Sharing our automated vulnerability scanning pipeline that runs daily and integrates with our ticketing system. Uses a combination of Nuclei, Nmap, and custom scripts.
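#!/bin/bash
# Daily vulnerability scan pipeline.
#
# Runs Nmap host discovery and service enumeration, then a Nuclei scan limited
# to critical/high severity templates, and finally builds a report and files
# Jira tickets from the results. All output goes to /opt/scans/<YYYY-MM-DD>/.
#
# TARGETS and nuclei-templates/ are relative paths, so the script must be
# started from the directory that contains them (set the working directory
# explicitly when scheduling it).
#
# The targets file defines the scan scope: keep it writable only by the
# pipeline owner and list only hosts you are authorised to scan.

# Stop at the first failing step so the report and the tickets are never built
# from a partial or missing scan result.
set -euo pipefail

# Scan output describes exposed services and findings; keep it owner-only.
# Relax this if a separate account has to read the reports.
umask 077

readonly TARGETS="targets.txt"
DATE=$(date +%Y-%m-%d)
readonly DATE
readonly OUTPUT_DIR="/opt/scans/$DATE"

# A missing or empty scope file would otherwise yield an empty "clean" scan.
if [[ ! -s "$TARGETS" ]]; then
  printf 'error: targets file %s is missing or empty\n' "$TARGETS" >&2
  exit 1
fi

mkdir -p -- "$OUTPUT_DIR"

# Network discovery
# The result is recorded for reference; the later stages still read TARGETS.
nmap -sn -iL "$TARGETS" -oG "$OUTPUT_DIR/alive.gnmap"

# Service enumeration
nmap -sV -sC -iL "$TARGETS" -oX "$OUTPUT_DIR/services.xml"

# Vulnerability scanning with Nuclei
# The output flags belong to this same invocation: without the trailing
# backslash the shell would try to run "-o" as a command of its own and no
# results file would be written.
# NOTE(review): recent nuclei releases renamed -json to -jsonl; confirm
# against the installed version.
nuclei -l "$TARGETS" -t nuclei-templates/ -severity critical,high \
  -o "$OUTPUT_DIR/vulns.txt" -json

# Generate report and create tickets
python3 /opt/scripts/generate_report.py "$OUTPUT_DIR"
python3 /opt/scripts/create_jira_tickets.py "$OUTPUT_DIR/vulns.txt"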