The StackHawk Changelog
Tracking updates to the StackHawk platform and HawkScan.
Current HawkScan Version: 0.11.4
May 5, 2021
StackHawk Platform
Integrations
Quickly see what StackHawk enabled workflow integrations you have installed directly from the integrations tab.
Audit Payload
A bug was fixed related to certain audit events missing relevant details in their messages.
April 23, 2021
StackHawk Platform
(Enterprise) Audit Log
View an audit log of all activity within your organization, including when users join and leave your organization, when scans have been kicked off, when findings are triaged, and more!
Validate Findings
All scan findings can now be validated. Alerts from HawkScan can be recreated with the Validate button in the Findings tab.
HawkScan Version Tooltip
Jump into HawkDocs to learn how to update HawkScan when your version is out of date via a tooltip on the Scan Details page.
App Redirects
A bug was fixed related to following scan link urls in expired browser sessions.
April 22, 2021
HawkScan (0.11.4)
GraphQL Spider Progress
Percentage complete progress output to the terminal for long running GraphQL spiders.
Threshold Exit Code 42
When the finding threshold has been reached return exit code 42 so it can be distinguished from an unsuccessful scan with an exit code of 1.
Inaccurate Finding/Triage Counts
Fixes the finding and triage counts not being accurate in the HawkScan terminal output.
Remove Stacktrace From Terminal Output
Removed the stacktrace from the terminal output when an incorrect applicationId is specified in the stackhawk.yml.
Redact Credentials From Terminal Output
Redact the authentication credentials from the terminal output on authentication failure.
Race Condition
Fixed an intermittent race condition when sending the final scan results to the platform.
Deprecated GraphQL Fields
The deprecated graphqlConf fields batchQueries and introspection have been removed from the terminal output banner.
April 13, 2021
HawkScan (0.11.0)
HawkScan failureThreshold
Fixes an error when you configure failureThreshold in your application config. HawkScan will now exit correctly with this configuration.
April 6, 2021
StackHawk Platform
Support Modal
Having issues with the StackHawk web app? Can’t seem to get HawkScan configured? By clicking on your username in the sidebar you can find easy access to HawkDocs and how to contact our support team.
Keyboard Control for Integrations
The tables, buttons and dropdowns of the Integration pages are now able to be controlled with a keyboard.
App Creation Wizard Display
The Application ID will be displayed without overlapping its field boundaries in the App Creation Wizard.
March 30, 2021
HawkScan (0.10.0)
SOAP API Support
Use the app.soapConf configuration section to specify a local or hosted SOAP WSDL to configure the scanner to scan your SOAP endpoints. app.soapConf
All your inputs are belong to us
Set the app.autoInputVectors=true to ensure only the correct data types are used when scanning your API. This will help increase accuracy and completeness of the scan.
New OpenAPI Conf section
The app.api section is being deprecated in favor of app.openApiConf to allow for easier configuration and expanded options when scanning an OpenAPI based API. app.openApiConf
OpenAPI scanning improvements
When scanning an OpenAPI-based API, HawkScan will automatically detect and configure any data driven nodes in your API spec. This allows the HawkScan to avoid rescanning repetitive paths in your site tree as well as detect and scan sub paths. The overall effect is a more complete and accurate OpenAPI scan.
Scan Speed + Accuracy
When scanning an API use the StackHawk Platform Technology Flags in combination with app.autoPolicy and app.autoInputVectors to get the most out of your scan. The combination will inform the scanner of the most accurate approach to attacking your application. We've seen a dramatic reduction in false positives, reduced scan times on large API's, and an increase in harder to find vulnerabilities when using these options together on API scans.
March 23, 2021
StackHawk Platform
Keyboard Control
Users who navigate the app without a mouse will be able to perform any action a keyboard and mouse user can.
(Enterprise) Download Scan Results
Download Scan Results as JSON from Scan Details page.
(Enterprise) SAML Support
SAML authentication and authorization for accessing the StackHawk platform. Contact our sales team to learn how to add this for your organization.
Single SignOn
Members and account settings pages are updated for Single SignOn users.
Lazy loading and dependency management
Users will not load specific routes or dependencies until they need them.
Findings Management History
Findings Management History displays full history of the status of a finding.
Mobile Display on Finding Details page
Getting Started on Free Tier
Free tier users can navigate getting started flow again without getting stuck by an Upgrade modal.
Findings Path Display
Determines the validity of URIs displayed on the Finding Details page.
February 26, 2021
StackHawk Platform
New Integrations
Find documentation on the StackHawk Spinnaker, Buildkite and Bitbucket Pipeline Integrations from the Integrations tab.
Application Creation
Application creation experience includes a step-by-step wizard to guide users through scanning their first app.
Usability and Display Improvements
Improvements across the app to increase usability and display of technology flags checkboxes and the Scans and Findings tables.
Accessibility Improvements
Keyboard control improvements made to the multi-select components in the web app, as well as improved control of the left hand Welcome panel.
Finding Details Sorting
Finding Details on the Print Scan page are sorted by severity.
Finding Details Display
Resolved an issue where the Finding Details page would get confused when switching between GraphQL and REST scans.
February 15, 2021
HawkScan (0.9.0)
app.autoPolicy flag for API scans
When scanning a web API like OpenAPI or GraphQL you can use the `app.autoPolicy` flag to load an optimized policy for the API type. This can help increase scan speed and reduce false positives when scanning web endpoints that do not serve HTML/Javascript. app.autoPolicy
Realtime streaming of scan findings to the platform
As security findings are found during a scan they will be sent to platform for imediate viewing.
GraphQL Spider query improvement
The GraphQL spider process will generate queries to retrieve nested object fields that may contain data leaks... we see you.
Obscure error when using includePaths
Addressed an issue using includePaths that causes the spider to fail resulting in an obscure error on the terminal.
February 15, 2021
StackHawk Platform
Technology Flags
Optimize HawkScan by applying custom technology flags from the Applications page settings in the web app. Improve scan speeds and reduce false positives by only running tests around the technologies your application uses.
Scan Error Display
View scan errors from a tab on the Scan Details page.
Application Creation
Include http for an application’s host name if not present, and added a button to easily copy Docker commands.
Integrations Data Loading
Updated logic for Jira and Slack integrations to avoid unnecessary authentication for the Jira and Slack Integrations pages.
February 4, 2021
StackHawk Platform
Application Creation
Creating a new application in the StackHawk web app has never been smoother. Add an app from the Applications page for an optimized application creation experience.
Environments Table Graph
Who doesn’t like colorful bar graphs? View the environments table on the Applications page for a truncated version of the StackHawk graphs you know and love.
Type Errors and Warnings
Removed code that was falsely causing a few too many logging errors and added some boundaries around a type error in the onboarding flow.
January 26, 2021
StackHawk Platform
GraphQL Findings Table
Scanning your GraphQL app? The Finding Details page will now display the operation and operation name around each finding.
Sample App Onboarding Wizard
Scanning Google Firing Range for the first time is easier than ever. Updates to the onboarding modal include navigating between steps of the modal, copying shell commands and other minor visual improvements.
Plugin Table Loading State
The plugin summary table of the Scan Details page now has a loading state.
Finding Details Right Panel
The right panel on the Finding Details page is now open by default.
Changing Organizations
The profile menu in the sidebar has made it even easier to switch between multiple organizations, and a new loading animation has been added when switching organizations.
Limit User Sessions
Fixed a bug where the platform got confused if you were logged into more than one account at the same time.
Google Firing Range Banner Display
Updated logic around displaying a banner in the Applications page allowing a new user to scan the Google Firing Range app.
Usability and Display Improvements
Improvements across the app to increase usability and performance of the Finding Details panel and tab display.
January 21, 2021
HawkScan (0.8.38)
Added testPath.requestHeaders parameter to stackhawk.yml
The authentication testPath.requestHeaders is a map of extra headers to include in your testPath configuration. This is useful when using a POST route that requires JSON or some other Content-Type for requestBody.
Updated ZAP to the latest version 2.10
Hawkswcan has been upgraded to use ZAP 2.10 the latest stable release. zap-extensions
Updated scan plugins from zap-extentions
Updated to the latest scanner plugins zap-extensions
January 12, 2021
StackHawk Platform
Sample Application Onboarding
New users who load Google Firing Range sample data can view a modal wizard which will walk them through how to scan the Firing Range App on their own.
Multiple Organizations
A user can now join multiple organizations, and switch between organizations by using the organization switcher in the left hand nav located under your profile picture.
User Invites
The user invite flow has been improved to ensure the user knows the difference between joining an organization and creating a new account.
GraphQL Support
On the Finding Details Page, the GraphQL Response Body in the right panel has been reformatted.
Finding Details Page
A selected Finding List Item will stay selected upon the Right Panel opening.
Create New App Modal
After creating a new Application from the Applications Page, the Application ID can now be visible in the Create New App success modal.
Datadog Integration
Who let the dogs out? A user can now see who enabled their organization’s Datadog integration.
December 18, 2020
StackHawk Platform
Real Time Scan Progress
Ready, set, scan! Once a HawkScan is in flight, see real time scan progress in the StackHawk web app. The Scans page displays overall scan progress. Navigating to the Scan Details page provides insight to the plugins and tests HawkScan is running, as well as details on any errored or successful scans.
December 14, 2020
StackHawk Platform
Plan Users Selection
Save yourself some clicks! Input the number of users you’d like to include in your plan - via keyboard or mouse.
Findings Details page
Uncategorized alerts would disrupt the display of metadata on the Finding Details page.
Usability and Display Improvements
Improvements across the app to increase usability and performance of the onboarding flow, integrating with Slack and using StackHawk on Safari.
December 8, 2020
HawkScan (0.8.28)
Updated scan plugins from zap-extentions
Updated to the latest scanner plugins which address a number of bugs and false positives. zap-extensions
The hawk.failureThreshold can now be set to high, medium, or low. If any alerts are found a for the supplied threshold, or higher, the scan will fail and output the count of alerts at or above the configured threshold.
Crashes due to conflicting virtual frame buffer lock files in docker compose environments
In some scenarios running hawkscan in a docker compose environment, an existing Xvfb lock file can be present without the process. Avoid this by detecting X11 lock state and choosing an available id.
December 5, 2020
StackHawk Platform
New Plans!
We are shaking the tree at StackHawk! We are now offering a free plan and a Pro plan to meet the needs of all kinds of customers, from seasoned hawks to spring chickens. Check out our pricing page
GraphQL Findings
Scanning your GraphQL application? The StackHawk web app now identifies and displays specifics around your GraphQL queries and variables so you can easily identify your vulnerabilities from the Finding Details page.
Choose Your Own Adventure
Signing up for StackHawk for the first time? Choose your plan and what kind of application you are looking to scan in the Getting Started flow. Load in your application data or check out a scan of the Google Firing Range project to familiarize yourself with the platform.
Scan Overview
Welcome to the improved Scan Details page! Take a look at the improvements around the Scan Overview - we’ve added a new graph and display to help you identify the criticalities of the vulnerabilities in your application.
Filtered Scan Results
Click on the environment name from the Applications page to see a filtered view of your Scans specific to that application and environment.
Nudges
New to the StackHawk web app? We'll highlight some of the awesome features of the application for you. Look for the glowing buttons!
Usability and Display Improvements
Improvements across the app to increase usability and performance of the login flow, display in various browsers and responsive behavior. Sometimes the Getting Started flow didn’t load to help users get started.
November 24, 2020
HawkScan (0.8.26)
Memory Management
Performance and stability improvements when scanning large sites.
November 23, 2020
StackHawk Platform
StackHawk Free Tier
If you are an individual developer looking to get the application security basics under your belt, our all-new free tier was built just for you. In this single user plan, you will get all the best parts of StackHawk's Team plan. You can run scans and manage findings for a single application and receive weekly updates.
Usability and Display Improvements
Improvements across the app to increase usability of Announcements panel, Slack Integration and Settings pages.
November 10, 2020
StackHawk Platform
Recaptcha Verification on Account Signup
Email signups will now be verified with reCaptcha v3 technology because bots are sneaky.
Jira Integration
Fixed a bug with the Jira Integration when sending findings to Jira next-gen projects, the integration now uses the correct “Bug” issue type enabled for the project.
November 9, 2020
StackHawk Platform
Release Notes Nudge
See a visual indicator in the web app sidebar when new release notes have been published
Findings Status History
View who last updated a finding’s status from the Findings Details page panel Activity tab
Usability and Display Improvements
Improvements across the app to increase usability of Announcements panel, Findings Details table, Login and Settings pages
Adding Applications with Low Risk Level
Applications with a risk level of low can be added in the Getting Started flow and Applications page
October 30, 2020
StackHawk Platform
Bug Fixes
We broke the validate button. In this release, we fixed it. Various other bug fixes and improvements.
October 29, 2020
StackHawk Platform
Print Scan Report
Print or download a report of scan findings for an application and environment from the Scans and Scans Details pages.
Opt out of weekly emails
Opt out of weekly emails from the Notifications panel of the Settings page.
Usability and Display Improvements
Improvements across the web app to increase usability of scrollbars, form fields, mobile display, announcements panel and table spacing
October 20, 2020
StackHawk Platform
HawkDocs
HawkDocs have been updated with a new design, dark mode, and responsive mobile layouts. Check out the Updated Docs
October 19, 2020
HawkScan (0.8.16)
Configuration controls for file-based GraphQL schemas
HawkScan was released with improvements to the GraphQL vulnerability scanner configuration to support scanning with file-based schemas.
October 14, 2020
StackHawk Platform
Application Table View
Listed Applications can be viewed as a table, rather than cards, in the StackHawk platform. This creates more real estate for organizations with many applications.
Remove users from the Organization
Organization owners can now remove users from their org.
Application metadata
Assign Risk Level and Data Type for your applications from the Applications page of the StackHawk platform.
Scan Details Page
When viewing the scan details page, the version of HawkScan alongside whether an update is available is displayed.
Release Notes in HawkDocs
Review the StackHawk and HawkScan release notes from the official documentation. Read our Release Notes
Jira Actions
Taking Jira actions on the Findings page has been improved on the paths table and details panel. Jira tickets search has been optimized.
Errored Environment Cards
When an error occurs during a scan the associated environment card on the Applications page will accurately display an errored state.
October 13, 2020
HawkScan (0.8.14)
Scanning urls without a specified port
HawkScan was released with a fix to support scanning endpoints that don't specify a port.
October 12, 2020
HawkScan (0.8.12)
Include Paths
Hawkscan will now accept the `app.includePaths` configuration, specifying any routes the scanner should visit. Read the docs
Error Handling
Hawkscan will now send additional telemetry and improved exception introspection.
September 25, 2020
StackHawk Platform
Weekly Summary Emails
Organization owners will now see a weekly email containing summaries of your weekly activity using StackHawk
Datadog Integration
Send your StackHawk scan notifications to Datadog. Read the docs
Keyboard Navigation
Accessibility improvements around navigating the StackHawk platform via keyboard
Applications Page Table View
View your applications and environments in a compact view from the Applications page
Getting Started Flow
Added clarity around the steps of the Getting Started flow, as well as the ability to skip the Getting Started flow
PowerShell Commands
The StackHawk application will detect your operating system and display the proper set of command-line shell commands
Applications Page Display
Applications page display on mobile and tablet size screens has been updated to improve usability
Finding Details Panel Stickiness
Panel will now persist user’s choice of viewing request or response metadata for a specific finding
Placeholders
Placeholder UI implemented for API key table, members table and account info pages
App creation wizard modals will not overlay on each other
Application filters
Application filter shows application name instead of ID when navigating to the Applications page with query strings in the URL
Hover state color in dropdown menus
September 10, 2020
HawkScan (0.8.10)
GraphQL file loading
Support using GraphQL schema from file
September 1, 2020
StackHawk Platform
GA Release
August 28, 2020
StackHawk Platform
Toast Notifications
Toast notifications now display error messages, in addition to success confirmations when taking action on scan findings
August 27, 2020
HawkScan (0.8.8)
Error Logging
Use python `print()` in most places - errors still use the logging mechanism
Terminal Output Colors
term_color flag is checked in the Logger module to respect colored output in the terminal
August 24, 2020
StackHawk Platform
Billing
Improved access to the billing page from the account settings view
Slack Integration
Connect StackHawk with Slack and receive notifications on HawkScan events Read the docs
August 24, 2020
HawkScan (0.8.6)
Terminal Output Colors
Adds colors and logging for YAML exceptions and clear color delineation for problem items in the YAML config
Configuration Loader
Update the config loader to include the filename with the stream
Exception and Error Handling
Add new exception type for YAML exceptions, granulate the exception handler on the top level and add generic log output controls for info and error
ZAP False Positives
Disables certain zap plugins causing false positive reports in scanned applications
August 20, 2020
HawkScan (0.8.4)
Improved GraphQL scanning support
Auth recheck on long running scans
Modified HawkScan memory settings
August 17, 2020
StackHawk Platform
Billing
Choose between the Startup, KaaKaww, or Enterprise Plans on the StackHawk settings page
Bamboo Integration
Find documentation on the StackHawk Bamboo Integration from the Integrations tab
Findings Management Controls
Improved display of findings status in the right panel, linking to Jira from the right panel and updating status experience
Settings page routing
Each page of the settings menu has a dedicated URL
Applications Card Display
Increased size of the kebab button on the cards of the Applications page
Getting Started Flow
Refreshing the page during the Getting Started flow will preserve your progress in the flow
August 17, 2020
HawkScan (0.8.2)
Bug related to scanning for organizations without a subscription
August 17, 2020
HawkScan (0.8.0)
Check for valid subscription when scanning
Copy in terminal scan results output text
August 3, 2020
StackHawk Platform
Pagination
Data returned for Findings and Scans tables is paginated to improve performance of unbounded data lists
Password Reset
Reset your password for accessing the StackHawk platform from the profile page
Settings Navigation
Settings navigation is optimized for mobile and small screen sizes
Graph Popover
Hovering over the graphs on the Applications page will display details of a specific scan
Applications Options
From the Applications page view your latest scan results for a specific application by choosing one of the options in the kebab menu
July 22, 2020
StackHawk Platform
Applications and Environments Overview
See current status, history of past scans, and manage your applications and environments via the Applications tab in the sidebar
Finding Details pagination
Findings Details page contains pagination controls
Mobile UI
Modals display has been improved for usability on smaller screen sizes
Cleanup Jira page request to remove excessive calls to get Jira projects and issues
July 13, 2020
StackHawk Platform
Jira Integration
Integrate with your Jira Software instance to manage your appsec bugs by assigning and linking to Jira tickets Read the docs
Scan Filtering
Filter scans in the Scans List by Application and Environment
Integrations
New link to Azure Pipelines HawkDocs
Findings Management
Scan findings URLs are now sorted alphabetically as well as by status
June 29, 2020
HawkScan (0.7.2)
Header Replacer Support
Enables manipulation of request headers to better support apps running behind a proxy
GraphQL Config Section
Support for tuning the GraphQL introspection process
Rate Limiting Controls
Provides more control over the aggressiveness of the scanning capability
Kotlin Scripting Support
ZAP open source contribution for Kotlin support
Passthrough Config Support for ZAP
Supports advanced ZAP configuration via StackHawk YAML
GraphQL Introspection
More support for enumeration types and improvements to the test query builder
Flexible logging control for ZAP
Adds support for debug logging
Transparent localhost proxy instead of url rewriting
Better support for scanning localhost networking scenarios and reverse proxies
June 19, 2020
StackHawk Platform
Paths tab
Assess completeness of scans by reviewing all paths scanned by HawkScan
Integrations
New links to Concourse CI and Github Actions HawkDocs
Findings Management
Bulk controls UI improvements, findings table UI improvements, and findings are sorted alphabetically
Findings Management Alert Rules
Alert rules are now specific to request method
Scans Table
Pagination controls are accessible at the top of the Scans table
This Announcement Panel!
See specific changes for HawkScan and StackHawk platform
Applications Page Results
See up to 100 applications on Applications page
Invite users popup UX fixes
URI Truncation
URI truncation in many places throughout the application for readability
Validate Findings
curl command generated with double quotes around request body
June 6, 2020
HawkScan (0.6.14)
Terminal Output
Scan progress is now printed to the terminal output
GraphQL Querying Improvements
June 5, 2020
StackHawk Platform
StackHawk Authentication
Log in using any email via StackHawk authentication, or OAuth via Google and Github
Findings Management
Take action from the Findings Management right panel for triaging your application’s security vulnerabilities
App Creation Wizard
Add missing escape characters to downloaded StackHawk.yml from App Creation Wizard
May 29, 2020
StackHawk Platform
This Announcement Panel!
Announcement panel is a source for release notes, social links, docs and submitting feedback
Findings Management
Users may now triage scan findings by marking them as Assigned, Risk Accepted or False Positive
Scans List Table
As part of Findings Management, the scan list will now reflect new findings (not yet triaged) and a count of triaged findings
Browser Support and Logout Notification
Users on unsupported browsers will see a new informational page, and users logged out due to inactivity will be notified via toast notification
Faster Performance for Scan Findings Display
May 14, 2020
HawkScan (0.6.6)
Support for GraphQL Union and Interface Types
Support OpenAPI and Graphql API Scanning with same Config and App
HawkScan now supports configuration for customers that utilize both OpenAPI spec and GraphQL API scanning
Gitlab DAST Report Updates
Customers utilizing the StackHawk integration with Gitlab will now see findings updated in their report dashboard.
May 8, 2020
StackHawk Platform
Curl Attack Regenerator
Users may quickly validate a finding by clicking the “Recreate” button. This generates a curl command that a user may paste into their terminal in debug mode and quickly recreate an attack
Improvements to the Getting-Started Page Navigation
Scan List Pagination
Improvements to Mobile Styling
May 8, 2020
HawkScan (0.6.4)
GitLab CI/CD Service Templates
May 4, 2020
StackHawk Platform
Advanced Slack Integration Configuration
You may now configure updates from specific applications to be sent to specific channels in Slack, ensuring that your teams are only getting updates about the applications relevant to their workflow
Logout event percolates across all open tabs
Login-timeout redirects will take you to the last requested page instead of the last visited page