Get application config

A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like `jsessionid` or `PHPSESS`. When used in combination with authentication HawkScan will use this value to persist authenticated session state with your application.

Specifies the type of token being supplied. If `COOKIE` is specified the .external.value should be in the form of a cookie value <cookie-name>=<cookie-value> . Defaults to `TOKEN`.

**Required**. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`. Use value or values but not both. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The command to start the process e.g. `bash`, `python`

Parameters required to run the script e.g. `-c`, `--verbose`

Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.

Use this for parameters for individual users that can't be discovered by smart crawling.

Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).

**Required**. A unique identifier name for this user profile to distinguish between different users during multi-user scans.

The credentials required for the authentication script. These values will be redacted.

The name of the authentication script, as specified in the `hawkAddOn.scripts.name`.

The parameters required for the authentication script.

*Required* The name of the session script defined in `hawkAddons.scripts`. The script `type` must be `session`, and match the `hawkAddOn.scripts.name` field.

A map of key/value pairs that will be passed to your session script, which can be accessed via `sessionWrapper.getParam()` function.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should halt and enter an error state. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.

**Required**. The path to a protected route in your application that requires authorization. For example `/mysettings`. A `GET` request will be made to this path using the configured authentication.

The request content to send along with POST or PUT requests for authentication verification.

List of key/value pairs to be included as headers in the request to the `path`. Headers that match the following pattern are unable to be added or modified `'^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'`.

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should proceed with the specified authentication. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

An enum value representing what to match against in the response from issuing a request to the `testPath.path`. The supported values are `HEADER` and `BODY`.

If the token is a JWT, mark this field as true

If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.

TokenType will be prepended the header value e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx"

An enum value representing how to pass the authorization token to your application. `HEADER` indicates that each request should have the authorization token header added to the requests. `QUERY_PARAM` indicates that the token should be passed as a query parameter.

**Required**. The name of the `HEADER` or `QUERY_PARAM` the token should be passed as.

Specifying `TOKEN_PATH` tells HawkScan to extract the token from the JSON payload of the response from authentication. `HEADER` tells HawkScan to extract the token from a header in the response from authentication. defaults to `TOKEN_PATH`.

*Required**. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token. Example: if the authentication response JSON payload looks like `{"auth" : {"token": "<my-auth-token>"}}` the value would be `auth.token`. If the authentication response has a header named `AuthToken: <my-token>`, then the value should be `AuthToken`.

The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.

The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.

The path to your login form, if applicable. This is an optional path but is often required if the `POST` to the loginPath requires an anti csrf token to be passed as part of the `POST`. The `app.antiCsrfParam` will be extracted from the response body of a GET request to this page.

**Required**. login route to `POST` credentials for a user in the application (ex. `/login`). An http `POST` request using the type specified will be made to this path.

Other request parameters required by your login payload, provided as an array of objects with `name` and `value` string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.

**Required**. The password html field used in your application form or json, provided as a string.

Realm for NTLM authentication

*Required**. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).

*Required**. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).

An enum value describing the type of `POST` data expected by the `loginPath`

**Required**. the username html field used in your application form or json, provided as a string.

A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like `jsessionid` or `PHPSESS`. When used in combination with authentication HawkScan will use this value to persist authenticated session state with your application.

Specifies the type of token being supplied. If `COOKIE` is specified the .external.value should be in the form of a cookie value <cookie-name>=<cookie-value> . Defaults to `TOKEN`.

**Required**. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`. Use value or values but not both. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The command to start the process e.g. `bash`, `python`

Parameters required to run the script e.g. `-c`, `--verbose`

Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.

Use this for parameters for individual users that can't be discovered by smart crawling.

Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).

**Required**. A unique identifier name for this user profile to distinguish between different users during multi-user scans.

The credentials required for the authentication script. These values will be redacted.

The name of the authentication script, as specified in the `hawkAddOn.scripts.name`.

The parameters required for the authentication script.

*Required* The name of the session script defined in `hawkAddons.scripts`. The script `type` must be `session`, and match the `hawkAddOn.scripts.name` field.

A map of key/value pairs that will be passed to your session script, which can be accessed via `sessionWrapper.getParam()` function.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should halt and enter an error state. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.

**Required**. The path to a protected route in your application that requires authorization. For example `/mysettings`. A `GET` request will be made to this path using the configured authentication.

The request content to send along with POST or PUT requests for authentication verification.

List of key/value pairs to be included as headers in the request to the `path`. Headers that match the following pattern are unable to be added or modified `'^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'`.

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should proceed with the specified authentication. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

An enum value representing what to match against in the response from issuing a request to the `testPath.path`. The supported values are `HEADER` and `BODY`.

If the token is a JWT, mark this field as true

If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.

TokenType will be prepended the header value e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx"

An enum value representing how to pass the authorization token to your application. `HEADER` indicates that each request should have the authorization token header added to the requests. `QUERY_PARAM` indicates that the token should be passed as a query parameter.

**Required**. The name of the `HEADER` or `QUERY_PARAM` the token should be passed as.

Specifying `TOKEN_PATH` tells HawkScan to extract the token from the JSON payload of the response from authentication. `HEADER` tells HawkScan to extract the token from a header in the response from authentication. defaults to `TOKEN_PATH`.

*Required**. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token. Example: if the authentication response JSON payload looks like `{"auth" : {"token": "<my-auth-token>"}}` the value would be `auth.token`. If the authentication response has a header named `AuthToken: <my-token>`, then the value should be `AuthToken`.

The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.

The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.

The path to your login form, if applicable. This is an optional path but is often required if the `POST` to the loginPath requires an anti csrf token to be passed as part of the `POST`. The `app.antiCsrfParam` will be extracted from the response body of a GET request to this page.

**Required**. login route to `POST` credentials for a user in the application (ex. `/login`). An http `POST` request using the type specified will be made to this path.

Other request parameters required by your login payload, provided as an array of objects with `name` and `value` string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.

**Required**. The password html field used in your application form or json, provided as a string.

Realm for NTLM authentication

*Required**. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).

*Required**. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).

An enum value describing the type of `POST` data expected by the `loginPath`

**Required**. the username html field used in your application form or json, provided as a string.

The field name of the param to inject values into.

An optional operationName that will only inject custom values if the name of the operation on the request matches.

An optional GraphQL operation type (MUTATION or QUERY) that will inject custom values only when the request matches the operation type.

A list of possible values to be randomly selected for the given field.

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction

A list of possible values to be randomly selected for the given field.

GraphQL operation name.

Graphql operation type. Options are `All`, `QUERY` and `MUTATION`.

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction

A list of possible values to be randomly selected for the given field.

Support for direct web remoting request bodies. Deprecated.

Support for GWT request bodies. Deprecated.

Support for json request bodies.

Support for `multipart/form-data` request bodies.

Support for Odata request bodies. Deprecated.

Support for xml request bodies.

Allow injection of testable inputs for cookie data.

Allow injection of testable inputs for http headers.

Allow injection of testable inputs request body inputs on POST requests.

Allow injection of testable inputs url paths.

Allow injections of testable inputs url query parameter names.

Allow injection of testable inputs url query parameter values.

The field name of the param to inject values into. Using dot notation will resolve nested objects for request bodies (e.g., `user.address.id`).

An optional regex pattern that will only inject custom values if the JSON-RPC method name matches.

A list of possible values to be randomly selected for the given field.

Define custom variables and values for use in MCP tool scanning.

MCP server endpoint path relative to target host. Defaults to `/mcp`.

MCP tool names to exclude from scanning.

The field name of the param to inject values into.

An optional path regex that will only inject custom values if the path of the request matches.

A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.

A list of possible values to be randomly selected for the given field.

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction

A list of possible values to be randomly selected for the given field.

The field name of the param to inject values into.

An optional path regex that will only inject custom values if the path of the request matches.

A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.

A list of possible values to be randomly selected for the given field.

**Required**. The password for proxy credentials.

Realm for proxy credentials.

Scheme of proxy authentication. Currently `BASIC`, `NTLM` are supported.

**Required**. The username for proxy credentials.

Command arguments provided as an array of strings. These arguments can be used in addition to or instead of the command. This should be used if the command is sufficiently complex or is exceptionally whitespace sensitive.

Provide a command to run as part of the scan discovery phase. This command will be split from its arguments and execute on its own thread in a context with additional environment variables set with the proxy configuration for HawkScan to intercept http traffic.

Key-Value map of additional environment variables or secrets to pass along into the execution of the command. These values will be redacted from the logs.

Key-Value map of environment variable names and values to pass along into the execution of the command.

Only provide the environment variables and credentials as configured. By default also includes the environment from the parent process environment for convenience.

This command prints the stdout and stderr of the command to the foreground.

The absolute path working directory these commands are run from.

The hostname of URLs in the HAR file that will be replaced with the host defined in `app.host`. Leave blank if the `app.host` is then same hostname in the HAR file.

API key to authenticated the user with Postman.

Id of the collection to be pulled from Postman.

File path of the Postman collection.

Content types to exclude from response body uploads. If specified, adds to the default exclude list. Exclusions take precedence over inclusions. Supports wildcards (e.g., `image/*`).

Content types to include in response body uploads. If specified, replaces the default include list. Supports wildcards (e.g., `application/*+json`, `image/*`).

Replacer rule initiators.

Enable regex search for `matchString`. Useful when `replaceOnly` is true (e.g. `Referer:.*` will replace the entire `Referer:` header line).

If `replaceOnly` is false, only match the header name. If `replaceOnly` is true, matches the exact string on the header line.

If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.

If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.

Param name.

Param value.

A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like `jsessionid` or `PHPSESS`. When used in combination with authentication HawkScan will use this value to persist authenticated session state with your application.

Specifies the type of token being supplied. If `COOKIE` is specified the .external.value should be in the form of a cookie value <cookie-name>=<cookie-value> . Defaults to `TOKEN`.

**Required**. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`. Use value or values but not both. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The command to start the process e.g. `bash`, `python`

Parameters required to run the script e.g. `-c`, `--verbose`

Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.

Use this for parameters for individual users that can't be discovered by smart crawling.

Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).

**Required**. A unique identifier name for this user profile to distinguish between different users during multi-user scans.

The credentials required for the authentication script. These values will be redacted.

The name of the authentication script, as specified in the `hawkAddOn.scripts.name`.

The parameters required for the authentication script.

*Required* The name of the session script defined in `hawkAddons.scripts`. The script `type` must be `session`, and match the `hawkAddOn.scripts.name` field.

A map of key/value pairs that will be passed to your session script, which can be accessed via `sessionWrapper.getParam()` function.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should halt and enter an error state. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.

**Required**. The path to a protected route in your application that requires authorization. For example `/mysettings`. A `GET` request will be made to this path using the configured authentication.

The request content to send along with POST or PUT requests for authentication verification.

List of key/value pairs to be included as headers in the request to the `path`. Headers that match the following pattern are unable to be added or modified `'^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'`.

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should proceed with the specified authentication. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

An enum value representing what to match against in the response from issuing a request to the `testPath.path`. The supported values are `HEADER` and `BODY`.

If the token is a JWT, mark this field as true

If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.

TokenType will be prepended the header value e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx"

An enum value representing how to pass the authorization token to your application. `HEADER` indicates that each request should have the authorization token header added to the requests. `QUERY_PARAM` indicates that the token should be passed as a query parameter.

**Required**. The name of the `HEADER` or `QUERY_PARAM` the token should be passed as.

Specifying `TOKEN_PATH` tells HawkScan to extract the token from the JSON payload of the response from authentication. `HEADER` tells HawkScan to extract the token from a header in the response from authentication. defaults to `TOKEN_PATH`.

*Required**. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token. Example: if the authentication response JSON payload looks like `{"auth" : {"token": "<my-auth-token>"}}` the value would be `auth.token`. If the authentication response has a header named `AuthToken: <my-token>`, then the value should be `AuthToken`.

The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.

The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.

The path to your login form, if applicable. This is an optional path but is often required if the `POST` to the loginPath requires an anti csrf token to be passed as part of the `POST`. The `app.antiCsrfParam` will be extracted from the response body of a GET request to this page.

**Required**. login route to `POST` credentials for a user in the application (ex. `/login`). An http `POST` request using the type specified will be made to this path.

Other request parameters required by your login payload, provided as an array of objects with `name` and `value` string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.

**Required**. The password html field used in your application form or json, provided as a string.

Realm for NTLM authentication

*Required**. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).

*Required**. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).

An enum value describing the type of `POST` data expected by the `loginPath`

**Required**. the username html field used in your application form or json, provided as a string.

A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like `jsessionid` or `PHPSESS`. When used in combination with authentication HawkScan will use this value to persist authenticated session state with your application.

Specifies the type of token being supplied. If `COOKIE` is specified the .external.value should be in the form of a cookie value <cookie-name>=<cookie-value> . Defaults to `TOKEN`.

**Required**. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`. Use value or values but not both. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.

The command to start the process e.g. `bash`, `python`

Parameters required to run the script e.g. `-c`, `--verbose`

Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.

Use this for parameters for individual users that can't be discovered by smart crawling.

Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).

**Required**. A unique identifier name for this user profile to distinguish between different users during multi-user scans.

The credentials required for the authentication script. These values will be redacted.

The name of the authentication script, as specified in the `hawkAddOn.scripts.name`.

The parameters required for the authentication script.

*Required* The name of the session script defined in `hawkAddons.scripts`. The script `type` must be `session`, and match the `hawkAddOn.scripts.name` field.

A map of key/value pairs that will be passed to your session script, which can be accessed via `sessionWrapper.getParam()` function.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should halt and enter an error state. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.

**Required**. The path to a protected route in your application that requires authorization. For example `/mysettings`. A `GET` request will be made to this path using the configured authentication.

The request content to send along with POST or PUT requests for authentication verification.

List of key/value pairs to be included as headers in the request to the `path`. Headers that match the following pattern are unable to be added or modified `'^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'`.

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.

A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`. A match of the regex supplied will indicate that scanning should proceed with the specified authentication. HawkScan requires that either `success` OR `fail` be configured (do not configure both).

An enum value representing what to match against in the response from issuing a request to the `testPath.path`. The supported values are `HEADER` and `BODY`.

If the token is a JWT, mark this field as true

If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.

TokenType will be prepended the header value e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx"

An enum value representing how to pass the authorization token to your application. `HEADER` indicates that each request should have the authorization token header added to the requests. `QUERY_PARAM` indicates that the token should be passed as a query parameter.

**Required**. The name of the `HEADER` or `QUERY_PARAM` the token should be passed as.

Specifying `TOKEN_PATH` tells HawkScan to extract the token from the JSON payload of the response from authentication. `HEADER` tells HawkScan to extract the token from a header in the response from authentication. defaults to `TOKEN_PATH`.

*Required**. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token. Example: if the authentication response JSON payload looks like `{"auth" : {"token": "<my-auth-token>"}}` the value would be `auth.token`. If the authentication response has a header named `AuthToken: <my-token>`, then the value should be `AuthToken`.

The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.

The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.

The path to your login form, if applicable. This is an optional path but is often required if the `POST` to the loginPath requires an anti csrf token to be passed as part of the `POST`. The `app.antiCsrfParam` will be extracted from the response body of a GET request to this page.

**Required**. login route to `POST` credentials for a user in the application (ex. `/login`). An http `POST` request using the type specified will be made to this path.

Other request parameters required by your login payload, provided as an array of objects with `name` and `value` string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.

**Required**. The password html field used in your application form or json, provided as a string.

Realm for NTLM authentication

*Required**. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).

*Required**. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).

An enum value describing the type of `POST` data expected by the `loginPath`

**Required**. the username html field used in your application form or json, provided as a string.

The field name of the param to inject values into.

An optional operationName that will only inject custom values if the name of the operation on the request matches.

An optional GraphQL operation type (MUTATION or QUERY) that will inject custom values only when the request matches the operation type.

A list of possible values to be randomly selected for the given field.

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction

A list of possible values to be randomly selected for the given field.

GraphQL operation name.

Graphql operation type. Options are `All`, `QUERY` and `MUTATION`.

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction

A list of possible values to be randomly selected for the given field.

Support for direct web remoting request bodies. Deprecated.

Support for GWT request bodies. Deprecated.

Support for json request bodies.

Support for `multipart/form-data` request bodies.

Support for Odata request bodies. Deprecated.

Support for xml request bodies.

Allow injection of testable inputs for cookie data.

Allow injection of testable inputs for http headers.

Allow injection of testable inputs request body inputs on POST requests.

Allow injection of testable inputs url paths.

Allow injections of testable inputs url query parameter names.

Allow injection of testable inputs url query parameter values.

The field name of the param to inject values into. Using dot notation will resolve nested objects for request bodies (e.g., `user.address.id`).

An optional regex pattern that will only inject custom values if the JSON-RPC method name matches.

A list of possible values to be randomly selected for the given field.

Define custom variables and values for use in MCP tool scanning.

MCP server endpoint path relative to target host. Defaults to `/mcp`.

MCP tool names to exclude from scanning.

The field name of the param to inject values into.

An optional path regex that will only inject custom values if the path of the request matches.

A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.

A list of possible values to be randomly selected for the given field.

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction

A list of possible values to be randomly selected for the given field.

The field name of the param to inject values into.

An optional path regex that will only inject custom values if the path of the request matches.

A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.

A list of possible values to be randomly selected for the given field.

**Required**. The password for proxy credentials.

Realm for proxy credentials.

Scheme of proxy authentication. Currently `BASIC`, `NTLM` are supported.

**Required**. The username for proxy credentials.

Command arguments provided as an array of strings. These arguments can be used in addition to or instead of the command. This should be used if the command is sufficiently complex or is exceptionally whitespace sensitive.

Provide a command to run as part of the scan discovery phase. This command will be split from its arguments and execute on its own thread in a context with additional environment variables set with the proxy configuration for HawkScan to intercept http traffic.

Key-Value map of additional environment variables or secrets to pass along into the execution of the command. These values will be redacted from the logs.

Key-Value map of environment variable names and values to pass along into the execution of the command.

Only provide the environment variables and credentials as configured. By default also includes the environment from the parent process environment for convenience.

This command prints the stdout and stderr of the command to the foreground.

The absolute path working directory these commands are run from.

The hostname of URLs in the HAR file that will be replaced with the host defined in `app.host`. Leave blank if the `app.host` is then same hostname in the HAR file.

API key to authenticated the user with Postman.

Id of the collection to be pulled from Postman.

File path of the Postman collection.

Content types to exclude from response body uploads. If specified, adds to the default exclude list. Exclusions take precedence over inclusions. Supports wildcards (e.g., `image/*`).

Content types to include in response body uploads. If specified, replaces the default include list. Supports wildcards (e.g., `application/*+json`, `image/*`).

Replacer rule initiators.

Enable regex search for `matchString`. Useful when `replaceOnly` is true (e.g. `Referer:.*` will replace the entire `Referer:` header line).

If `replaceOnly` is false, only match the header name. If `replaceOnly` is true, matches the exact string on the header line.

If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.

If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.

Param name.

Param value.