StackHawk HawkScan Extension
The StackHawk HawkScan Azure extension makes it easy to integrate application security testing into your CI pipeline.
About StackHawk
Here's the rundown:
- 🧪 Modern Application Security Testing: StackHawk is a dynamic application security testing (DAST) tool, helping you catch security bugs before they hit production.
- 💻 Built for Developers: The engineers building software are the best equipped to fix bugs, including security bugs. StackHawk does security, but is built for engineers like you.
- 🤖 Simple to Automate in CI: Application security tests belong in CI, running tests on every PR. Adding StackHawk tests to a DevOps pipeline is easy.
Getting Started
Use the HawkScan Extension
The HawkScan Extension helps software engineers and security teams run HawkScan, StackHawk's dynamic application security testing tool, within their CI/CD pipeline.
The goal is to run HawkScan as part of the build, against a running web application.
The HawkScanInstall task downloads and installs a version of HawkScan. It accepts the following inputs:
version
: The version of HawkScan to install. If omitted, the latest version of HawkScan is installed.
installerType
: One of auto, zip, or msi. On Unix, auto selects the zip installer. On Windows, auto selects the msi installer; the zip installer is also available as an option.
installPath
: The path on the system where HawkScan is installed. Defaults to ~/hawk-version.
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- task: HawkScanInstall@1
  inputs:
    version: latest
    installerType: auto
The RunHawkScan task runs HawkScan against your application. By default it runs the latest version of HawkScan. It accepts the following inputs:
repoDir
: Directory containing your stackhawk.yml files. Config file arguments are resolved relative to this directory. Defaults to the current directory.
configFile
: The YAML configuration file or files used by HawkScan, located in the repoDir. Defaults to stackhawk.yml; supply a different file name to override it.
version
: The version of HawkScan to run. If omitted, the latest version of HawkScan runs.
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- task: RunHawkScan@1
  inputs:
    configFile: 'stackhawk-test.yml'
    version: 'latest'
HAWK_API_KEY is the StackHawk API key. It must be set as an environment variable for the RunHawkScan task and is required.
For more information on setting environment variables in your Azure pipeline, see the Azure Pipelines documentation.
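As an added example (not part of the extension's own documentation), here is a minimal stackhawk-test.yml of the kind the configFile input above points at. The application ID, environment name and host are constructed placeholders: the applicationId is assigned in the StackHawk platform, and the host must be the address the application is listening on inside the build agent.

```yaml
# stackhawk-test.yml -- added example; the values below are constructed placeholders
app:
  # Application ID assigned in the StackHawk platform (placeholder, replace with yours)
  applicationId: 00000000-0000-0000-0000-000000000000
  # Environment label shown with the scan results
  env: Development
  # Address the app started by the pipeline listens on; HawkScan reaches it from the build agent
  host: http://localhost:9000
```

The API key is deliberately absent from this file: it reaches HawkScan only through the HAWK_API_KEY environment variable mapped from a secret pipeline variable, so it is never committed to the repository alongside the scan configuration.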
The final version of the build file will look something like this:
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
# install HawkScan onto the build agent
- task: HawkScanInstall@1
  inputs:
    version: latest
    installerType: auto
# download, then start your web app in the background;
# HawkScan scans the running application, so it must be up before the scan step
- script: |
    curl -Ls https://github.com/kaakaww/javaspringvulny/releases/download/0.1.0/java-spring-vuly-0.1.0.jar -o ./java-spring-vuly-0.1.0.jar
    java -jar ./java-spring-vuly-0.1.0.jar &
# run HawkScan against the app
- task: RunHawkScan@1
  inputs:
    configFile: "stackhawk-test.yml"
    version: "latest"
  env:
    HAWK_API_KEY: $(API_KEY) # the recommended way to map a secret pipeline variable to an env variable
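The pipeline above starts the application with & and immediately moves on, so on a slow agent the scan can begin before the app is listening and report an empty or partial scan. The variant below is an added example, not the extension's own documentation: it pins the HawkScan version so every build runs the same scanner, waits for the app to answer on its port before scanning, and fails the build if the app never comes up. The port 9000, the secret variable name API_KEY and the version string 'X.Y.Z' are assumptions and placeholders.

```yaml
# Added example pipeline (not the extension's own docs). Assumptions: the app listens on
# port 9000, the secret pipeline variable is named API_KEY, and 'X.Y.Z' is a placeholder
# for a real HawkScan version.
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- task: HawkScanInstall@1
  inputs:
    # pin to a known version instead of 'latest' so builds are reproducible (placeholder)
    version: 'X.Y.Z'
    installerType: auto
- script: |
    curl -Ls https://github.com/kaakaww/javaspringvulny/releases/download/0.1.0/java-spring-vuly-0.1.0.jar -o ./java-spring-vuly-0.1.0.jar
    java -jar ./java-spring-vuly-0.1.0.jar &
  displayName: Start the application in the background
- script: |
    # poll until the app answers; fail the build if it never comes up so the scan
    # does not run against nothing and silently pass
    for i in $(seq 1 30); do
      if curl -fsS http://localhost:9000/ >/dev/null; then
        echo "app is up after $i attempt(s)"
        exit 0
      fi
      sleep 2
    done
    echo "app did not start within 60 seconds"
    exit 1
  displayName: Wait for the application to be ready
- task: RunHawkScan@1
  inputs:
    configFile: 'stackhawk-test.yml'
    # same pinned version as the install step
    version: 'X.Y.Z'
  env:
    HAWK_API_KEY: $(API_KEY) # secret variables reach a step only when mapped explicitly like this
```

Keeping the install and run versions identical avoids a mismatch between the scanner that was installed and the one the run task expects, and the readiness step turns a race into an explicit, visible failure in the pipeline log.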
Need Help?
If you have questions or need some help, please email us at support@stackhawk.com.