Nuclei: How YAML Templates Turned Vulnerability Scanning Into a Community Sport

Hook

While most vulnerability scanners treat detection logic as proprietary black boxes, Nuclei bet its entire architecture on a radical idea: what if anyone could write a vulnerability check in 20 lines of YAML?

Context

Traditional vulnerability scanners face a fundamental bottleneck: when a new CVE drops, you wait weeks for your vendor to ship an update. Security teams are stuck choosing between expensive commercial tools with proprietary signatures or building custom scripts that don’t scale. Nuclei emerged from ProjectDiscovery to solve this by separating the scanning engine from detection logic entirely.

The insight was architectural: if you build a fast, protocol-agnostic engine and define vulnerabilities in human-readable templates, the security community can crowdsource detection rules faster than any single vendor. Today, the nuclei-templates repository appears to contain thousands of community-contributed checks covering everything from CVEs to misconfigurations to cloud security issues. The tool has earned 27,569 GitHub stars by democratizing vulnerability detection—anyone who can write YAML can contribute a template the same day a vulnerability is disclosed.

Technical Insight

Nuclei’s architecture revolves around a template-driven execution model. Templates are YAML files that define the target protocol, requests to send, and matchers to verify vulnerabilities. Here’s a minimal HTTP template checking for an exposed Git config:

id: git-config-exposure
info:
  name: Git Config File Exposure
  severity: medium
  
http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"
    
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "[core]"
      - type: status
        status:
          - 200

The engine parses this template, sends the HTTP GET request to /.git/config, and checks if the response contains [core] with a 200 status. The matchers-condition: and ensures both conditions must pass, eliminating false positives.

The real power emerges with workflows—chaining templates to simulate multi-step attacks. A workflow might first check if a service is running (template A), then exploit it only if vulnerable (template B). This reduces noise and models real attack paths:

workflows:
  - template: detect-jira.yaml
  - template: jira-cve-2021-26086.yaml
    subtemplates:
      - tags: jira

Nuclei supports multiple protocols beyond HTTP: DNS for subdomain takeovers, TCP for network services, SSL for certificate issues, and JavaScript protocol support. The DNS protocol handler can detect dangling CNAME records:

dns:
  - name: "{{FQDN}}"
    type: CNAME
    
    matchers:
      - type: word
        words:
          - "azure.com"
          - "cloudapp.net"

Under the hood, Nuclei uses request clustering—grouping similar requests across templates to reduce redundant network calls. If 50 templates all need to check the same endpoint, Nuclei fetches it once and evaluates all matchers against the cached response. Combined with Go’s goroutine-based parallelism, this architecture enables fast parallel scanning.

The extractor system pulls data from responses for further processing. You can extract a version number, then use it in subsequent matchers:

extractors:
  - type: regex
    name: version
    regex:
      - 'WordPress ([0-9.]+)'
    group: 1

Templates live in a separate repository (nuclei-templates), versioned independently from the engine. This separation is critical: the community contributes new CVE checks daily without touching core code. The template library appears to update frequently, helping ensure scans use recent vulnerability signatures.

Gotcha

Nuclei is explicitly designed as a CLI tool, not a persistent service. The maintainers warn that running it as a daemon poses security risks—it’s meant to execute scans and exit, not listen on ports. If you need continuous scanning, you’ll need to consider your orchestration approach carefully rather than trying to force it into a server architecture.

Template quality varies wildly. Community contributions are powerful but not peer-reviewed like commercial signatures. A poorly written template can generate false positives or miss edge cases. You’ll need to audit critical templates yourself and maintain custom forks for high-stakes environments. The project moves quickly with active development, and breaking changes can occur between releases. The README explicitly warns to review the release changelog before updating and notes the project is in active development. Pin versions in production and test upgrades in staging.

Finally, Nuclei excels at known vulnerabilities but struggles with zero-days or highly custom business logic. If your application uses a proprietary authentication scheme, you’ll spend significant time writing custom templates. For deep stateful testing (like multi-step form workflows with CSRF tokens), dedicated DAST tools with browsers and session management may be more efficient.

Verdict

Use Nuclei if you’re scanning diverse infrastructure (web apps, APIs, DNS, cloud configs) and want a single tool that keeps pace with emerging CVEs through community templates. It’s ideal for CI/CD integration, bug bounty hunters, or security teams that value flexibility over vendor lock-in. The YAML DSL is approachable enough for non-developers, making it perfect for collaborative security programs. Skip it if you need a point-and-click GUI for manual testing (try OWASP ZAP), require guaranteed accuracy for compliance audits (commercial DAST tools have better QA), or need deep browser-based testing with JavaScript execution (Burp Suite crawls more thoroughly). Also avoid if you’re committed to a service-oriented architecture—Nuclei intentionally resists running as a daemon, and fighting that design will cause pain.

[![Featured on Starlog](https://starlog.is/api/badge/cybersecurity/projectdiscovery-nuclei.svg)](https://starlog.is/api/badge-click/cybersecurity/projectdiscovery-nuclei)