Overview
Scan Exclusions provide granular control over your vulnerability scanning operations by allowing you to exclude specific targets or templates from scans. This feature helps optimize scan performance, reduce noise, and focus scanning efforts on relevant assets and vulnerabilities. The exclusion system operates at two levels:
- Scan Target Exclusions: Prevent specific targets from being scanned
- Scan Template Exclusions: Prevent specific vulnerability templates from being executed
Quick Access: Scan Exclusions are managed in Settings → Scan Exclusions, available on the same page as Discovery Target Exclusions.
How It Works
Scan exclusions are applied during the vulnerability scanning process, filtering targets and templates before scan execution. This ensures excluded patterns are never scanned or tested, optimizing scan performance and reducing irrelevant results.
Scan Target Exclusions
Overview
Scan Target Exclusions allow you to exclude specific targets or patterns from vulnerability scanning. These targets will be skipped during all scan operations, including automated scans, manual scans, and scheduled scans.
- Subdomains: Exclude specific subdomains from vulnerability scanning
- IP Addresses: Exclude individual IP addresses or ranges from scans
- Wildcard Patterns: Use wildcard patterns to exclude multiple targets
Configuration
Adding Target Exclusions
- Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
- In the Scan Target Exclusions section, click + Add Exclusion
- Enter your exclusion patterns in the text area (one pattern per line)
- Click Add to save your exclusions
Target Exclusion Examples
Basic Target Exclusions
Wildcard Patterns
IP Address Exclusions
Production Systems
Target Exclusion Use Cases
Development Environments
Exclude development and testing environments to focus scans on production systems:
Internal Infrastructure
Exclude internal-only systems that don’t require external vulnerability assessment:
Third-Party Services
Exclude third-party managed services or customer environments:
Scan Template Exclusions
Overview
Scan Template Exclusions allow you to exclude specific vulnerability templates or CVEs from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.
- CVE IDs: Exclude specific CVE vulnerability checks
- Template IDs: Exclude specific Nuclei template identifiers
Exact Match Only: Template exclusions require exact template IDs or CVE identifiers. Wildcard patterns are not supported for template exclusions.
Configuration
Adding Template Exclusions
- Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
- In the Scan Template Exclusions section, click + Add Exclusion
- Enter your template exclusion patterns (one pattern per line)
- Click Add to save your exclusions
Template Exclusion Examples
CVE Exclusions
Template ID Exclusions
Template Exclusion Use Cases
False Positive Reduction
Exclude specific templates that consistently produce false positives in your environment:
Low Priority Vulnerabilities
Exclude specific low-severity or informational checks to focus on critical issues:
Technology-Specific Exclusions
Exclude specific templates for technologies not present in your environment:
Legacy CVE Exclusions
Exclude specific older CVEs that are not applicable to your modern infrastructure:
Pattern Syntax
Target Exclusions - Wildcard Support
Target exclusions support wildcard patterns using the asterisk (*) character:
- Prefix wildcards: *.staging.company.com
- Suffix wildcards: test-*.company.com
- Multiple wildcards: *.staging.*.company.com
Template Exclusions - Exact Match Only
Template exclusions require exact identifiers:
- CVE IDs: Must match exactly (e.g., CVE-2021-26855)
- Template IDs: Must match the exact template identifier (e.g., apache-detect)
- No wildcards: Patterns like CVE-2021-* or *-detect are not supported
Pattern Matching Rules
- Target patterns are case-insensitive and support wildcards
- Template patterns are case-sensitive and require exact matches
- Each line represents a separate exclusion pattern
- Patterns are matched during the scan planning phase
- Once excluded, targets/templates will not be included in any scan operations
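The rules above can be checked against an asset inventory before saving an exclusion list, to see exactly which assets would drop out of scan coverage and which template lines would have no effect. This is an added example, not ProjectDiscovery's code: it assumes `*` matches any run of characters (dots included) and that a pattern must match the whole target; the inventory, the IP addresses and `KNOWN_IDS` are constructed sample data.

```python
import re

def target_regex(pattern: str) -> re.Pattern:
    """Translate a target exclusion pattern; '*' is the only metacharacter."""
    parts = (re.escape(p) for p in pattern.strip().split("*"))
    # Assumption: '*' matches any run of characters, dots included.
    return re.compile(".*".join(parts), re.IGNORECASE)  # targets: case-insensitive

def parse_lines(text: str) -> list[str]:
    """One pattern per line; blank lines are ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def excluded_targets(patterns_text: str, inventory: list[str]) -> dict[str, str]:
    """Map each asset that loses scan coverage to the first pattern that matched it."""
    compiled = [(p, target_regex(p)) for p in parse_lines(patterns_text)]
    hits = {}
    for asset in inventory:
        for raw, rx in compiled:
            if rx.fullmatch(asset.strip()):
                hits[asset] = raw
                break
    return hits

def check_template_exclusions(patterns_text: str, known_ids: set[str]):
    """Sort template lines into effective, wildcard (unsupported) and unmatched."""
    effective, wildcard, unmatched = [], [], []
    for line in parse_lines(patterns_text):
        if "*" in line:
            wildcard.append(line)      # wildcards are not supported for templates
        elif line in known_ids:        # exact, case-sensitive comparison
            effective.append(line)
        else:
            unmatched.append(line)     # typo or wrong case: excludes nothing
    return effective, wildcard, unmatched

# Constructed sample data (not taken from a real configuration).
TARGET_PATTERNS = "*.staging.company.com\ntest-*.company.com\n192.0.2.10\n"
INVENTORY = ["www.company.com", "API.Staging.company.com", "test-01.company.com",
             "192.0.2.10", "192.0.2.100", "staging.company.com"]
TEMPLATE_PATTERNS = "CVE-2021-26855\ncve-2021-26855\nCVE-2021-*\napache-detect\n"
KNOWN_IDS = {"CVE-2021-26855", "apache-detect"}  # hypothetical template ID list

if __name__ == "__main__":
    for asset, pat in excluded_targets(TARGET_PATTERNS, INVENTORY).items():
        print(f"not scanned: {asset:26} (matched {pat})")
    eff, wild, miss = check_template_exclusions(TEMPLATE_PATTERNS, KNOWN_IDS)
    print("effective:", eff, "| wildcard:", wild, "| no exact match:", miss)
```

Under these assumptions the bare apex `staging.company.com` is not covered by `*.staging.company.com`, and the lowercase `cve-2021-26855` line excludes nothing.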
Managing Exclusions
Viewing Current Exclusions
All active exclusions are displayed in the respective sections of the Scan Exclusions interface as individual items in a list format. Each exclusion shows:
- The exact pattern configured
- A remove button (X icon) for easy deletion
Removing Exclusions
To remove individual exclusions:
- Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
- Locate the exclusion you want to remove in the appropriate section
- Click the X icon next to the exclusion pattern
- The exclusion will be immediately removed from your configuration
Removing target exclusions will allow those targets to be scanned in future operations. Removing template exclusions will re-enable those vulnerability checks in upcoming scans.
Best Practices
Strategic Target Exclusions
Focus exclusions on systems that shouldn’t be scanned:
- Development and staging environments
- Internal management interfaces
- Third-party managed services
- Customer-owned infrastructure
Template Exclusion Strategy
Exclude templates that add noise without value:
- Known false positives for your environment
- Informational checks for technologies you don’t use
- Low-priority vulnerabilities that distract from critical issues
- Legacy CVEs not applicable to your infrastructure
Regular Review
Periodically review and update exclusions:
- Remove exclusions for systems that now need scanning
- Add exclusions for new development environments
- Re-evaluate template exclusions as your infrastructure evolves
- Monitor scan results to identify new false positive patterns
Important Considerations
Security Impact: Target exclusions prevent vulnerability scanning of specified assets. Ensure excluded targets are secured through other means or don’t require scanning.
Template Coverage: Template exclusions disable specific vulnerability checks. Make sure excluded templates aren’t critical for your security posture.
Performance Optimization: Use exclusions strategically to improve scan performance by focusing on relevant assets and vulnerabilities while reducing noise.
Integration with Scanning Workflows
Scan exclusions integrate seamlessly with all scanning operations and are applied globally across the platform:
- Automated Scans: Exclusions apply to all automated vulnerability scanning processes
- Manual Scans: User-initiated scans respect both target and template exclusions
- Scheduled Scans: All scheduled scan operations honor exclusion patterns
- Retesting: Vulnerability retesting operations also respect exclusion configurations
Global Application: All exclusion patterns apply to every scanning operation across your organization, ensuring consistent filtering regardless of the scan method or who initiates it.
By implementing scan exclusions, you can optimize your vulnerability scanning operations to focus on relevant targets and vulnerabilities while reducing noise and improving scan performance. This targeted approach ensures your security team can concentrate on the most important security issues affecting your infrastructure.