PR

/claim #5567

Summary

Implements the template profile improvements requested in #5567:

  1. Metadata field support: Template profiles now accept informational fields (id, name, purpose, description) without errors. These are stripped before merging with goflags, so users can annotate profiles with context.

  2. Inline secrets: Secrets can be embedded directly in the profile YAML under a secrets key instead of requiring a separate secrets file. The runner creates an auth provider from the inline data via NewAuthProviderFromData() — no temp file workaround needed.

  3. Inline target lists: Targets can be specified under a list key (multiline string or YAML array), materialized to a temp file and wired to the target input path. CLI -l flag takes precedence.

Example profile with all features

id: my-scan-profile

name: Production API Scan

description: Weekly scan of production API endpoints

purpose: security-audit



# Nuclei flags (merged normally by goflags)

templates:

  - cves/

  - exposures/

severity: critical,high

rate-limit: 100



# Inline secrets (passed to auth provider)

secrets:

  static:

    - type: BearerToken

      domains:

        - api.example.com

      token: my-api-key



# Inline targets

list: |

  api.example.com

  staging.example.com

Changes

File Change
cmd/nuclei/main.go Added processTemplateProfile() to sanitize profile YAML — extracts secrets, targets, and metadata before writing a clean copy for goflags. Added materializeInlineTargets() for temp file creation.
pkg/types/types.go Added InlineSecrets interface{} field to Options struct + Copy() method.
pkg/authprovider/interface.go Added NewAuthProviderFromData() to create an auth provider directly from parsed *authx.Authx data without going through a file.
pkg/authprovider/interface_test.go 9 test cases covering nil/empty data, static secrets, multiple secrets, invalid secrets, dynamic secrets without callback, regex domain matching, and inline marker path.
internal/runner/runner.go Extended auth provider initialization to handle both file-based and inline secrets, combining them via NewMultiAuthProvider.

Design decisions

  • Profile sanitization via temp file: The profile is parsed, special keys are extracted, and a sanitized copy is written for goflags to merge. This keeps the existing goflags merge path intact and avoids forking or patching goflags.
  • NewAuthProviderFromData(): Direct construction from *authx.Authx avoids the temp-file approach that was rejected in PR #6804 review. Validates all secrets and wires lazy fetch callbacks for dynamic secrets.
  • interface{} for InlineSecrets: Avoids import cycles between pkg/types and pkg/authprovider/authx. The raw YAML map is marshaled back to bytes in the runner and parsed via authx.GetAuthDataFromYAML().

Test plan

  • go build ./cmd/nuclei/ passes
  • go vet ./cmd/nuclei/ ./internal/runner/ ./pkg/authprovider/ ./pkg/types/ passes
  • All 9 TestNewAuthProviderFromData subtests pass
  • Existing TestSecretsUnmarshal and TestDynamicUnmarshalJSON still pass
  • Manual test: profile with only metadata fields (no flags) loads without error
  • Manual test: profile with inline secrets authenticates requests correctly
  • Manual test: profile with inline target list scans specified targets

Summary by CodeRabbit

  • New Features

    • Template profiles can include inline secrets and inline targets; these are processed automatically.
    • Authentication now supports multiple providers (file-based and inline) for flexible credential use.

  • Bug Fixes

    • Inline-target temporary files are cleaned up on exit and handled properly across resume/crash paths.
    • Template profiles are preprocessed to remove non-app metadata before merging.

  • Tests

    • Added tests covering inline-auth provider creation and lookup behavior.

Claim

Total prize pool $152
Total paid $0
Status Pending
Submitted February 27, 2026
Last updated February 27, 2026

Contributors

TE

Tereda_Developer

@teredasites

 100%

Sponsors

PR

ProjectDiscovery

@projectdiscovery

$150
ST

starmovie12

@starmovie12

$2