File protocol templates enable scanning and analyzing local files for secrets, misconfigurations, and sensitive data patterns.

Basic file request

id: basic-file-scan

info:
  name: Basic File Scan
  author: pdteam
  severity: info

file:
  - extensions:
      - txt
      - log
    
    matchers:
      - type: word
        words:
          - "password"
          - "secret"

File components

Extensions

extensions (array, required): File extensions to scan. Use all to scan all files.

file:
  - extensions:
      - .env
      - .config
      - .yml
      - .yaml
Scan all files:
file:
  - extensions:
      - all

Deny list

denylist (array): Files, directories, or extensions to exclude from scanning.

file:
  - extensions:
      - all
    denylist:
      - .jpg
      - .png
      - .gif
      - node_modules/
      - .git/

Max size

max-size (string): Maximum file size to scan. Set to no for unlimited.

file:
  - extensions:
      - all
    max-size: 10MB

Archive scanning

archive (boolean, default: false): Enable scanning inside archive files (zip, tar, etc.).

file:
  - extensions:
      - all
    archive: true

MIME type detection

mime-type (boolean, default: false): Enable MIME type-based file detection.

file:
  - extensions:
      - all
    mime-type: true

Recursive scanning

no-recursive (boolean, default: false): Disable recursive directory scanning.

file:
  - extensions:
      - all
    no-recursive: true
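
As an added example (not part of the nuclei docs and not nuclei's own code), the following Python script approximates the file-selection rules described above: an extensions list (or all), a denylist, max-size and no-recursive, applied to a constructed temporary directory tree. The exact matching rules it uses are assumptions made for illustration (an extension entry matches with or without a leading dot, a denylist entry ending in / is treated as a directory name, one starting with . as an extension); archive and mime-type are not modelled. Check nuclei's actual behaviour before relying on any of these details.

```python
"""Added example (not nuclei's own code): approximate the file-selection rules
of a file template block -- extensions (or "all"), denylist, max-size and
no-recursive -- over a constructed directory tree."""
import os
import re
import shutil
import tempfile

_SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_max_size(value):
    """Parse a max-size string such as "10MB"; "no" (or None) means unlimited."""
    if value is None or str(value).lower() == "no":
        return None
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?B)?\s*", str(value), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable max-size: {value!r}")
    unit = (m.group(2) or "B").upper()
    return int(m.group(1)) * _SIZE_UNITS[unit]


def _ext_allowed(name, extensions):
    """Assumed rule: "all" matches everything; otherwise compare with or without a dot."""
    if "all" in extensions:
        return True
    for ext in extensions:
        ext = ext if ext.startswith(".") else "." + ext
        # ".env" matches both "app.env" and a file literally named ".env"
        if name.endswith(ext):
            return True
    return False


def _denied(relpath, denylist):
    """Assumed rule: "dir/" denies a directory, ".ext" an extension, else a file name."""
    parts = relpath.split(os.sep)
    for entry in denylist:
        if entry.endswith("/"):
            if entry.rstrip("/") in parts[:-1]:
                return True
        elif entry.startswith("."):
            if relpath.endswith(entry):
                return True
        elif entry == parts[-1]:
            return True
    return False


def select_files(root, extensions=("all",), denylist=(), max_size=None, no_recursive=False):
    """Return sorted relative paths under `root` that the file block would scan."""
    limit = parse_max_size(max_size)
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        if no_recursive:
            dirnames[:] = []  # stop os.walk from descending
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            if not _ext_allowed(fn, extensions):
                continue
            if _denied(rel, denylist):
                continue
            if limit is not None and os.path.getsize(full) > limit:
                continue
            selected.append(rel.replace(os.sep, "/"))
    return sorted(selected)


def build_sample_tree():
    """Constructed sample tree (placeholder contents, not real project data)."""
    root = tempfile.mkdtemp(prefix="file-template-demo-")
    files = {
        ".env": "DB_PASSWORD=placeholder\n",
        "app.log": "password=placeholder\n",
        "logo.png": "PNG-placeholder\n",
        "big.txt": "x" * 2048,
        "node_modules/lib/index.js": "var secret = 'placeholder';\n",
        "src/main.py": "API_KEY = 'placeholder'\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Run the four configurations from this section against the sample tree."""
    root = build_sample_tree()
    try:
        return {
            "all_with_denylist": select_files(root, ["all"], [".png", "node_modules/"]),
            "env_only": select_files(root, [".env"]),
            "max_1kb": select_files(root, ["txt", "log"], max_size="1KB"),
            "no_recursive": select_files(root, ["all"], no_recursive=True),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, paths in demo().items():
        print(f"{name}: {paths}")
```

Running it shows why the best-practice advice later on the page matters: with extensions set to all, the denylist is the only thing keeping node_modules/ and image files out of the scan, and max-size is what drops the oversized text file.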

Example: AWS keys detection

id: aws-keys-file

info:
  name: AWS Access Keys in Files
  author: pdteam
  severity: high
  description: Detects exposed AWS access keys in local files

file:
  - extensions:
      - all
    
    matchers:
      - type: regex
        regex:
          - "(?i)aws(.{0,20})?['\"][0-9a-zA-Z\\/+]{40}['\"]" 

Example: Private key detection

id: private-keys-file

info:
  name: Private Key Detection
  author: pdteam
  severity: critical
  description: Detects private keys in local files

file:
  - extensions:
      - all
    
    matchers:
      - type: word
        words:
          - "BEGIN RSA PRIVATE KEY"
          - "BEGIN DSA PRIVATE KEY"
          - "BEGIN EC PRIVATE KEY"
          - "BEGIN OPENSSH PRIVATE KEY"
          - "BEGIN PGP PRIVATE KEY"
        condition: or

Example: Environment file scan

id: env-file-secrets

info:
  name: Environment File Secrets
  author: pdteam
  severity: high
  description: Scans .env files for sensitive information

file:
  - extensions:
      - .env
      - env
    
    extractors:
      - type: regex
        name: database_credentials
        regex:
          - "DB_PASSWORD=(.+)"
          - "DATABASE_URL=(.+)"
        group: 1
      
      - type: regex
        name: api_keys
        regex:
          - "API_KEY=(.+)"
          - "SECRET_KEY=(.+)"
        group: 1

Example: Configuration files

id: config-file-scan

info:
  name: Configuration File Scanner
  author: pdteam
  severity: medium
  description: Scans configuration files for sensitive data

file:
  - extensions:
      - .yml
      - .yaml
      - .json
      - .xml
      - .conf
      - .config
    
    max-size: 5MB
    
    matchers:
      - type: regex
        regex:
          - "password\\s*[:=]\\s*[^\\s]+"
          - "api[_-]?key\\s*[:=]\\s*[^\\s]+"
          - "secret\\s*[:=]\\s*[^\\s]+"
        condition: or

Example: Source code secrets

id: source-code-secrets

info:
  name: Secrets in Source Code
  author: pdteam
  severity: high
  description: Detects hardcoded secrets in source code

file:
  - extensions:
      - .py
      - .js
      - .java
      - .go
      - .php
      - .rb
    
    denylist:
      - node_modules/
      - vendor/
      - .git/
    
    matchers:
      - type: regex
        regex:
          - "(?i)(password|passwd|pwd)\\s*=\\s*[\"'](.+?)[\"']"
          - "(?i)api[_-]?key\\s*=\\s*[\"'](.+)[\"']"
        condition: or

File response parts

raw (string): Complete file contents (default).

matchers:
  - type: word
    part: raw
    words:
      - "password"

path (string): File path.

extractors:
  - type: dsl
    dsl:
      - path

Matchers for files

matchers:
  # Word matcher
  - type: word
    words:
      - "api_key"
      - "secret_token"
    condition: or
  
  # Regex matcher
  - type: regex
    regex:
      - "[a-zA-Z0-9]{32}"
  
  # Binary matcher
  - type: binary
    binary:
      - "504B0304"  # ZIP signature

Extractors for files

extractors:
  # Regex extraction
  - type: regex
    name: credentials
    regex:
      - 'password="(.+?)"'
    group: 1
  
  # All matches
  - type: regex
    name: all_secrets
    regex:
      - "(?i)(password|secret|key)\\s*[:=]\\s*(.+)"

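As an added example (not nuclei's own code and not from the nuclei docs), the script below evaluates the matcher and extractor shapes used on this page, the word, regex and binary matchers with an or/and condition and regex extractors with a name and capture group, against constructed file contents. The patterns are the ones from the templates above, rewritten as Python raw strings; the semantics are an approximation assumed for illustration, and the sample values are placeholders, not real credentials.

```python
"""Added example (not nuclei's own code): a small evaluator for the word, regex
and binary matchers and the regex extractors shown on this page, run over
constructed file contents."""
import re


def match_word(content, words, condition="or"):
    """word matcher: substring test per entry, combined by condition."""
    hits = [w in content for w in words]
    return all(hits) if condition == "and" else any(hits)


def match_regex(content, patterns, condition="or"):
    """regex matcher: re.search per pattern, combined by condition."""
    hits = [re.search(p, content) is not None for p in patterns]
    return all(hits) if condition == "and" else any(hits)


def match_binary(raw, hex_signatures, condition="or"):
    """binary matcher: hex-encoded byte sequence searched in the raw bytes."""
    hits = [bytes.fromhex(sig) in raw for sig in hex_signatures]
    return all(hits) if condition == "and" else any(hits)


def run_extractors(content, extractors):
    """regex extractors: every match of every pattern, capture group chosen by
    'group' (0 = whole match), collected under the extractor's name."""
    results = {}
    for ex in extractors:
        group = ex.get("group", 0)
        found = []
        for pattern in ex["regex"]:
            for m in re.finditer(pattern, content):
                found.append(m.group(group))
        results[ex["name"]] = found
    return results


# Patterns from the templates on this page, with the YAML double-quote escaping removed.
AWS_KEY_REGEX = r"""(?i)aws(.{0,20})?['"][0-9a-zA-Z/+]{40}['"]"""
SOURCE_SECRET_REGEX = r"""(?i)(password|passwd|pwd)\s*=\s*["'](.+?)["']"""
PRIVATE_KEY_WORDS = [
    "BEGIN RSA PRIVATE KEY",
    "BEGIN DSA PRIVATE KEY",
    "BEGIN EC PRIVATE KEY",
    "BEGIN OPENSSH PRIVATE KEY",
    "BEGIN PGP PRIVATE KEY",
]
ENV_EXTRACTORS = [
    {"name": "database_credentials",
     "regex": [r"DB_PASSWORD=(.+)", r"DATABASE_URL=(.+)"], "group": 1},
    {"name": "api_keys",
     "regex": [r"API_KEY=(.+)", r"SECRET_KEY=(.+)"], "group": 1},
]

# Constructed sample contents (placeholders, not real credentials or keys).
AWS_SAMPLE = 'AWS_SECRET_KEY="ExAmPlE0123456789abcdefghijklmnopqrstuvw"\n'
AWS_CLEAN = "aws_region = us-east-1\n"
KEY_SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              "placeholder-body-not-a-real-key\n"
              "-----END OPENSSH PRIVATE KEY-----\n")
ZIP_SAMPLE = b"PK\x03\x04\x14\x00\x00\x00placeholder-archive-bytes"
ENV_SAMPLE = ("DB_PASSWORD=s3cr3t-example\n"
              "DATABASE_URL=postgres://user:pw@db.internal/app\n"
              "API_KEY=example-api-key\n"
              "DEBUG=true\n")
SOURCE_SAMPLE = ("password = 'hunter2'\n"
                 'DB_PWD = "p@ss"\n'
                 "timeout = 30\n")


def demo():
    """Apply each page pattern to its sample and return the outcomes."""
    return {
        "aws_key": match_regex(AWS_SAMPLE, [AWS_KEY_REGEX]),
        "aws_clean": match_regex(AWS_CLEAN, [AWS_KEY_REGEX]),
        "private_key_or": match_word(KEY_SAMPLE, PRIVATE_KEY_WORDS, "or"),
        "private_key_and": match_word(KEY_SAMPLE, PRIVATE_KEY_WORDS, "and"),
        "zip_signature": match_binary(ZIP_SAMPLE, ["504B0304"]),
        "env": run_extractors(ENV_SAMPLE, ENV_EXTRACTORS),
        "source": run_extractors(
            SOURCE_SAMPLE,
            [{"name": "hardcoded", "regex": [SOURCE_SECRET_REGEX], "group": 2}]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details worth noticing when you adapt these patterns: condition: or is what makes the private-key word list useful (no single file contains every header), and the AWS pattern only fires when a quoted 40-character value follows within 20 characters of "aws", so a key assigned under a longer variable name is missed; tune the gap or the variable-name part rather than the value part when you widen it.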
Running file templates

File templates take a directory path instead of a URL as the target:

# Scan current directory
nuclei -t file-template.yaml -target .

# Scan specific directory
nuclei -t file-template.yaml -target /path/to/project

# Scan multiple directories (one target path per line on stdin)
printf '%s\n' /path/to/dir1 /path/to/dir2 | nuclei -t file-template.yaml

Best practices

Limit extensions to relevant file types to improve performance:

file:
  - extensions:
      - .env
      - .config
    # Better than scanning 'all'

Prevent scanning large files:

file:
  - max-size: 10MB

Exclude irrelevant directories:

file:
  - denylist:
      - node_modules/
      - .git/
      - vendor/

Next steps

Matchers: complete matcher reference
Extractors: data extraction guide
Helper functions: DSL function reference
Best practices: template quality guidelines
