Nuclei with openapi specs scan only location and only few templates

[RunFox]

Hello, dear community!

I try to use nuclei in Gitlab CI\CD for dynamic scan microservice's in pipeline.
Command to execute in script section of ci/cd-template:
nuclei -l openapi.json -im openapi -timeout 1 -retries 0 -mhe 2 -spm -irt 5s -prc 5 -rl 50 -stats -debug -var "ClientId=49ccc3a1-b44e-42e3-ab64-9ce5df3227ff" -var "ItemId=1" -srd ./result.txt -skip-format-validation

openapi.json include 3 different host with two endpoint for each

So, nuclei start and show me, that for scan loaded 6 targets, that seems normally
But also nuclei show loaded only 24 templates for scan
In logs i see checks only for reflected xss

My questions:

1. Why it use only few templates? How i can start scan with all templates? Whet i try -t /nuclei-templates/http/exposures (it's example) - i see error "No templates found for scan"
   I can use all templates when load url to scan with txt-file without any problems
2. As i see in such configuration nuclei scan only endpoints. May i configure nuclei to scan root host too?
   For example, in swagger host: example.com and endpoint: GET /test
   Now it test only example.com/test
   I need scan also example.com

Thank you in advance

[GeorginaReeder]

Hey @RunFox ! Thanks so much for your questions. We'll check this out for you - @dwisiswant0 , is there anything we can do to help here?

[RunFox]

Hey @RunFox ! Thanks so much for your questions. We'll check this out for you - @dwisiswant0 , is there anything we can do to help here?

Hi!
@GeorginaReeder @dwisiswant0 any updates? I try to understand this mechanism)

[dwisiswant0]

This might be happening because you are using the -skip-format-validation flag, and that is why Nuclei isn't generating requests for the missing required parameters.

[tarunKoyalwar]

@RunFox

• But also nuclei show loaded only 24 templates for scan - this is expected while nuclei-templates repo has more than 8k templates , fuzzing ones are limited and only these are run https://github.com/projectdiscovery/nuclei-templates/tree/main/dast
• Why it use only few templates? - there are many different types of template in nuclei-templates ( osint,cves,panel-detection,dast and much more) as of now openapi schema based scanning is limited to and is only intended to be run with dast templates
• As i see in such configuration nuclei scan only endpoints. May i configure nuclei to scan root host too? - this is supported for normal templates in dast we already know what endpoints are available so it will only scan / fuzz those endpoints

I would recommend checking out docs at docs.projectdiscovery.io and our blogs on dast , basically dast templates have different use case and usage mode