File protocol templates enable scanning and analyzing local files for secrets, misconfigurations, and sensitive data patterns.

Basic file request

id: basic-file-scan

info:
  name: Basic File Scan
  author: pdteam
  severity: info

file:
  - extensions:
      - txt
      - log
    
    matchers:
      - type: word
        words:
          - "password"
          - "secret"

File components

Extensions

extensions (array, required): File extensions to scan. Use 'all' to scan all files.

file:
  - extensions:
      - .env
      - .config
      - .yml
      - .yaml

Scan all files:

file:
  - extensions:
      - all

Deny list

denylist (array): Files, directories, or extensions to exclude from scanning.

file:
  - extensions:
      - all
    denylist:
      - .jpg
      - .png
      - .gif
      - node_modules/
      - .git/

Max size

max-size (string): Maximum file size to scan. Set to 'no' for unlimited.

file:
  - extensions:
      - all
    max-size: 10MB

Archive scanning

archive (boolean, default: false): Enable scanning inside archive files (zip, tar, etc.).

file:
  - extensions:
      - all
    archive: true

MIME type detection

mime-type (boolean, default: false): Enable MIME type-based file detection.

file:
  - extensions:
      - all
    mime-type: true

Recursive scanning

no-recursive (boolean, default: false): Disable recursive directory scanning.

file:
  - extensions:
      - all
    no-recursive: true

Example: AWS keys detection

id: aws-keys-file

info:
  name: AWS Access Keys in Files
  author: pdteam
  severity: high
  description: Detects exposed AWS access keys in local files

file:
  - extensions:
      - all
    
    matchers:
      - type: regex
        regex:
          - "(?i)aws(.{0,20})?['\"][0-9a-zA-Z\\/+]{40}['\"]" 

Example: Private key detection

id: private-keys-file

info:
  name: Private Key Detection
  author: pdteam
  severity: critical
  description: Detects private keys in local files

file:
  - extensions:
      - all
    
    matchers:
      - type: word
        words:
          - "BEGIN RSA PRIVATE KEY"
          - "BEGIN DSA PRIVATE KEY"
          - "BEGIN EC PRIVATE KEY"
          - "BEGIN OPENSSH PRIVATE KEY"
          - "BEGIN PGP PRIVATE KEY"
        condition: or

Example: Environment file scan

id: env-file-secrets

info:
  name: Environment File Secrets
  author: pdteam
  severity: high
  description: Scans .env files for sensitive information

file:
  - extensions:
      - .env
      - env
    
    extractors:
      - type: regex
        name: database_credentials
        regex:
          - "DB_PASSWORD=(.+)"
          - "DATABASE_URL=(.+)"
        group: 1
      
      - type: regex
        name: api_keys
        regex:
          - "API_KEY=(.+)"
          - "SECRET_KEY=(.+)"
        group: 1

Example: Configuration files

id: config-file-scan

info:
  name: Configuration File Scanner
  author: pdteam
  severity: medium
  description: Scans configuration files for sensitive data

file:
  - extensions:
      - .yml
      - .yaml
      - .json
      - .xml
      - .conf
      - .config
    
    max-size: 5MB
    
    matchers:
      - type: regex
        regex:
          - "password\\s*[:=]\\s*[^\\s]+"
          - "api[_-]?key\\s*[:=]\\s*[^\\s]+"
          - "secret\\s*[:=]\\s*[^\\s]+"
        condition: or

Example: Source code secrets

id: source-code-secrets

info:
  name: Secrets in Source Code
  author: pdteam
  severity: high
  description: Detects hardcoded secrets in source code

file:
  - extensions:
      - .py
      - .js
      - .java
      - .go
      - .php
      - .rb
    
    denylist:
      - node_modules/
      - vendor/
      - .git/
    
    matchers:
      - type: regex
        regex:
          - "(?i)(password|passwd|pwd)\\s*=\\s*[\"'](.+?)[\"']"
          - "(?i)api[_-]?key\\s*=\\s*[\"'](.+)[\"']"
        condition: or
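
Added example, not part of the nuclei documentation: nuclei is written in Go and its regex matchers use Go's RE2-syntax regexp package, so the patterns above can be checked against sample lines before a scan. The Go program below runs four of this page's patterns over constructed inputs (the sample lines and the 40-character value are made up) and shows what each one matches, misses, or over-captures.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns copied from this page's templates, with the YAML escaping removed.
var (
	awsSecret    = regexp.MustCompile(`(?i)aws(.{0,20})?['"][0-9a-zA-Z\/+]{40}['"]`)
	envDBPass    = regexp.MustCompile(`DB_PASSWORD=(.+)`)
	lazyPassword = regexp.MustCompile(`(?i)(password|passwd|pwd)\s*=\s*["'](.+?)["']`)
	greedyAPIKey = regexp.MustCompile(`(?i)api[_-]?key\s*=\s*["'](.+)["']`)
)

// Constructed 40-character value; not a real credential.
var fakeSecret = strings.Repeat("A1b2C3d4E5", 4)

// capture returns capture group n of the first match in s, or "" if there is none.
func capture(re *regexp.Regexp, s string, n int) string {
	m := re.FindStringSubmatch(s)
	if n >= len(m) {
		return ""
	}
	return m[n]
}

func main() {
	// Constructed sample lines for the AWS pattern.
	// 19 characters between "aws" and the quote: matched.
	fmt.Println(awsSecret.MatchString(`aws_secret_access_key="` + fakeSecret + `"`))
	// Spaces around "=" make it 21 characters, past the {0,20} window: missed.
	fmt.Println(awsSecret.MatchString(`aws_secret_access_key = "` + fakeSecret + `"`))
	// The pattern requires quotes, so an unquoted value is missed.
	fmt.Println(awsSecret.MatchString(`aws_secret_access_key = ` + fakeSecret))

	// "." excludes only "\n", so CRLF files leave "\r" on the extracted value.
	fmt.Printf("%q\n", capture(envDBPass, "DB_PASSWORD=s3cr3t\r\nAPI_KEY=abc", 1))

	// Lazy (.+?) stops at the first closing quote; greedy (.+) runs to the last one.
	line := `password = "hunter2"; api_key = "k-123"; owner = "ops"`
	fmt.Printf("%q\n", capture(lazyPassword, line, 2)) // group 1 is the keyword
	fmt.Printf("%q\n", capture(greedyAPIKey, line, 1))
}
```

The results point to three adjustments when adapting these patterns: allow for whitespace and unquoted values in the AWS pattern, exclude "\r" from extracted values, and prefer the lazy (.+?) form when the captured value is reported.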

File response parts

raw (string): Complete file contents (default)

matchers:
  - type: word
    part: raw
    words:
      - "password"

path (string): File path

extractors:
  - type: dsl
    dsl:
      - path

Matchers for files

matchers:
  # Word matcher
  - type: word
    words:
      - "api_key"
      - "secret_token"
    condition: or
  
  # Regex matcher
  - type: regex
    regex:
      - "[a-zA-Z0-9]{32}"
  
  # Binary matcher
  - type: binary
    binary:
      - "504B0304"  # ZIP signature

Extractors for files

extractors:
  # Regex extraction
  - type: regex
    name: credentials
    regex:
      - 'password="(.+?)"'
    group: 1
  
  # All matches
  - type: regex
    name: all_secrets
    regex:
      - "(?i)(password|secret|key)\\s*[:=]\\s*(.+)"

Running file templates

File templates take a directory path as the target instead of a URL:

# Scan current directory
nuclei -t file-template.yaml -target .

# Scan specific directory
nuclei -t file-template.yaml -target /path/to/project

# Scan multiple directories
echo "/path/to/dir1" | nuclei -t file-template.yaml
echo "/path/to/dir2" | nuclei -t file-template.yaml

Best practices

Limit extensions to relevant file types to improve performance:

file:
  - extensions:
      - .env
      - .config
    # Better than scanning 'all'

Prevent scanning large files:

file:
  - max-size: 10MB

Exclude irrelevant directories:

file:
  - denylist:
      - node_modules/
      - .git/
      - vendor/
