and eliminate false positives:
# Parse JSON output for high-level summary
python3 scripts/parse_nuclei_results.py \
--input critical-findings.jsonl \
--output report.html \
--group-by severity
# Filter and verify findings
nuclei -u https://target-app.com \
-tags cve \
-severity critical \
-verify \
-verbose
Validation Workflow:
- Review critical findings first (immediate action required)
- Verify each finding manually (curl, browser inspection, PoC testing)
- Check for false positives using
references/false_positive_guide.md - Map confirmed vulnerabilities to OWASP Top 10 using
references/owasp_mapping.md - Cross-reference with CWE classifications for remediation patterns
Feedback Loop Pattern:
# 1. Initial scan
nuclei -u https://target-app.com -severity critical,high -o scan1.txt
# 2. Apply fixes to identified vulnerabilities
# 3. Re-scan to verify remediation
nuclei -u https://target-app.com -severity critical,high -o scan2.txt
# 4. Compare results to ensure vulnerabilities are resolved
diff scan1.txt scan2.txt
Step 6: Reporting and Remediation Tracking
Generate comprehensive security reports:
# Generate detailed report with OWASP/CWE mappings
python3 scripts/nuclei_report_generator.py \
--input scan-results.jsonl \
--output security-report.html \
--format html \
--include-remediation \
--map-frameworks owasp,cwe
# Export to SARIF for GitHub Security tab
nuclei -u https://target-app.com \
-severity critical,high \
-sarif-export github-sarif.json
See assets/report_templates/ for customizable report formats.
Automation & CI/CD Integration
GitHub Actions Integration
# .github/workflows/nuclei-scan.yml
name: Nuclei Security Scan
on: [push, pull_request]
jobs:
nuclei:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: https://staging.target-app.com
severity: critical,high
templates: cves,owasp,misconfig
- name: Upload Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: nuclei.sarif
Docker-Based CI/CD Scanning
# Run in CI/CD pipeline with Docker
docker run --rm \
-v $(pwd):/reports \
projectdiscovery/nuclei:latest \
-u $TARGET_URL \
-severity critical,high \
-json -jsonl-export /reports/nuclei-results.jsonl
# Check exit code and fail build on critical findings
if grep -q '"severity":"critical"' nuclei-results.jsonl; then
echo "Critical vulnerabilities detected!"
exit 1
fi
Advanced Automation with Custom Scripts
# Automated multi-target scanning with parallel execution
./scripts/nuclei_bulk_scanner.sh \
--targets-file production-apps.txt \
--severity critical,high \
--slack-webhook $SLACK_WEBHOOK \
--output-dir scan-reports/
# Scheduled vulnerability monitoring
./scripts/nuclei_scheduler.sh \
--schedule daily \
--targets targets.txt \
--diff-mode \
--alert-on new-findings
For complete CI/CD integration examples, see scripts/ci_integration_examples/.
Custom Template Development
Create organization-specific security templates:
# custom-templates/api-key-exposure.yaml
id: custom-api-key-exposure
info:
name: Custom API Key Exposure Check
author: security-team
severity: high
description: Detects exposed API keys in custom application endpoints
tags: api,exposure,custom
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/config"
- "{{BaseURL}}/.env"
matchers-condition: and
matchers:
- type: word
words:
- "api_key"
- "secret_key"
- type: status
status:
- 200
extractors:
- type: regex
name: api_key
regex:
- 'api_key["\s:=]+([a-zA-Z0-9_-]{32,})'
Template Development Resources:
references/template_development.md- Complete template authoring guideassets/template_examples/- Sample templates for common patterns- Nuclei Template Guide
Security Considerations
- Authorization: Obtain explicit written permission before scanning any systems not owned by your organization
- Rate Limiting: Configure appropriate rate limits to avoid overwhelming target applications or triggering DDoS protections
- Production Safety: Use conservative scan parameters (rate-limit 50, concurrency 10) for production environments
- Sensitive Data: Scan results may contain sensitive URLs, parameters, and application details - sanitize before sharing
- False Positives: Manually verify all critical and high severity findings before raising security incidents
- Access Control: Restrict access to scan results and templates containing organization-specific vulnerability patterns
- Audit Logging: Log all scan executions, targets, findings severity, and remediation actions for compliance
- Legal Compliance: Adhere to computer fraud and abuse laws; unauthorized scanning may violate laws
- Credentials Management: Never hardcode credentials in templates; use environment variables or secrets management
- Scope Validation: Double-check target lists to avoid scanning third-party or out-of-scope systems
Bundled Resources
Scripts (scripts/)
nuclei_ci.sh- CI/CD integration wrapper with exit code handling and artifact generationnuclei_auth_scan.py- Authenticated scanning with multiple authentication methods (Bearer, API key, Cookie)nuclei_bulk_scanner.sh- Parallel scanning of multiple targets with aggregated reportingnuclei_scheduler.sh- Scheduled scanning with diff detection and alertingparse_nuclei_results.py- JSON/JSONL parser for generating HTML/CSV reports with severity groupingnuclei_report_generator.py- Comprehensive report generator with OWASP/CWE mappings and remediation guidancetemplate_validator.py- Custom template validation and testing framework
References (references/)
owasp_mapping.md- OWASP Top 10 mapping for Nuclei findingstemplate_development.md- Custom template authoring guideauthentication_patterns.md- Advanced authentication patterns (OAuth, SAML, MFA)false_positive_guide.md- False positive identification and handling
Assets (assets/)
github_actions.yml- GitHub Actions workflow with SARIF exportnuclei_config.yaml- Comprehensive configuration template
Common Patterns
Pattern 1: Progressive Severity Scanning
Start with critical vulnerabilities and progressively expand scope:
# Stage 1: Critical vulnerabilities only (fast)
nuclei -u https://target-app.com -severity critical -o critical.txt
# Stage 2: High severity if critical issues found
if [ -s critical.txt ]; then
nuclei -u https://target-app.com -severity high -o high.txt
fi
# Stage 3: Medium/Low for comprehensive assessment
nuclei -u https://target-app.com -severity medium,low -o all-findings.txt
Pattern 2: Technology-Specific Scanning
Focus on known technology stack vulnerabilities:
# 1. Identify technologies
nuclei -u https://target-app.com -tags tech -o tech-detected.txt
# 2. Parse detected technologies
TECHS=$(grep -oP 'matched at \K\w+' tech-detected.txt | sort -u)
# 3. Scan for technology-specific vulnerabilities
for tech in $TECHS; do
nuclei -u https://target-app.com -tags $tech -severity critical,high -o vulns-$tech.txt
done
Pattern 3: Multi-Stage API Security Testing
Comprehensive API security assessment:
# Stage 1: API discovery and fingerprinting
nuclei -u https://api.target.com -tags api,swagger,graphql -o api-discovery.txt
# Stage 2: Authentication testing
nuclei -u https://api.target.com -tags auth,jwt,oauth -o api-auth.txt
# Stage 3: Known API CVEs
nuclei -u https://api.target.com -tags api,cve -severity critical,high -o api-cves.txt
# Stage 4: Business logic testing with custom templates
nuclei -u https://api.target.com -t custom-templates/api/ -o api-custom.txt
Pattern 4: Continuous Security Monitoring
# Daily scan with diff detection
nuclei -u https://production-app.com \
-severity critical,high -tags cve \
-json -jsonl-export scan-$(date +%Y%m%d).jsonl
# Use bundled scripts for diff analysis and alerting
Integration Points
- CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps, Travis CI
- Issue Tracking: Jira, GitHub Issues, ServiceNow, Linear (via SARIF or custom scripts)
- Security Platforms: Defect Dojo, Splunk, ELK Stack, SIEM platforms (via JSON export)
- Notification: Slack, Microsoft Teams, Discord, PagerDuty, email (via webhook scripts)
- SDLC: Pre-deployment scanning, security regression testing, vulnerability monitoring
- Cloud Platforms: AWS Lambda, Google Cloud Functions, Azure Functions (serverless scanning)
- Reporting: HTML, JSON, JSONL, SARIF, Markdown, CSV formats
Troubleshooting
Common issues and solutions:
- Too Many False Positives: Filter by severity (
-severity critical,high), exclude tags (-etags tech,info). Seereferences/false_positive_guide.md - Incomplete Coverage: Verify templates loaded (
nuclei -tl | wc -l), update templates (nuclei -update-templates) - Rate Limiting/WAF: Reduce aggressiveness (
-rate-limit 20 -concurrency 5 -timeout 15) - High Resource Usage: Reduce parallelism (
-concurrency 5 -bulk-size 5) - Auth Headers Not Working: Debug with
-debug, verify token format, seereferences/authentication_patterns.md
References
- Nuclei Documentation
- Nuclei Templates Repository
- OWASP Top 10
- CWE Database
Related Skills
agentsecops/privesc-linpeas
testing
VerifiedTrustedCommunity
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/ot-security-assessment
development
VerifiedTrustedCommunity
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/vuln-defectdojo
tools
VerifiedTrustedCommunity
Vulnerability management and findings aggregation using DefectDojo. Centralizes security findings from all SecOpsAgentKit scanners (Semgrep, Bandit, ZAP, Trivy, Grype, Gitleaks, Nuclei, Checkov, Horusec) into a unified platform with automatic deduplication, SLA tracking, risk-based prioritization, and compliance reporting. Use when: (1) Aggregating findings from multiple scanners across products and pipelines, (2) Tracking remediation status and SLA compliance against policy thresholds, (3) Deduplicating overlapping findings across security tools, (4) Generating vulnerability reports for compliance audits (SOC2, PCI-DSS, GDPR), (5) Managing security debt and vulnerability backlog across teams and applications.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/pytm
tools
VerifiedTrustedCommunity
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
82SKILL.mdUpdated Mar 27, 2026