Nuclei Custom Templates

Purpose

nuclei_custom_templates runs Nuclei using only project-maintained templates from hxresearch/nuclei.

It exists for internal hxEASM detections and expert research content. It does not run the default ProjectDiscovery template set.

Plugin Information

Plugin ID: nuclei_custom_templates

Category: Vulnerability Discovery / Expert Detection

Plugin Type: vulnerability_scan

Execution: active CLI vulnerability scan

Default State: registered, not included in built-in scan profiles

Default Profiles:

  • None

Input Scope

Accepted asset types:

  • url
  • domain
  • subdomain
  • ip
  • service

Required metadata:

  • None

Produces targets:

  • URL assets are passed as-is.
  • Domains, subdomains, and IPs are expanded to https:// and http:// targets.
  • Service assets such as 192.0.2.10:8443/tcp are converted to https://192.0.2.10:8443 and http://192.0.2.10:8443.
  • Targets are written to a temporary file passed with -list.

Output

Creates assets:

  • None directly.

Creates vulnerabilities:

  • Vulnerability entities with AssetType set to vulnerability.

Metadata:

  • template_id: Nuclei template ID.
  • template_path: path reported by Nuclei when available.
  • title: finding name.
  • severity: finding severity.
  • description: finding description.
  • remediation: remediation text.
  • matched_url: matched URL.
  • host: affected host from Nuclei.
  • tags: template tags.
  • evidence: extracted results.
  • matcher_name: matcher name when available.
  • request_excerpt: truncated request excerpt when available.
  • response_excerpt: truncated response excerpt when available.
  • source: nuclei_custom_templates.

Graph Relations

The vulnerability persistence path associates findings with affected assets. The wrapper itself does not create asset graph edges directly.

Files / Artifacts

Produces:

  • None

Dependencies

Required binary: nuclei

Required installer entry: tools.nuclei

Required research mount:

/opt/hxeasm/hxresearch

Required custom template path:

/opt/hxeasm/hxresearch/nuclei

Docker Compose mounts this path read-only from the repository:

./hxresearch:/opt/hxeasm/hxresearch:ro

Command model:

nuclei -jsonl -no-color -duc -c 10 -t /opt/hxeasm/hxresearch/nuclei -list <target-file> [-rate-limit <n>]

Template Path Behavior

  • If the templates path is missing, the plugin fails with a clear error.
  • If the templates path exists but contains no .yaml or .yml templates, the plugin returns a successful skip.
  • If there are no matching targets, the plugin returns a successful skip.
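
The target expansion, command model, and template path behavior described above can be sketched together. This is an added example, not the plugin's own code: the function names, the order of the checks, and the recursive template lookup are assumptions, and the sample assets are constructed.

```python
import tempfile
from pathlib import Path

TEMPLATES = Path("/opt/hxeasm/hxresearch/nuclei")  # custom template path from the page

def expand_target(asset_type, value):
    """Nuclei targets for one asset, per the "Produces targets" rules."""
    if asset_type == "url":
        return [value]                          # URL assets are passed as-is
    if asset_type in ("domain", "subdomain", "ip"):
        host = value
    elif asset_type == "service":
        host = value.split("/", 1)[0]           # "192.0.2.10:8443/tcp" -> "192.0.2.10:8443"
    else:
        return []                               # not an accepted asset type
    return [f"https://{host}", f"http://{host}"]

def plan_run(assets, templates=TEMPLATES, rate_limit=None):
    """Return ("fail" | "skip" | "run", detail). Check order is an assumption."""
    templates = Path(templates)
    if not templates.is_dir():
        return "fail", f"templates path missing: {templates}"
    # Assumption: templates in subdirectories count, as Nuclei loads -t recursively.
    if not any(p.suffix in (".yaml", ".yml") for p in templates.rglob("*") if p.is_file()):
        return "skip", "no .yaml or .yml templates"
    targets = [t for kind, value in assets for t in expand_target(kind, value)]
    if not targets:
        return "skip", "no matching targets"
    # Targets go to a temporary file that is handed to Nuclei with -list.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("\n".join(targets) + "\n")
    cmd = ["nuclei", "-jsonl", "-no-color", "-duc", "-c", "10",
           "-t", str(templates), "-list", fh.name]
    if rate_limit:
        cmd += ["-rate-limit", str(rate_limit)]
    return "run", cmd

if __name__ == "__main__":
    # Constructed sample assets (documentation address ranges and names).
    sample = [("url", "https://example.com/login"), ("service", "192.0.2.10:8443/tcp")]
    print(plan_run(sample))
```
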

Example Flow

url/service/domain
  -> nuclei_custom_templates
  -> vulnerability

Enabling In A Custom Profile

The plugin is not included in built-in profiles. To use it, add it to a custom scan profile in backend/configs/config.yaml:

scan_profiles:
  expert_assessment:
    name: Expert Assessment
    description: Run internal hxEASM custom detections
    plugins:
      - subfinder
      - dnsx
      - httpx
      - nuclei_custom_templates

If scan_profile_order is configured, add expert_assessment to that list too. Restart both the API and the worker after editing the config.

Safety Notes

  • hxresearch/ is mounted read-only inside worker containers.
  • Templates must respect approved organization scope.
  • Do not include destructive payloads in automated templates.
  • Arbitrary user-uploaded templates are not supported.
  • Review templates before enabling this plugin in a scan profile.
  • Research files outside hxresearch/nuclei are not executed by this plugin.

Notes

Use the standard nuclei plugin for ProjectDiscovery template coverage. Use this plugin only when you want the hxEASM custom templates from hxresearch/nuclei without the default Nuclei template set.