afrog

afrog is a fast, low-false-positive vulnerability scanner with a growing library of community-contributed proof-of-concept templates. Written in Go for speed and portability, afrog focuses on practical vulnerability detection — CVEs, default credentials, misconfigurations, and command injection — with templates that verify exploitability rather than just fingerprinting potentially vulnerable versions. The template format is YAML-based (similar to Nuclei) and supports HTTP request/response matching, variable extraction, and multi-step workflows. afrog includes built-in rate limiting, proxy support, and multiple output formats including JSON and HTML reports. What differentiates afrog from Nuclei is its emphasis on reducing false positives through more precise matching conditions and its curated default template set. With over 4,000 GitHub stars and active Chinese and international security community contributions, afrog is gaining adoption as a complementary scanner alongside Nuclei for web vulnerability assessments.