PR
feat: add template profile improvements
projectdiscovery/nuclei#6826

Proposed changes

This PR implements the Template Profile Improvements feature that allows users to maintain a single, comprehensive config file for nuclei scans.

Features Implemented:

1. Profile Metadata Fields

  • Added support for metadata fields: id, name, description, purpose, author, version, profile-tags
  • These fields are parsed and displayed but not passed to goflags (won’t cause errors)
  • Profile name and description are shown during scan startup

2. Embedded Secrets Configuration

  • Added secrets key support directly in profile files
  • Supports both static and dynamic secrets:
    • Static: Header, BasicAuth, Cookie, BearerToken, Query authentication
    • Dynamic: Template-based secret fetching with variables
  • Secrets are automatically loaded and used by the auth provider

Example Profile Format:

name: projectdiscovery-scan
purpose: Config File for Scanning
description: single config file for scanning specific targets
type:
  - http
  - dns
  - ssl
exclude-tags:
  - dos
  - fuzz
concurrency: 5
timeout: 30
secrets:
  static:
    - type: Header
      domains:
        - api.projectdiscovery.io
      headers:
        - key: x-pdcp-key
          value: <api-key-here>
  dynamic:
    - template: custom-oauth-flow.yaml
      variables:
        - key: username
          value: pdteam
      type: Cookie
      domains:
        - api.projectdiscovery.io

Proof

1. Profile with metadata fields (screenshot)

2. Profile with embedded secrets (screenshot)

3. Unit tests passing (screenshot)

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Fixes #5567

/claim #5567

Summary by CodeRabbit

  • New Features

    • Support for extended profile configurations with metadata (ID, name, description, purpose, author, version, tags).
    • Ability to embed authentication secrets inside profiles and use them during authentication setup, including prefetch and templated secret support.
    • Profiles can expose auxiliary config for integration with existing flag/config flows; verbose profile info logging added.
  • Tests

    • Added comprehensive tests for profile parsing, validation, and embedded authentication provider behavior.
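
Because a profile can now carry credentials, one useful pre-commit check is to walk the decoded `secrets` block and report every `value` that holds a literal string instead of a placeholder. The following is an added example, not code from this PR or from nuclei; it assumes the YAML has already been decoded into Go maps and slices, `LiteralValues` and `Sample` are hypothetical names, and `Sample` is the example profile above re-typed by hand.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LiteralValues returns the path of every "value" leaf under node that holds
// a literal string instead of a <placeholder>, so it can be reviewed before
// the profile is committed or shared. (Hypothetical helper, not nuclei code.)
func LiteralValues(node any, path string) []string {
	var out []string
	switch n := node.(type) {
	case map[string]any:
		for k, v := range n {
			s, isStr := v.(string)
			placeholder := strings.HasPrefix(s, "<") && strings.HasSuffix(s, ">")
			if k == "value" && isStr && !placeholder {
				out = append(out, path+".value")
			}
			out = append(out, LiteralValues(v, path+"."+k)...)
		}
	case []any:
		for i, v := range n {
			out = append(out, LiteralValues(v, fmt.Sprintf("%s[%d]", path, i))...)
		}
	}
	sort.Strings(out) // map iteration order is random; keep output stable
	return out
}

// Sample is the PR's example profile in decoded form (constructed by hand).
func Sample() map[string]any {
	kv := func(k, v string) []any { return []any{map[string]any{"key": k, "value": v}} }
	return map[string]any{"name": "projectdiscovery-scan", "concurrency": 5,
		"secrets": map[string]any{
			"static": []any{map[string]any{"type": "Header",
				"headers": kv("x-pdcp-key", "<api-key-here>")}},
			"dynamic": []any{map[string]any{"template": "custom-oauth-flow.yaml",
				"variables": kv("username", "pdteam")}},
		}}
}

func main() {
	for _, p := range LiteralValues(Sample()["secrets"], "secrets") {
		fmt.Println("literal value, review before commit:", p)
	}
}
```

On the sample, the placeholder API key passes and the literal `username` variable is reported; whether a reported value is actually sensitive is left to the reviewer.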

Claim

Total prize pool $152
Total paid $0
Status Pending
Submitted February 04, 2026
Last updated February 04, 2026

Contributors

Saheli Saha (@Sahelisaha04): 100%

Sponsors

ProjectDiscovery (@projectdiscovery): $150
starmovie12 (@starmovie12): $2