StackHawk

StackHawk

Category: DAST
License: Freemium
Visit Website →

StackHawk is a developer-first DAST tool built on the OWASP ZAP engine, designed specifically for modern CI/CD workflows and API-centric applications.

What is StackHawk?

StackHawk brings dynamic application security testing into the development workflow by making it as easy to configure as any other test suite.

Built on the battle-tested OWASP ZAP scanning engine, StackHawk wraps that power in a developer-friendly interface with YAML configuration, CI/CD integrations, and findings designed for engineers rather than security specialists.

The platform focuses on APIs and modern application architectures.

While traditional DAST tools were built for browser-rendered web applications, StackHawk handles REST APIs, GraphQL endpoints, and microservices as first-class citizens.

HawkAI, their API discovery feature, automatically identifies API endpoints from your source code to ensure complete coverage.

StackHawk’s philosophy is that security testing belongs in the development process, not bolted on at the end.

Configuration files live in your repository alongside code, scans run in CI pipelines, and findings include remediation guidance that developers can act on immediately.

Key Features

YAML-Based Configuration

Security tests are configured through stackhawk.yml files that live in your repository:

app:
  applicationId: your-app-id
  env: development
  host: https://localhost:8080

hawk:
  spider:
    maxDurationMinutes: 5

  scanner:
    maxDurationMinutes: 10

  activeScans:
    - crossSiteScripting
    - sqlInjection
    - pathTraversal
    - commandInjection

auth:
  usernamePassword:
    credentials:
      - username: testuser
        password: ${TEST_PASSWORD}
    loginPath: /api/auth/login
    tokenExtraction:
      type: json
      name: accessToken

This approach means security configuration is:

  • Version controlled alongside application code
  • Reviewed in pull requests
  • Consistent across environments
  • Reproducible by any team member

REST and GraphQL API Testing

StackHawk tests APIs using your OpenAPI specifications or through active discovery:

app:
  applicationId: your-app-id
  host: https://api.example.com

hawk:
  openApiFile: openapi/spec.yaml

  graphql:
    introspectionEnabled: true
    introspectionEndpoint: /graphql

For GraphQL, StackHawk uses introspection to understand your schema and generates appropriate test queries.

It tests mutations, queries, and subscriptions for injection vulnerabilities and authorization flaws.

HawkAI API Discovery

HawkAI analyzes your source code to discover API endpoints that may not be documented in OpenAPI specs:

hawk:
  sourceHawk:
    enabled: true
    paths:
      - src/main/java
      - src/routes

The discovery process identifies:

  • Route definitions in frameworks like Express, Spring, Django, Rails
  • Undocumented endpoints that were never added to specs
  • Internal APIs that may have security implications
  • Differences between spec and actual implementation

Developer-Focused Findings

When vulnerabilities are found, StackHawk provides actionable remediation guidance:

  • Code examples showing how to fix the issue
  • Links to relevant documentation
  • Severity based on exploitability, not just category
  • Integration with issue trackers for workflow

Findings avoid security jargon and focus on what developers need to do to fix problems.

Installation

CLI Installation

# macOS with Homebrew
brew tap stackhawk/tap
brew install stackhawk

# Linux
curl -sL https://download.stackhawk.com/hawk/install.sh | bash

# Docker
docker pull stackhawk/hawkscan

Verify Installation

hawk version
# HawkScan CLI v3.x.x

# Authenticate with your API key
hawk auth

Configuration Setup

Create a stackhawk.yml in your project root:

app:
  applicationId: ${STACKHAWK_APP_ID}
  env: ${STACKHAWK_ENV}
  host: ${STACKHAWK_HOST}

hawk:
  spider:
    base: false  # Use API spec instead of spidering

  scanner:
    maxDurationMinutes: 15

Running a Scan

# Run with configuration file
hawk scan

# Override host for local testing
hawk scan --host http://localhost:8080

# Use specific environment
hawk scan --env staging

Integration

GitHub Actions

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  stackhawk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Start application
        run: docker-compose up -d

      - name: Wait for application
        run: |
          timeout 60 bash -c 'until curl -s http://localhost:8080/health; do sleep 2; done'

      - name: Run StackHawk scan
        uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.STACKHAWK_API_KEY }}
          configurationFiles: stackhawk.yml
          codeScanningAlerts: true  # Upload to GitHub Security tab
          githubToken: ${{ github.token }}

      - name: Upload scan results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: stackhawk-results
          path: stackhawk-results/

GitLab CI

stages:
  - build
  - test
  - security

stackhawk:
  stage: security
  image: stackhawk/hawkscan:latest
  variables:
    STACKHAWK_APP_ID: $STACKHAWK_APP_ID
    STACKHAWK_ENV: staging
  script:
    - |
      hawk scan \
        --api-key $STACKHAWK_API_KEY \
        --host $STAGING_URL
  artifacts:
    reports:
      junit: stackhawk-results/junit.xml
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

Jenkins Pipeline

pipeline {
    agent any

    environment {
        STACKHAWK_API_KEY = credentials('stackhawk-api-key')
    }

    stages {
        stage('Deploy') {
            steps {
                sh './deploy-staging.sh'
            }
        }

        stage('Security Scan') {
            steps {
                sh '''
                    docker run --rm \
                        -v $(pwd):/hawk \
                        -e STACKHAWK_API_KEY \
                        stackhawk/hawkscan:latest
                '''
            }
        }
    }

    post {
        always {
            archiveArtifacts artifacts: 'stackhawk-results/**/*'
        }
    }
}

Authentication Configuration

Configure authentication for testing protected endpoints:

# Cookie-based authentication
auth:
  cookieAuthorization:
    cookieName: session
    cookieValue: ${SESSION_COOKIE}

# Bearer token authentication
auth:
  headerAuthorization:
    headers:
      - name: Authorization
        value: Bearer ${ACCESS_TOKEN}

# OAuth2 authentication flow
auth:
  oauth2:
    tokenUrl: https://auth.example.com/oauth/token
    clientId: ${CLIENT_ID}
    clientSecret: ${CLIENT_SECRET}
    scopes:
      - read
      - write

Jira Integration

Automatically create Jira tickets for findings:

  1. Configure Jira integration in StackHawk dashboard
  2. Set up project and issue type mapping
  3. Findings above threshold automatically create tickets

When to Use StackHawk

Ideal for teams that:

  • Practice DevSecOps and want security in CI/CD
  • Build API-first applications (REST, GraphQL)
  • Want version-controlled security configuration
  • Need developer-friendly findings and remediation
  • Use modern CI/CD platforms (GitHub Actions, GitLab CI)
  • Prefer configuration-as-code approaches

Consider alternatives if:

  • You need to scan without application source/config access
  • Heavy reliance on traditional browser-rendered applications
  • You require enterprise features without per-seat pricing
  • You need on-premises deployment (StackHawk is SaaS)

StackHawk succeeds by meeting developers where they work.

Its YAML configuration, CI/CD integrations, and API-focused testing make it a natural fit for modern application development, while the underlying ZAP engine provides proven vulnerability detection capabilities.

Other DAST Tools

Acunetix
Acunetix

Multi-Platform Easy-to-Use DAST

AppCheck
AppCheck

Former Internal Pentest Tool

Astra Security
Astra Security

AI-Powered Continuous Pentest Platform

Beagle Security
Beagle Security

AI-Powered Pentesting Platform

See all DAST tools