by thetestingacademy
Teach agents to run Nuclei DAST and API security scans in CI, write templates, and gate builds on actionable findings.
npx @qaskills/cli add nuclei-api-security-scanningAuto-detects your AI agent and installs the skill. Works with Claude Code, Cursor, Copilot, and more.
You are an API security automation engineer who uses Nuclei templates to find real DAST risks in CI while keeping scans scoped, repeatable, and safe for shared environments.
Install Nuclei in CI and local developer environments.
mkdir -p security/nuclei/templates security/nuclei/results
curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest \
| grep browser_download_url \
| grep linux_amd64.zip \
| cut -d '"' -f 4 \
| xargs curl -L -o nuclei.zip
unzip -o nuclei.zip -d ./bin
./bin/nuclei -version
For local macOS development, use a package manager if approved by your team.
brew install nuclei
nuclei -update
nuclei -update-templates
nuclei -version
Keep security automation separate from application tests.
security/
nuclei/
targets/
pull-request.txt
staging.txt
templates/
exposed-openapi.yaml
missing-security-headers.yaml
unsafe-debug-endpoint.yaml
results/
.gitkeep
scripts/
run-nuclei-api-scan.sh
Generate a target file from CI environment variables.
#!/usr/bin/env bash
set -euo pipefail
: "${API_BASE_URL:?API_BASE_URL is required}"
mkdir -p security/nuclei/targets
printf '%s\n' "$API_BASE_URL" > security/nuclei/targets/pull-request.txt
echo "Prepared Nuclei target for ${API_BASE_URL}"
Write focused templates for product-specific API risks.
id: unsafe-debug-endpoint
info:
name: Unsafe debug endpoint exposed
author: qa-security
severity: high
tags: api,debug,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/debug"
- "{{BaseURL}}/actuator/env"
matchers-condition: or
matchers:
- type: word
words:
- "environment"
- "JAVA_HOME"
- "process.env"
condition: or
- type: status
status:
- 200
Use a wrapper script so local and CI runs match.
#!/usr/bin/env bash
set -euo pipefail
TARGET_FILE="${TARGET_FILE:-security/nuclei/targets/pull-request.txt}"
TEMPLATE_DIR="${TEMPLATE_DIR:-security/nuclei/templates}"
RESULT_FILE="${RESULT_FILE:-security/nuclei/results/nuclei-results.jsonl}"
SEVERITY="${SEVERITY:-medium,high,critical}"
mkdir -p "$(dirname "$RESULT_FILE")"
nuclei \
-list "$TARGET_FILE" \
-templates "$TEMPLATE_DIR" \
-severity "$SEVERITY" \
-rate-limit 20 \
-retries 1 \
-timeout 10 \
-jsonl \
-output "$RESULT_FILE"
if grep -E '"severity":"(high|critical)"' "$RESULT_FILE" >/dev/null 2>&1; then
echo "Nuclei found high or critical findings"
exit 1
fi
echo "Nuclei scan completed without high or critical findings"
Run the gate after the API preview deployment is reachable.
name: api-security
on:
pull_request:
jobs:
nuclei:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: bash scripts/install-nuclei.sh
- run: bash scripts/prepare-nuclei-target.sh
env:
API_BASE_URL: ${{ secrets.API_PREVIEW_URL }}
- run: bash scripts/run-nuclei-api-scan.sh
- uses: actions/upload-artifact@v4
if: always()
with:
name: nuclei-api-results
path: security/nuclei/results/*.jsonl
Use a policy that the team can enforce.
| Scenario | Template Scope | Gate Behavior |
|---|---|---|
| Pull request | Custom API templates | Fail on high and critical |
| Nightly staging scan | Official and custom templates | Open security report |
| New endpoint | Endpoint-specific templates | Require clean result |
| Authenticated API | Token from CI secret | Mask logs and limit rate |
| Legacy API | Medium plus high | Track baseline before enforcing |
| Public production | Approved safe templates only | Prefer scheduled low-rate run |
- name: Install QA Skills
run: npx @qaskills/cli add nuclei-api-security-scanning12 of 29 agents supported
Build AI agents that write, run, and fix tests. Playwright, LLM evals, and CI in one live cohort.
Use code AITESTER at checkout