StackHawk HawkScan Extension
The StackHawk HawkScan Azure Extension makes it easy to integrate application security testing into your Azure DevOps pipeline.
About StackHawk
Here's the rundown:
- 🧪 Modern Application Security Testing: StackHawk is a dynamic application security testing (DAST) tool, helping you catch security bugs before they hit production.
- 💻 Built for Developers: The engineers building software are the best equipped to fix bugs, including security bugs. StackHawk does security, but is built for engineers like you.
- 🤖 Simple to Automate in CI: Application security tests belong in CI, running tests on every PR. Adding StackHawk tests to a DevOps pipeline is easy.
Getting Started
Use the HawkScan Extension
The HawkScan Extension helps software engineers and security teams run HawkScan, StackHawk's dynamic application security testing tool, inside their CI/CD pipeline.
The goal is to run HawkScan as part of the build, against a running instance of your web application.
The HawkScanInstall task downloads and installs a version of HawkScan. It accepts the following inputs:
version
: The version of HawkScan to install. If omitted, the latest version of HawkScan is installed. Pinning an explicit version gives reproducible builds and lets you review HawkScan upgrades before they reach the pipeline.
installerType
: One of auto, zip, or msi. On Unix, auto selects the zip installer. On Windows, auto selects the msi installer; the zip installer is also available there.
installPath
: The path on the system to install HawkScan to. Defaults to ~\hawk-VERSION.
```yaml
trigger:
- main

pool:
  vmImage: windows-latest

steps:
- task: HawkScanInstall@1
  inputs:
    version: latest
    installerType: auto
```
The RunHawkScan task starts HawkScan against your running web application. By default it runs the latest version of HawkScan.
The HAWK_API_KEY environment variable must be set to your StackHawk API key. This is required. The task accepts the following inputs:
repoDir
: Directory containing your stackhawk.yml file(s). Config file arguments are resolved relative to this directory. Defaults to the current directory.
configFile
: The stackhawk.yml configuration file (or files) in repoDir that HawkScan uses. Defaults to stackhawk.yml; supply a different file name to override it. See the HawkScan configuration documentation for details on how to configure HawkScan.
version
: The version of HawkScan to run. If omitted, the latest version of HawkScan runs.
installPath
: The path on the system to run HawkScan from. Set this only when the HawkScanInstall task was given a custom installPath.
```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: RunHawkScan@1
  inputs:
    configFile: 'stackhawk-test.yml'
    version: 'latest'
    installPath: /usr/bin/custom/hawk/path # only needed when HawkScanInstall used a custom installPath
  env:
    HAWK_API_KEY: $(API_KEY) # map the secret pipeline variable API_KEY into the task environment
```
HAWK_API_KEY is the environment variable that carries your StackHawk API key; RunHawkScan will not start without it.
Store the key as a secret pipeline variable and map it explicitly with env: on the RunHawkScan task, as in the complete pipeline below. Azure Pipelines does not expose secret variables to tasks as environment variables automatically, and mapping the key only into the one task that needs it keeps it out of other steps' environments and logs.
See the Azure Pipelines documentation on defining variables for details on setting environment variables in your pipeline.
Java Version
HawkScan 4 and above requires Java 17 through 21. To ensure the pipeline uses a supported Java version, add the Java Tool Installer step to your pipeline:
```yaml
- task: JavaToolInstaller@0
  inputs:
    versionSpec: "17"
    jdkArchitectureOption: "x64"
    jdkSourceOption: "PreInstalled"
```
The finished pipeline file looks something like this:
```yaml
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
# install hawkscan onto the machine
- task: HawkScanInstall@1
  inputs:
    version: latest
    installerType: auto
# update pipeline to use the correct version of Java
- task: JavaToolInstaller@0
  inputs:
    versionSpec: "17"
    jdkArchitectureOption: "x64"
    jdkSourceOption: "PreInstalled"
# download then start your web app in the background
- script: |
    curl -Ls https://github.com/kaakaww/javaspringvulny/releases/download/0.1.0/java-spring-vuly-0.1.0.jar -o ./java-spring-vuly-0.1.0.jar
    java -jar ./java-spring-vuly-0.1.0.jar &
# run hawkscan on the machine
- task: RunHawkScan@1
  inputs:
    configFile: stackhawk-test.yml
    version: latest
  env:
    HAWK_API_KEY: $(API_KEY) # the recommended way to map to an env variable
```
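The script step above launches the app in the background and the pipeline moves straight on to RunHawkScan, so the scan can start before the application is listening and come back empty or fail. A readiness gate, added here as an example (it is not part of the extension or of StackHawk's documentation), polls a probe command until it succeeds or a timeout expires, and fails the step if the app never comes up. The probe command, URL and port in the comments are assumptions for the javaspringvulny app started above; replace them with your own health endpoint.

```shell
#!/bin/sh
# Readiness gate for a web app started in the background, added as an example
# for the pipeline above (not part of the StackHawk extension).
#
# wait_for_ready PROBE [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
#   PROBE    shell command string that exits 0 once the app is ready,
#            e.g. 'curl -fsS -o /dev/null http://localhost:9000/'
#            (assumed URL and port; point it at your own health endpoint)
#   returns 0 when the probe succeeds, 1 when TIMEOUT_SECONDS elapse first.
#   WAIT_FOR_READY_ATTEMPTS holds the number of probes that were run.
wait_for_ready() {
  probe=$1
  timeout=${2:-60}
  interval=${3:-2}
  elapsed=0
  WAIT_FOR_READY_ATTEMPTS=0
  while [ "$elapsed" -lt "$timeout" ]; do
    WAIT_FOR_READY_ATTEMPTS=$((WAIT_FOR_READY_ATTEMPTS + 1))
    # The probe's output is discarded; only its exit status matters.
    if eval "$probe" >/dev/null 2>&1; then
      echo "app ready after ${elapsed}s (${WAIT_FOR_READY_ATTEMPTS} probe(s))"
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "app not ready after ${timeout}s (${WAIT_FOR_READY_ATTEMPTS} probe(s)); refusing to scan" >&2
  return 1
}

# Pipeline usage, inside the same script step that starts the app
# (assumed port 9000 for javaspringvulny):
#   java -jar ./java-spring-vuly-0.1.0.jar &
#   wait_for_ready 'curl -fsS -o /dev/null http://localhost:9000/' 60 2
```

Because the function returns nonzero on timeout, the script step fails and the RunHawkScan task never runs against an application that is not there, so the build cannot report a clean scan that actually tested nothing. The probe is passed as a command string rather than a fixed URL so the same gate works for an HTTP health check, a TCP port check, or a log-file grep.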
Need Further Assistance?
If you have questions or need help, please email us at support@stackhawk.com.