Nuclei Automation: Deep-dive into Templates & DevSecOps Workflows

February 8, 2023
Written by
Aneesh Bhargav

One of our favourite tools for dynamic security testing (DAST) is Nuclei by Project Discovery. It's one of the most lightweight, easy-to-use vulnerability scanners, but it's also got one unique feature that sets it apart from most other scan tools: templates.

If you want to learn the basics of what Nuclei templates are and why they're so useful, check out this article.

But in a nutshell, templates are YAML-based files which act as instructions that tell Nuclei what vulnerabilities to look for.

Most scanners maintain a vulnerability database, so when they perform a scan, they cross-reference their findings with the database to see if they found a vulnerability. This leads to far more false positives in the results, since the scanner is doing a 'broad sweep' for a large number of vulnerabilities.

Templates, however, let Nuclei target and find specific vulnerabilities in the software. This allows Nuclei to avoid the unnecessary load of false positives that you'd normally get from other tools.

Let's take a deep-dive into templates, workflows, and how Nuclei scans applications.

How Nuclei works: Deep-dive into templates

A typical Nuclei template consists of 5 parts or sections. Let's take the example of this template, which is designed to find email disclosure vulnerabilities.

  1. ID: Each template has a unique ID, which identifies the template in the scan output.
  2. Information: This section contains the name, author, severity, and description of the template. It may also include references and tags that offer more information on what the template does.
  3. Request: The HTTP request sent to the host server, built from the base components of a URL, in order to access a resource.
  4. Extractors: Extractors pull matching content out of the response and display it in the results.
  5. Matchers: Matchers allow you to specify different types of comparisons on protocol responses.

Nuclei interprets the template as a set of instructions that tell it what kind of vulnerabilities it needs to identify.

What makes Nuclei endlessly customisable is the fact that you can write your own templates to suit your specific use case. You can even choose from a massive selection of templates created by Project Discovery themselves, or templates made by the community.

This is what a Nuclei workflow looks like

If you thought it would be too slow to look for individual vulnerabilities with Nuclei templates, don't worry!

You can feed multiple templates into the Nuclei engine, each of which can identify a different vulnerability. First, the Nuclei engine runs the scan on the target application. It then generates results in two simple forms: 'Yes' if the vulnerability is found, and 'No' if it's not found.

Pretty simple, right?

But there's more: Nuclei can be automated for DevSecOps. That means you can scale up your vulnerability scanning even on an enterprise workflow.

BTW, check out our full course on how to use and automate Nuclei. 

DevSecOps workflow with Nuclei

In this example, we have 'N' number of releases of the application. After each new release, we can run the entire suite of Nuclei templates on that release.

If the scan finds any of the vulnerabilities specified in the templates, the release is denied.
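The release gate described above, as an added example (not code from the original article or from Project Discovery). It assumes the scan wrote JSON Lines output, one finding per line, for instance with Nuclei's `-jsonl` option; the sample findings, the template ID `example-exposed-config` and the host are constructed, and the optional severity threshold goes beyond the article's rule that any finding denies the release.

```python
import json

# Nuclei severity levels, lowest to highest.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample of JSON Lines scan output (one finding per line).
SAMPLE_RESULTS = """\
{"template-id": "email-extractor", "info": {"name": "Email Extractor", "severity": "info"}, "host": "https://staging.example.test", "matched-at": "https://staging.example.test/contact"}
{"template-id": "example-exposed-config", "info": {"name": "Exposed Config File", "severity": "high"}, "host": "https://staging.example.test", "matched-at": "https://staging.example.test/.env"}
"""

def parse_findings(jsonl_text):
    """Parse scan output; raise on a malformed line so the gate fails closed."""
    findings = []
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: unparseable scan output") from exc
        if not isinstance(record, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        info = record.get("info") if isinstance(record.get("info"), dict) else {}
        findings.append({
            "template": record.get("template-id", "?"),
            "severity": str(info.get("severity", "")).lower(),
            "matched_at": record.get("matched-at") or record.get("host", "?"),
        })
    return findings

def rank(severity):
    # Unrecognised or missing severities rank highest, so they always block.
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)

def gate_release(jsonl_text, min_severity="info"):
    """Return (allowed, blocking). The default threshold blocks on any finding."""
    threshold = rank(min_severity)
    blocking = [f for f in parse_findings(jsonl_text) if rank(f["severity"]) >= threshold]
    return (not blocking, blocking)

if __name__ == "__main__":
    allowed, blocking = gate_release(SAMPLE_RESULTS)
    for f in blocking:
        print(f"[{f['severity']}] {f['template']} at {f['matched_at']}")
    # A non-zero exit status is what makes the CI job deny the release.
    raise SystemExit(0 if allowed else 1)
```

In a pipeline, the same functions would read the results file the scan step produced instead of `SAMPLE_RESULTS`.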

Learn to automate DAST scans with Nuclei

Automating your Nuclei scans is the next step in taking your dynamic testing (DAST) further. As you just saw, Nuclei scans can even be part of your CI/CD pipeline for DevSecOps.

We've got 10 courses in DevSecOps, including one on Nuclei automation:

  • Learn the basics of Nuclei
  • Operate Nuclei with hands-on labs
  • Create real-world Nuclei workflows for DevSecOps
  • Build your own vulnerability suites

Learn more about the course here.

Ready to give it a go? Pick your AppSecEngineer plan now and start learning!


Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, and producing YouTube videos and promotional content. Aneesh has experience working in the Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but also about the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.
