Agentic StackHawk Setup Guide

This guide walks you through the complete agentic security testing workflow: install a StackHawk agent skill, run a security scan, fix every finding, and verify with a clean rescan — all within your AI coding agent.

Prerequisites

Before you start, you need:

A StackHawk account (sign up or log in)
A StackHawk API key (Settings → API Keys in the StackHawk platform)
HawkScan and HawkOp CLIs installed
An application running locally that the scanner can reach with it’s associated source code.

Install hawk and hawkop

brew tap stackhawk/cli && brew install hawk hawkop
hawk init
hawkop init

Download and run the installers from docs.stackhawk.com/downloads:

hawk — Windows MSI (includes bundled Java)
hawkop — Windows MSI

Then authenticate:

hawk init
hawkop init

CMD users: use PowerShell (built into Windows 10+) or WSL.

hawk init prompts for your API key (hawk.xxxxxxxxxx.xxxxxxxxxx) — get one at app.stackhawk.com → Settings → API Keys. hawkop init picks up the key automatically and prompts for your default organization.

Step 1: Install the Agent Skill

Choose your AI coding platform:

Platform	Install Command
Claude Code	`/plugin marketplace add stackhawk/agent-skills-marketplace` then `/plugin install hawkscan@stackhawk` then `/plugin install stackhawk-api@stackhawk`
Codex	`codex plugin marketplace add stackhawk/agent-skills` then `codex plugin add hawkscan@stackhawk`
Antigravity (agy)	`agy plugin install https://github.com/stackhawk/agent-skills`
GitHub Copilot	`copilot plugin marketplace add stackhawk/agent-skills` then `copilot plugin install hawkscan@stackhawk`
Cursor	Copy rules from agent-skills `cursor/` dir to `~/.cursor/rules/` — see Cursor setup

For detailed setup instructions, see the platform-specific guides.

Model recommendation: Claude Sonnet 4.5+ and Opus perform well with multi-step security scanning workflows — app creation, auth configuration, and fix loops. GPT-4o and GPT-4.1 have shown less reliable results in our testing. If you're using GitHub Copilot or another multi-model platform, select Claude when running security scanning tasks.

Step 2: Ask Your Agent to Scan

Tell your AI agent to set up and run a security scan:

Set up security scanning for my app and scan it for vulnerabilities

The agent handles the rest — it will check if your app is running (and start it if needed), generate a stackhawk.yml configuration, validate it, and kick off the scan. If the app isn’t reachable, the agent will tell you what to do.

Step 3: Fix and Verify

If the scan finds vulnerabilities, tell the agent:

Fix all of these security findings

The agent reads your code, understands the vulnerability context, and makes idiomatic fixes — parameterized queries for SQL injection, output encoding for XSS, security headers for missing protections, and more.

After fixing, the agent rescans to verify all issues are resolved.

The Autonomous Loop

With the latest agent skills, your AI agent runs this entire workflow automatically. When you finish building a feature:

The agent announces it’s running a security scan
It configures HawkScan if needed
It scans your application
If it finds vulnerabilities, it fixes all of them
It rescans to verify the fixes
It reports the results

You don’t need to ask — “done” means “done and secure.”

Troubleshooting

The agent handles most issues automatically — config errors, unreachable apps, auth failures, low path counts. If something goes wrong during a scan, the agent will diagnose the problem and either fix it or tell you what it needs.

If the agent skill isn’t activating:

Confirm it’s installed — ask your agent “What StackHawk skills do you have?”
Check that hawk init was run and ~/.hawk/hawk.properties exists

For deeper HawkScan issues, see the HawkScan Troubleshooting guide.