Favicon of nuclei

nuclei

A command-line vulnerability scanner that runs YAML templates against URLs, hosts, and networks to find CVEs, misconfigurations, and other security issues.

Nuclei is a command-line vulnerability scanner written in Go. Instead of hard-coding detection logic, it runs YAML-based templates against a target and reports matches, which makes it fast to extend for new CVEs and misconfigurations. It's built for security researchers, penetration testers, and engineering teams who want to run repeatable vulnerability checks against URLs, hosts, or entire networks. The project is maintained by ProjectDiscovery, and template contributions come from thousands of security researchers worldwide.

The template-driven design is the main thing that separates it from older scanners. New checks don't require patching the scanner's code, they're added as YAML files, so the detection library can grow quickly as new vulnerabilities are disclosed, and anyone can contribute or write their own without touching Go at all.

Key features

  • YAML-based templates: define detection logic in a human-readable format instead of writing custom scanner code for every check.
  • Low false positives: templates simulate real-world exploitation steps rather than relying on banner grabbing alone, which is what the project credits for its low false-positive rate.
  • Broad protocol support: scans run over TCP, DNS, HTTP, SSL, WHOIS, JavaScript, Code, and more, so a single tool covers several classes of checks.
  • Parallel scanning: request clustering and concurrent execution keep large scans fast, with tunable concurrency, rate limits, and bulk-size settings.
  • CI/CD friendly: runs from the command line and can output JSON, JSONL, SARIF, or Markdown, making it straightforward to wire into pipelines for regression testing.
  • Third-party integrations: results can flow into Jira, Splunk, GitHub, Elastic, and GitLab.
  • Community template library: the separate nuclei-templates repository holds templates covering known CVEs, exposed secrets, default credentials, SSRF, XSS, open redirects, and more, contributed by the community and rewarded through bounty and pioneer programs.
  • Optional cloud dashboard: scan results can be uploaded to a free ProjectDiscovery cloud dashboard for storage and visualization, separate from the paid Pro/Enterprise tier aimed at larger security teams.

Ideal use cases

Nuclei fits teams that need to check a list of URLs or an entire subnet against a large, evolving set of known vulnerability signatures. Typical scenarios include running scheduled scans against production infrastructure to catch newly disclosed CVEs, adding a scan step to a CI/CD pipeline before deployment, or using it as part of a bug bounty workflow to triage a large number of targets quickly. The -automatic-scan flag, which maps detected technologies to relevant tags, is useful when you don't want to hand-pick templates for every target.

It's a weaker fit for a single, deeply manual penetration test rather than repeatable, template-driven checks, and it isn't an exploitation framework. Nuclei detects and reports, so pairing it with other tools is expected if you need to go further than confirming a vulnerability exists. The maintainers also explicitly warn against running it as a long-lived network service, since it's designed as a standalone CLI tool, and exposing it as a service can introduce its own security risks.

The README also flags that the project sees active development, with breaking changes possible between releases, so it's worth reviewing the changelog before updating a version you depend on in an automated pipeline.

Installation

Nuclei requires Go 1.24.2 or later to install from source:

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Once installed, check the available flags:

nuclei -h

Run a scan against a single target:

nuclei -target https://example.com

Scan a list of targets from a file:

nuclei -list urls.txt

Scan an entire subnet for network-related issues, such as open ports or misconfigured services:

nuclei -target 192.168.1.0/24

Run a custom template against a target:

nuclei -u https://example.com -t /path/to/your-template.yaml

Optionally, upload results to the ProjectDiscovery cloud dashboard for further analysis:

nuclei -target https://example.com -dashboard

Frequently asked questions

Share:

Stars
29.6K
Forks
3.6K
Last commit
2 days ago
Repository age
6 years
License
MIT
Self-hosted
No
Activity score
84/100
View Repository
Built with:

Similar to nuclei

Favicon

 

  
  
Favicon

 

  
  
Favicon