add maxtime option to limit entire execution time

[dogancanbakir]

Proposed changes

closes #5823

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Chores
  • Updated a core CLI-related dependency to a newer compatible version.
  • Registered additional common CLI flags to improve configuration handling and discoverability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 75b5e6c8-8c85-4dd5-bb9d-378e9ea18bf1

📥 Commits

Reviewing files that changed from the base of the PR and between bb112b6 and 6a18349.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• cmd/nuclei/main.go
• go.mod

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/nuclei/main.go
• go.mod

---

Walkthrough

The PR adds registration of common CLI flags by calling flagSet.AddCommonFlags() inside the configuration reader and updates the goflags dependency to a newer pre-release version that provides the common flag functionality.

Changes

Cohort / File(s)	Summary
CLI Flag Registration cmd/nuclei/main.go	Added flagSet.AddCommonFlags() in the configuration read path to register common CLI flags.
Dependency Update go.mod	Bumped github.com/projectdiscovery/goflags from v0.1.74 to v0.1.75-0.20260128114615-b0f98a3a8e6e to obtain the common-flag API.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped through flags both old and new,
A common banner stitched in blue,
Version bumped, a tidy tweak,
CLI blossoms, mild and meek. ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 4

❌ Failed checks (4 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'maxtime option' which aligns with the feature request, but the actual changes only add a call to flagSet.AddCommonFlags() and update a dependency version - neither implements the maxtime functionality described in the PR objectives.	The title promises a maxtime feature, but the code changes don't implement it. Either implement the maxtime feature or update the title to accurately reflect that this PR only adds common flags registration.
Linked Issues check	⚠️ Warning	Issue #5823 requires implementing a -maxtime option for soft-kill execution time limits and changing -jsonl to stream directly to disk. The actual changes only add flagSet.AddCommonFlags() and update a dependency, implementing neither requirement.	Implement the -maxtime CLI option with host-level execution time limits and update -jsonl behavior to stream findings directly to disk as specified in issue #5823.
Out of Scope Changes check	⚠️ Warning	The changes introduce a new flagSet.AddCommonFlags() call in readConfig that is unrelated to the maxtime feature or jsonl streaming objectives specified in the linked issue.	Review whether flagSet.AddCommonFlags() is necessary for this PR's objectives or if it represents scope creep that should be separated into a different PR.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 5823_add_maxtime_option

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use your project's `golangci-lint` configuration to improve the quality of Go code reviews.

Add a configuration file to your project to customize how CodeRabbit runs golangci-lint.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/types/context.go (1)

12-30: Consider goroutine lifecycle.

The goroutine spawned on lines 22-27 will remain blocked on execCtx.Done() until the timeout expires or the context is cancelled. This is generally acceptable for a logging goroutine, but be aware that:

1. If the scan completes before the timeout, the goroutine will continue running until timeout or cancellation
2. The goroutine holds a reference to execCtx and logger, preventing GC until it completes

This is a common pattern for timeout logging and should be fine for the use case, but consider documenting this behavior.

internal/runner/runner.go (1)

796-807: Verify if redundant max-time context application is intentional.

The max-time context is applied here at the runner level (lines 797), but automaticscan.NewWithContext also applies it internally. While safe due to the hasDeadline guard in ApplyMaxTimeContext, this redundancy creates ambiguity about ownership and could confuse future maintainers.

Consider clarifying the design:

• Option 1 (recommended): Apply max-time context only at the runner level and remove the internal application from automaticscan.NewWithContext
• Option 2: Remove the application here and let automaticscan.NewWithContext handle it exclusively

Option 1 is preferred for centralized control and consistency with executeTemplatesInput (which must apply the context since ExecuteScanWithOpts doesn't).

Based on relevant code snippets from pkg/protocols/common/automaticscan/automaticscan.go.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc0f1e9 and 7f51789.

📒 Files selected for processing (9)

• README.md (1 hunks)
• cmd/nuclei/main.go (1 hunks)
• internal/runner/runner.go (2 hunks)
• internal/server/nuclei_sdk.go (1 hunks)
• lib/multi.go (1 hunks)
• lib/sdk.go (1 hunks)
• pkg/protocols/common/automaticscan/automaticscan.go (5 hunks)
• pkg/types/context.go (1 hunks)
• pkg/types/types.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

• pkg/types/types.go
• lib/multi.go
• internal/server/nuclei_sdk.go
• lib/sdk.go
• cmd/nuclei/main.go
• pkg/types/context.go
• pkg/protocols/common/automaticscan/automaticscan.go
• internal/runner/runner.go

pkg/protocols/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Each protocol implementation must provide a Request interface with methods Compile(), ExecuteWithResults(), Match(), and Extract()

Files:

• pkg/protocols/common/automaticscan/automaticscan.go

🧬 Code graph analysis (6)

lib/multi.go (1)

pkg/types/context.go (1)

• ApplyMaxTimeContext (12-30)

internal/server/nuclei_sdk.go (2)

pkg/types/context.go (1)

• ApplyMaxTimeContext (12-30)

pkg/types/types.go (1)

• Options (34-474)

lib/sdk.go (1)

pkg/types/context.go (1)

• ApplyMaxTimeContext (12-30)

pkg/types/context.go (2)

pkg/protocols/common/contextargs/contextargs.go (1)

• Context (22-33)

pkg/types/types.go (1)

• Options (34-474)

pkg/protocols/common/automaticscan/automaticscan.go (4)

pkg/protocols/common/contextargs/contextargs.go (2)

• Context (22-33)
• New (36-38)

pkg/types/types.go (1)

• Options (34-474)

pkg/types/context.go (1)

• ApplyMaxTimeContext (12-30)

pkg/input/provider/simple.go (1)

• NewSimpleInputProviderWithUrls (22-28)

internal/runner/runner.go (3)

pkg/types/context.go (1)

• ApplyMaxTimeContext (12-30)

pkg/protocols/common/automaticscan/automaticscan.go (2)

• NewWithContext (78-137)
• Options (47-52)

pkg/types/types.go (1)

• Options (34-474)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint

🔇 Additional comments (13)

README.md (1)

302-302: LGTM!

The documentation clearly describes the new max-time option with an appropriate example.

pkg/types/types.go (2)

316-317: LGTM!

The MaxTime field addition is straightforward and properly documented.

---

615-615: LGTM!

The Copy method correctly propagates the MaxTime field to the new instance.

internal/server/nuclei_sdk.go (1)

184-192: Verify context source.

The code creates a fresh context.Background() each time. Consider if there's an existing context (e.g., from the HTTP request or the nucleiExecutor struct) that should be used instead to propagate cancellation signals from upstream callers.

cmd/nuclei/main.go (1)

433-433: LGTM!

The CLI flag is correctly defined with appropriate names, type, default value, and description. The example in the description helps users understand the expected format.

lib/multi.go (1)

168-173: LGTM!

The max-time context is correctly applied and the derived context is used for scan execution. The cancel function is properly deferred for cleanup.

lib/sdk.go (1)

268-284: LGTM!

The max-time context is correctly applied and consistently used throughout the method. The completion/timeout handling in the select statement properly uses execCtx.Done() and execCtx.Err().

pkg/protocols/common/automaticscan/automaticscan.go (4)

73-85: LGTM!

The context-aware constructor is well-implemented:

• Properly defaults to context.Background() if nil
• Applies max-time context when options are available
• Stores the cancel function for lifecycle management

---

141-143: LGTM!

The Close method correctly invokes the cancel function for proper context cleanup.

---

156-160: LGTM!

The context cancellation check enables graceful early termination when the max-time is reached.

---

217-217: LGTM!

Using s.ctx instead of context.Background() correctly propagates the max-time context through the execution path.

internal/runner/runner.go (2)

843-849: Correct implementation of max-time context for template execution.

The context handling pattern is properly implemented:

• Context is created and bounded with max-time
• Cancel function is deferred with nil check to prevent panic
• Context is correctly passed to ExecuteScanWithOpts

This is necessary at the runner level since the engine doesn't apply max-time internally.

---

796-807: Consider adding tests and documentation for max-time feature.

The PR checklist indicates that tests and documentation haven't been added yet. Given that this is a new user-facing feature (-mt/--max-time flag), please ensure:

1. Tests: Add unit tests covering:

   • Context timeout triggers graceful shutdown
   • Cancel function is properly called
   • Behavior when MaxTime <= 0 (feature disabled)
   • Behavior when context already has a deadline

2. Documentation: Update relevant docs to explain:

   • The -mt/--max-time flag usage and format
   • Expected behavior when timeout is reached
   • Impact on scan results (graceful stop vs hard kill)

Per PR objectives and coding guidelines.

Also applies to: 843-849

[Mzack9999]

I think the functionality can be already obtained by using nuclei as SDK and providing a context with max deadline execution for example. What do you think?

[dogancanbakir]

I think the functionality can be already obtained by using nuclei as SDK and providing a context with max deadline execution for example. What do you think?

@Mzack9999, however, this is aimed explicitly at CLI users, as it won't be possible for them.

[Mzack9999]

This request already came in for subfinder. System tools like timeout already allow control of global timing, but unfortunately not in a graceful way. I'd suggest a different strategy to plug the functionality transparently in all the tools, what do you think of adding something like CommonFlags to goflags so that in all tools it's enough to add one-line to the flagset with something like:

var opts Options
flagSet := goflags.NewFlagSet()
flagSet.AddCommonFlags(&opts)

Then we can simply send a system OS kill from the goflags library, that will be intercepted and handled by the grafecul exit already embedded in the tools.
Would this make sense?