Vulnerability Scanner

A systematic security skill for building and operating automated vulnerability scanning pipelines that identify security weaknesses across networks, web applications, and infrastructure.

When to Use

Choose Vulnerability Scanner when:

• Setting up continuous security scanning for infrastructure and applications
• Building automated vulnerability assessment pipelines for CI/CD integration
• Conducting periodic security audits across network ranges
• Combining multiple scanning tools into a unified reporting workflow

Consider alternatives when:

• You need deep manual penetration testing — scanners find surface-level issues only
• Scanning third-party systems without authorization — always get written permission first
• Working with compliance-specific requirements — use specialized compliance scanners

Quick Start

Copy
# Nmap service discovery and vulnerability scan
nmap -sV --script=vulners -oX scan_results.xml 192.168.1.0/24

# Nuclei template-based scanning
nuclei -u https://target.com -t cves/ -severity critical,high -o findings.txt

Copy
import subprocess
import json
import xml.etree.ElementTree as ET
from datetime import datetime

class VulnScanner:
    def __init__(self, target):
        self.target = target
        self.results = []
        self.scan_id = datetime.now().strftime("%Y%m%d_%H%M%S")

    def nmap_scan(self, ports="1-1000"):
        """Run Nmap service detection scan"""
        output_file = f"/tmp/nmap_{self.scan_id}.xml"
        cmd = [
            "nmap", "-sV", "-sC", "--script=vulners",
            "-p", ports, "-oX", output_file, self.target
        ]
        subprocess.run(cmd, capture_output=True, text=True)
        self._parse_nmap(output_file)

    def _parse_nmap(self, xml_file):
        tree = ET.parse(xml_file)
        root = tree.getroot()
        for host in root.findall(".//host"):
            addr = host.find("address").get("addr")
            for port in host.findall(".//port"):
                port_id = port.get("portid")
                service = port.find("service")
                svc_name = service.get("name", "unknown") if service else "unknown"
                state = port.find("state").get("state")
                if state == "open":
                    self.results.append({
                        "host": addr,
                        "port": int(port_id),
                        "service": svc_name,
                        "version": service.get("version", "") if service else "",
                        "type": "open_port"
                    })

    def nuclei_scan(self, severity="critical,high"):
        """Run Nuclei template scan"""
        cmd = [
            "nuclei", "-u", self.target,
            "-severity", severity,
            "-json", "-silent"
        ]
        result = subprocess.run(cmd, capture_output=True, text=True)
        for line in result.stdout.strip().split("\n"):
            if line:
                finding = json.loads(line)
                self.results.append({
                    "template": finding.get("template-id"),
                    "severity": finding.get("info", {}).get("severity"),
                    "matched": finding.get("matched-at"),
                    "type": "nuclei_finding"
                })

    def generate_report(self):
        report = {
            "scan_id": self.scan_id,
            "target": self.target,
            "total_findings": len(self.results),
            "by_severity": {},
            "findings": self.results
        }
        for r in self.results:
            sev = r.get("severity", "info")
            report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        return report

Core Concepts

Scanner Types and Use Cases

Scanner Type	Tool Examples	Best For	Limitations
Network	Nmap, Masscan	Port/service discovery	No app-layer testing
Web Application	OWASP ZAP, Nikto	Web vulnerability detection	High false positive rate
Template-based	Nuclei, Jaeles	Known CVE detection	Misses zero-days
Infrastructure	OpenVAS, Nessus	Comprehensive host scanning	Resource intensive
Container	Trivy, Grype	Image vulnerability scanning	Build-time only
Dependency	Snyk, npm audit	Library CVE detection	No runtime issues

Scan Pipeline Architecture

Copy
# Multi-stage scanning pipeline
class ScanPipeline:
    def __init__(self, targets):
        self.targets = targets
        self.stages = []
        self.all_results = []

    def add_stage(self, name, scanner_func, depends_on=None):
        self.stages.append({
            "name": name,
            "func": scanner_func,
            "depends_on": depends_on
        })

    def execute(self):
        stage_outputs = {}
        for stage in self.stages:
            if stage["depends_on"]:
                input_data = stage_outputs[stage["depends_on"]]
                results = stage["func"](input_data)
            else:
                results = stage["func"](self.targets)
            stage_outputs[stage["name"]] = results
            self.all_results.extend(results)
        return self.deduplicate(self.all_results)

    def deduplicate(self, results):
        seen = set()
        unique = []
        for r in results:
            key = f"{r.get('host','')}-{r.get('port','')}-{r.get('template','')}"
            if key not in seen:
                seen.add(key)
                unique.append(r)
        return unique

Configuration

Option	Description	Default
targets	IP ranges, domains, or CIDR notation	Required
scan_type	Type of scan: network, web, full	"full"
port_range	Ports to scan for network scans	"1-10000"
severity_threshold	Minimum severity to report	"medium"
max_concurrent	Maximum parallel scan threads	10
timeout_per_host	Timeout per host in seconds	300
output_format	Report format: json, html, csv	"json"
exclude_hosts	Hosts to skip during scanning	[]

Best Practices

1. Run discovery scans before vulnerability scans to build a complete asset inventory — you cannot secure what you do not know about, and missing a single exposed service can undermine the entire assessment
2. Schedule scans during maintenance windows for internal networks to minimize impact on production services and reduce the chance of triggering incident response alerts unnecessarily
3. Correlate findings across multiple scanners because each tool has different detection strengths; combining Nmap, Nuclei, and a web scanner gives far better coverage than any single tool alone
4. Maintain a vulnerability database with tracking so you can measure remediation times, identify recurring issues, and demonstrate security posture improvements over time
5. Tune scanner configurations per target rather than using defaults everywhere; aggressive scans on fragile legacy systems can cause outages, while conservative scans on modern infrastructure waste time

Common Issues

Scan timeouts on large networks: Scanning thousands of hosts with full port ranges takes hours and often times out. Break large networks into smaller subnets, scan the most common 1000 ports first, then run targeted full-port scans only on hosts with interesting services discovered in the initial pass.

High false positive rates: Automated scanners frequently flag issues that are not actually exploitable in context. Build a validation workflow where critical and high findings are manually verified before being sent to development teams, and maintain a suppression list for known false positives specific to your environment.

Missing authenticated vulnerabilities: Unauthenticated scans only see the attack surface visible to anonymous users. Configure scanner authentication with valid credentials for each application, including API tokens and session cookies, to discover vulnerabilities that require login access to reach.