Nuclei Vulnerability Scanner Installation
Nuclei is a fast, template-based vulnerability scanner that automates security testing using community-contributed YAML templates covering CVEs, misconfigurations, exposed panels, and more. This guide covers installing Nuclei on Linux, using and customizing templates, integrating with CI/CD pipelines, and responsible disclosure workflows.
Prerequisites
- Linux (Ubuntu 20.04+/Debian 11+ or CentOS 8+/Rocky Linux 8+)
- Go 1.21+ (for building from source) or a pre-built binary
- 2+ GB RAM for large scans
- Written authorization to scan the target systems
Important: Only scan systems you own or have explicit written permission to test.
Installing Nuclei
# Method 1: Download pre-built binary (recommended)
VERSION=$(curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest \
  | grep '"tag_name"' | cut -d'"' -f4)
wget "https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION#v}_linux_amd64.zip"
unzip nuclei_*.zip
# Set the executable bit before moving: /usr/local/bin is root-owned, so a plain chmod there would fail
chmod +x nuclei
sudo mv nuclei /usr/local/bin/
# Method 2: Install via Go
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Binary will be at ~/go/bin/nuclei
sudo mv ~/go/bin/nuclei /usr/local/bin/
# Verify installation
nuclei --version
# Download nuclei-templates (community templates)
nuclei -update-templates
ls ~/nuclei-templates/
Running Your First Scan
# Basic scan against a target
nuclei -u https://yourdomain.com
# Scan multiple targets from a file
echo -e "https://yourdomain.com\nhttps://api.yourdomain.com" > targets.txt
nuclei -l targets.txt
# Scan with a specific template category
nuclei -u https://yourdomain.com -tags cve
# Scan with only critical/high severity templates
nuclei -u https://yourdomain.com -severity critical,high
# Fast initial reconnaissance (info + low templates, quick checks)
nuclei -u https://yourdomain.com -severity info,low -rate-limit 100 -timeout 5
# Comprehensive scan with all templates
nuclei -u https://yourdomain.com \
-severity info,low,medium,high,critical \
-rate-limit 50 \
-timeout 10 \
-retries 2 \
-o results.txt
Template Management
Nuclei templates are organized by category:
# List template categories
ls ~/nuclei-templates/
# Common categories:
# cves/ - CVE-specific checks
# exposed-panels/ - Admin panel detection
# misconfiguration/ - Security misconfigurations
# vulnerabilities/ - General vulnerability checks
# technologies/ - Technology fingerprinting
# network/ - Network service checks
# dns/ - DNS misconfigurations
# ssl/ - SSL/TLS issues
# Update templates to latest
nuclei -update-templates
# List all templates (-tl lists templates; -l/-list is the target-list flag)
nuclei -tl
# List templates for a specific tag
nuclei -tl -tags apache
# Search templates by CVE
nuclei -tl -tags cve2023
# Run a specific template
nuclei -u https://yourdomain.com \
-t ~/nuclei-templates/cves/2023/CVE-2023-XXXX.yaml
Custom Template Creation
Write custom templates for your specific applications:
# custom-templates/myapp-admin-exposed.yaml
id: myapp-admin-panel-exposed

info:
  name: MyApp Admin Panel Exposed
  author: security-team
  severity: medium
  description: Detects exposed admin panel on MyApp instances
  tags: myapp,admin,panel

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
      - "{{BaseURL}}/admin/login"
      - "{{BaseURL}}/_admin"
    # Require both matchers: with "or", any 200 response would be reported as a finding
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "MyApp Administration"
          - "Admin Dashboard"
        part: body
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: title
        # group 1 returns only the text between the <title> tags
        group: 1
        regex:
          - "<title>(.*?)</title>"
        part: body
A template checking for a specific vulnerability:
# custom-templates/sqli-detection.yaml
id: custom-sqli-detection

info:
  name: Basic SQL Injection Detection
  author: security-team
  severity: high
  description: Checks for SQL injection error messages in responses

http:
  - method: GET
    path:
      - "{{BaseURL}}/search?q='"
      - "{{BaseURL}}/user?id=1'"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "SQL syntax"
          - "mysql_fetch"
          - "Warning: mysql"
          - "PostgreSQL ERROR"
          - "ORA-01756"
        part: body
        condition: or
      - type: status
        status:
          - 200
          - 500
Network/TCP template:
# custom-templates/redis-unauth.yaml
id: redis-unauthenticated

info:
  name: Unauthenticated Redis Access
  # author is a mandatory info field; template validation fails without it
  author: security-team
  severity: critical
  description: Redis server accessible without authentication

network:
  - inputs:
      - data: "PING\r\n"
    host:
      - "{{Hostname}}"
    port: "6379"
    read-size: 100
    matchers:
      - type: word
        words:
          - "+PONG"
# Run your custom template
nuclei -u https://yourdomain.com -t custom-templates/
# Validate template syntax
nuclei -validate -t custom-templates/myapp-admin-exposed.yaml
Scanning Strategies
Reconnaissance scan (fast):
nuclei -u https://yourdomain.com \
-tags tech,fingerprint \
-rate-limit 150 \
-timeout 3 \
-silent \
-o recon-results.txt
CVE-focused scan:
# Scan for known CVEs (all years; narrow to one year with a tag such as cve2023)
# -j writes JSON Lines: one JSON object per finding, one per line
nuclei -u https://yourdomain.com \
  -tags cve \
  -severity medium,high,critical \
  -rate-limit 30 \
  -o cve-results.json \
  -j
Subdomain scan from list:
# First, enumerate subdomains with subfinder
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
subfinder -d yourdomain.com -silent -o subdomains.txt
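# Then probe for live hosts with httpx (the ProjectDiscovery tool) and scan them
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
cat subdomains.txt | httpx -silent -o live-subdomains.txt
nuclei -l live-subdomains.txt -severity high,critical -o subdomain-vulns.txt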
Network infrastructure scan:
# Scan IP ranges for network-level issues
nuclei -l ip-ranges.txt \
-t ~/nuclei-templates/network/ \
-t ~/nuclei-templates/exposed-services/ \
-rate-limit 100 \
-o network-scan.txt
CI/CD Integration
Add Nuclei scans to your deployment pipeline:
# GitHub Actions workflow
name: Security Scan

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1' # Weekly Monday 2AM

jobs:
  nuclei-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Install Nuclei
        run: |
          VERSION=$(curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest \
            | grep '"tag_name"' | cut -d'"' -f4)
          wget -q "https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION#v}_linux_amd64.zip"
          unzip -q nuclei_*.zip
          chmod +x nuclei
          sudo mv nuclei /usr/local/bin/

      - name: Update Templates
        run: nuclei -update-templates

      - name: Scan Production
        # Pass the secret through the environment instead of expanding it into the script text
        env:
          PROD_URL: ${{ secrets.PROD_URL }}
        run: |
          nuclei \
            -u "$PROD_URL" \
            -severity high,critical \
            -rate-limit 20 \
            -j \
            -o nuclei-results.json
        continue-on-error: true

      - name: Upload Results
        uses: actions/upload-artifact@v4
        with:
          name: nuclei-scan-results
          path: nuclei-results.json

      - name: Fail on Critical Findings
        run: |
          # -j writes JSON Lines (one object per line), so slurp the lines into an array with -s
          CRITICAL=$(jq -s '[.[] | select(.info.severity == "critical")] | length' nuclei-results.json)
          if [ "$CRITICAL" -gt 0 ]; then
            echo "Found $CRITICAL critical vulnerabilities!"
            exit 1
          fi
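A stricter gate for the workflow's last step, written as an added example (not part of the original guide or of Nuclei itself): it reads the JSON Lines file that `-j` produces, skips findings whose template IDs have already been triaged as false positives, and fails closed when a line cannot be parsed. The sample findings and the `accepted_ids` parameter are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of Nuclei JSON Lines output; not real scan data.
SAMPLE_JSONL = """\
{"template-id": "myapp-admin-panel-exposed", "info": {"severity": "medium"}, "matched-at": "https://yourdomain.com/admin"}
{"template-id": "redis-unauthenticated", "info": {"severity": "critical"}, "matched-at": "yourdomain.com:6379"}

{"template-id": "custom-sqli-detection", "info": {"severity": "high"}, "matched-at": "https://yourdomain.com/search?q='"}
{"template-id": "truncated-line", "info": {"sev
"""

def parse_findings(text):
    """Return (findings, bad_lines). Blank lines are skipped, broken lines counted."""
    findings, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            findings.append(obj)
        else:
            bad += 1
    return findings, bad

def gate(text, fail_on=("critical",), accepted_ids=()):
    """Return (exit_code, counts_by_severity). Unparseable output fails the build."""
    findings, bad = parse_findings(text)
    counts = Counter()
    for finding in findings:
        if finding.get("template-id") in accepted_ids:
            continue  # triaged false positive, tracked by template id
        info = finding.get("info")
        sev = info.get("severity", "unknown") if isinstance(info, dict) else "unknown"
        counts[str(sev).lower()] += 1
    blocking = sum(counts[s] for s in fail_on)
    return (1 if blocking or bad else 0), dict(counts)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8") as fh:
        code, summary = gate(fh.read())
    print(summary)
    sys.exit(code)
```

Saved under a name of your choice, it runs in the workflow as `python3 <script> nuclei-results.json`; a missing results file raises and therefore also fails the step.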
Output and Reporting
# JSON output (a single array) for programmatic processing
nuclei -u https://yourdomain.com -json-export results.json
# JSONL (one JSON per line) for streaming; -j is the short form of -jsonl
nuclei -u https://yourdomain.com -jsonl -o results.jsonl
# Markdown report
nuclei -u https://yourdomain.com -markdown-export ./report/
# Filter results to critical only
cat results.json | jq '.[] | select(.info.severity == "critical")'
# Count by severity
cat results.json | jq 'group_by(.info.severity) | map({severity: .[0].info.severity, count: length})'
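# Generate HTML report (requires nuclei-ng or custom script)
# The heredoc occupies stdin, so pass the results file as an argument instead of piping it in
python3 - results.json > report.html << 'EOF'
import html, json, sys
with open(sys.argv[1]) as fh:
    data = json.load(fh)
data = data if isinstance(data, list) else []
# Custom HTML generation; escape every value, since findings carry text returned by the target
for item in data:
    print("<p>" + html.escape(f"{item.get('info', {}).get('severity')}: {item.get('matched-at')}") + "</p>")
EOF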
Responsible Disclosure
When using Nuclei for security assessments:
- Always have written authorization before scanning any system you don't own
- Scope the scan to authorized IP ranges and domains only
- Use rate limiting to avoid disrupting services
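# Safe scanning practices
# -rate-limit 10: 10 requests/second maximum
# -bulk-size 5:   5 hosts in parallel per template
# -timeout 5:     5 second timeout
# -retries 1:     only 1 retry
# (comments go above the command: text after a trailing backslash breaks the line continuation)
nuclei -u https://yourdomain.com \
  -rate-limit 10 \
  -bulk-size 5 \
  -timeout 5 \
  -retries 1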
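One way to enforce the "authorized IP ranges and domains only" rule before a target list reaches `nuclei -l`, as an added example that is not part of the original guide. The allowed domain and network are constructed placeholders standing in for whatever the written authorization names.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed scope taken from the written authorization (constructed values).
ALLOWED_DOMAINS = {"yourdomain.com"}
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def host_of(target):
    """Extract the host from a URL, host:port, or bare host/IP line."""
    t = target.strip()
    if "://" not in t:
        t = "//" + t  # lets urlsplit parse host[:port] without a scheme
    try:
        return (urlsplit(t).hostname or "").rstrip(".").lower()
    except ValueError:  # e.g. malformed IPv6 brackets
        return ""

def in_scope(target):
    host = host_of(target)
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname: exact match or a subdomain on a label boundary, so
        # "notyourdomain.com" and "yourdomain.com.evil.example" are rejected.
        return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)
    return any(ip in net for net in ALLOWED_NETS)

def split_targets(lines):
    """Return (in_scope, rejected) in input order; blanks and # comments are dropped."""
    keep, drop = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        (keep if in_scope(line) else drop).append(line)
    return keep, drop
```

The check works on names and literal IPs only; it does not resolve DNS, so a hostname inside the allowed domain that points at third-party hosting still needs a manual scope decision.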
Disclosure template when you find vulnerabilities:
Subject: Security Vulnerability Report - [Your Domain]
I performed an authorized security assessment of [domain] and found the following issues:
1. CVE-XXXX-YYYY: [Brief description]
- Severity: Critical
- Affected URL: https://domain.com/path
- Steps to reproduce: ...
- Evidence: [screenshot or response excerpt]
- Recommended fix: Patch to version X.Y.Z
Please acknowledge receipt within 5 business days.
Troubleshooting
Nuclei running very slowly:
# Increase concurrency for large scans
# -c 25:         25 concurrent templates
# -bulk-size 50: 50 hosts per template
nuclei -u https://yourdomain.com \
  -c 25 \
  -bulk-size 50
# Use headless mode sparingly (much slower)
# Only add -headless for templates that require it
False positives in results:
# Verify findings manually
curl -v "https://yourdomain.com/path/shown-in-finding"
# Exclude false-positive templates
nuclei -u https://yourdomain.com -exclude-templates false-positive-template.yaml
# Report false positives to the Nuclei team
# https://github.com/projectdiscovery/nuclei-templates/issues
Templates not downloading:
# Check GitHub connectivity
curl -I https://api.github.com
# Manual template download
git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates
nuclei -update-template-dir ~/nuclei-templates
Conclusion
Nuclei's template-based approach makes it versatile for both broad vulnerability scanning and targeted application-specific tests. Starting with community templates for CVEs and misconfigurations provides immediate coverage of known issues, while custom templates extend coverage to proprietary applications. Integrating Nuclei into CI/CD pipelines ensures new deployments are checked for regressions in security posture. Always pair automated scanning with manual testing for comprehensive coverage.


