Documentation Index Fetch the complete documentation index at: https://mintlify.com/projectdiscovery/nuclei/llms.txt
Use this file to discover all available pages before exploring further.
Output basics Nuclei provides flexible output options to save, format, and export scan results for analysis, reporting, and integration with other tools.
File output Save to file Write findings to a text file:
nuclei -target https://example.com -output results.txt
Short flag:
nuclei -u https://example.com -o findings.txt
The output file contains one finding per line in Nuclei’s default format:
[CVE-2021-44228] [http] [critical] https://example.com/api [self-signed-ssl] [ssl] [info] example.com:443
Output files are appended to by default. Delete or rename old output files before new scans to avoid mixing results.
JSON export Export detailed results in JSON format:
JSON Lines (JSONL) Export in JSON Lines format (one JSON object per line):
nuclei -target https://example.com -jsonl-export output.jsonl
Short flag:
nuclei -u https://example.com -jle output.jsonl
Or use the -jsonl flag to output to stdout:
nuclei -target https://example.com -jsonl
Short flag:
nuclei -u https://example.com -j
JSON array Export as a single JSON array:
nuclei -target https://example.com -json-export output.json
Short flag:
nuclei -u https://example.com -je output.json
JSONL format is better for streaming and processing large result sets, while JSON array format is better for one-time analysis.
JSON structure Nuclei’s JSON output includes:
{ "template-id" : "CVE-2021-44228" , "info" : { "name" : "Apache Log4j RCE" , "author" : [ "pdteam" ], "severity" : "critical" , "description" : "Apache Log4j2 remote code execution" , "tags" : [ "cve" , "rce" , "log4j" ] }, "type" : "http" , "host" : "https://example.com" , "matched-at" : "https://example.com/api" , "timestamp" : "2024-03-01T12:00:00Z" , "curl-command" : "curl -X GET https://example.com/api" , "matcher-name" : "log4j-detection" , "request" : "GET /api HTTP/1.1..." , "response" : "HTTP/1.1 200 OK..." }
JSON customization Omit raw requests/responses Reduce output size by omitting HTTP request/response pairs:
nuclei -target https://example.com -jsonl-export output.jsonl -omit-raw
Short flag:
nuclei -u https://example.com -jle output.jsonl -or
Omit template encoding Exclude encoded template from JSON output:
nuclei -target https://example.com -jsonl-export output.jsonl -omit-template
Short flag:
nuclei -u https://example.com -jle output.jsonl -ot
Omitting raw data and templates significantly reduces output file size for large scans.
Markdown export Generate organized Markdown reports:
nuclei -target https://example.com -markdown-export reports/
Short flag:
nuclei -u https://example.com -me reports/
This creates a directory structure:
reports/ ├── example.com/ │ ├── CVE-2021-44228.md │ ├── self-signed-ssl.md │ └── index.md
Markdown sorting Control how Markdown reports are organized:
By template
By host
By severity
No sorting
Sort by template ID (default): MARKDOWN_EXPORT_SORT_MODE = template nuclei -u example.com -me reports/
Sort by target host: MARKDOWN_EXPORT_SORT_MODE = host nuclei -u example.com -me reports/
Sort by severity level: MARKDOWN_EXPORT_SORT_MODE = severity nuclei -u example.com -me reports/
No sorting (faster): MARKDOWN_EXPORT_SORT_MODE = none nuclei -u example.com -me reports/
SARIF export Export in SARIF format for integration with code analysis platforms:
nuclei -target https://example.com -sarif-export output.sarif
Short flag:
nuclei -u https://example.com -se output.sarif
SARIF (Static Analysis Results Interchange Format) is widely supported by GitHub, GitLab, Azure DevOps, and other platforms.
Response storage Store all HTTP requests and responses:
Store responses # Store in default directory (./output) nuclei -target https://example.com -store-resp # Store in custom directory nuclei -target https://example.com -store-resp -store-resp-dir responses/
Short flags:
nuclei -u https://example.com -sresp -srd responses/
This creates files like:
output/ ├── https_example.com_443/ │ ├── request_1.txt │ ├── response_1.txt │ ├── request_2.txt │ └── response_2.txt
Storing all responses can generate large amounts of data. Use disk space wisely.
Display options Silent mode Display only findings, no progress or banner:
nuclei -target https://example.com -silent
Perfect for piping to other tools:
nuclei -u https://example.com -silent | grep critical
Disable printing result metadata:
nuclei -target https://example.com -no-meta
Short flag:
nuclei -u https://example.com -nm
Timestamps Enable timestamps in output:
nuclei -target https://example.com -timestamp
Short flag:
nuclei -u https://example.com -ts
Output includes timestamps:
[2024-03-01 12:00:00] [CVE-2021-44228] [http] [critical] https://example.com
Matcher status Show match failure status for debugging:
nuclei -target https://example.com -matcher-status
Short flag:
nuclei -u https://example.com -ms
Matcher status helps debug template logic by showing why certain conditions failed.
No color Disable colored output:
nuclei -target https://example.com -no-color
Short flag:
nuclei -u https://example.com -nc
Useful for log files and CI/CD pipelines.
Statistics Enable statistics Display scan statistics:
nuclei -target https://example.com -stats
Shows periodic updates:
Templates: 3500 | Hosts: 1 | RPS: 150 | Errors: 0 | Matches: 5
Statistics interval Control update frequency (in seconds):
nuclei -target https://example.com -stats -stats-interval 10
Short flag:
nuclei -u https://example.com -stats -si 10
JSON statistics Output statistics in JSON format:
nuclei -target https://example.com -stats -stats-json
Short flag:
nuclei -u https://example.com -stats -sj
HTTP statistics Enable HTTP status code tracking:
nuclei -target https://example.com -http-stats
Short flag:
nuclei -u https://example.com -hps
Tracks request/response statistics for analysis.
Metrics endpoint Expose metrics via HTTP endpoint:
nuclei -target https://example.com -metrics-port 9092
Short flag:
nuclei -u https://example.com -mp 9092
Access metrics at http://localhost:9092/metrics.
Metrics are exposed in Prometheus format for monitoring integration.
Reporting database Persist results to a database for deduplication:
nuclei -target https://example.com -report-db results.db
Short flag:
nuclei -u https://example.com -rdb results.db
Benefits:
Automatic deduplication
Historical tracking
Persistent storage
Reporting integrations Configure external reporting systems:
nuclei -target https://example.com -report-config reporting-config.yaml
Short flag:
nuclei -u https://example.com -rc reporting-config.yaml
Supported integrations:
Jira
Slack
GitHub Issues
Elasticsearch
Splunk
Custom webhooks
Data redaction Redact sensitive data from output:
# Redact specific keys nuclei -target https://example.com \ -jsonl-export output.jsonl \ -redact Authorization,Cookie,api-key # Redact from file nuclei -target https://example.com \ -jsonl-export output.jsonl \ -redact redact-keys.txt
Short flag:
nuclei -u https://example.com -jle output.jsonl -rd Authorization,Cookie
Redaction removes sensitive data from query parameters, request headers, and request body.
Verbose output Verbose mode Show additional details:
nuclei -target https://example.com -verbose
Short flag:
nuclei -u https://example.com -v
Very verbose mode Show template loading and detailed execution:
nuclei -target https://example.com -vv
Shows:
Templates being loaded
Request/response pairs
Matcher evaluation
Workflow execution
Variable dump Display variable values for debugging:
nuclei -target https://example.com -show-var-dump
Short flag:
nuclei -u https://example.com -svd
Limit displayed characters:
nuclei -u https://example.com -svd -var-dump-limit 500
Short flag:
nuclei -u https://example.com -svd -vdl 500
Debug output Debug mode Show all requests and responses:
nuclei -target https://example.com -debug
Debug requests only nuclei -target https://example.com -debug-req
Short flag:
nuclei -u https://example.com -dreq
Debug responses only nuclei -target https://example.com -debug-resp
Short flag:
nuclei -u https://example.com -dresp
Debug mode generates extensive output. Use with single targets for troubleshooting.
Trace and error logs Trace log Log all requests to a file:
nuclei -target https://example.com -trace-log trace.log
Short flag:
nuclei -u https://example.com -tlog trace.log
Error log Log errors to a separate file:
nuclei -target https://example.com -error-log errors.log
Short flag:
nuclei -u https://example.com -elog errors.log
Practical examples Example 1: Comprehensive reporting nuclei -list targets.txt \ -output findings.txt \ -json-export findings.json \ -markdown-export reports/ \ -sarif-export findings.sarif \ -report-db scan-results.db \ -stats
Example 2: Silent pipeline cat targets.txt | \ nuclei -silent -jsonl | \ jq -r 'select(.info.severity=="critical") | .host'
Example 3: Detailed debugging nuclei -u https://example.com \ -t custom-template.yaml \ -debug \ -verbose \ -matcher-status \ -trace-log trace.log
Example 4: Production scan nuclei -list production.txt \ -severity critical,high \ -silent \ -jsonl-export findings.jsonl \ -omit-raw \ -no-color \ -report-db production-scan.db
Example 5: CI/CD integration nuclei -target $CI_TARGET \ -silent \ -no-color \ -sarif-export nuclei-results.sarif \ -severity critical,high \ -exclude-tags dos,intrusive
Example 6: Research and analysis nuclei -list research-targets.txt \ -jsonl-export full-results.jsonl \ -store-resp \ -store-resp-dir responses/ \ -stats \ -stats-json \ -report-db research.db
Format Use Case Size Streaming Machine Readable Text Quick review Small Yes No JSONL Processing Medium Yes Yes JSON Analysis Medium No Yes Markdown Reports Large No No SARIF CI/CD Integration Large No Yes
Best practices
Choose appropriate formats
Select output formats based on your workflow: # Development: verbose + debug nuclei -u example.com -v -debug-req # Production: silent + JSON + database nuclei -list targets.txt -silent -jle results.jsonl -rdb scan.db # Reporting: Markdown + SARIF nuclei -u example.com -me reports/ -se results.sarif
Use deduplication
Always use report database for recurring scans: nuclei -list targets.txt -report-db scan.db
Optimize output size
Omit unnecessary data for large scans: nuclei -list large-targets.txt -jle results.jsonl -or -ot
Enable statistics
Monitor long-running scans: nuclei -list targets.txt -stats -si 30
Next steps
Rate limiting Control scan speed and performance
Cloud integration Upload results to ProjectDiscovery Cloud
Filtering templates Filter what gets scanned and reported
Running scans Back to scanning fundamentals