Feature Request: Support for Target-Specific Tag Routing (Pre-defined Fingerprint Mapping) via Input

[di-ao]

Is your feature request related to a problem? Please describe.
I am building an automated scanning system where I use a specialized fingerprinting tool (like ObserverWard or TideFinger) before running Nuclei. This external tool identifies technologies more accurately for my specific targets (e.g., identifying localized CMS or specific middleware) than the built-in Wappalyzer engine used by the -as flag.

I have a list of 1000+ targets, and for each target, I already know exactly which tags need to be scanned.
For example:

• http://target-A.com -> identified as ThinkPHP -> should only run templates with tags: thinkphp
• http://target-B.com -> identified as Tomcat -> should only run templates with tags: tomcat

Current Limitations:

1. Running multiple instances: If I group targets by tags and run nuclei multiple times (e.g., once for ThinkPHP targets, once for Tomcat targets), the overhead of engine initialization is high, and I end up with fragmented report files that are hard to merge.
2. Using -as: This forces Nuclei to re-fingerprint the targets using its internal engine, ignoring my external fingerprint results. It wastes time and might miss the specific tech I already identified.
3. Using Workflows: I tried creating a "Routing Workflow" using javascript protocol triggers or DSL matchers to route targets based on string matching (e.g., contains(BaseURL, ':8080')). However, this is complex to generate dynamically for thousands of targets, and passing the context correctly without sending redundant requests is difficult.

Solution
I would like to support a JSONL input format (or a config file) where I can specify the tags (or template IDs) for each specific target within a single Nuclei execution.

Proposed Input Format (e.g., targets.jsonl):

{"url": "http://127.0.0.1:88", "tags": ["thinkphp", "rce"]}
{"url": "http://127.0.0.1:89", "tags": ["tomcat"]}
{"url": "http://example.com", "tags": ["shiro", "cve"]}

Proposed Command:

nuclei -l targets.jsonl -target-config

Expected Behavior:

1. Nuclei reads the JSONL input.
2. For http://127.0.0.1:88, it only loads and executes templates matching thinkphp and rce.
3. For http://127.0.0.1:89, it only loads and executes templates matching tomcat.
4. It runs in a single process, efficiently managing connections.
5. It produces a single, consolidated JSON report at the end.

Why is this important?
This would allow users to integrate Nuclei into complex scanning pipelines (External Fingerprint -> Nuclei) much more efficiently, avoiding the "spray and pray" approach and enabling precise, asset-driven scanning without the overhead of multiple process executions.

---