Agentic DAST Setup Guide
This guide walks you through the complete agentic DAST workflow: install a StackHawk agent skill, run a security scan, fix every finding, and verify with a clean rescan — all within your AI coding agent.
Prerequisites
Before you start, you need:
- A StackHawk account (sign up or log in)
- A StackHawk API key (Settings → API Keys in the StackHawk platform)
- HawkScan CLI installed, or Docker available
- An application running locally that the scanner can reach
Install HawkScan CLI
HawkScan provides signed installers for all major platforms:
| Platform | Method |
|---|---|
| macOS | brew install stackhawk/tap/hawk or download the signed .pkg installer from Downloads |
| Windows | Download the .msi installer from Downloads |
| Linux | Download the .zip package from Downloads |
| Docker | docker pull stackhawk/hawkscan |
macOS and Windows installers bundle Java 17 — no additional dependencies needed. Linux users may need to install Java 17+ separately.
Verify installation:
hawk --version
For full installation details, platform-specific instructions, and SHA-256 verification hashes, see Install and Run HawkScan.
Enterprise Deployment
For teams rolling out HawkScan across many developer machines:
- macOS (JAMF / Kandji / Mosyle): Deploy the signed .pkg installer as a managed package. The installer is notarized and supports silent installation, so no user interaction is required.
- Windows (Intune / SCCM / Group Policy): Deploy the .msi installer via your MDM or software distribution tool. It supports the standard MSI silent install flags (/quiet /norestart).
- Linux (Ansible / Chef / Puppet): Distribute the .zip package and extract it to a standard path (e.g., /opt/stackhawk/). Add that path to $PATH in your provisioning scripts.
- API key distribution: Set HAWK_API_KEY as a machine-level or user-level environment variable via your configuration management tool. Avoid embedding keys in scripts; use your secrets manager (Vault, AWS Secrets Manager, etc.) to inject the key at runtime.
Whichever package you push, compare its SHA-256 with the hash published on the Downloads page before adding it to your distribution tool.
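The Linux provisioning path and the API-key guidance above, worked through as a POSIX shell script. This is an added example written for this guide, not StackHawk's own installer or any script from the agent-skills repository. It assumes your configuration management tool passes in the downloaded .zip and the SHA-256 from the Downloads page, that the hawk executable sits directly under the install prefix after unpacking (adjust the PATH entry if your archive nests it in a versioned directory), and that `hawk scan` is the scan command; the vault and aws commands in the comments are illustrative secrets-manager reads.

```shell
#!/bin/sh
# Added provisioning example for HawkScan on Linux (not StackHawk's installer script):
# verify the .zip against the published SHA-256, unpack it under /opt/stackhawk, put it on
# every user's PATH, and fetch HAWK_API_KEY from a secrets manager at scan time instead of
# writing it into a script. Assumptions: the expected hash is supplied by your config
# management tool and the hawk executable ends up directly in the install prefix.
set -eu

# SHA-256 of a file, using whichever tool the host provides (coreutils or perl shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeeds only when the file's digest equals the expected hex digest (case-insensitive).
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$(sha256_of "$1")" = "$expected" ]
}

# Write a profile.d snippet that prepends the install prefix to PATH exactly once.
# $1 = install prefix, $2 = snippet path (normally /etc/profile.d/hawkscan.sh).
write_path_profile() {
  cat > "$2" <<EOF
# Managed by provisioning; do not edit by hand.
case ":\$PATH:" in
  *":$1:"*) ;;
  *) PATH="$1:\$PATH"; export PATH ;;
esac
EOF
  chmod 0644 "$2"
}

# Install step: refuse to unpack anything whose hash does not match the published one.
# $1 = downloaded zip, $2 = expected SHA-256, $3 = install prefix (default /opt/stackhawk).
install_hawkscan() {
  prefix=${3:-/opt/stackhawk}
  if ! verify_sha256 "$1" "$2"; then
    echo "SHA-256 mismatch for $1; refusing to install" >&2
    return 1
  fi
  mkdir -p "$prefix"
  unzip -q -o "$1" -d "$prefix"
  write_path_profile "$prefix" /etc/profile.d/hawkscan.sh
}

# Scan with the key injected into that one process only. The arguments are the command
# that prints the key, for example:
#   run_scan_with_key vault kv get -field=api_key secret/stackhawk
#   run_scan_with_key aws secretsmanager get-secret-value --secret-id stackhawk \
#                     --query SecretString --output text
run_scan_with_key() {
  HAWK_API_KEY=$("$@") hawk scan
}
```

Because the key is assigned on the command line of `hawk scan` itself, it never lands in a profile file, a cron script or shell history, and it disappears when the scan process exits.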
Step 1: Install the Agent Skill
Choose your AI coding platform:
| Platform | Install Command |
|---|---|
| Claude Code | /plugin marketplace add stackhawk/agent-skills then /plugin install hawkscan@stackhawk |
| Codex | /plugin marketplace add stackhawk/agent-skills then /plugin install hawkscan@stackhawk |
| Gemini CLI | gemini extensions install https://github.com/stackhawk/agent-skills |
| GitHub Copilot | Copy skills to ~/.copilot/skills/ — see Copilot setup |
| Cursor | Copy rules from agent-skills cursor/ dir to ~/.cursor/rules/ — see Cursor setup |
For detailed setup instructions, see the platform-specific guides.
Step 2: Set Your API Key
export HAWK_API_KEY=hawk.xxxxxxxxxxxxxxxxxxxx
Never hardcode your API key in stackhawk.yml, other config files, or source code; an export line in a committed shell script counts as hardcoding. Set HAWK_API_KEY in the environment where the scanner and your agent run, and on shared or CI machines inject it from a secrets manager at runtime.
Step 3: Ask Your Agent to Scan
Tell your AI agent to set up and run a security scan:
Set up security scanning for my app and scan it for vulnerabilities
The agent handles the rest — it will check if your app is running (and start it if needed), generate a stackhawk.yml configuration, validate it, and kick off the scan. If the app isn’t reachable, the agent will tell you what to do.
Step 4: Fix and Verify
If the scan finds vulnerabilities, tell the agent:
Fix all of these security findings
The agent reads your code, understands the vulnerability context, and makes idiomatic fixes: parameterized queries for SQL injection, output encoding for XSS, security headers for missing protections, and more. Review the resulting diff as you would any pull request before committing it.
After fixing, the agent rescans to verify all issues are resolved.
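Steps 2 and 3 above, made concrete as an added shell example (this is not code from StackHawk or from the agent skill): a minimal stackhawk.yml of the shape the agent generates, with the three required app fields and no credential in it, plus a pre-commit guard that refuses to let a HawkScan API key be committed next to it. The application ID and local port are placeholders, and the key pattern is inferred from the hawk.xxxxxxxxxxxxxxxxxxxx placeholder in Step 2 rather than taken from a StackHawk specification.

```shell
#!/bin/sh
# Added example (not StackHawk's code): the minimal config the agent writes, and a guard
# that fails when an API key has been written into the working tree instead of the
# environment. Assumed: placeholder app ID and port; key pattern inferred from the
# hawk.xxxxxxxxxxxxxxxxxxxx placeholder in this guide.
set -eu

# Write a minimal stackhawk.yml: application ID from the StackHawk platform, an
# environment name, and the local URL the scanner will attack. No API key goes in here.
# $1 = output path, $2 = application ID, $3 = app URL (default http://localhost:3000)
write_stackhawk_yml() {
  out=$1
  app_id=$2
  host=${3:-http://localhost:3000}
  cat > "$out" <<EOF
app:
  applicationId: $app_id
  env: Development
  host: $host
EOF
}

# Exit 0 if any file under the directory (dotfiles included, .git skipped) contains
# something that looks like a HawkScan API key.
has_hardcoded_key() {
  grep -rEl --exclude-dir=.git 'hawk\.[A-Za-z0-9]{20,}' "$1" >/dev/null 2>&1
}

# Pre-commit check: refuse the commit when a key is present in the tree; otherwise warn
# if the scanner would not find its key in this shell's environment.
precommit_check() {
  if has_hardcoded_key "$1"; then
    echo "refusing commit: HawkScan API key found under $1; export HAWK_API_KEY instead" >&2
    return 1
  fi
  [ -n "${HAWK_API_KEY:-}" ] || echo "note: HAWK_API_KEY is not set in this shell" >&2
  return 0
}
```

Wire `precommit_check .` into your pre-commit hook; the generated stackhawk.yml passes because it carries only the application ID, environment and host, while a stray `.env` or script holding the key makes the commit fail.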
The Autonomous Loop
With the latest agent skills, your AI agent runs this entire workflow automatically. When you finish building a feature:
- The agent announces it’s running a security scan
- It configures HawkScan if needed
- It scans your application
- If it finds vulnerabilities, it fixes all of them
- It rescans to verify the fixes
- It reports the results
You don’t need to ask: “done” means “done, scanned, and with no open findings.”
Troubleshooting
The agent handles most issues automatically — config errors, unreachable apps, auth failures, low path counts. If something goes wrong during a scan, the agent will diagnose the problem and either fix it or tell you what it needs.
If the agent skill isn’t activating:
- Confirm it’s installed — ask your agent “What StackHawk skills do you have?”
- Check that HAWK_API_KEY is set in the environment where the agent runs, not only in the terminal you exported it from
For deeper HawkScan issues, see the HawkScan Troubleshooting guide.