Application Security Testing with HawkScan Github Action

April Conger   |   Jan 25, 2021


StackHawk is always searching for ways to make application security testing easier for developers. That’s why we have created a new GitHub Action that integrates AppSec testing directly into your GitHub CI/CD pipeline.

If you aren’t familiar, GitHub Actions is a powerful platform for continuous integration and deployment. Using simple YAML workflow configuration files, you can trigger software builds, tests, and deployments from a variety of events such as merging code. With a free GitHub account, you have access to thousands of minutes of compute time per month for building, testing, and deploying your applications.

Our scanner, HawkScan, works by scanning your running application, finding all of its available API routes, and probing them with security tests. In the StackHawk web app, you can analyze the results of your scans and track the security profile of your application over time. StackHawk alerts you whenever new security bugs are found, and you can assign bugs to developers to track them to resolution.

The HawkScan Action makes it easy to add dynamic application security testing (DAST) to your GitHub Actions workflow. This means that every time a developer checks in code, you can automatically test your application and discover any new security issues as soon as they are introduced. Run those automated tests in a pre-production environment, and you can catch and resolve those bugs before they ever get exposed to your customers and the world.

Using the HawkScan Action

The HawkScan Action can run most scans with just a single parameter – your StackHawk API key. For example, to scan a Node.js app, your GitHub Actions workflow would be as simple as this:

# .github/workflows/hawkscan.yml

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm install
      - run: nohup node bin/www &
      - uses: stackhawk/[email protected]
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}

This workflow has 4 steps:

  • Checks out your code with the actions/checkout@v2 action
  • Installs your Node.js app and its dependencies with npm install
  • Runs your app in the background with nohup node bin/www &
  • Scans your app with our stackhawk/[email protected] action using your StackHawk API key from GitHub secrets.

The rest of the configuration for HawkScan lives in your code repository in a stackhawk.yml file.

# stackhawk.yml

app:
  applicationId: xxxxxxxx-XXXX-xxxx-XXXX-xxxxxxxxxxxx
  env: Development
  host: http://localhost:3000

Other Configuration Options

The HawkScan Action exposes all of the features of HawkScan, so there are no limits to how you can run it in your pipeline.

Multiple Configuration Files

To support multiple HawkScan configurations in different environments, you can use multiple configuration files to override a base configuration. Just supply your configuration files in order using the configurationFiles input, like so.

# .github/workflows/hawkscan.yml

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: stackhawk/[email protected]
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          configurationFiles: |
            stackhawk.yml
            stackhawk-overrides.yml

Environment Variables

The HawkScan configuration file supports environment variable interpolation, so you can dynamically set configuration options at runtime. For instance, you could set the value of your app.host parameter at run time using the APP_HOST environment variable. Your HawkScan configuration file would look like this.

# stackhawk.yml

app:
  applicationId: xxxxxxxx-XXXX-xxxx-XXXX-xxxxxxxxxxxx
  env: Development
  host: ${APP_HOST}

And to set your host entry to http://example.com at runtime, your GitHub Actions workflow would look like this:

# .github/workflows/hawkscan.yml

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: stackhawk/[email protected]
        env:
          APP_HOST: http://example.com
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          environmentVariables: APP_HOST

Get Started with the HawkScan Action!

The HawkScan Action makes it easy to add DAST scanning to your build pipeline, so you can catch new security bugs before they end up in production. Even if you are brand new to StackHawk, you can be up and running inside of an hour. Here’s how:
