Template Profile Improvements

This feature allows users to maintain a single, comprehensive configuration file for Nuclei scans.

Features Implemented

1. Profile Metadata Fields

Added support for the following metadata fields: id, name, description, purpose, author, version, and profile-tags.

• These fields are parsed and displayed but are not passed to goflags (and therefore won’t cause errors).
• The profile name and description are shown during scan startup.

2. Embedded Secrets Configuration

Added secrets key support directly in profile files. Supports both static and dynamic secrets:

• Static: Header, BasicAuth, Cookie, BearerToken, Query authentication
• Dynamic: Template-based secret fetching with variables. Secrets are automatically loaded and used by the auth provider.

Example Profile Format

name: projectdiscovery-scan
purpose: Config File for Scanning
description: single config file for scanning specific targets

type:
  - http
  - dns
  - ssl

exclude-tags:
  - dos
  - fuzz

concurrency: 5
timeout: 30

secrets:
  static:
    - type: Header
      domains:
        - api.projectdiscovery.io
      headers:
        - key: x-pdcp-key
          value: <api-key-here>
  dynamic:
    - template: custom-oauth-flow.yaml
      variables:
        - key: username
          value: pdteam
      type: Cookie
      domains:
        - api.projectdiscovery.io

Summary by CodeRabbit

• New Features

  • Profiles can include embedded secrets that are validated and loaded automatically.
  • Extended profile support with metadata (name, description, tags) and logging for better visibility.
  • Profiles now produce a temporary goflags-compatible config so non-metadata fields are preserved.

• Bug Fixes

  • Execution now respects embedded secrets when initializing authentication.

• Tests

  • Added comprehensive tests for profile parsing and embedded-secret auth provider.

Fixes https://github.com/projectdiscovery/nuclei/issues/5567

/claim https://github.com/projectdiscovery/nuclei/issues/5567