ci: integrate typos spell checker into CI pipeline

.github/workflows/typos.yaml

@@ -0,0 +1,20 @@
+# Typos CI — catches spelling mistakes in code, comments, and docs.
+# See: https://github.com/crate-ci/typos
+# Ref: https://github.com/projectdiscovery/nuclei/issues/6532
+name: Typos
+
+on:
+  pull_request:
+  push:
+    branches: [dev, main]
+
+permissions:
+  contents: read
+
+jobs:
+  typos:
+    name: Spell Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f # v1.29.10

_typos.toml

@@ -0,0 +1,47 @@
+# Typos configuration for nuclei
+# See: https://github.com/crate-ci/typos/blob/master/docs/reference.md
+
+[files]
+# Exclude non-English README translations (contain valid foreign words)
+extend-exclude = [
+    "README_CN.md",
+    "README_ES.md",
+    "README_ID.md",
+    "README_JP.md",
+    "README_KR.md",
+    "README_PT-BR.md",
+    "README_TR.md",
+    # Test data / fixtures contain intentional payloads
+    "pkg/input/formats/testdata/**",
+    "pkg/protocols/common/helpers/deserialization/testdata/**",
+    # WAF regex patterns contain partial words by design
+    "pkg/output/stats/waf/regexes.json",
+    # Integration test fuzzing payloads (intentionally malformed SQL etc.)
+    "integration_tests/fuzz/**",
+    # Test integration data with encoded/obfuscated strings
+    "pkg/testutils/integration.go",
+]
+
+[default.extend-words]
+# CLI help output uses abbreviated forms (appear in prose/help text)
+ines = "ines"     # JSONL(ines) in CLI help text
+ine = "ine"       # JSONL(ine) in CLI help text
+ot = "ot"         # flag abbreviation in CLI help
+ue = "ue"         # flag abbreviation in CLI help
+hae = "hae"       # appears in CLI output
+algoritmos = "algoritmos"  # Spanish word in fuzz playground test data
+
+[default.extend-identifiers]
+# Code identifiers that cannot be renamed without breaking changes
+splitted = "splitted"
+Splitted = "Splitted"
+# goflags library exports this misspelled type name — cannot be changed here
+AllowdTypes = "AllowdTypes"
+# Test fixture / constant identifiers
+Noo = "Noo"
+Iif = "Iif"       # expression test data
+alo = "alo"        # matcher test data
+fo = "fo"          # comment abbreviation in request_generator.go
+Fo = "Fo"          # severity test data
+BA = "BA"          # integration test constant
+Mis = "Mis"        # SSL field prefix (MisMatched)

cmd/tmc/main.go

@@ -196,14 +196,14 @@ func process(opts options) error {
 		}
 
 		if opts.format {
-			formatedTemplateData, isFormated, err := formatTemplate(dataString)
+			formattedTemplateData, isFormatted, err := formatTemplate(dataString)
 			if err != nil {
 				gologger.Info().Label("format").Msg(logErrMsg(path, err, opts.debug, errFile))
 			} else {
-				if isFormated {
-					_ = os.WriteFile(path, []byte(formatedTemplateData), 0644)
-					dataString = formatedTemplateData
-					gologger.Info().Label("format").Msgf("✅ formated template: %s\n", path)
+				if isFormatted {
+					_ = os.WriteFile(path, []byte(formattedTemplateData), 0644)
+					dataString = formattedTemplateData
+					gologger.Info().Label("format").Msgf("✅ formatted template: %s\n", path)
 				}
 			}
 		}

integration_tests/protocols/http/matcher-status.yaml

@@ -14,7 +14,7 @@ http:
   - method: GET
     path:
       - "{{RootURL}}/login?username={{username}}&password={{password}}"
-      - "{{BaseURL}}/admin-pannel"
+      - "{{BaseURL}}/admin-panel"
 
   - method: GET
     path:

integration_tests/protocols/network/net-https-timeout.yaml

@@ -12,7 +12,7 @@ tcp:
       - "tls://{{Hostname}}"
     port: 443
     inputs:
-      # noticable difference between this and net-https.yaml is that here we don't send the Connection: close header
+      # noticeable difference between this and net-https.yaml is that here we don't send the Connection: close header
       # and hence connection will remain open until server closes it. This can be a DOS vector in nuclei
       # as it waits for server to close the connection. now we have set a default timeout of 5 seconds and if server responds but doesn't close the connection
       # then nuclei will close connection but doesn't fail the request since we already have response data from server

internal/runner/runner.go

@@ -854,7 +854,7 @@ func (r *Runner) displayExecutionInfo(store *loader.Store) {
 		// only print these stats in verbose mode
 		stats.ForceDisplayWarning(templates.ExcludedHeadlessTmplStats)
 		stats.ForceDisplayWarning(templates.ExcludedCodeTmplStats)
-		stats.ForceDisplayWarning(templates.ExludedDastTmplStats)
+		stats.ForceDisplayWarning(templates.ExcludedDastTmplStats)
 		stats.ForceDisplayWarning(templates.TemplatesExcludedStats)
 		stats.ForceDisplayWarning(templates.ExcludedFileStats)
 		stats.ForceDisplayWarning(templates.ExcludedSelfContainedStats)

internal/server/server.go

@@ -185,7 +185,7 @@ func (s *DASTServer) Start() error {
 	return nil
 }
 
-// PostReuestsHandlerRequest is the request body for the /fuzz POST handler.
+// PostRequestsHandlerRequest is the request body for the /fuzz POST handler.
 type PostRequestsHandlerRequest struct {
 	RawHTTP string `json:"raw_http"`
 	URL     string `json:"url"`

lib/config.go

@@ -52,7 +52,7 @@ type TemplateFilters struct {
 	ExcludeSeverities    string   // filter by excluding severities (accepts CSV values of info, low, medium, high, critical)
 	ProtocolTypes        string   // filter by protocol types
 	ExcludeProtocolTypes string   // filter by excluding protocol types
-	Authors              []string // fiter by author
+	Authors              []string // filter by author
 	Tags                 []string // filter by tags present in template
 	ExcludeTags          []string // filter by excluding tags present in template
 	IncludeTags          []string // filter by including tags present in template

lib/tests/sdk_test.go

@@ -42,7 +42,7 @@ func TestSimpleNuclei(t *testing.T) {
 		defer ne.Close()
 	}
 
-	// this is shared test so needs to be run as seperate process
+	// this is shared test so needs to be run as separate process
 	if env.GetEnvOrDefault("TestSimpleNuclei", false) {
 		// run as new process
 		cmd := exec.Command(os.Args[0], "-test.run=TestSimpleNuclei")
@@ -81,7 +81,7 @@ func TestSimpleNucleiRemote(t *testing.T) {
 		require.Nil(t, err)
 		defer ne.Close()
 	}
-	// this is shared test so needs to be run as seperate process
+	// this is shared test so needs to be run as separate process
 	if env.GetEnvOrDefault("TestSimpleNucleiRemote", false) {
 		cmd := exec.Command(os.Args[0], "-test.run=TestSimpleNucleiRemote")
 		cmd.Env = append(os.Environ(), "TestSimpleNucleiRemote=true")
@@ -155,7 +155,7 @@ func TestWithVarsNuclei(t *testing.T) {
 		require.Nil(t, err)
 		defer ne.Close()
 	}
-	// this is shared test so needs to be run as seperate process
+	// this is shared test so needs to be run as separate process
 	if env.GetEnvOrDefault("TestWithVarsNuclei", false) {
 		cmd := exec.Command(os.Args[0], "-test.run=TestWithVarsNuclei")
 		cmd.Env = append(os.Environ(), "TestWithVarsNuclei=true")

pkg/catalog/loader/loader.go

@@ -824,7 +824,7 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
 							store.logger.Print().Msgf("[%v] Tampered/Unsigned template at %v.\n", aurora.Yellow("WRN").String(), templatePath)
 						}
 					} else if parsed.IsFuzzableRequest() && !typesOpts.DAST {
-						stats.Increment(templates.ExludedDastTmplStats)
+						stats.Increment(templates.ExcludedDastTmplStats)
 						if config.DefaultConfig.LogAllEvents {
 							store.logger.Print().Msgf("[%v] -dast flag is required for DAST template '%s'.\n", aurora.Yellow("WRN").String(), templatePath)
 						}

pkg/templates/parser_stats.go

@@ -8,7 +8,7 @@ const (
 	ExcludedHeadlessTmplStats    = "headless-flag-missing-warnings"
 	TemplatesExcludedStats       = "templates-executed"
 	ExcludedCodeTmplStats        = "code-flag-missing-warnings"
-	ExludedDastTmplStats         = "fuzz-flag-missing-warnings"
+	ExcludedDastTmplStats         = "fuzz-flag-missing-warnings"
 	SkippedUnsignedStats         = "skipped-unsigned-stats" // tracks loading of unsigned templates
 	ExcludedSelfContainedStats   = "excluded-self-contained-stats"
 	ExcludedFileStats            = "excluded-file-stats"

pkg/templates/stats.go

@@ -12,7 +12,7 @@ func init() {
 	stats.NewEntry(ExcludedSelfContainedStats, "Excluded %d self-contained template[s] (disabled as default), use -esc option to run self-contained templates.")
 	stats.NewEntry(ExcludedFileStats, "Excluded %d file template[s] (disabled as default), use -file option to run file templates.")
 	stats.NewEntry(TemplatesExcludedStats, "Excluded %d template[s] with known weak matchers / tags excluded from default run using .nuclei-ignore")
-	stats.NewEntry(ExludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
+	stats.NewEntry(ExcludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
 	stats.NewEntry(SkippedUnsignedStats, "Skipping %d unsigned template[s]")
 	stats.NewEntry(SkippedRequestSignatureStats, "Skipping %d templates, HTTP Request signatures can only be used in Signed & Verified templates.")
 }

pkg/tmplexec/flow/flow_executor_test.go

@@ -118,7 +118,7 @@ func TestFlowWithConditionNegative(t *testing.T) {
 
 	input := contextargs.NewWithInput(context.Background(), "scanme.sh")
 	ctx := scan.NewScanContext(context.Background(), input)
-	// expect no results and verify thant dns request is executed and http is not
+	// expect no results and verify than dns request is executed and http is not
 	gotresults, err := Template.Executer.Execute(ctx)
 	require.Nil(t, err, "could not execute template")
 	require.False(t, gotresults)