Complete reference for template variables.

Core Variables

| Variable | Description | Example Value |
| --- | --- | --- |
| {{Target}} | Current scan target | example.com |
| {{TargetSpace}} | Sanitized target (filesystem safe) | example_com |
| {{Output}} | Workspace output directory | /home/user/osmedeus-base/workspaces/example.com |
| {{BaseFolder}} | Osmedeus base directory | /home/user/osmedeus-base |
| {{TaskID}} | Unique task/run identifier | run-abc123 |

Path Variables

| Variable | Description | Example Value |
| --- | --- | --- |
| {{Binaries}} | Path to tool binaries | /home/user/osmedeus-base/binaries |
| {{Data}} | Path to data files | /home/user/osmedeus-base/data |
| {{Workflows}} | Path to workflows | /home/user/osmedeus-base/workflows |
| {{Workspaces}} | Path to workspaces | /home/user/osmedeus-base/workspaces |
| {{Storages}} | Path to storage/snapshots | /home/user/osmedeus-base/storages |

Thread Variables

| Variable | Description | Example Value |
| --- | --- | --- |
| {{threads}} | Thread count (based on tactic) | 50 |
| {{baseThreads}} | Base thread count | 25 |

Affected by tactic (-B flag):
  • aggressive: threads=100, baseThreads=50
  • default: threads=50, baseThreads=25
  • gently: threads=10, baseThreads=5

Time Variables

| Variable | Description | Example Value |
| --- | --- | --- |
| {{Today}} | Current date (YYYY-MM-DD) | 2024-01-15 |
| {{TimeStamp}} | Unix timestamp | 1705312000 |
| {{RandomString}} | Random 8-character string | xK9mPq2r |

Step Export Variables

Available after step execution:

| Variable | Source | Description |
| --- | --- | --- |
| {{stdout}} | bash | Command standard output |
| {{stderr}} | bash | Command standard error |
| {{exit_code}} | bash | Command exit code |
| {{result}} | function | Function return value |
| {{http_status_code}} | http | HTTP response status |
| {{http_response_body}} | http | HTTP response body |
| {{http_response_headers}} | http | HTTP headers (JSON) |
| {{llm_response}} | llm | LLM chat response |
| {{llm_tool_calls}} | llm | LLM tool calls (JSON) |
| {{llm_embeddings}} | llm | LLM embeddings (JSON) |

Generator Functions

Use in parameter defaults:

| Function | Description | Example |
| --- | --- | --- |
| {{uuid()}} | Generate UUID v4 | a1b2c3d4-e5f6-... |
| {{currentDate()}} | Current date | 2024-01-15 |
| {{currentDate("format")}} | Formatted date | currentDate("02-Jan-2006") |
| {{currentTimestamp()}} | Unix timestamp | 1705312000 |
| {{randomInt(min, max)}} | Random integer | randomInt(1, 100) |
| {{randomString(len)}} | Random string | randomString(8) |
| {{getEnvVar("key")}} | Environment variable | getEnvVar("HOME") |
| {{getEnvVar("key", "default")}} | With default | getEnvVar("API_KEY", "none") |
| {{concat(a, b, ...)}} | Concatenate strings | concat("a", "b") |
| {{toLower(s)}} | Lowercase | toLower("ABC") → abc |
| {{toUpper(s)}} | Uppercase | toUpper("abc") → ABC |
| {{trim(s)}} | Trim whitespace | trim(" a ") → a |
| {{replace(s, old, new)}} | Replace string | replace("a.b", ".", "_") |
| {{split(s, sep)}} | Split string | split("a,b", ",") |
| {{join(arr, sep)}} | Join array | join(["a","b"], "-") |
| {{execCmd(cmd)}} | Execute command | execCmd("whoami") |

Foreach Variables

Inside foreach loops, use double brackets:

| Variable | Description |
| --- | --- |
| [[variable]] | Current iteration value |

Example:
- name: process
  type: foreach
  input: "{{Output}}/hosts.txt"
  variable: host
  step:
    command: scan [[host]] -o {{Output}}/[[host]].txt

Variable Resolution Order

  1. Exports from previous steps (highest priority)
  2. Parameters from user input (-p key=value)
  3. Built-in variables (Target, Output, etc.)
  4. Environment variables (lowest priority)

Usage Examples

In Commands

command: nuclei -u {{Target}} -o {{Output}}/nuclei.txt -t {{Data}}/templates/

In Parameters

params:
  - name: output_dir
    default: "{{Output}}/scans/{{Today}}"

  - name: threads
    default: "{{threads}}"

In Conditions

pre_condition: 'fileLength("{{Output}}/hosts.txt") > 0'

In Exports

exports:
  scan_output: "{{Output}}/scan-{{Target}}-{{TimeStamp}}.txt"

Nested Variables

params:
  - name: scan_dir
    default: "{{Output}}/{{scan_type}}"

# Resolves: {{Output}}/vulnerability -> /home/.../workspaces/target/vulnerability
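
The resolution order and the nested expansion above, modeled in Python as an added example (not Osmedeus code). The function names, the scope dictionaries, the re-expansion depth limit and the sample values are assumptions made for illustration. Because exports have the highest priority in the listed order, the model also reports when an export or parameter replaces a built-in such as Output.

```python
import re

# Matches {{name}}; generator calls such as {{uuid()}} are deliberately not matched.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample scopes, reusing example values from this page.
BUILTINS = {"Target": "example.com",
            "Output": "/home/user/osmedeus-base/workspaces/example.com"}
PARAMS = {"scan_type": "vulnerability", "scan_dir": "{{Output}}/{{scan_type}}"}
ENV = {"scan_type": "from-env"}


def lookup(name, exports, params, builtins, env):
    """Return (value, source) using the priority order listed on this page."""
    for source, scope in (("export", exports), ("param", params),
                          ("builtin", builtins), ("env", env)):
        if name in scope:
            return scope[name], source
    return None, None


def render(template, exports, params, builtins, env, max_depth=5):
    """Expand placeholders repeatedly so nested values resolve as well.

    Returns the rendered string and the built-in names that a
    higher-priority scope replaced. max_depth (an assumption) stops
    self-referencing values from looping forever.
    """
    shadowed = set()

    def substitute(match):
        name = match.group(1)
        value, source = lookup(name, exports, params, builtins, env)
        if value is None:
            return match.group(0)  # unknown name: leave it visible
        if source != "builtin" and name in builtins:
            shadowed.add(name)
        return str(value)

    for _ in range(max_depth):
        expanded = PLACEHOLDER.sub(substitute, template)
        if expanded == template:
            break
        template = expanded
    return template, sorted(shadowed)


if __name__ == "__main__":
    print(render("{{scan_dir}}/out.txt", {}, PARAMS, BUILTINS, ENV))
    print(render("{{Output}}/nuclei.txt", {"Output": "/tmp/elsewhere"}, PARAMS, BUILTINS, ENV))
```

A non-empty second return value is worth reviewing in a workflow: it means a step export or user parameter changed where later steps read and write.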

With Generators

params:
  - name: scan_id
    default: "{{uuid()}}"

  - name: report_date
    default: "{{currentDate()}}"

  - name: api_key
    default: "{{getEnvVar('API_KEY', 'not-set')}}"

Common Patterns

Output Organization

# Per-module output
command: subfinder -d {{Target}} -o {{Output}}/subdomain-enum/subs.txt

# Timestamped output
command: nmap {{Target}} -o {{Output}}/nmap-{{TimeStamp}}.txt

# Target-safe filenames
command: scan -o {{Output}}/{{TargetSpace}}-results.txt
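
Why the target-safe form matters for filenames, as an added Python example (not Osmedeus code): it renders the same filename with the raw target and with a sanitized one, then checks that the result is a single file inside the workspace. The sanitizer rule here is an assumption inferred from the example.com to example_com sample on this page, and the target strings are constructed test inputs.

```python
import posixpath
import re

# Constructed workspace path, taken from the example values on this page.
OUTPUT = "/home/user/osmedeus-base/workspaces/example.com"


def target_space(target):
    """ASSUMED sanitizer: every character outside [A-Za-z0-9_-] becomes "_"."""
    return re.sub(r"[^A-Za-z0-9_-]", "_", target)


def inside_workspace(output_dir, rendered_path):
    """True if rendered_path, once normalized, is still under output_dir."""
    root = posixpath.normpath(output_dir)
    path = posixpath.normpath(rendered_path)
    return posixpath.commonpath([root, path]) == root


def check_filename_templates(output_dir, target):
    """Render "<output>/<value>-results.txt" with the raw and sanitized target."""
    root = posixpath.normpath(output_dir)
    report = {}
    for label, value in (("Target", target), ("TargetSpace", target_space(target))):
        rendered = f"{output_dir}/{value}-results.txt"
        normalized = posixpath.normpath(rendered)
        report[label] = {
            "path": normalized,
            # False means the file would be written outside the workspace.
            "contained": inside_workspace(output_dir, rendered),
            # False means extra directory levels that may not exist yet.
            "single_file": posixpath.dirname(normalized) == root,
        }
    return report


if __name__ == "__main__":
    for sample in ("example.com", "https://example.com/app", "../../data/x"):
        print(sample, check_filename_templates(OUTPUT, sample))
```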

Tool Paths

# Use installed binaries
command: "{{Binaries}}/nuclei -u {{Target}}"

# Use data files
command: "ffuf -w {{Data}}/wordlists/common.txt -u {{Target}}/FUZZ"

Dynamic Configuration

params:
  - name: scan_profile
    default: "{{getEnvVar('SCAN_PROFILE', 'default')}}"

steps:
  - name: scan
    type: bash
    command: nuclei -t {{Data}}/profiles/{{scan_profile}}/ -u {{Target}}

Environment Variable Access

# Direct access
# Quoted as one YAML string: an unquoted ": " inside the value would not parse
command: 'curl -H "Authorization: Bearer $API_KEY" {{Target}}'

# Via template
params:
  - name: api_key
    default: "{{getEnvVar('API_KEY')}}"

Best Practices

  1. Use built-in paths instead of hardcoded values
  2. Use {{TargetSpace}} instead of {{Target}} in filenames to avoid special characters
  3. Organize output with meaningful directory structure
  4. Provide defaults for optional parameters
  5. Document custom variables in workflow description
