ci: integrate typos spell checker into CI

.github/workflows/typos.yaml

@@ -0,0 +1,21 @@
+name: 🔤 Typo Check
+
+on:
+  push:
+    branches: ["dev"]
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  typos:
+    name: Spell Check with Typos
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: crate-ci/typos@v1.43.3
+        with:
+          files: .

_typos.toml

@@ -0,0 +1,50 @@
+# Configuration for the typos spell checker
+# https://github.com/crate-ci/typos
+
+[files]
+# Skip non-English translated README files (contain legitimate non-English words)
+extend-exclude = [
+    "README_CN.md",
+    "README_ES.md",
+    "README_ID.md",
+    "README_JP.md",
+    "README_KR.md",
+    "README_PT-BR.md",
+    "README_TR.md",
+    # Test data and fixtures
+    "pkg/input/formats/testdata/*",
+    "pkg/protocols/common/helpers/deserialization/testdata/*",
+    # WAF regex patterns (contain intentional fragments)
+    "pkg/output/stats/waf/regexes.json",
+]
+
+[default.extend-words]
+# CLI flag abbreviations used in help text and code
+ines = "ines"  # JSONL(ines)
+ine = "ine"    # -ine flag suffix
+hae = "hae"    # -hae (http-api-endpoint)
+ue = "ue"      # -ue (uncover-engine)
+ot = "ot"      # -ot flag
+# Variable/identifier names
+fo = "fo"      # variable name in request_generator.go
+# Type from external dependency (projectdiscovery/goflags)
+Allowd = "Allowd"
+# NooP is a standard abbreviation for No-Operation
+Noo = "Noo"
+# MisMatched is used as a struct field name
+Mis = "Mis"
+
+# SQL keywords in error messages (legitimate SQL keywords)
+SELEC = "SELEC"  # Part of "SELECTs" in SQL error messages
+
+# Base64/certificate data fragments and test data values
+# These appear in PEM-encoded certificates and test fixtures - typos flags them
+# as potential misspellings but they are legitimate base64 alphabet sequences
+alo = "alo"    # XML test data (Croatian word "dijete>alo")
+Iif = "Iif"    # Base64 encoded test data
+BA = "BA"      # Base64 sequence in PEM certificates (cmd/integration-test/generic.go:36)
+Iy = "Iy"      # Base64 sequence in PEM certificates (pkg/testutils/integration.go:274)
+Iz = "Iz"      # Base64 sequence in PEM certificates
+inFo = "inFo"  # Test payload in pkg/model/types/severity/severity_test.go (case-sensitive severity test)
+# Test data content
+algoritmos = "algoritmos"  # Spanish word in fuzz playground test data

cmd/tmc/main.go

@@ -196,14 +196,14 @@ func process(opts options) error {
 		}
 
 		if opts.format {
-			formatedTemplateData, isFormated, err := formatTemplate(dataString)
+			formattedTemplateData, isFormatted, err := formatTemplate(dataString)
 			if err != nil {
 				gologger.Info().Label("format").Msg(logErrMsg(path, err, opts.debug, errFile))
 			} else {
-				if isFormated {
-					_ = os.WriteFile(path, []byte(formatedTemplateData), 0644)
-					dataString = formatedTemplateData
-					gologger.Info().Label("format").Msgf("✅ formated template: %s\n", path)
+				if isFormatted {
+					_ = os.WriteFile(path, []byte(formattedTemplateData), 0644)
+					dataString = formattedTemplateData
+					gologger.Info().Label("format").Msgf("✅ formatted template: %s\n", path)
 				}
 			}
 		}

integration_tests/protocols/http/matcher-status.yaml

@@ -14,7 +14,7 @@ http:
   - method: GET
     path:
       - "{{RootURL}}/login?username={{username}}&password={{password}}"
-      - "{{BaseURL}}/admin-pannel"
+      - "{{BaseURL}}/admin-panel"
 
   - method: GET
     path:

integration_tests/protocols/network/net-https-timeout.yaml

@@ -12,7 +12,7 @@ tcp:
       - "tls://{{Hostname}}"
     port: 443
     inputs:
-      # noticable difference between this and net-https.yaml is that here we don't send the Connection: close header
+      # noticeable difference between this and net-https.yaml is that here we don't send the Connection: close header
       # and hence connection will remain open until server closes it. This can be a DOS vector in nuclei
       # as it waits for server to close the connection. now we have set a default timeout of 5 seconds and if server responds but doesn't close the connection
       # then nuclei will close connection but doesn't fail the request since we already have response data from server

internal/runner/runner.go

@@ -854,7 +854,7 @@ func (r *Runner) displayExecutionInfo(store *loader.Store) {
 		// only print these stats in verbose mode
 		stats.ForceDisplayWarning(templates.ExcludedHeadlessTmplStats)
 		stats.ForceDisplayWarning(templates.ExcludedCodeTmplStats)
-		stats.ForceDisplayWarning(templates.ExludedDastTmplStats)
+		stats.ForceDisplayWarning(templates.ExcludedDastTmplStats)
 		stats.ForceDisplayWarning(templates.TemplatesExcludedStats)
 		stats.ForceDisplayWarning(templates.ExcludedFileStats)
 		stats.ForceDisplayWarning(templates.ExcludedSelfContainedStats)

internal/server/server.go

@@ -185,7 +185,7 @@ func (s *DASTServer) Start() error {
 	return nil
 }
 
-// PostReuestsHandlerRequest is the request body for the /fuzz POST handler.
+// PostRequestsHandlerRequest is the request body for the /fuzz POST handler.
 type PostRequestsHandlerRequest struct {
 	RawHTTP string `json:"raw_http"`
 	URL     string `json:"url"`
@@ -224,7 +224,7 @@ type DASTServerInfo struct {
 	NucleiVersion         string `json:"nuclei_version"`
 	NucleiTemplateVersion string `json:"nuclei_template_version"`
 	NucleiDastServerAPI   string `json:"nuclei_dast_server_api"`
-	ServerAuthEnabled     bool   `json:"sever_auth_enabled"`
+	ServerAuthEnabled     bool   `json:"server_auth_enabled"`
 }
 
 type DASTScanStatistics struct {

lib/config.go

@@ -52,7 +52,7 @@ type TemplateFilters struct {
 	ExcludeSeverities    string   // filter by excluding severities (accepts CSV values of info, low, medium, high, critical)
 	ProtocolTypes        string   // filter by protocol types
 	ExcludeProtocolTypes string   // filter by excluding protocol types
-	Authors              []string // fiter by author
+	Authors              []string // filter by author
 	Tags                 []string // filter by tags present in template
 	ExcludeTags          []string // filter by excluding tags present in template
 	IncludeTags          []string // filter by including tags present in template

lib/tests/sdk_test.go

@@ -42,7 +42,7 @@ func TestSimpleNuclei(t *testing.T) {
 		defer ne.Close()
 	}
 
-	// this is shared test so needs to be run as seperate process
+	// this is shared test so needs to be run as separate process
 	if env.GetEnvOrDefault("TestSimpleNuclei", false) {
 		// run as new process
 		cmd := exec.Command(os.Args[0], "-test.run=TestSimpleNuclei")
@@ -81,7 +81,7 @@ func TestSimpleNucleiRemote(t *testing.T) {
 		require.Nil(t, err)
 		defer ne.Close()
 	}
-	// this is shared test so needs to be run as seperate process
+	// this is shared test so needs to be run as separate process
 	if env.GetEnvOrDefault("TestSimpleNucleiRemote", false) {
 		cmd := exec.Command(os.Args[0], "-test.run=TestSimpleNucleiRemote")
 		cmd.Env = append(os.Environ(), "TestSimpleNucleiRemote=true")
@@ -155,7 +155,7 @@ func TestWithVarsNuclei(t *testing.T) {
 		require.Nil(t, err)
 		defer ne.Close()
 	}
-	// this is shared test so needs to be run as seperate process
+	// this is shared test so needs to be run as separate process
 	if env.GetEnvOrDefault("TestWithVarsNuclei", false) {
 		cmd := exec.Command(os.Args[0], "-test.run=TestWithVarsNuclei")
 		cmd.Env = append(os.Environ(), "TestWithVarsNuclei=true")

pkg/catalog/loader/loader.go

@@ -824,7 +824,7 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
 							store.logger.Print().Msgf("[%v] Tampered/Unsigned template at %v.\n", aurora.Yellow("WRN").String(), templatePath)
 						}
 					} else if parsed.IsFuzzableRequest() && !typesOpts.DAST {
-						stats.Increment(templates.ExludedDastTmplStats)
+						stats.Increment(templates.ExcludedDastTmplStats)
 						if config.DefaultConfig.LogAllEvents {
 							store.logger.Print().Msgf("[%v] -dast flag is required for DAST template '%s'.\n", aurora.Yellow("WRN").String(), templatePath)
 						}

pkg/fuzz/component/path.go

@@ -35,9 +35,9 @@ func (q *Path) Parse(req *retryablehttp.Request) (bool, error) {
 	q.req = req
 	q.value = NewValue("")
 
-	splitted := strings.Split(req.Path, "/")
+	parts := strings.Split(req.Path, "/")
 	values := make(map[string]interface{})
-	for i, segment := range splitted {
+	for i, segment := range parts {
 		if segment == "" && i == 0 {
 			// Skip the first empty segment from leading "/"
 			continue
@@ -88,20 +88,20 @@ func (q *Path) Delete(key string) error {
 // component rebuilt
 func (q *Path) Rebuild() (*retryablehttp.Request, error) {
 	// Get the original path segments
-	originalSplitted := strings.Split(q.req.Path, "/")
+	originalParts := strings.Split(q.req.Path, "/")
 
 	// Create a new slice to hold the rebuilt segments
-	rebuiltSegments := make([]string, 0, len(originalSplitted))
+	rebuiltSegments := make([]string, 0, len(originalParts))
 
 	// Add the first empty segment (from leading "/")
-	if len(originalSplitted) > 0 && originalSplitted[0] == "" {
+	if len(originalParts) > 0 && originalParts[0] == "" {
 		rebuiltSegments = append(rebuiltSegments, "")
 	}
 
 	// Process each segment
 	segmentIndex := 1 // 1-based indexing for our stored values
-	for i := 1; i < len(originalSplitted); i++ {
-		originalSegment := originalSplitted[i]
+	for i := 1; i < len(originalParts); i++ {
+		originalSegment := originalParts[i]
 		if originalSegment == "" {
 			// Skip empty segments
 			continue

pkg/templates/parser_stats.go

@@ -8,7 +8,7 @@ const (
 	ExcludedHeadlessTmplStats    = "headless-flag-missing-warnings"
 	TemplatesExcludedStats       = "templates-executed"
 	ExcludedCodeTmplStats        = "code-flag-missing-warnings"
-	ExludedDastTmplStats         = "fuzz-flag-missing-warnings"
+	ExcludedDastTmplStats        = "fuzz-flag-missing-warnings"
 	SkippedUnsignedStats         = "skipped-unsigned-stats" // tracks loading of unsigned templates
 	ExcludedSelfContainedStats   = "excluded-self-contained-stats"
 	ExcludedFileStats            = "excluded-file-stats"

pkg/templates/stats.go

@@ -12,7 +12,7 @@ func init() {
 	stats.NewEntry(ExcludedSelfContainedStats, "Excluded %d self-contained template[s] (disabled as default), use -esc option to run self-contained templates.")
 	stats.NewEntry(ExcludedFileStats, "Excluded %d file template[s] (disabled as default), use -file option to run file templates.")
 	stats.NewEntry(TemplatesExcludedStats, "Excluded %d template[s] with known weak matchers / tags excluded from default run using .nuclei-ignore")
-	stats.NewEntry(ExludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
+	stats.NewEntry(ExcludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
 	stats.NewEntry(SkippedUnsignedStats, "Skipping %d unsigned template[s]")
 	stats.NewEntry(SkippedRequestSignatureStats, "Skipping %d templates, HTTP Request signatures can only be used in Signed & Verified templates.")
 }

pkg/tmplexec/flow/flow_executor_test.go

@@ -118,7 +118,7 @@ func TestFlowWithConditionNegative(t *testing.T) {
 
 	input := contextargs.NewWithInput(context.Background(), "scanme.sh")
 	ctx := scan.NewScanContext(context.Background(), input)
-	// expect no results and verify thant dns request is executed and http is not
+	// expect no results and verify that dns request is executed and http is not
 	gotresults, err := Template.Executer.Execute(ctx)
 	require.Nil(t, err, "could not execute template")
 	require.False(t, gotresults)