PR

Proposed changes

addresses #5567

i looked at the other PRs on this issue before starting and saw things like forking goflags, adding hundreds of lines for something that already works, yaml tag collisions on list, etc. so i went through the actual goflags source and the authx pipeline myself to understand what actually needs to change vs what is already handled.

the implementation might not be perfect since i figured this out on my own. open to feedback on any of this.

1. extra metadata fields (name, purpose, description) in profiles

goflags MergeConfigFile already ignores unknown YAML keys. it decodes into a map but only iterates registered flags via VisitAll(), so unregistered keys just get skipped. no code changes needed for this.

2. inline target lists in profiles

two ways to specify targets inline:

  • targets-inline key with multiline content (new dedicated flag)
  • multiline content in the existing list key (detected via newline check, parsed as targets instead of treating as file path)

both skip comments (#) and blank lines.

3. inline secrets in profiles

parses the secrets: section from the profile YAML, writes it to a temp file in os.TempDir()/nuclei-secrets/, and appends it to SecretsFile. temp files get removed when nuclei exits via a defer in main(). the YAML output matches what authx.GetAuthDataFromYAML expects (static/dynamic at root level).

open questions:

  • should targets-inline be a separate flag or is the multiline list detection enough on its own?
  • the issue mentions updating goflags to handle secrets internally. i did it at the nuclei level instead to avoid modifying goflags. is that fine?
  • temp file approach vs something else for passing inline secrets to the auth pipeline?

/claim #5567

Proof

image

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • New Features

    • Added support for inline secrets in profile YAML files with automatic temporary file cleanup.
    • Added inline targets option enabling users to specify targets directly or via the new targets-inline flag.
    • Improved profile processing flow to handle inline secrets and targets seamlessly.

  • Tests

    • Added comprehensive test coverage for inline secret processing and inline target parsing functionality.

Claim

Total prize pool $152
Total paid $0
Status Pending
Submitted February 09, 2026
Last updated February 09, 2026

Contributors

SA

saurabh

@SaurabhCodesAI

 100%

Sponsors

PR

ProjectDiscovery

@projectdiscovery

$150
ST

starmovie12

@starmovie12

$2