Auto CVE Vulnerability Scanning with Nuclei

Why Automate CVE Scanning—and Why Nuclei?

Every month, thousands of new CVEs (Common Vulnerabilities and Exposures) are published. Manually tracking, testing, and prioritizing them across a growing attack surface is unsustainable—especially when your environment spans cloud, SaaS, shadow IT, and third-party services. Automation is no longer a nice-to-have; it’s essential.

Nuclei, an open-source project from ProjectDiscovery, accelerates vulnerability detection by executing thousands of community-curated templates against your targets. Its secret sauce is a flexible YAML-based template engine that supports multiple protocols (HTTP, DNS, TCP, UDP, headless browser, and more) and a thriving ecosystem that updates quickly as new CVEs drop.

If you want to try a guided experience before running locally, check out: https://www.web-psqc.com/security/nuclei

This article shows you how to use Nuclei for automated CVE scanning, integrate it into your security workflows, reduce noise, and produce actionable results your teams can act on right away.

Note: Always scan only assets you own or have explicit permission to test. Respect laws, terms of service, and organizational policies.

How Nuclei Detects CVEs

Nuclei matches known vulnerability signatures against a target using templates that encode requests and expected responses. Key concepts:

• Templates: YAML files describing checks for vulnerabilities, misconfigurations, exposures, or technologies.
• Tags: Labels like cve, rce, xss, misconfig, tech:wordpress for grouping/filtering.
• Severity: Typically mapped to CVSS context (info, low, medium, high, critical).
• Matchers & extractors: Define conditions (e.g., specific header, body string, regex) and extract values like versions.
• Protocols: HTTP(S), DNS, TCP, UDP, headless (Chromium), file, and more.
• Out-of-band (OOB): Uses an external interaction service to detect SSRF/BLIND-RCE where the server reaches out (e.g., interactsh).

This model makes Nuclei both fast and maintainable. As the community updates templates for new CVEs, your scans stay current with minimal effort.

Getting Started: Install and Update

You can install Nuclei in several ways. Two common approaches:

• macOS (Homebrew):

brew install projectdiscovery/tap/nuclei

• Go (cross-platform):

go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

After installation, update the core engine and templates regularly:

nuclei -update            # updates the nuclei binary if not at latest
nuclei -update-templates  # downloads and updates community templates

You can verify your setup with:

nuclei -version
nuclei -templates-list | head

Quickstart: Scan Your Assets for Known CVEs

The simplest way to run a CVE-focused scan:

nuclei -u https://app.example.com -t cves/ -severity high,critical -rl 50 -bs 25 -o nuclei-cves.txt

What this does:

• -u: Target base URL (use -l urls.txt to scan many).
• -t cves/: Limits to templates in the CVE directory.
• -severity high,critical: Focus on highest impact findings first.
• -rl 50: Rate limit (requests per second).
• -bs 25: Batch size for pipelining.
• -o: Save findings to a file.

To output structured results you can parse:

nuclei -l urls.txt -t cves/ -severity medium,high,critical -jsonl -o nuclei-cves.jsonl

To narrow to a specific vendor or year:

# CVEs published in 2024 only
nuclei -l urls.txt -t cves/2024/ -severity high,critical

# Use tags to focus on categories (e.g., RCE-focused CVE checks)
nuclei -l urls.txt -tags cve,rce -severity high,critical

Pro tip: Use -stats and -stats-json to get real-time metrics for monitoring in CI/CD:

nuclei -l urls.txt -t cves/ -stats -stats-json -o cves.jsonl

Responsible Target Selection and Scope

Scanning beyond your scope is risky and potentially illegal. Establish:

• Authorized domains and subdomains (e.g., *.example.com).
• Known IP ranges and cloud accounts.
• Business apps, APIs, admin interfaces, and staging environments.
• Third-party services where you have permission via contracts or bug bounty rules.

Maintain a living “target inventory” that feeds Nuclei automatically.

Building a Practical Scan Pipeline (Discovery → Enrichment → Scan)

Nuclei shines when paired with discovery tools:

• Subdomain discovery:

subfinder -d example.com -silent

• Resolve and probe for live HTTP services:

subfinder -d example.com -silent | httpx -silent -ports 80,443,8080,8443

• Scan with Nuclei:

subfinder -d example.com -silent \
  | httpx -silent -ports 80,443,8080,8443 \
  | nuclei -t cves/ -severity high,critical -rl 50 -o nuclei-findings.txt

Enhance coverage with port scanning (naabu) and crawling (katana):

# Identify open ports, then probe HTTP(s), then scan
naabu -host example.com -top-ports 1000 -silent \
  | httpx -silent \
  | nuclei -t cves/ -severity high,critical -o ports-cves.txt

# Crawl to find deep paths/endpoints, then scan those URLs
echo https://app.example.com | katana -silent \
  | nuclei -t cves/ -severity high,critical -o app-cves.txt

This pipeline finds more surfaces (subdomains, ports, paths) and applies CVE checks quickly.

Tuning Performance and Reducing Noise

• Concurrency and rate limits:

  • -c 50 controls concurrent requests.
  • -rl 50 caps requests per second.
  • Balance speed with stability to avoid timeouts and WAF throttling.

• Timeouts and retries:

nuclei -l urls.txt -t cves/ -timeout 8 -retries 2 -rate-limit 50

• Template selection:

  • Prefer -t cves/ for CVEs only.
  • Use -tags cve,tech:specific-product to target relevant stacks.
  • Exclude noisy templates with -exclude-templates or -exclude-id.

• Silent and minimal output:

nuclei -l urls.txt -t cves/ -silent -o cves.txt

• Headless checks:
  • Some vulnerabilities require a browser context (e.g., certain client-side issues). Enable with headless templates when needed (ensure resources allow for Chromium execution).

Interpreting Results and Prioritizing Remediation

Not all findings are equal. Prioritize with:

• Severity:
  • Critical/high CVEs that enable RCE, auth bypass, or data exfiltration.
• Exposure:
  • Internet-facing assets and sensitive apps.
• Business context:
  • Crown-jewel systems, regulated data, multi-tenant environments.
• Exploitability:
  • Whether public exploits are known; whether compensating controls exist (WAF, mTLS).

Extracting a quick remediation view from JSONL:

jq -r '. | [.info.severity, .info.name, .host, (.matched-at // ""), (.extracted_results // [])] | @tsv' nuclei-cves.jsonl

Create tickets automatically based on severity and owner mapping.

Example: Weekly CVE Sweep for a SaaS Web App

• Inventory:
  • subfinder + httpx to collect URLs each run.
• Scan:
  • nuclei -t cves/ -severity high,critical -tags cve,web,auth,rce
• Reporting:
  • -jsonl output into S3/GCS or your SIEM.
• Alerting:
  • High/critical findings trigger PagerDuty/Slack.
• Remediation workflow:
  • Auto-create Jira issues with owner based on service registry.
• Verification:
  • Re-run nuclei on patch to ensure closure.
• Trend:
  • Track mean-time-to-remediate (MTTR) and exposure-days.

CI/CD Integration: Shift Left

Add nuclei to pipelines to detect CVEs before deployment or during scheduled scans.

• GitHub Actions (example):

name: Nuclei CVE Scan
on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Install Nuclei
        run: |
          curl -sSfL https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_`uname -s`_`uname -m`.zip -o nuclei.zip
          sudo apt-get update && sudo apt-get install -y unzip
          unzip nuclei.zip -d /usr/local/bin
          nuclei -update-templates
      - name: Discover targets
        run: |
          echo https://app.example.com > urls.txt
          # Or populate urls.txt from your inventory API
      - name: Run CVE scan
        run: |
          nuclei -l urls.txt -t cves/ -severity high,critical -jsonl -o nuclei-cves.jsonl -stats
      - name: Upload results artifact
        uses: actions/upload-artifact@v4
        with:
          name: nuclei-cves
          path: nuclei-cves.jsonl

• GitLab CI (snippet):

nuclei_cve_scan:
  image: alpine:3.20
  script:
    - apk add --no-cache curl unzip
    - curl -sSfL https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_Linux_x86_64.zip -o nuclei.zip
    - unzip nuclei.zip -d /usr/local/bin
    - nuclei -update-templates
    - echo https://app.example.com > urls.txt
    - nuclei -l urls.txt -t cves/ -severity high,critical -jsonl -o nuclei-cves.jsonl
  artifacts:
    when: always
    paths:
      - nuclei-cves.jsonl

• Jenkins:
  • Use a dedicated agent with Nuclei preinstalled.
  • Store templates in a shared cache to avoid repeated downloads.
  • Run jobs nightly or on demand for urgent CVEs.

Producing Actionable Reports (and Less Noise)

• Output formats:
  • -jsonl is best for automation and dashboards.
  • -o text is useful for quick triage.
• Deduplication:
  • Nuclei already dedupes many results; you can further dedupe by template-id + host + path.
• Group by service:
  • Enrich with ownership metadata (e.g., Service: Billing API).
• Severity-based SLAs:
  • Critical: 24–72 hours.
  • High: 7 days.
  • Medium: 30 days.
  • Adjust per your risk tolerance.

Transform JSONL to a team-specific summary:

jq -r 'select(.info.severity=="critical" or .info.severity=="high") | [.templateID, .host, .matched-at, .info.name, .info.severity] | @csv' nuclei-cves.jsonl > high_priority.csv

Writing Custom Templates for Your Stack

Out-of-the-box CVE templates cover a lot, but custom templates let you:

• Check vendor forks or internally patched versions.
• Enforce configuration standards.
• Detect tech stacks unique to your environment.

Here’s a safe fingerprinting-style custom template that flags a vulnerable version without exploitation:

id: cve-2023-99999-example-app-version-detect

info:
  name: ExampleApp Version Disclosure (Check for Vulnerable Range)
  author: sec-team
  severity: medium
  description: Detects ExampleApp versions <= 1.4.2 which are affected by CVE-2023-99999.
  tags: cve,disclosure,exampleapp
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-99999
  metadata:
    cve: CVE-2023-99999
    vendor: ExampleCorp
    product: ExampleApp

http:
  - method: GET
    path:
      - "{{BaseURL}}/status"
      - "{{BaseURL}}/version"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "X-ExampleApp-Version"
      - type: regex
        part: header
        regex:
          - "X-ExampleApp-Version:\\s*([0-9]+\\.[0-9]+\\.[0-9]+)"
    extractors:
      - type: regex
        part: header
        name: version
        regex:
          - "X-ExampleApp-Version:\\s*([0-9]+\\.[0-9]+\\.[0-9]+)"

You can then add post-processing logic (outside Nuclei) to compare the extracted version against a vulnerable range and create targeted tickets.

Tips for safe template authoring:

• Avoid state-changing requests (POST/DELETE) unless absolutely required and safe.
• Use stop-at-first-match to reduce load.
• Include clear descriptions, references, and tags.
• Prefer version detection and non-invasive checks where possible.
• Test templates in a staging environment before production use.

Handling Out-of-Band and Headless Scenarios

Some CVEs require:

• OOB detection (SSRF/BLIND-RCE): Nuclei templates may leverage an interaction service (like interactsh) to confirm callbacks. Ensure your environment permits this and that you handle tokens securely.
• Headless browser checks: For DOM-based issues or client-side routes, use headless templates when relevant. Allocate appropriate compute and consider sandboxing.

Command examples:

# Enable headless checks when needed (templates decide usage)
nuclei -l urls.txt -t cves/ -headless -severity high,critical

# Use a proxy for egress control (e.g., scanning via a bastion)
nuclei -l urls.txt -t cves/ -proxy http://127.0.0.1:8080

Integrating with Asset Inventory and CMDB

To make results actionable, map findings to owners and assets:

• Tag targets with service owner, environment, and data classification before scanning.
• Store results in a central datastore (e.g., Elasticsearch, BigQuery, Postgres).
• Join findings with CMDB or service catalog to assign remediation tasks.
• Update dashboards showing:
  • Open critical/high CVEs by service.
  • Aging (days open).
  • Trends by quarter.

Common Pitfalls (and How to Avoid Them)

• WAF rate limiting:

  • Symptom: Many 429/403 responses and inconsistent results.
  • Fix: Lower -rl and -c, add backoff via -retries and higher -timeout.

• Overbroad scope:

  • Symptom: Noise and unexpected findings on third-party assets.
  • Fix: Maintain strict allowlists and documented scope.

• Template bloat:

  • Symptom: Long scan times and irrelevant results.
  • Fix: Use -t cves/ and filter by tags/severities relevant to your stack.

• Headless resource exhaustion:

  • Symptom: Slow or failed scans when launching many browser contexts.
  • Fix: Limit headless usage; schedule smaller batches.

• False positives:

  • Symptom: Alerts without clear reproduction steps.
  • Fix: Use templates with strong matchers; add manual validation steps; maintain a suppressions list (by template ID and fingerprint).

• Inconsistent environments:

  • Symptom: Staging vs. prod differences lead to mismatched results.
  • Fix: Standardize config, and scan both with clear labeling.

Security and Compliance Considerations

• Authorization:
  • Scan only assets under your control or with written permission.
• Data handling:
  • Treat outputs as sensitive; they might reveal versions, admin paths, or secrets.
• Logging:
  • Log scan commands, time, and targets for auditability.
• Change management:
  • Coordinate with ops to avoid surprises, especially for high-traffic windows.
• Compliance alignment:
  • Map regular CVE scans to frameworks (ISO 27001, SOC 2, PCI-DSS) as evidence of vulnerability management.

Beyond Web: Multi-Protocol CVE Checks

Nuclei supports more than HTTP:

• TCP/UDP:
  • Identify vulnerable services by banner/version or protocol-specific responses.
• DNS:
  • Detect misconfigurations and exposures tying to known CVEs.
• File:
  • Test containers or artifacts for embedded vulnerable components (non-invasive checks).

Example scanning on multiple protocols through httpx/naabu enrichment is a good start; expand with relevant templates as your maturity grows.

Complement, Don’t Replace, Your Existing Stack

Nuclei excels at:

• Rapid CVE coverage using curated templates.
• Catching exposed panels, misconfigurations, and known-bad versions.
• Fast iteration as new threats emerge.

It complements:

• Traditional scanners (OpenVAS, Nessus) for deeper authenticated checks.
• SCA/Dependency scanners for code-level vulnerabilities.
• EDR/WAF for runtime protections.

Use Nuclei to shorten your “time to detect” and feed your remediation process with high-signal findings.

Practical Playbooks You Can Adopt Today

1. Daily Internet-Facing CVE Sweep

• Inputs: Latest inventory of internet-exposed URLs.
• Command:

  nuclei -l external-urls.txt -t cves/ -severity high,critical -rl 40 -jsonl -o external-cves.jsonl
  

• Action: Auto-open tickets for critical/high findings; alert on critical.

2. Pre-Release Scan for New Features

• Inputs: Staging URLs for the release candidate.
• Command:

  nuclei -l staging-urls.txt -t cves/ -tags cve,web -severity high,critical -jsonl -o staging-cves.jsonl
  

• Action: Fix blockers before production deploy.

3. Vendor-Specific Focus

• Inputs: List of services running known stacks (e.g., Grafana, Jenkins).
• Command:

  nuclei -l grafana-urls.txt -tags cve,tech:grafana -severity high,critical -o grafana-cves.txt
  

• Action: Patch or restrict access; consider version upgrades.

4. Quarterly Deep Dive

• Inputs: Full inventory (internal + external).
• Command:

  nuclei -l all-urls.txt -t cves/ -severity medium,high,critical -c 100 -rl 100 -jsonl -o quarterly-cves.jsonl
  

• Action: Broader hygiene; plan maintenance windows for patches.

Configuration Management and Reproducibility

Use a config file to standardize runs:

~/.config/nuclei/config.yaml (example)

templates-directory: "~/.local/nuclei-templates"
rate-limit: 50
bulk-size: 25
timeout: 8
retries: 2
silent: true

Run with:

nuclei -config ~/.config/nuclei/config.yaml -l urls.txt -t cves/ -severity high,critical

Version-control your config (minus secrets) so teams can reproduce results.

Closing the Loop: Verification and Continuous Improvement

• Validate:
  • Reproduce critical/high findings on a test asset to understand root cause.
• Patch:
  • Update the vulnerable component; apply compensating controls if needed.
• Re-test:
  • Run Nuclei again to confirm closure.
• Learn:
  • Add custom templates for recurring issues.
  • Update architectural guardrails (WAF rules, secure defaults).
• Measure:
  • Track KPIs: detection-to-remediation time, number of exposed CVEs over time.

Automation is not just about running scans—it’s about integrating results into a virtuous cycle of improvement.

Try It Now

If you’d like to explore auto CVE vulnerability scanning with Nuclei in a streamlined, practical flow, try it here: https://www.web-psqc.com/security/nuclei

Accelerate your vulnerability management with a toolchain that stays current as new CVEs emerge, fits into your CI/CD, and produces actionable, high-signal findings. With thoughtful scope control, robust reporting, and disciplined remediation, Nuclei can significantly reduce your exposure window and help your teams ship safer, faster.