projectdiscovery/nuclei-action

This Nuclei Action makes it easy to orchestrate Nuclei with GitHub Actions. Integrate all of your Nuclei Templates into powerful continuous security workflows and make it part of your secure software development life cycle.

Warning

Deprecation Notice

The v2* references are deprecated and (main) will be unsupported (replaced by v3) on 1 March 2026. Please update workflows to use projectdiscovery/nuclei-action@v3.

Inputs

| name | description | required | default |
| --- | --- | --- | --- |
| version | Setup with specific version ("latest" or in format "vX.Y.Z"). | true | latest |
| install-only | Install Nuclei without running scans. | false | false |
| args | Arguments to pass to Nuclei. | false | "" |
| config | Nuclei configuration file content. | false | "" |
| config-path | Path to Nuclei configuration file. | false | "" |
| cache | Enable caching of Nuclei caches, configs, templates, and browser. | false | true |
| token | GitHub Token. It is used to fetch Nuclei releases from GitHub. | true | ${{ github.token }} |

Important

  • config and config-path must not be set together.
  • args always take precedence over config or config-path.

Note

When debug logging is enabled, this action automatically adds -debug and -verbose flags to Nuclei.

Outputs

| name | description |
| --- | --- |
| stdout | The standard output from running Nuclei |
| stderr | The standard error from running Nuclei |

Runs

This action is a node24 action.

Usage

- uses: projectdiscovery/nuclei-action@v3
  with:
    version:
    # Setup with specific version ("latest" or in format "vX.Y.Z").
    #
    # Required: true
    # Default: latest

    install-only:
    # Install Nuclei without running scans.
    #
    # Required: false
    # Default: false

    args:
    # Arguments to pass to Nuclei.
    #
    # Required: false
    # Default: ""

    config:
    # Nuclei configuration file content.
    #
    # Required: false
    # Default: ""

    config-path:
    # Path to Nuclei configuration file.
    #
    # Required: false
    # Default: ""

    cache:
    # Enable caching of Nuclei caches, configs, templates, and browser.
    #
    # Required: false
    # Default: true

    token:
    # GitHub Token. It is used to fetch Nuclei releases from GitHub.
    #
    # Required: true
    # Default: ${{ github.token }}

Example

Default setup (latest Nuclei)

- uses: projectdiscovery/nuclei-action@v3
  with:
    args: -u http://scanme.sh

Setup with specific version

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: v3.6.0
    args: -u http://scanme.sh

Setup or install Nuclei without running scans

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: v3.6.0
    install-only: true

- run: nuclei -version

or install only and without cache:

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: v3.6.0
    install-only: true
    cache: false

- run: nuclei -version

Setup with Nuclei configuration

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: latest
    config: |
      target:
        - http://scanme.sh
      sarif-export: results.sarif

or pass it via variables:

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: latest
    config: ${{ vars.NUCLEI_CONFIG }}

or via repo-managed config file:

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: latest
    config-path: path/to/nuclei.yaml

Setup with GitHub code scanning

- uses: projectdiscovery/nuclei-action@v3
  with:
    version: latest
    config: |
      target:
        - http://scanme.sh
      sarif-export: results.sarif

- uses: github/codeql-action/upload-sarif@v3
  if: success()
  with:
    sarif_file: results.sarif
    category: nuclei-results
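
The code scanning steps above placed in a complete workflow, as an added example that is not part of the project's own README. The workflow name, triggers, job name, runner, and checkout step are assumptions; the `permissions` block limits the job's `github.token` (the default for the `token` input) to what checkout and SARIF upload need.

```yaml
# Added example, not from the project's README.
# Workflow name, triggers, job name and runner are assumptions.
name: nuclei-scan

on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1" # weekly run; constructed schedule

# Least privilege for the job token (github.token):
# read the repository, write code scanning results, nothing else.
permissions:
  contents: read
  security-events: write # required by upload-sarif

jobs:
  nuclei:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: projectdiscovery/nuclei-action@v3
        with:
          # Pin the scanner version so results are reproducible
          # between runs instead of following "latest".
          version: v3.6.0
          # Only config is set here. config and config-path must not be
          # set together, and any args would take precedence over both.
          config: |
            target:
              - http://scanme.sh
            sarif-export: results.sarif

      - uses: github/codeql-action/upload-sarif@v3
        if: success()
        with:
          sarif_file: results.sarif
          category: nuclei-results
```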

Setup with reporting

- uses: projectdiscovery/nuclei-action@v3
  with:
    args: -u http://scanme.sh
    config: |
      report-config: issue-tracker-config.yaml
  env:
    GITHUB_BASE_URL: https://localhost:8443/github
    GITHUB_USERNAME: test-username
    GITHUB_OWNER: test-owner
    GITHUB_TOKEN: ${{ secrets.GITHUB_PAT }}
    GITHUB_PROJECT_NAME: test-project

Example issue-tracker-config.yaml (repository file):

github:
 # base-url is the optional self-hosted GitHub application url
 base-url: $GITHUB_BASE_URL # read from environment variable
 # username is the username of the GitHub user
 username: $GITHUB_USERNAME # read from environment variable
 # owner is the owner name of the repository for issues
 owner: $GITHUB_OWNER # read from environment variable
 # token is the token for GitHub account
 token: $GITHUB_TOKEN # read from environment variable
 # project-name is the name of the repository
 project-name: $GITHUB_PROJECT_NAME # read from environment variable

 # issue-label is the label of the created issue type
 issue-label: bug
 # allow-list sets a tracker level filter to only create issues for templates with
 # these severity labels or tags (does not affect exporters. set those globally)
 allow-list:
   severity: high, critical
   tags: network
 # deny-list sets a tracker level filter to never create issues for templates with
 # these severity labels or tags (does not affect exporters. set those globally)
 deny-list:
   severity: low
 # duplicate-issue-check flag to enable duplicate tracking issue check.
 duplicate-issue-check: false

Refer to https://github.com/projectdiscovery/nuclei/blob/dev/cmd/nuclei/issue-tracker-config.yaml.

Contributing

We welcome contributions! Please see our Contributing Guide for details on how to get started.

License

MIT. See LICENSE for more details.
