Vulnerability Scanning
Identify and prioritize security vulnerabilities across infrastructure and applications.
When to Use This Skill
Use this skill when:
-
Performing security assessments
-
Implementing vulnerability management programs
-
Meeting compliance requirements
-
Triaging and prioritizing remediation
-
Scanning infrastructure for known CVEs
Prerequisites
-
Access to scanning tools
-
Network access to targets
-
Appropriate authorization
Vulnerability Scanning Tools
Tool Type Best For
Nessus Commercial Enterprise scanning
OpenVAS Open Source Free alternative
Qualys Cloud SaaS Large scale
Nexpose/InsightVM Commercial Asset management
Nuclei Open Source Template-based
OpenVAS Setup
Docker Deployment
Run OpenVAS container
docker run -d --name openvas
-p 443:443
-v openvas-data:/data
greenbone/openvas-scanner
Access web UI at https://localhost
Default credentials: admin/admin
Scanning Commands
Create target
omp -u admin -w admin --xml='<create_target> <name>Web Servers</name> <hosts>192.168.1.0/24</hosts> </create_target>'
Create task
omp -u admin -w admin --xml='<create_task> <name>Weekly Scan</name> <target id="target-uuid"/> <config id="daba56c8-73ec-11df-a475-002264764cea"/> </create_task>'
Start task
omp -u admin -w admin --xml='<start_task task_id="task-uuid"/>'
Get results
omp -u admin -w admin --xml='<get_results task_id="task-uuid"/>'
Nessus
API Usage
import requests
class NessusScanner: def init(self, url, access_key, secret_key): self.url = url self.headers = { 'X-ApiKeys': f'accessKey={access_key}; secretKey={secret_key}', 'Content-Type': 'application/json' }
def create_scan(self, name, targets, template='basic'):
"""Create a new scan."""
templates = self.get('/editor/scan/templates')
template_uuid = next(
t['uuid'] for t in templates['templates']
if t['name'] == template
)
payload = {
'uuid': template_uuid,
'settings': {
'name': name,
'text_targets': targets,
'enabled': True
}
}
return self.post('/scans', payload)
def launch_scan(self, scan_id):
"""Start a scan."""
return self.post(f'/scans/{scan_id}/launch')
def get_results(self, scan_id):
"""Get scan results."""
return self.get(f'/scans/{scan_id}')
def export_report(self, scan_id, format='pdf'):
"""Export scan report."""
payload = {'format': format}
response = self.post(f'/scans/{scan_id}/export', payload)
file_id = response['file']
# Wait for export
while True:
status = self.get(f'/scans/{scan_id}/export/{file_id}/status')
if status['status'] == 'ready':
break
time.sleep(5)
return self.get(f'/scans/{scan_id}/export/{file_id}/download')
def get(self, path):
response = requests.get(f'{self.url}{path}', headers=self.headers, verify=False)
return response.json()
def post(self, path, data=None):
response = requests.post(f'{self.url}{path}', json=data, headers=self.headers, verify=False)
return response.json()
Usage
scanner = NessusScanner('https://nessus:8834', 'access-key', 'secret-key') scan = scanner.create_scan('Weekly Infrastructure Scan', '10.0.0.0/24') scanner.launch_scan(scan['scan']['id'])
Nuclei
Installation
Install nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Or download binary
wget https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_linux_amd64.zip unzip nuclei_linux_amd64.zip
Basic Scanning
Update templates
nuclei -update-templates
Scan single target
nuclei -u https://example.com
Scan multiple targets
nuclei -l targets.txt
Scan with specific templates
nuclei -u https://example.com -t cves/ nuclei -u https://example.com -t vulnerabilities/
Scan with severity filter
nuclei -u https://example.com -s critical,high
Output formats
nuclei -u https://example.com -o results.txt nuclei -u https://example.com -json -o results.json
Custom Templates
custom-check.yaml
id: custom-admin-panel
info: name: Admin Panel Detection author: security-team severity: info tags: recon,panel
requests:
-
method: GET path:
- "{{BaseURL}}/admin"
- "{{BaseURL}}/administrator"
- "{{BaseURL}}/wp-admin"
matchers-condition: or matchers:
-
type: word words:
- "admin"
- "login" condition: and
-
type: status status:
- 200
- 301
- 302
CVSS Scoring
Severity Levels
Score Rating Response Time
9.0-10.0 Critical 24 hours
7.0-8.9 High 7 days
4.0-6.9 Medium 30 days
0.1-3.9 Low 90 days
Prioritization Factors
prioritization_criteria: critical_factors: - Internet-facing systems - Systems with sensitive data - Active exploitation in the wild - Authentication bypass
high_factors: - Remote code execution - Privilege escalation - Data exfiltration risk
context_adjustments: - Compensating controls in place (-1) - No direct exposure (-1) - Critical business system (+1) - Compliance requirement (+1)
Vulnerability Management Process
Workflow
vulnerability_workflow: discovery: - Run scheduled scans - Import third-party findings - Correlate with asset inventory
analysis: - Validate findings - Remove false positives - Assess business impact - Prioritize by risk score
remediation: - Assign to owners - Track SLA compliance - Verify fixes - Document exceptions
reporting: - Executive summaries - Technical details - Trend analysis - Compliance metrics
Tracking Template
Vulnerability Ticket
ID: VULN-2024-001 CVE: CVE-2024-12345 CVSS: 9.8 (Critical) Affected System: web-server-01
Description
Remote code execution vulnerability in Apache Struts.
Impact
Attacker can execute arbitrary code on the server.
Remediation
- Update Apache Struts to version 2.5.33
- Apply WAF rule as temporary mitigation
Timeline
- Discovered: 2024-01-15
- SLA Due: 2024-01-16
- Remediated: 2024-01-15
Evidence
- Scan report: [link]
- Screenshot: [link]
CI/CD Integration
GitHub Actions
name: Vulnerability Scan
on: schedule: - cron: '0 2 * * *' push: branches: [main]
jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- name: Run Nuclei
uses: projectdiscovery/nuclei-action@main
with:
target: https://example.com
templates: cves/
output: nuclei-results.txt
- name: Check for critical findings
run: |
if grep -q "critical" nuclei-results.txt; then
echo "Critical vulnerabilities found!"
exit 1
fi
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: vulnerability-report
path: nuclei-results.txt
Compliance Scanning
CIS Benchmark Scan
Using OpenSCAP
oscap xccdf eval
--profile xccdf_org.ssgproject.content_profile_cis
--results results.xml
--report report.html
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
PCI DSS Scanning
pci_scan_requirements: quarterly: - External vulnerability scan (ASV) - Internal vulnerability scan
after_changes: - Significant infrastructure changes - New system deployments
passing_criteria: - No vulnerabilities rated 4.0+ (CVSS) - False positives documented - Scan completed within 90 days
Common Issues
Issue: False Positives
Problem: Scanner reports non-existent vulnerabilities Solution: Validate manually, tune scanner, maintain exception list
Issue: Incomplete Coverage
Problem: Not all assets scanned Solution: Update asset inventory, verify credentials, check network access
Issue: Scan Impact
Problem: Scans affecting production systems Solution: Schedule during maintenance windows, use authenticated scans
Best Practices
-
Maintain accurate asset inventory
-
Schedule regular scan cadence
-
Validate findings before remediation
-
Track metrics (MTTR, aging)
-
Integrate with ticketing systems
-
Document exceptions properly
-
Use risk-based prioritization
-
Automate where possible
Related Skills
-
sast-scanning - Code analysis
-
container-scanning - Container security
-
cis-benchmarks - Compliance benchmarks