loading
loading
Scanners
Run a Nuclei scan and export the results in Markdown format.
overview
nuclei-markdown runs the nuclei vulnerability scanner and writes every finding as Markdown, so a scan ends in a report a person can read instead of a JSONL file a script has to parse. The engine is the standard template-driven nuclei: each check is a small YAML file, community coverage keeps growing, and runs stay fast with a low false-positive rate.
The Markdown output is the reason to pick this node over plain nuclei. Each finding becomes its own formatted file, so the result drops straight into a pull request, an issue, a wiki, or a writeup with no rendering step. Severity and tag filters keep the report scoped to findings that deserve a reviewer's attention.
Reach for it as the scanning-and-reporting stage of a recon pipeline. Feed it live hosts from httpx, narrow the run with -tags, -severity, or a curated -templates folder, and it writes a Markdown folder the rest of the workflow can archive, publish, or attach to an alert.
use cases
Run curated templates against probed hosts and export Markdown so the findings land as formatted files ready to read or publish.
Generate per-finding Markdown that drops straight into a pull request, an issue tracker, or a wiki without a rendering step.
Filter to high and critical, or to a technology's tags, so the Markdown carries only the findings worth a reviewer's time.
Run behind discovery on a schedule and keep each run's Markdown folder as a dated record of what the scanner found.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -target | Target URLs or hosts to scan. |
| list | FILE | -list | List of target URLs or hosts, the usual pipeline input. |
| severity | STRING | -severity | Run templates by severity (info, low, medium, high, critical, unknown). |
| tags | STRING | -tags | Run templates by tag (comma-separated). |
| templates | FOLDER | -templates | A folder of templates to run. |
| type | STRING | -type | Run templates by protocol type (dns, http, ssl, tcp, and more). |
| rate-limit | STRING | -rate-limit | Maximum requests to send per second (default 150). |
| exclude-tags | STRING | -exclude-tags | Exclude templates by tag (comma-separated). |
Showing key inputs. nuclei-markdown exposes 156 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sni | STRING | -sni | tls sni hostname to use (default: input domain name) |
| var | STRING | -var | custom vars in key=value format |
| code | BOOLEAN | -code | enable loading code protocol-based templates |
| dast | BOOLEAN | -dast | only run DAST templates |
| list | FILE | -list | List of target URLs/hosts to scan |
| tags | STRING | -tags | templates to run based on tags (comma-separated) |
| type | STRING | -type | templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript |
| ztls | BOOLEAN | -ztls | use ztls library with autofallback to standard one for tls13 |
| debug | BOOLEAN | -debug | show all requests and responses |
| jsonl | BOOLEAN | -jsonl | write output in JSONL(ines) format |
| proxy | STRING | -proxy | list of http/socks5 proxy to use (comma separated) |
| reset | BOOLEAN | -reset | reset removes all nuclei configuration and data files (including nuclei-templates) |
| stats | BOOLEAN | -stats | Display stats of the running scan. |
| author | STRING | -author | templates to run based on authors (comma-separated) |
| config | FILE | -config | path to the nuclei configuration file |
| header | STRING | -header | custom header/cookie to include in all http requests in header:value format |
| no-mhe | BOOLEAN | -no-mhe | disable skipping host from scan based on errors |
| redact | STRING | -redact | redact given list of keys from query parameter, request header and body |
| resume | FILE | -resume | Resume scan using resume.cfg (clustering will be disabled) |
| silent | STRING | -silent | display findings only |
| stream | BOOLEAN | -stream | stream mode - start elaborating without sorting the input |
| target | STRING | -target | target URLs/hosts to scan |
| no-meta | BOOLEAN | -no-meta | disable printing result metadata in cli output |
| passive | BOOLEAN | -passive | enable passive HTTP response processing mode |
| profile | STRING | -profile | template profile config file to run |
| project | BOOLEAN | -project | Use a project folder to avoid sending same request multiple times. |
| retries | STRING | -retries | number of times to retry a failed request (default 1) |
| timeout | STRING | -timeout | time to wait in seconds before timeout (default 10) |
| uncover | BOOLEAN | -uncover | enable uncover engine |
| verbose | BOOLEAN | -verbose | show verbose output |
| env-vars | BOOLEAN | -env-vars | enable environment variables to be used in template |
| headless | BOOLEAN | -headless | enable templates that require headless browser support (root user on linux will disable sandbox) |
| no-color | BOOLEAN | -no-color | disable output content coloring (ANSI escape codes) |
| no-httpx | BOOLEAN | -no-httpx | disable httpx probing for non-url input |
| no-stdin | BOOLEAN | -no-stdin | disable stdin processing |
| omit-raw | BOOLEAN | -omit-raw | omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) |
| severity | STRING | -severity | templates to run based on severity. Possible values: info, low, medium, high, critical, unknown |
| template | FILE | -templates | template file to run |
| validate | BOOLEAN | -validate | validate the passed templates to nuclei |
| bulk-size | STRING | -bulk-size | maximum number of hosts to be analyzed in parallel per template (default 25) |
| client-ca | FILE | -client-ca | client certificate authority file (PEM-encoded) used for authenticating against scanned hosts |
| debug-req | BOOLEAN | -debug-req | show all sent requests |
| interface | STRING | -interface | network interface to use for network scan |
| list-tags | BOOLEAN | -tgl | list all available tags |
| resolvers | FILE | -resolvers | file containing resolver list for nuclei |
| source-ip | STRING | -source-ip | source ip address to use for network scan |
| tags-list | FILE | -tags | templates to run based on tags |
| templates | FOLDER | -templates | folder of templates to run |
| timestamp | BOOLEAN | -timestamp | enables printing timestamp in cli output |
| vars-list | FILE | -var | custom vars in key=value format |
| workflows | STRING | -workflows | list of workflow or workflow directory to run (comma-separated) |
| client-key | FILE | -client-key | client key file (PEM-encoded) used for authenticating against scanned hosts |
| debug-resp | BOOLEAN | -debug-resp | show all received responses |
| exclude-id | STRING | -exclude-id | templates to exclude based on template ids (comma-separated) |
| ip-version | STRING | -ip-version | IP version to scan of hostname (4,6) - (default 4) |
| proxy-list | FILE | -proxy | list of http/socks5 proxy to use |
| rate-limit | STRING | -rate-limit | maximum number of requests to send per second (default 150) |
| stats-json | BOOLEAN | -stats-json | Write statistics data to stdout in JSONL(ines) format |
| attack-type | STRING | -attack-type | type of payload combinations to perform (batteringram,pitchfork,clusterbomb) |
| author-list | FILE | -author | templates to run based on authors |
| client-cert | FILE | -client-cert | client certificate file (PEM-encoded) used for authenticating against scanned hosts |
| concurrency | STRING | -concurrency | maximum number of templates to be executed in parallel (default 25) |
| force-http2 | BOOLEAN | -force-http2 | force http2 connection on requests |
| secret-file | FILE | -secret-file | path to config file containing secrets for nuclei authenticated scan |
| template-id | STRING | -template-id | templates to run based on template ids (comma-separated) |
| enable-pprof | BOOLEAN | -enable-pprof | enable pprof debugging server |
| exclude-tags | STRING | -exclude-tags | templates to exclude based on tags (comma-separated) |
| exclude-type | STRING | -exclude-type | templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript |
| fuzzing-mode | STRING | -fuzzing-mode | overrides fuzzing mode set in template (multiple, single) |
| fuzzing-type | STRING | -fuzzing-type | overrides fuzzing type set in template (replace, prefix, postfix, infix) |
| hang-monitor | BOOLEAN | -hang-monitor | enable nuclei hang monitoring |
| headers-list | FILE | -header | custom list of headers/cookies to include in all http requests in header:value |
| health-check | BOOLEAN | -health-check | run diagnostic check up |
| include-tags | STRING | -include-tags | tags to be executed even if they are excluded either by default or configuration |
| metrics-port | STRING | -metrics-port | port to expose nuclei metrics on (default 9092) |
| page-timeout | STRING | -page-timeout | seconds to wait for each page in headless mode (default 20) |
| profile-list | BOOLEAN | -profile-list | list community template profiles |
| project-path | FOLDER | -project-path | Use a user defined project folder. Temporary folder is used if not specified but enabled. |
| scan-all-ips | BOOLEAN | -scan-all-ips | scan all the IP's associated with dns record |
| template-url | STRING | -template-url | template urls to run (comma-separated) |
| workflow-url | STRING | -workflow-url | workflow urls to run (comma-separated) |
| exclude-hosts | FILE | -exclude-hosts | hosts to exclude to scan from the input list (ip, cidr, hostname) |
| max-redirects | STRING | -max-redirects | max number of redirects to follow for http templates (default 10) |
| new-templates | BOOLEAN | -new-templates | run only new templates added in latest nuclei-templates release |
| no-interactsh | BOOLEAN | -no-interactsh | disable interactsh server for OAST testing, exclude OAST based templates |
| omit-template | BOOLEAN | -omit-template | omit encoded template in the JSON, JSONL output |
| report-config | FILE | -report-config | nuclei reporting module configuration file |
| scan-strategy | STRING | -scan-strategy | strategy to use while scanning(auto/host-spray/template-spray) (default auto) |
| show-var-dump | BOOLEAN | -show-var-dump | show variables dump for debugging |
| system-chrome | BOOLEAN | -system-chrome | use local installed Chrome browser instead of nuclei installed |
| target-folder | FOLDER | -target | folder containing files to execute file templates on |
| template-urls | FILE | -template-url | list of template urls to run |
| uncover-delay | STRING | -uncover-delay | delay between uncover query requests in seconds (0 to disable) (default 1) |
| uncover-field | STRING | -uncover-field | uncover fields to return (ip,port,host) (default "ip:port") |
| uncover-limit | STRING | -uncover-limit | uncover results to return (default 100) |
| uncover-query | STRING | -uncover-query | uncover search query |
| workflow-urls | FILE | -workflow-url | list of workflow urls to run |
| automatic-scan | BOOLEAN | -automatic-scan | automatic web scan using wappalyzer technology detection to tags mapping |
| js-concurrency | STRING | -js-concurrency | maximum number of javascript runtimes to be executed in parallel (default 120) |
| list-templates | BOOLEAN | -tl | list all available templates |
| matcher-status | BOOLEAN | -matcher-status | display match failure status |
| max-host-error | STRING | -max-host-error | max errors for a host before skipping from scan (default 30) |
| proxy-internal | BOOLEAN | -proxy-internal | proxy all internal requests |
| stats-interval | STRING | -stats-interval | number of seconds to wait between showing a statistics update (default 5) |
| templates-list | FILE | -templates | list of template to run |
| uncover-engine | STRING | -uncover-engine | uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan) |
| workflows-list | FILE | -workflows | list of workflow or workflow directory to run |
| exclude-id-list | FILE | -exclude-id | templates to exclude based on template ids |
| show-match-line | BOOLEAN | -show-match-line | show match lines for file templates, works with extractors only |
| tls-impersonate | BOOLEAN | -tls-impersonate | enable experimental client hello (ja3) tls randomization |
| exclude-matchers | STRING | -exclude-matchers | template matchers to exclude in result |
| exclude-severity | STRING | -exclude-severity | templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown |
| follow-redirects | BOOLEAN | -follow-redirects | enable following redirects for http templates |
| headless-options | STRING | -headless-options | start headless chrome with additional options |
| interactsh-token | STRING | -interactsh-token | authentication token for self-hosted interactsh server |
| no-strict-syntax | BOOLEAN | -no-strict-syntax | Disable strict syntax check on templates |
| prefetch-secrets | BOOLEAN | -prefetch-secrets | prefetch secrets from the secrets file |
| system-resolvers | BOOLEAN | -system-resolvers | use system DNS resolving as error fallback |
| template-id-list | FILE | -template-id | templates to run based on template ids |
| track-error-file | FILE | -track-error | adds given error to max-host-error watchlist |
| dialer-keep-alive | STRING | -dialer-keep-alive | keep-alive duration for network requests. |
| disable-redirects | BOOLEAN | -disable-redirects | disable redirects for http templates |
| display-templates | BOOLEAN | -vv | display templates loaded for scan |
| exclude-tags-list | FILE | -exclude-tags | templates to exclude based on tags |
| exclude-templates | STRING | -exclude-templates | template or template directory to exclude (comma-separated) |
| include-tags-list | FILE | -include-tags | tags to be executed even if they are excluded either by default or configuration |
| include-templates | STRING | -include-templates | templates to be executed even if they are excluded either by default or configuration |
| interactsh-server | STRING | -interactsh-server | interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me) |
| list-dsl-function | BOOLEAN | -list-dsl-function | list all supported DSL function signatures |
| rate-limit-minute | STRING | -rate-limit-minute | maximum number of requests to send per minute |
| templates-version | BOOLEAN | -templates-version | shows the version of the installed nuclei-templates |
| uncover-ratelimit | STRING | -uncover-ratelimit | override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60) |
| disable-clustering | BOOLEAN | -disable-clustering | disable clustering of requests |
| headless-bulk-size | STRING | -headless-bulk-size | maximum number of headless hosts to be analyzed in parallel per template (default 10) |
| input-read-timeout | STRING | -input-read-timeout | timeout on input read (default 3m0s) |
| response-size-read | STRING | -response-size-read | max response size to read in bytes (default 10485760) |
| response-size-save | STRING | -response-size-save | max response size to read in bytes (default 1048576) |
| template-condition | STRING | -template-condition | templates to run based on expression condition |
| template-directory | STRING | -templates | template directory to run |
| leave-default-ports | BOOLEAN | -leave-default-ports | leave default HTTP/HTTPS ports (eg. host:80,host:443 |
| payload-concurrency | STRING | -payload-concurrency | max payload concurrency for each template (default 25) |
| stop-at-first-match | BOOLEAN | -stop-at-first-match | stop processing HTTP requests after the first match (may break template/workflow logic) |
| disable-update-check | BOOLEAN | -disable-update-check | disable automatic nuclei/templates update check |
| headless-concurrency | STRING | -headless-concurrency | maximum number of headless templates to be executed in parallel (default 10) |
| list-headless-action | BOOLEAN | -list-headless-action | list available headless actions |
| exclude-matchers-list | FILE | -exclude-matchers | template matchers to exclude in result |
| follow-host-redirects | BOOLEAN | -follow-host-redirects | follow redirects on the same host |
| interactions-eviction | STRING | -interactions-eviction | number of seconds to wait before evicting requests from cache (default 60) |
| new-templates-version | STRING | -new-templates-version | run new templates added in specific version |
| exclude-templates-list | FILE | -exclude-templates | template or template directory to exclude |
| include-templates-list | FILE | -include-templates | templates to be executed even if they are excluded either by default or configuration |
| allow-local-file-access | BOOLEAN | -allow-local-file-access | allows file (payload) access anywhere on the system |
| interactions-cache-size | STRING | -interactions-cache-size | number of requests to keep in the interactions cache (default 5000) |
| interactions-poll-duration | STRING | -interactions-poll-duration | number of seconds to wait before each interaction poll request (default 5) |
| interactions-cooldown-period | STRING | -interactions-cooldown-period | extra time for interaction polling before exiting (default 5) |
| restrict-local-network-access | BOOLEAN | -restrict-local-network-access | blocks connections to the local / private network |
example
# scan probed hosts, keep high/critical, export a Markdown reportnuclei -list live-hosts.txt -severity high,critical -tags cve,exposures -markdown-export reports/### CVE-2021-44228 (critical) at http://198.51.100.23:8080 | Field | Value || -------- | ------------------------------------ || Template | CVE-2021-44228 || Severity | critical || Type | http || Author | pdteam || Matched | http://198.51.100.23:8080/?x=${jndi} |guidance
Use nuclei-markdown when you want a readable report out of a scan, not raw machine output. It runs nuclei on known live hosts, so feed it httpx output and scope with tags or severity. For JSONL findings to query rather than read, use plain nuclei.
The same scanner with JSONL and file output. Use it when you want queryable findings instead of a Markdown report.
Builds a structured report from prior results. nuclei-markdown both scans and writes the report in one node.
Classic web scanner with its own output. nuclei-markdown is template-driven and exports formatted Markdown.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
Targets are probed by httpx, then nuclei-markdown tests the live hosts and writes the findings as a folder of readable Markdown reports.
Facts on this page come from the live Trickest tool library.