The StackHawk Changelog
Tracking updates to the StackHawk platform and HawkScan.
Current HawkScan Version: 4.3.0
October 30th, 2024
HawkScan (4.3.0)
WSDL File Base Path
When using a wsdl filePath, the SOAP parser will use the directory of the specified file as the base directory for resolving linked files.
HTTP Request display
Updated display of HTTP Request to display accurately what was sent over the network.
Specifying Outbound Proxy in stackhawk.yml
Fixed an issue where HawkScan was not resolving the hawk.outboundProxy configuration before trying to authenticate to the platform.
Hawk Plugin Commands
Fixed null pointer exceptions when running hawk register plugin and hawk list plugin.
October 14th, 2024
HawkScan (4.2.0)
External Command Timeout
Added a timeout for externalCommand authentication to exit problematic scripts sooner.
Hosted Scan Configuration
HawkScan can now run with a configuration hosted on https://app.stackhawk.com/ by running hawk scan hawk://policy-name.
Log Cleanup
Reduced noisy debug logs by moving them to the trace level.
gRPC Auto Input Vectors
Added gRPC auto input vectors to speed up scanning.
Ignore Unimplemented gRPC Methods
The scanner will now skip paths that are not implemented on the gRPC server.
Allow small OpenAPI spec
Allow for OpenAPI specs where the only route is the testPath.
Http Log Redaction
Enhanced sensitive data protection by redacting specified headers from logs when using --log-http.
Intermittent Hanging on Scans
Fixed an issue where HawkScan would sometimes hang while scanning.
August 7th, 2024
StackHawk Platform
Organization Scan Policy Management
Added a page in the organization settings for management of Organization Scan Policies and to review readonly StackHawk Scan Policies. Organization Scan Policies allow teams to choose which vulnerability checks are applicable to their StackHawk scans, improving scan performance and accuracy.
Scan Policy Management
Using Scan Policies
July 26th, 2024
HawkScan (4.1.0)
Organization Level Scan Policy
Added support for scan policies defined at the organization level.
scanPolicy configuration reference
Check for polyfill.io Vulnerability
Added a check to test for the polyfill.io CDN vulnerability.
Scan Policy Display in Banner
The scan policy used for the HawkScan run is now shown in the console banner.
Updated Details in SARIF Output
Updated details with more information in the SARIF output.
Updated OpenAPI Helper
Improved OpenAPI parsing for the HawkScan OpenAPI helper tool.
Progress Bar Display
Fixed an issue where the progress bar was displayed multiple times in the terminal output.
Updating HawkScan from .pkg Installer
Fixed an issue where HawkScan was not available on the command line after upgrading.
OpenAPI Parsing
Fixed issues where HawkScan could not parse some OpenAPI 3.1 specs.
GraphQL Configuration Banner Display
Fixed an issue where the GraphQL configuration file was not shown in the console output.
June 27th, 2024
HawkScan (4.0.0)
Use HSTE (HawkScan Testing Engine) instead of ZAP
Switched the scanner to HSTE, a renamed fork of ZAP that the StackHawk team has been maintaining. To learn more about this change see the link to the blog post below. Please note that if you are using custom scripts, all references to org.zaproxy.zap should be renamed to com.stackhawk.hste.
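As an added example (not StackHawk's own tooling) of the script migration step above: a shell function that rewrites the org.zaproxy.zap package prefix to com.stackhawk.hste in every custom script under a directory, plus a second function that counts files still carrying the old prefix so the migration can be verified before the next scan. The script file extensions (.kts, .kt, .js) and the sample script contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of HawkScan: migrate custom scripts from the ZAP
# package namespace to the HSTE namespace introduced in HawkScan 4.0.0.
# Assumption: custom scripts are *.kts, *.kt or *.js files under one directory.

OLD_PKG='org\.zaproxy\.zap'
NEW_PKG='com.stackhawk.hste'

# Rewrite each matching script in place, one file at a time, so a failure on
# one file leaves the others untouched. A temp file is used instead of
# `sed -i`, whose syntax differs between GNU and BSD sed.
migrate_hste_package() {
  dir="$1"
  find "$dir" -type f \( -name '*.kts' -o -name '*.kt' -o -name '*.js' \) |
    while IFS= read -r f; do
      if grep -q "$OLD_PKG" "$f"; then
        sed "s/${OLD_PKG}/${NEW_PKG}/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
      fi
    done
}

# Print the number of script files that still reference the old package.
# Anything other than 0 means those scripts still need attention.
count_old_refs() {
  dir="$1"
  find "$dir" -type f \( -name '*.kts' -o -name '*.kt' -o -name '*.js' \) \
    -exec grep -l "$OLD_PKG" {} + 2>/dev/null | wc -l | tr -d ' '
}
```

Usage: `migrate_hste_package ./hawk-scripts` followed by `count_old_refs ./hawk-scripts`; run the count first to see how many files are affected, then again afterwards to confirm it reports 0.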
Multiple API spec support for OpenAPI and gRPC
The app.openApiConf and app.grpcConf settings now support .filePaths, allowing multiple specification files to be used in a single scan configuration. This is especially useful when an API is composed of multiple lambdas.
grpcConf configuration reference
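As an added example (not a sample from the StackHawk docs) of the multi-spec configuration described above, a stackhawk.yml fragment that points one scan at several OpenAPI files. The filePaths key is the one this entry introduces; applicationId, env and host are the standard app fields, and the ID, host and file names are placeholders.

```yaml
# Added example, not StackHawk's own sample config.
# Placeholder values: the applicationId, host and spec file names are assumptions.
app:
  applicationId: 00000000-0000-0000-0000-000000000000
  env: Development
  host: http://localhost:3000
  openApiConf:
    # One spec per lambda; all of them are discovered in a single scan run.
    filePaths:
      - specs/users-lambda.openapi.yml
      - specs/orders-lambda.openapi.yml
      - specs/billing-lambda.openapi.yml
```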
PassiveScan script support
Passive scripts can now raise alerts in StackHawk by registering a custom plugin id, like active scripts. This is useful to create alerts for PII data, missing HTTP headers, and more.
New details to SARIF output
Added links and more details about the alert to the SARIF output format’s new markdown fields.
Updated the scan throttle settings to increase scan speed
The default throttle settings have been tuned to facilitate faster scanning. Users with scanner resource constraints may need to adjust these settings back to their lower values to avoid crashes due to resource consumption.
Docker user changed from zap to steve
The stackhawk/hawkscan docker image default non-privileged user is now named steve instead of zap. The home and default working directory have also been updated to reflect this change and are /home/steve and /steve respectively. For reference, the StackHawk mascot's name is Steven S. Hawk ;).
Custom data variables override example data in OpenApi spec
Custom data variables in the StackHawk configuration will override example values that are in the OpenAPI spec at runtime.
June 27th, 2024
StackHawk Platform
Scan policy name in the scan details pane
The scan policy name is displayed in the scan details pane indicating which policy was chosen for the scan run.
May 30th, 2024
StackHawk Platform
Official Support for Multiple GitHub Integrations
Connect multiple GitHub Accounts or Organizations to a single StackHawk Organization.
May 10th, 2024
HawkScan (3.9.0)
Prompt For API Key
Added a feature that will prompt and create an API key when HawkScan detects no API key is installed.
StackHawk Config JSON Schema
Updated StackHawk JSON schema to the latest version.
HawkScan Launcher Icons
Updated the HawkScan Launcher items for .msi and .pkg installs.
HTTP Request/Response Logging
Capture more http logs from earlier in the scan.
gRPC Data Generation
Allow configuration of the recursion depth of gRPC data generation in the StackHawk.yml.
GraphQL Misconfiguration Error
Fixed an issue where a validation error was thrown when the GraphQL configuration specified both file and filePath.
Wait For App Target
Fixed a bug where the waitForAppTarget feature would exit after 64 attempts.
May 7, 2024
StackHawk Platform
Account Set Up
Simplified sign up form for new users.
Getting Started Page
This update introduces new video resources to help new users run their first scan successfully and get started with StackHawk quickly.
April 16th, 2024
HawkScan (3.8.0)
3rd party/OAuth stackhawk.yml configuration
Most 3rd party/OAuth providers can now be directly configured in the stackhawk.yml without additional authentication scripts.
PKG installer
HawkScan can now be installed via a pkg file for Mac OS.
Weak Cipher Detection
Added a custom test to check if weak ciphers are enabled on the host during hawk scan.
Preflight CDN Header Check
When HawkScan is run with the --enable-preflight flag, it will detect if the application is possibly running behind a CDN.
HawkScan HTTP Request/Response logging
When HawkScan is run with the --log-http flag, it will log all HTTP requests and responses.
Hawk Perch
Fixed a bug where hawk perch would not run from the Windows executable version. To run hawk perch browser or hawk perch start --with-chrome on Windows ARM64 versions, the Visual C++ Redistributable needs to be installed. Follow the link below and select the link for the x86 architecture to download the vc_redist.x86.exe installer.
gRPC Data Generation
Limited the recursion depth of gRPC data generation and added more data types.
April 15, 2024
StackHawk Platform
Getting Started Page
This newly added page provides key context to help new users get started with StackHawk successfully.
Create New Application
This update enhances the clarity of the host URL information and adds a dropdown to specify the required URL format.
February 29, 2024
StackHawk Platform
Repository Details Page
Added a dedicated repository details page where users can manage a repository and its application mappings.
Repositories Page
Users can create multiple applications per repository.
Repositories Page
Improvements to the repositories table data display.
Repositories Page
Clicking on the repository table row will navigate users to the repository details page.
February 22nd, 2024
HawkScan (3.7.0)
OpenApi Splitter Max Parameters
Added a flag to the OpenAPI splitter to limit the maximum number of parameters in a single file or endpoint.
Preflight Check (Alpha)
Introduced the --enable-preflight flag, allowing users to run a preflight check during scans. This feature is designed to warn about potential issues in application configurations. Please note that this feature is currently in its alpha stage, and we welcome your feedback to improve it.
New perch start command flags
Added hawk perch start --with-chrome and --with-proxy-info to enable using hawk perch as a recording proxy. Run hawk perch start --help for details.
New perch stop command flag
Added hawk perch stop --har-file=<har file name> to save the perch recorded session as a HAR file. Run hawk perch stop --help for details.
Browser Detection For Ajax Spider
HawkScan will now check to see if the browser is installed on the OS before running the ajax spider.
Git Checkout Revision
Fixed a bug where HawkScan would error if a branch was specified in the HAWK_GIT_REV environment variable.
February 6th, 2024
HawkScan (3.6.0)
HAR file support
Support for using a HAR file or directory of HAR files as the spider for the scan process.
External Command Authentication
Allows for supplying a command to authenticate to the scanned application.
Learn more
JWT support
Automatically renews JWTs before token expiration.
Additional OWASP API Top 10 Rules
Added checks for Broken Object Property Level Authorization and Broken Function Level Authorization for OpenAPI specifications.
January 29, 2024
StackHawk Platform
Github Integration Page
Added a link to repositories page.
Bug fixes
Various bugfixes and improvements.
January 10, 2024
StackHawk Platform
API Endpoint: Get Application Tech Flags
Added endpoint to get application tech flags.
API Endpoint: Get Application Scan Policy
Added endpoint to retrieve the current scan policy configured for a specific application.
API Endpoint: All StackHawk Scan Policies
Added endpoint to lists all available StackHawk scan policies, providing details of each policy.
API Endpoint: Get StackHawk Scan Policy
Added endpoint to returns details of a specific StackHawk scan policy.
API Endpoint: Assign Application Scan Policy Plugins
Added endpoint to assign scan policy plugins to an application’s scan policy.
API Endpoint: Toggle App Scan Policy Plugin
Added endpoint to enable/disable an app scan policy plugin.
API Endpoint: Update Application Tech Flags
Added endpoint to update technology flags for an application, affecting the behavior of plugins during HawkScan runs.
December 7, 2023
StackHawk Platform
Upgraded to React 18
The StackHawk UI now soars on React 18, bringing enhanced performance and innovation! Tonight, the engineering flock rests as their dreams of this upgrade take flight!
November 21, 2023
HawkScan (3.5.0)
OWASP API Top 10 Security Testing (Beta)
HawkScan now has experimental support for testing for Broken Object-Level Authorization and Insecure Direct Object Reference vulnerabilities. Using the OpenAPI - Experimental named scan policy will test for these vulnerabilities.
Data usage improvements
Improved disk usage and network throttling when running HawkScan in memory constrained environments.
Pipeline Scanning
Added a --no-progress CLI flag to hawk scan to disable progress bars when running HawkScan, ideal for scanning in CI pipelines.
Check Target Host
Fixed a bug in the check that a scanned host has started when app.waitForAppTarget.path is configured.
November 15, 2023
StackHawk Platform
Finding Details Page
Enhanced vulnerability descriptions with clear remediation steps, risk details, and multi-language code examples.
Repositories Table
General improvements to the functionality of the repositories table.
Filtering Apps, Envs, and Teams
Fixes a bug in all filters when an app, env, or team is deleted.
November 14, 2023
StackHawk Platform
Security in Jira Integration Issue Linking
Issues created for vulnerabilities in Jira are now automatically linked to StackHawk scan finding paths.
Linking Jira Issues from the Security Tab
October 31, 2023
StackHawk Platform
Repositories Page
Github Insights is officially GA.
Repositories Page
Users can filter their repositories by languages and topics.
Repositories Page
Archived and forked repositories will be hidden by default. Use the toggle to explore all hidden repositories.
October 24, 2023
StackHawk Platform
Selected Repositories Counter
Now view how many repositories you have selected next to the Create Applications button.
Repositories Beta
Updates to improve the filtering and sorting of the Repositories table.
October 18, 2023
StackHawk Platform
Toggle Hidden Repositories
Hide and show hidden repositories using our new Hidden toggle on the Repositories page.
Repositories Languages and Topics
View what languages and topics a repository is using by clicking in the table and getting a run down in the right panel.
Teams and Users Pages
Teams and Users are now included in the left hand navigation for quicker access.
Policy Management Docs Link
Policy Management Documentation is now directly linkable from the Policy Management and Application Settings pages.
Archived and Forked Repositories
Repositories will now have an icon to indicate if they are forked or archived.
October 11, 2023
StackHawk Platform
Hide Forked and Archived Repositories
Forked and Archived repositories will be hidden by default on the Repositories page. A way to view these again will be coming soon!
October 3, 2023
StackHawk Platform
Scan Details
We improved the way you save your Tech Flags in the Optimization Panel.
Repositories Page
We added a hyperlink that will take you to the scan details of the last scan from the Repositories page.
October 3, 2023
HawkScan (3.4.0)
Support for Root CA Certificates for Transparent proxies
Users can now configure the path to their Root CA Certificate in the stackhawk.yml file, and HawkScan will dynamically load that certificate for communication through a transparent proxy.
JSON Schema Validation for HawkScan Config
Fixed an issue where validating the HawkScan config was caught in a loop and not validating.
Validate Auth Command
Fixed an issue where the validate auth command was not working.
September 26th, 2023
StackHawk Platform
Org Details
Team Members can now see their Organization ID in the Organization Details tab of their Settings.
Repositories Page
The columns of the Repositories table are now sortable.
September 12th, 2023
HawkScan (3.3.0)
Hawk Create App
HawkScan now has the ability to create applications from the command line.
Hawk Create App
Hawk CLI Colors
HawkScan now sports more colorful terminal output, and shows a progress bar when discovering large OpenAPI specifications.
Include & Exclude Paths
Include and Exclude Path configuration now applies to OpenAPI specifications. Paths in an OpenAPI specification will not be discovered if they are excluded, and will only be discovered if they are included.
GraphQL Scanning
Fixed a bug when scanning with large GraphQL API schemas causing HawkScan to not finish correctly.
Include & Exclude Paths
Fixed a bug where Include and Exclude Paths would not be respected on Windows, or could find no results with conflicting entries.
Logging improvements on Windows
HawkScan logs to the .hawk/logs directory in the user home directory on Windows.
August 31st, 2023
StackHawk Platform
GitHub Insights Beta
GitHub Insights Beta Launch! Connect your GitHub repositories to StackHawk applications. Track StackHawk scans in context with code repositories, bulk create applications to scan from these repositories, and invite code contributors into the platform all in one place.
July 7th, 2023
StackHawk Platform
Applications and Scans Pages
The empty states for the Applications Page and the Scans Page will now prompt you to make and configure your Applications, and invite more hawks to your nest.
Applications and Scans Pages
For organizations on the StackHawk enterprise plan, owner & admin roles can now create new teams directly from the Teams dropdown on the Applications and Scans pages.
Optimization Panel
There were a few types of API documentation that were not being included in scan discovery for optimization tips. Now, GraphQL, gRPC, and SOAP APIs will all count towards having scan discovery enabled.
July 6th, 2023
HawkScan (3.2.0)
Hawk Perch
Added experimental support for running HawkScan as an ongoing daemon process for authentication validation.
Hawk Perch
Multiple external Cookie and Token Support
Added support for supplying multiple cookies and tokens.
Custom Test Data
Improved custom value injection for more granularity when scanning OpenAPI, gRPC or GraphQL APIs with HawkScan.
OpenAPI Custom Values
GraphQL Custom Values
gRPC Custom Values
HawkScan Configuration from Url
It is now possible to run HawkScan with a stackhawk.yml configuration loaded from a URL.
gRPC Scanning
Fixed a bug that prevented scanning gRPC applications over TLS.
Rogue Zap Process
Fixed a bug where HawkScan could fail to start if a previous Zap process had not been stopped, or was still running as a daemon via hawk perch.
Configurable Redaction List
Fixed a few bugs where error or debug logging of messages from Zap would not have headers fully redacted when configured.
Outbound Proxy Support
A variety of bugfixes supporting outbound proxy behavior, particularly when running HawkScan with proxy support on Windows.
June 28th, 2023
StackHawk Platform
Optimization Tips
The scan details page now displays our new Optimization Tips panel which houses key feature configuration advice to improve your scan speed and accuracy. We’ve also added the optimization icon to the application environment cards so you can quickly identify which configurations need your attention. This is available only for Pro and Enterprise plan.
Getting Started
We would love to know a little more about you, so we’ve added a role collection to the signup page. This will help us continue to improve our experience.
Create New App
Because we know that sometimes getting the details of a new application requires the help of your developers, we’ve added quick access to the user invite flow directly to the create an app wizard.
May 26th, 2023
HawkScan (3.1.0)
Configurable Redaction List
Added support for defining values in the stackhawk.yml to be redacted from HawkScan logs.
Outbound Proxy Support
Added support for HawkScan to be used with an outbound proxy.
Outbound Proxy Configuration
Improved Networking
Updated and optimized networking libraries.
Fixed HawkScan Logs on Windows
Fixed a bug with the location of HawkScan logs on Windows.
May 26th, 2023
StackHawk Platform
Security in Jira Integration
StackHawk now supports Atlassian Security in Jira functionality with the existing Jira Cloud add-on.
Jira Data Center Integration
StackHawk has deprecated support for the Jira Data Center Integration.
April 13th, 2023
StackHawk Platform
Billing
Cleaned up some rough edges around the self-service experience.
Slack and Microsoft Teams Integration
Updated the Slack and Microsoft Teams integration management pages to be consistent with other integrations.
April 4th, 2023
HawkScan (3.0.0)
gRPC Scanning (Beta)
Added support for scanning gRPC applications.
gRPC Configuration
NTLM support (Beta)
Users can now add NTLM authentication to their scans.
March 28th, 2023
StackHawk Platform
Bug Fixes
Fixed minor bugs throughout the app.
March 23rd, 2023
StackHawk Platform
Application Environment Cards
Environment cards will now display our new API type icons with your next scan!
Bug Fixes and Performance Improvements
Cleaning up some sneaky bugs and improving the all-round performance of our app.
March 20th, 2023
StackHawk Platform
(Enterprise) Microsoft Azure DevOps Boards
Integrate StackHawk with Microsoft Azure DevOps Boards to track findings as work items.
Azure DevOps Boards Integration
GitHub CodeQL Code Snippets
The relevant code snippets for a GitHub CodeQL SAST finding will now be displayed in StackHawk.
Webhook Integration
Added the ability to specify which scan event(s) a webhook receives.
March 9th, 2023
HawkScan (2.12.0)
Gitlab Dast Report
Fixed formatting of markdown links in the Gitlab DAST report.
Java Runtime Inference
Fixed a bug where HawkScan could select a different version of Java to start Zap on systems with multiple versions of Java installed.
waitForAppTarget
Fixed a bug where app.waitForAppTarget could fail when running in Docker.
OpenApi Spec Parsing
Fixed a null-pointer issue when parsing incomplete OpenAPI specifications with empty POST request bodies.
March 7th, 2023
StackHawk Platform
Webhook Integration
Added the ability to specify which application(s) a webhook applies to so that webhook receives alerts only for relevant scans.
February 21st, 2023
StackHawk Platform
(Enterprise) Teams and Member Role
Create groups of applications with Teams and assign users the Member role to limit their access.
February 14th, 2023
StackHawk Platform
Settings
Various bugfixes and improvements.
Webhook Integration
Added the ability to create and enable multiple webhooks.
Audit Log
Improved how Scan Policy events are displayed in the audit log.
January 30th, 2023
StackHawk Platform
Application Filter Dropdowns
Filters now automatically update when selecting Applications and Environments on the applications and scan results pages.
Tech Flags UI
Tech Flags in application settings has been redone for easier access and configuration.
January 25th, 2023
HawkScan (2.11.0)
Windows Installer (BETA)
HawkScan can now be installed on Windows operating systems with a dedicated MSI installer.
(Enterprise) Scan Policy Management
Added support to customize the application scan policy directly from the StackHawk Platform, enabling HawkScan to deliver faster and tailored scan results.
Scan Policy Management
OpenApi Spec Parsing
Fixed a bug when parsing large OpenApi specifications.
Updated Log4J
Updates Log4J library to 2.19.0.
January 11th, 2023
StackHawk Platform
Support for Snyk Groups
Added the ability to connect a Snyk Integration at the Snyk Group Account level.
Auth Getting Started updates
Various updates to the Auth Getting Started examples.
Organization Details Page
The account’s billing status is now shown.
January 6th, 2023
HawkScan (2.10.0)
Support for Limited YAML Anchors in OpenApiConf
Added the app.openApiConf.maxAliasesForCollections setting to control the number of allowed anchor aliases when parsing a YAML OpenAPI definition.
Updated Networking Libraries
Underlying Netty and Apache networking libraries were upgraded to the latest versions, supporting HTTP/2.
Embedded Scripting Engine Updates
Embedded Kotlin and JavaScript scripting engines now have access to the HawkScan configuration at runtime.
November 29th, 2022
StackHawk Platform
Jira Cloud Integration
Improved the Atlassian Jira Cloud integration to enable selecting an issue type when triaging findings into Jira issues.
Invite User Flow
Users invited to an existing account now have a streamlined sign-up experience.
November 3rd, 2022
StackHawk Platform
GraphQL Operations tab
Added a new Operations tab, visible only for GraphQL scans, that includes a complete list of operations used during a scan.
HawkScan Rescan button
Generate the CLI or Docker command for rescanning your application with the Rescan findings button. Rescan allows you to test an application for only previously discovered findings.
November 3rd, 2022
HawkScan (2.9.0)
HawkScan Rescan
Rescan an application to quickly test only previously discovered findings.
Hawk Rescan
GraphQL Custom Variable Injection
Configure HawkScan GraphQL API scans with Faker supplied data for better scan results.
Smart values for Parameters
Windows PowerShell support
Run the StackHawk CLI on a Windows terminal using the included hawk.ps1 PowerShell script.
HawkScan Configuration Parsing
Improved the linting and validation of stackhawk.yml files to catch unexpected fields in the HawkScan configuration.
October 20th, 2022
StackHawk Platform
GitHub Integration Pull Request Checks
Our GitHub integration will now consider the failure threshold (set using hawk.failureThreshold in your configuration) to communicate scan success or failure in build checks and pull-request comments. Pull-request comments have been updated to include more relevant information in an easier-to-consume format.
October 13th, 2022
StackHawk Platform
Account Details Page
Users can now get their code contributors count via the GitHub Integration or the Code Contributors Script without contacting the StackHawk Sales team.
October 3rd, 2022
StackHawk Platform
Members Page
Organization owners can now upgrade admin users to owners.
September 28th, 2022
StackHawk Platform
Enhanced Application Filter
The application filter now includes the application uuid, allowing for all applications, even those with conflicting names, to show up in the filter dropdown.
September 22nd, 2022
StackHawk Platform
GitHub Integration Pull Request Checks
You can now get GitHub pull request checks and comments from StackHawk by installing the official StackHawk GitHub App and updating your stackhawk.yml with the correct scan tags.
Scan Tags Beta
SAST Buttons
Fixed some instances where our SAST buttons weren’t quite styled to our standards.
SAST Application Badging
Applications mapped to SAST integrations will now always show the appropriate badging on the applications page.
September 20th, 2022
HawkScan (2.8.0)
Custom Variable Injection
HawkScan can now generate smarter values when scanning with an OpenAPI configuration. Custom variables can now be configured with Faker supplied data for better scan results.
Smart values for Parameters
Custom Test Scripts
Users can now add their own active scan tests with HawkScan Script support, enabling application security checks using custom business logic and/or data.
Create and Register Custom Test Script
GraphQL Exclude Operations
Specific operations can now be ignored when scanning GraphQL APIs. The graphqlConf.excludeOperations setting can be populated with pairs of GraphQL operation names and types, and those operations will be excluded from the scan.
Custom Scan Discovery
HawkScan can now intercept the HTTP traffic from any software development tool that supports proxy configuration. Discover your web application with Postman Collections, Cypress test suites, and even Curl commands.
Custom Scan Discovery
Postman Scan Discovery
HawkScan users with Postman Collections can discover more of their scanned application with new configuration for Postman Scan Discovery.
Postman Scan Discovery
Scan Discovery
Documentation has been added describing Scan Discovery, the process for spidering and discovering your web application with HawkScan.
Scan Discovery
August 29th, 2022
HawkScan (2.7.0)
Custom Variable Injection for REST APIs
You can supply a list of custom variables for each parameter in your OpenAPI definition, and HawkScan will randomly inject a variable from the corresponding list when scanning your API.
Using Custom Variable Injection
Scan Tags
Scan Tags are name value pairs that represent metadata you can use to capture additional state or context around a scan.
Scan Tags
More info in CLI banner
When run with the --debug flag, the CLI banner now displays additional information on the current scan.
Various YAML config validation bugs
Certain fields around GraphQL and auth scripts were not being validated properly. These fields are now properly validated.
Windows CLI instability issues
Fixed classpath construction issues with the ZAP subprocess in Windows environments.
Active Script exception handling
HawkScan will now terminate a scan when an active script fails.
Domain level cookies not being sent to the application
Cookies scoped to the domain of the application being scanned are now passed to the application correctly. For instance, *.example.com vs app.example.com.
August 29th, 2022
StackHawk Platform
Platform Stability
Fixed several bugs that caused spontaneous page hangs or crashes in the StackHawk UI.
August 23rd, 2022
StackHawk Platform
Summary Scan Reports
Generate reports summarizing your most recent scans across all applications and environments.
Reports
August 1st, 2022
HawkScan (2.6.0)
Validate OpenAPI configuration command
The hawk validate api command can be used to validate the OpenAPI configuration in your stackhawk.yml without running a scan.
Custom Test Scripts (BETA)
Users can now add their own active scan tests with HawkScan Custom Test Scripts, enabling application security checks using custom business logic and/or data.
Custom scan rules
Hidden Files Found scan rule false positives
Updated the Hidden Files Found scan rule to not trigger on ambiguous HTTP status codes like 3xx redirect codes.
Path Traversal scan rule false positives
Updated logic regarding 3xx redirect code analysis on responses to avoid false positives.
July 27th, 2022
StackHawk Platform
Jira Integration
Fixed a bug where StackHawk wouldn’t always track issues sent to Jira in scan findings.
July 13th, 2022
StackHawk Platform
GitHub CodeQL
The Official StackHawk GitHub Integration is live, allowing you to correlate GitHub CodeQL findings as you scan.
Disabled problematic and informational scan rules
Scan policies now exclude the following rules: (10058) GET for POST, (10104) User Agent Fuzzer, (20014) HTTP Parameter Pollution, (40023) Possible Username Enumeration, (90027) Cookie Slack Detector, (40016) Cross Site Scripting (Persistent) - Prime, (40017) Cross Site Scripting (Persistent) - Spider, (90017) XSLT Injection, (90034) Cloud Metadata Potentially Exposed.
July 13th, 2022
HawkScan (2.5.0)
Updated networking stack
The core networking stack has been updated to use Netty 4, allowing for HTTP/2 support.
Permissions issue with git clone in docker image
Using the --git-url/GIT_URL option with the stackhawk/hawkscan docker image will clone the git repo to the home directory of the non-root docker user, instead of /hawk, to avoid permission errors.
Authentication form POST using HTTP/1.0
The authentication form POST will now use HTTP/1.1 which is the default for all other traffic.
July 11th, 2022
StackHawk Platform
Create an App
Made it easier to get your YAML file and run a scan after creating a new application.
Navigation Bar
Applications option is now first in the navigation bar.
Environment Card
Clicking on metrics in the environment card will navigate users to its latest scan.
Minor Bugs
Fixed minor issues that were causing the application page to freeze.
Jira Integration
Paths will now be populated when creating a new issue.
June 24th, 2022
StackHawk Platform
Create an App
Fixed an issue preventing users from adding their API specification when creating an application.
June 22nd, 2022
HawkScan (2.4.1)
Minor Bugs
Fixed minor issues with cross site scripting rule, date time conversions, and plugin reporting
June 22nd, 2022
StackHawk Platform
Enhanced Create an App Flow
Improved instructions on how to provide your API key to the scanner during the first app creation process.
SAST Integration Bugs
Restored the ability to remove a linked SAST project and fixed issues with SAST badging not displaying correctly in some places such as scan results and the applications list.
June 10th, 2022
HawkScan (2.4.0)
Updated ZAP to the latest version 2.12.0
HawkScan has been upgraded to use ZAP 2.12.0, the latest stable release.
zap-extensions
Additional Scan Alert Details
HawkScan is now collecting additional details from scan alerts, including the request / response time, history type, and alert reference.
Escape sequence handling in the config
Fixed a bug when handling exotic escape character sequences in the loggedInIndicator and loggedOutIndicator fields.
June 9th, 2022
StackHawk Platform
Billing
StackHawk grows with your team! Small teams can now upgrade to our Pro or Enterprise plans without paying for more developers than you have right now.
June 6th, 2022
StackHawk Platform
Authenticated Scanning Helper
Additional third-party authentication providers have been added including Okta, Firebase and Keycloak.
Scans Page
Pagination and filtering will not reset if users navigate to an individual scan and decide to navigate back to the scans page.
May 20th, 2022
StackHawk Platform
Authenticated Scanning Helper
Users can now add authentication through third-party providers such as Auth0 or other OAuth-based services. Support for additional OAuth providers will be coming in the near future.
May 2nd, 2022
HawkScan (2.3.1)
Exclude Paths
Fixed an issue where excludePaths would not work unless at least one includePath was set.
Token Extraction Regex
The tokenExtraction.value regex was too strict; the regex has been removed for easier use.
April 20th, 2022
HawkScan (2.3.0)
Seed Paths
Added the ability to supply seed paths to supplement the spider when crawling applications.
seedPaths
Spring4Shell Alpha Scan Rule
Synced with the latest zap-extensions to obtain the Spring4Shell scan rule.
Download Scan Logs
Added “hawk download log” command which can be used to download logs for specific scans
April 18th, 2022
StackHawk Platform
Minor Security Vulnerabilities
Squashed a handful of minor security vulnerabilities
April 6th, 2022
StackHawk Platform
Integrations
Updated GitHub Actions integrations to reflect changes using the CLI.
April 6th, 2022
HawkScan (2.2.0)
Verbose Logging
Added an extra flag that outputs verbose logging to the foreground
Log4Shell Scanning
Added ability for HawkScan to detect Log4Shell vulnerabilities
Support For M1 Architecture
Added multi-architecture support for the Docker image and the HawkScan CLI.
Updated ZAP Integrations
Updated HawkScan with the latest upstream changes from ZAP.
Validation Rules
Improved validation for JSON schema plugin and security certificate errors
Debug Flag Causing Double Printout
Fixed an issue with the --debug flag causing a double printout of logs.
Maximum Duration Flag
Fixed an issue with the maximum duration flag not being respected in Ajax scans.
April 1st, 2022
StackHawk Platform
Slack Integration Button Style
Our Slack Integration install button was less-than-visible, but you can see it again!
March 18th, 2022
StackHawk Platform
Auth Helper Popup
The auth helper popup will no longer appear over the new application wizard
Dates Display
The dates in the application will correctly appear in the user’s local time
March 15th, 2022
StackHawk Platform
Defect Dojo Integration
Find documentation on the StackHawk Defect Dojo Integration from the Integrations tab
February 28th, 2022
StackHawk Platform
Pricing Table
Scans List
Visual callouts to scans list and scan details page for Log4Shell scans
February 18th, 2022
StackHawk Platform
Add an App Button
Users on a Free plan that already have an application will be prompted with an upgrade message once they click on Add an App button
February 17th, 2022
StackHawk Platform
Authenticated Scanning Popup
After running their first scan, users can open a helper that will help them setup authenticated scanning.
Authenticated Scanning Helper
Users can easily learn how to authenticate their application with this helper. It includes information about injecting a token or cookie, or using HTTP and JSON form authentication methods. After users select their authentication method, they will be shown a YAML snippet that should be added to their stackhawk.yml file.
Technology Flags
Added technology flag for the Java Spring framework
February 10th, 2022
HawkScan (2.1.0)
Updated config validation error handling
Added contextual error messaging to invalid scan configurations
Apply path excludes globally
The app excludePaths are now applied globally instead of only to active scan requests: exclude paths apply to the spider and to all other requests through the proxy. This allows definitive blocking of paths that may be sensitive to scan requests.
Application Exclude Paths
JWT Token failing to refresh
For longer scans (>30m), the platform JWT token will now auto-refresh for uploading scan logs to the platform.
Over failure threshold reporting as a scan error
When the configured failure threshold was reached on a scan, the scan was being marked as an error in the platform. The scan is no longer marked as an error when the failure threshold is reached, but the exit code is still 42 so the build will fail.
Failure Threshold
February 8th, 2022
StackHawk Platform
Organizations without any applications will no longer see a generic platform error
February 2nd, 2022
StackHawk Platform
Auto-downgrade
Inactive trial accounts will be downgraded to free plan at 90 days
Button to CLI docs
Links to the CLI documentation are now included when a user creates an App.
January 27, 2022
StackHawk Platform
Plan name is displayed in audit log events regarding a subscription
Audit log and email notifications can now be accessed from the settings page on mobile devices
Checkout Modal
The checkout modal now closes when a yearly subscription is successfully updated, and various visual fixes were made.
Jira Cloud Issue Triage
Searching for an existing issue when sending an alert to Jira Cloud can now search by the issue key directly.
January 12, 2022
HawkScan (2.0.0)
StackHawk CLI
The StackHawk CLI can be used without Docker to perform scans and validate configurations. The CLI is also included in the Docker image as it is the same scan engine for the CLI or Docker container.
StackHawk CLI
New hawk validate config command
A new command “hawk validate config” that will lint and validate your stackhawk.yml configuration files without performing a scan. Config validation is also performed before a scan to ensure accuracy.
Schema linting and validation for stackhawk.yml files in IDEs
The stackhawk.yml file schema is publicly available via SchemaStore.org, enabling real-time linting and validation of stackhawk.yml configuration files in many popular IDEs.
SchemaStore.org
Removed dependency on Python
The Python-based entrypoint command has been replaced with the new JVM-based CLI command hawk scan.
Updated Docker image OS to Ubuntu 20
The base OS for the HawkScan Docker container has been updated to Ubuntu 20 and the latest version of Firefox.
Updated error output
Error output now contains contextual references to the YAML causing the error as well as links to corresponding documentation.
January 12, 2022
StackHawk Platform
StackHawk Enterprise Trial
Newly signed up users will automatically be on a 14-day free trial with access to all Enterprise StackHawk features. Users will be automatically downgraded to the Free version after 14 days if a purchase of Pro or Enterprise is not made. If a trial extension is required, users can contact support via Intercom on the Pricing Page or within the app.
Billing Updates
We have simplified subscription management in our UI. Users can now self-service for both Pro and Enterprise subscriptions and easily select the number of developers when upgrading to Pro or Enterprise plans.
December 23, 2021
StackHawk Platform
Env Card Graphs
Application page graphs are no longer constantly reloading.
Delete Env Modal
Deleting environment modal was automatically closing. The modal will now only close when you tell it to.
GraphQL Config
The generated GraphQL .yml file now specifies a POST request instead of a GET request.
November 4, 2021
StackHawk Platform
Plugin Duration
Find out how long each plugin takes from the plugin summary tab of the scan details page for a better understanding of how HawkScan scans your application.
October 19, 2021
StackHawk Platform
Jira Issues are now retrieved when the Send to Jira modal opens.
Choosing to load example scan data from Google Firing Range will no longer show the Welcome modal to new users.
October 18, 2021
StackHawk Platform
Getting Started Updates
Plan descriptions and initial scan selections have been updated to better reflect scanning your own application or loading example scan data.
Create an Application Updates
When creating an application, you can now define a specific application type, which will generate a customized scan configuration allowing you to get started scanning faster. Additionally, the Technology Flags step has been removed from this flow, but can still be accessed under application settings.
Findings Other Info
The Other Info field of a finding has been surfaced in the Finding Details panel when available.
(Enterprise) API Source in Audit Log
API label is added to events sent from the public StackHawk API to the audit log.
Integration Error State
Integration pages now feature a new error state when integration channels cannot be retrieved.
Onboarding Experience
Invited users see a welcome modal, while new users that are owners of their organization are directed to create an application after providing onboarding information.
Deleting last environment on a filtered applications view updates to reflect deletion.
October 6, 2021
StackHawk Platform
(Enterprise) StackHawk API Access
The StackHawk API is now available for public use by organizations on the Enterprise plan. With extensive documentation and resources, developers can now programmatically manage StackHawk applications and environments directly from the command line.
Read the Docs
API Reference
September 17, 2021
HawkScan (0.11.14)
Authentication and Session script support
Authentication and Session management scripts are now supported and configurable via authentication.script and authentication.sessionScript configurations.
OpenAPI request generation
Fixed a bug in HawkScan 0.11.11 where the OpenAPI request generator was not handling incomplete request body references and request bodies with mixed $ref and sub-property definitions.
OpenAPI parsing
Fixed a bug in HawkScan 0.11.11 that was causing OpenAPI v2 specifications to fail instead of falling back to the v2 parsing engine.
August 31, 2021
StackHawk Platform
GraphQL Findings
Fixed an issue where some GraphQL results were displayed incorrectly when viewing scan findings.
August 26, 2021
StackHawk Platform
Jira Issue Promotion
Fixed an issue where the dropdown to select a Jira project was not populating while triaging issues.
August 26, 2021
HawkScan (0.11.11)
Header Replacer Rules
A bug in HawkScan 0.11.10 that was causing the header replacer configuration to fail has been fixed.
August 25, 2021
HawkScan (0.11.10)
OpenAPI verification
Added improved error detection for OpenAPI specifications that do not result in any routes being discovered on your application.
Script loading
Custom scripts are now loaded before any authentication or API discovery traffic, allowing for custom auth and API discovery requests.
August 16, 2021
HawkScan (0.11.9)
Git Repo Mounting
Added the ability to mount a remote git repository for a project instead of a docker volume mount.
Error Handling
Improved error handling to catch errors returned when using https localhost URIs.
August 2, 2021
StackHawk Platform
Application View Updates
Improved the UI for accessing Application settings. Clicking on the application name or the arrow control will allow you to access your Application details and scan settings, such as Technology Flags.
Slack Configuration
Updated the Slack channel configuration UI to account for any deleted Applications or Environments that are mapped to a Slack channel.
July 26, 2021
StackHawk Platform
Delete Applications, Environments, and Scans
Remove outdated or unused scans, applications and environments from your organization.
Application Creation Modal
The application creation modal will be reset to its default state when closing the modal.
(Pro & Enterprise) Audit Log Messaging
Audit log provides a better message around removing scans from your organization.
Curl Command Generation
Curl commands with nested single quotes are now able to be used to validate findings.
Downloadable Configuration
The application name is now present in the downloadable stackhawk.yml.
Announcements Panel
Fixed announcements panel notifications for when new release notes are published.
July 12, 2021
StackHawk Platform
(Pro & Enterprise) Create an App Flow: Tech Flags
We have added the ability to modify technology flags during the application creation process. Technology Flags allow you to fine-tune the tests HawkScan runs to better match your tech stack, leading to faster scans and fewer false positives.
Create an App Flow
The application creation modal has been updated to include the guided wizard interface.
Getting Started Flow
We now retain the Application ID when clicking back or on to a specific step in the Getting Started wizard.
July 9, 2021
HawkScan (0.11.8)
Repository Metadata Collection
Fixed a bug that made HawkScan error out when collecting metadata.
July 6, 2021
HawkScan (0.11.7)
SOAP specific scan policies
HawkScan now automatically configures scan policies for SOAP API endpoints to include relevant tests.
API Scanning
HawkScan now targets GraphQL, OpenAPI and SOAP APIs with more specific and relevant attack vectors.
Scan Policy
Fixed a bug with merging scan policy overlays when configured for GraphQL and OpenAPI scanning.
Token Redaction
Token authentication will now redact the external token from the scan config.
July 6, 2021
StackHawk Platform
Jira Data Center Integration
Enterprise Plan organizations can now triage scan findings with the Jira Data Center Integration. This integration will connect with an Atlassian Jira Server or Atlassian Data Center to create or link Jira issues from StackHawk findings.
Jira Actions
Fixed a bug with Jira Cloud integration where the platform could not detect if a project management integration is installed.
May 28, 2021
HawkScan (0.11.6)
Authentication TestPath
HawkScan terminal error output includes more details when validating authentication via the testPath.
Terminal Output
Fixed a bug with HawkScan output reporting incorrect counts of triaged findings.
GraphQL Configuration
Fixed a bug when configuring a GraphQL schema endpoint with a trailing slash, and the reporting of scanned GraphQL paths.
Scan Policies
Fixed a bug in application specific policies that was preventing plugin overrides from working correctly.
May 25, 2021
StackHawk Platform
Microsoft Teams Integration
Organizations on the Enterprise Plan can now send Scan Notifications to configured Microsoft Teams channels whenever a scan is run and completed.
Webhook Integration
Generic Webhooks are now available for Organizations on the Enterprise Plan. Send Scan Results to third-party systems (collaboration tools, incident management platforms, etc.) when a scan completes. Scan Results will be sent in a JSON payload to your configured webhook endpoint.
PowerShell Commands
Updated PowerShell instructions for the Getting Started steps.
May 5, 2021
StackHawk Platform
Integrations
Quickly see what StackHawk enabled workflow integrations you have installed directly from the integrations tab.
Audit Payload
A bug was fixed related to certain audit events missing relevant details in their messages.
April 23, 2021
StackHawk Platform
(Enterprise) Audit Log
View an audit log of all activity within your organization, including when users join and leave your organization, when scans have been kicked off, when findings are triaged, and more!
Validate Findings
All scan findings can now be validated. Alerts from HawkScan can be recreated with the Validate button in the Findings tab.
HawkScan Version Tooltip
Jump into HawkDocs to learn how to update HawkScan when your version is out of date via a tooltip on the Scan Details page.
App Redirects
A bug was fixed related to following scan link urls in expired browser sessions.
April 22, 2021
HawkScan (0.11.4)
GraphQL Spider Progress
Percentage-complete progress is now output to the terminal for long-running GraphQL spiders.
Threshold Exit Code 42
When the finding threshold has been reached, HawkScan returns exit code 42 so that it can be distinguished from an unsuccessful scan, which exits with code 1.
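The distinction between exit code 42 (threshold reached, scan completed) and exit code 1 (scan did not complete) matters in CI: a build that treats both the same way cannot tell "findings were present" from "the scanner never ran properly", and the second case should never be read as a clean result. The following is an added example, not StackHawk's own code, showing one way to gate a pipeline step on those exit codes; it applies to this entry and to the February 10th, 2022 "Over failure threshold reporting as a scan error" entry above. The scanner invocation is passed in as arguments (the `sh -c 'exit 42'` calls are stand-ins for the real `hawk scan` command), so the script runs offline.

```shell
#!/bin/sh
# Added example (not StackHawk's own code): interpret HawkScan exit codes in a CI step.
# Assumption: the pipeline invokes the scanner through run_hawk_gate, e.g.
#   run_hawk_gate hawk scan stackhawk.yml
# Exit-code meanings come from the release notes: 0 success, 42 failure threshold
# reached (hawk.failureThreshold), anything else (typically 1) scan did not complete.

# classify_hawk_exit CODE -> prints one of: success, threshold, error
classify_hawk_exit() {
  case "$1" in
    0)  echo "success" ;;
    42) echo "threshold" ;;   # findings at/above the configured threshold; scan itself completed
    *)  echo "error" ;;       # scan did not complete (config, network, auth); not a clean result
  esac
}

# run_hawk_gate CMD... -> runs the scanner command, prints a one-line verdict, and
# returns the gate's own code: 0 pass, 1 threshold reached (block the merge),
# 2 scan error (investigate; do not treat as "no findings").
run_hawk_gate() {
  "$@"
  code=$?
  status=$(classify_hawk_exit "$code")
  case "$status" in
    success)
      echo "HawkScan: no findings at or above the configured failure threshold"
      return 0 ;;
    threshold)
      echo "HawkScan: findings at or above hawk.failureThreshold (exit code 42)"
      return 1 ;;
    *)
      echo "HawkScan: scan did not complete (exit code $code); result is not a pass"
      return 2 ;;
  esac
}

# Stand-alone demonstration with stand-in commands instead of a real scan.
if [ "${HAWK_GATE_DEMO:-0}" = "1" ]; then
  run_hawk_gate sh -c 'exit 0';  echo "gate=$?"
  run_hawk_gate sh -c 'exit 42'; echo "gate=$?"
  run_hawk_gate sh -c 'exit 1';  echo "gate=$?"
fi
```

Separating the error case from the threshold case is the point: a pipeline that only checks "non-zero means fail" will still block the merge, but one that checks "non-42 means pass" would wave through a scan that crashed before it tested anything.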
Inaccurate Finding/Triage Counts
Fixes the finding and triage counts not being accurate in the HawkScan terminal output.
Remove Stacktrace From Terminal Output
Removed the stacktrace from the terminal output when an incorrect applicationId is specified in the stackhawk.yml.
Redact Credentials From Terminal Output
Redact the authentication credentials from the terminal output on authentication failure.
Race Condition
Fixed an intermittent race condition when sending the final scan results to the platform.
Deprecated GraphQL Fields
The deprecated graphqlConf fields batchQueries and introspection have been removed from the terminal output banner.
April 13, 2021
HawkScan (0.11.0)
HawkScan failureThreshold
Fixes an error when you configure failureThreshold in your application config. HawkScan will now exit correctly with this configuration.
April 6, 2021
StackHawk Platform
Support Modal
Having issues with the StackHawk web app? Can’t seem to get HawkScan configured? By clicking on your username in the sidebar you can find easy access to HawkDocs and how to contact our support team.
Keyboard Control for Integrations
The tables, buttons and dropdowns of the Integration pages are now able to be controlled with a keyboard.
App Creation Wizard Display
The Application ID will be displayed without overlapping its field boundaries in the App Creation Wizard.
March 30, 2021
HawkScan (0.10.0)
SOAP API Support
Use the app.soapConf configuration section to specify a local or hosted SOAP WSDL to configure the scanner to scan your SOAP endpoints.
app.soapConf
All your inputs are belong to us
Set the app.autoInputVectors=true to ensure only the correct data types are used when scanning your API. This will help increase accuracy and completeness of the scan.
New OpenAPI Conf section
The app.api section is being deprecated in favor of app.openApiConf to allow for easier configuration and expanded options when scanning an OpenAPI based API.
app.openApiConf
OpenAPI scanning improvements
When scanning an OpenAPI-based API, HawkScan will automatically detect and configure any data-driven nodes in your API spec. This allows HawkScan to avoid rescanning repetitive paths in your site tree as well as to detect and scan sub-paths. The overall effect is a more complete and accurate OpenAPI scan.
Scan Speed + Accuracy
When scanning an API, use the StackHawk Platform Technology Flags in combination with app.autoPolicy and app.autoInputVectors to get the most out of your scan. The combination informs the scanner of the most accurate approach to attacking your application. We’ve seen a dramatic reduction in false positives, reduced scan times on large APIs, and an increase in harder-to-find vulnerabilities when using these options together on API scans.
March 23, 2021
StackHawk Platform
Keyboard Control
Users who navigate the app without a mouse will be able to perform any action a keyboard and mouse user can.
(Enterprise) Download Scan Results
Download Scan Results as JSON from Scan Details page.
(Enterprise) SAML Support
SAML authentication and authorization for accessing the StackHawk platform. Contact our sales team to learn how to add this for your organization.
Single SignOn
Members and account settings pages are updated for Single SignOn users.
Lazy loading and dependency management
Users will not load specific routes or dependencies until they need them.
Findings Management History
Findings Management History displays full history of the status of a finding.
Mobile Display on Finding Details page
Getting Started on Free Tier
Free tier users can navigate getting started flow again without getting stuck by an Upgrade modal.
Findings Path Display
Determines the validity of URIs displayed on the Finding Details page.
February 26, 2021
StackHawk Platform
New Integrations
Find documentation on the StackHawk Spinnaker, Buildkite and Bitbucket Pipeline Integrations from the Integrations tab.
Application Creation
Application creation experience includes a step-by-step wizard to guide users through scanning their first app.
Usability and Display Improvements
Improvements across the app to increase usability and display of technology flags checkboxes and the Scans and Findings tables.
Accessibility Improvements
Keyboard control improvements made to the multi-select components in the web app, as well as improved control of the left hand Welcome panel.
Finding Details Sorting
Finding Details on the Print Scan page are sorted by severity.
Finding Details Display
Resolved an issue where the Finding Details page would get confused when switching between GraphQL and REST scans.
February 15, 2021
HawkScan (0.9.0)
app.autoPolicy flag for API scans
When scanning a web API like OpenAPI or GraphQL you can use the app.autoPolicy flag to load an optimized policy for the API type. This can help increase scan speed and reduce false positives when scanning web endpoints that do not serve HTML/JavaScript.
Realtime streaming of scan findings to the platform
As security findings are found during a scan they will be sent to the platform for immediate viewing.
GraphQL Spider query improvement
The GraphQL spider process will generate queries to retrieve nested object fields that may contain data leaks… we see you.
Obscure error when using includePaths
Addressed an issue using includePaths that causes the spider to fail resulting in an obscure error on the terminal.
February 15, 2021
StackHawk Platform
Technology Flags
Optimize HawkScan by applying custom technology flags from the Applications page settings in the web app. Improve scan speeds and reduce false positives by only running tests around the technologies your application uses.
Scan Error Display
View scan errors from a tab on the Scan Details page.
Application Creation
Include http for an application’s host name if not present, and added a button to easily copy Docker commands.
Integrations Data Loading
Updated logic for Jira and Slack integrations to avoid unnecessary authentication for the Jira and Slack Integrations pages.
February 4, 2021
StackHawk Platform
Application Creation
Creating a new application in the StackHawk web app has never been smoother. Add an app from the Applications page for an optimized application creation experience.
Environments Table Graph
Who doesn’t like colorful bar graphs? View the environments table on the Applications page for a truncated version of the StackHawk graphs you know and love.
Type Errors and Warnings
Removed code that was falsely causing a few too many logging errors and added some boundaries around a type error in the onboarding flow.
January 26, 2021
StackHawk Platform
GraphQL Findings Table
Scanning your GraphQL app? The Finding Details page will now display the operation and operation name around each finding.
Sample App Onboarding Wizard
Scanning Google Firing Range for the first time is easier than ever. Updates to the onboarding modal include navigating between steps of the modal, copying shell commands and other minor visual improvements.
Plugin Table Loading State
The plugin summary table of the Scan Details page now has a loading state.
Finding Details Right Panel
The right panel on the Finding Details page is now open by default.
Changing Organizations
The profile menu in the sidebar has made it even easier to switch between multiple organizations, and a new loading animation has been added when switching organizations.
Limit User Sessions
Fixed a bug where the platform got confused if you were logged into more than one account at the same time.
Google Firing Range Banner Display
Updated logic around displaying a banner in the Applications page allowing a new user to scan the Google Firing Range app.
Usability and Display Improvements
Improvements across the app to increase usability and performance of the Finding Details panel and tab display.
January 21, 2021
HawkScan (0.8.38)
Added testPath.requestHeaders parameter to stackhawk.yml
The authentication testPath.requestHeaders is a map of extra headers to include in your testPath configuration. This is useful when using a POST route that requires JSON or some other Content-Type for requestBody.
Updated ZAP to the latest version 2.10
HawkScan has been upgraded to use ZAP 2.10, the latest stable release.
zap-extensions
Updated scan plugins from zap-extensions
Updated to the latest scanner plugins.
zap-extensions
January 12, 2021
StackHawk Platform
Sample Application Onboarding
New users who load Google Firing Range sample data can view a modal wizard which will walk them through how to scan the Firing Range App on their own.
Multiple Organizations
A user can now join multiple organizations, and switch between organizations by using the organization switcher in the left hand nav located under your profile picture.
User Invites
The user invite flow has been improved to ensure the user knows the difference between joining an organization and creating a new account.
GraphQL Support
On the Finding Details Page, the GraphQL Response Body in the right panel has been reformatted.
Finding Details Page
A selected Finding List Item will stay selected upon the Right Panel opening.
Create New App Modal
After creating a new Application from the Applications Page, the Application ID can now be visible in the Create New App success modal.
Datadog Integration
Who let the dogs out? A user can now see who enabled their organization’s Datadog integration.
December 18, 2020
StackHawk Platform
Real Time Scan Progress
Ready, set, scan! Once a HawkScan is in flight, see real time scan progress in the StackHawk web app. The Scans page displays overall scan progress. Navigating to the Scan Details page provides insight to the plugins and tests HawkScan is running, as well as details on any errored or successful scans.
December 14, 2020
StackHawk Platform
Plan Users Selection
Save yourself some clicks! Input the number of users you’d like to include in your plan - via keyboard or mouse.
Findings Details page
Uncategorized alerts would disrupt the display of metadata on the Finding Details page.
Usability and Display Improvements
Improvements across the app to increase usability and performance of the onboarding flow, integrating with Slack and using StackHawk on Safari.
December 8, 2020
HawkScan (0.8.28)
Updated scan plugins from zap-extensions
Updated to the latest scanner plugins, which address a number of bugs and false positives.
zap-extensions
hawk.failureThreshold parameter not working correctly
The hawk.failureThreshold can now be set to high, medium, or low. If any alerts are found at the supplied threshold, or higher, the scan will fail and output the count of alerts at or above the configured threshold.
Crashes due to conflicting virtual frame buffer lock files in docker compose environments
In some scenarios when running HawkScan in a docker compose environment, an existing Xvfb lock file can be present without a corresponding process. HawkScan now avoids this by detecting the X11 lock state and choosing an available display id.
December 5, 2020
StackHawk Platform
New Plans!
We are shaking the tree at StackHawk! We are now offering a free plan and a Pro plan to meet the needs of all kinds of customers, from seasoned hawks to spring chickens.
Check out our pricing page
GraphQL Findings
Scanning your GraphQL application? The StackHawk web app now identifies and displays specifics around your GraphQL queries and variables so you can easily identify your vulnerabilities from the Finding Details page.
Choose Your Own Adventure
Signing up for StackHawk for the first time? Choose your plan and what kind of application you are looking to scan in the Getting Started flow. Load in your application data or check out a scan of the Google Firing Range project to familiarize yourself with the platform.
Scan Overview
Welcome to the improved Scan Details page! Take a look at the improvements around the Scan Overview - we’ve added a new graph and display to help you identify the criticalities of the vulnerabilities in your application.
Filtered Scan Results
Click on the environment name from the Applications page to see a filtered view of your Scans specific to that application and environment.
Nudges
New to the StackHawk web app? We’ll highlight some of the awesome features of the application for you. Look for the glowing buttons!
Usability and Display Improvements
Improvements across the app to increase usability and performance of the login flow, display in various browsers and responsive behavior. Sometimes the Getting Started flow didn’t load to help users get started.
November 24, 2020
HawkScan (0.8.26)
Memory Management
Performance and stability improvements when scanning large sites.
November 23, 2020
StackHawk Platform
StackHawk Free Tier
If you are an individual developer looking to get the application security basics under your belt, our all-new free tier was built just for you. In this single user plan, you will get all the best parts of StackHawk’s Team plan. You can run scans and manage findings for a single application and receive weekly updates.
Usability and Display Improvements
Improvements across the app to increase usability of Announcements panel, Slack Integration and Settings pages.
November 10, 2020
StackHawk Platform
Recaptcha Verification on Account Signup
Email signups will now be verified with reCaptcha v3 technology because bots are sneaky.
Jira Integration
Fixed a bug with the Jira Integration when sending findings to Jira next-gen projects, the integration now uses the correct “Bug” issue type enabled for the project.
November 9, 2020
StackHawk Platform
Release Notes Nudge
See a visual indicator in the web app sidebar when new release notes have been published
Findings Status History
View who last updated a finding’s status from the Findings Details page panel Activity tab
Usability and Display Improvements
Improvements across the app to increase usability of Announcements panel, Findings Details table, Login and Settings pages
Adding Applications with Low Risk Level
Applications with a risk level of low can be added in the Getting Started flow and Applications page
October 30, 2020
StackHawk Platform
Bug Fixes
We broke the validate button. In this release, we fixed it. Various other bug fixes and improvements.
October 29, 2020
StackHawk Platform
Print Scan Report
Print or download a report of scan findings for an application and environment from the Scans and Scans Details pages.
Opt out of weekly emails
Opt out of weekly emails from the Notifications panel of the Settings page.
Usability and Display Improvements
Improvements across the web app to increase usability of scrollbars, form fields, mobile display, announcements panel and table spacing
October 20, 2020
StackHawk Platform
HawkDocs
HawkDocs have been updated with a new design, dark mode, and responsive mobile layouts.
Check out the Updated Docs
October 19, 2020
HawkScan (0.8.16)
Configuration controls for file-based GraphQL schemas
HawkScan was released with improvements to the GraphQL vulnerability scanner configuration to support scanning with file-based schemas.
October 14, 2020
StackHawk Platform
Application Table View
Listed Applications can be viewed as a table, rather than cards, in the StackHawk platform. This creates more real estate for organizations with many applications.
Remove users from the Organization
Organization owners can now remove users from their org.
Application metadata
Assign Risk Level and Data Type for your applications from the Applications page of the StackHawk platform.
Scan Details Page
When viewing the scan details page, the version of HawkScan alongside whether an update is available is displayed.
Release Notes in HawkDocs
Review the StackHawk and HawkScan release notes from the official documentation.
Read our Release Notes
Jira Actions
Taking Jira actions on the Findings page has been improved on the paths table and details panel. Jira tickets search has been optimized.
Errored Environment Cards
When an error occurs during a scan the associated environment card on the Applications page will accurately display an errored state.
October 13, 2020
HawkScan (0.8.14)
Scanning URLs without a specified port
HawkScan was released with a fix to support scanning endpoints that don’t specify a port.
October 12, 2020
HawkScan (0.8.12)
Include Paths
HawkScan will now accept the app.includePaths configuration, specifying any routes the scanner should visit.
Error Handling
HawkScan will now send additional telemetry and provide improved exception introspection.
September 25, 2020
StackHawk Platform
Weekly Summary Emails
Organization owners will now receive a weekly email summarizing their organization's activity in StackHawk.
Datadog Integration
Send your StackHawk scan notifications to Datadog.
Read the docs
View in app
Keyboard Navigation
Accessibility improvements around navigating the StackHawk platform via keyboard
Applications Page Table View
View your applications and environments in a compact view from the Applications page
Getting Started Flow
Added clarity around the steps of the Getting Started flow, as well as the ability to skip the Getting Started flow
PowerShell Commands
The StackHawk application will detect your operating system and display the proper set of command-line shell commands
Applications Page Display
Applications page display on mobile and tablet size screens has been updated to improve usability
Finding Details Panel Stickiness
The panel will now persist the user's choice of viewing request or response metadata for a specific finding.
Placeholders
Placeholder UI implemented for the API key table, members table and account info pages.
App creation wizard modals no longer overlay each other.
Application filters
The application filter shows the application name instead of the ID when navigating to the Applications page with query strings in the URL.
Fixed hover state color in dropdown menus.
September 10, 2020
HawkScan (0.8.10)
GraphQL file loading
Support loading a GraphQL schema from a file.
September 1, 2020
StackHawk Platform
GA Release
August 28, 2020
StackHawk Platform
Toast Notifications
Toast notifications now display error messages, in addition to success confirmations, when taking action on scan findings.
August 27, 2020
HawkScan (0.8.8)
Error Logging
Use Python print() in most places; errors still use the logging mechanism.
Terminal Output Colors
The term_color flag is checked in the Logger module to respect colored output in the terminal.
August 24, 2020
StackHawk Platform
Billing
Improved access to the billing page from the account settings view
Slack Integration
Connect StackHawk with Slack and receive notifications on HawkScan events
Read the docs
View in app
August 24, 2020
HawkScan (0.8.6)
Terminal Output Colors
Adds colors and logging for YAML exceptions, with clear color delineation of problem items in the YAML config.
Configuration Loader
Updated the config loader to include the filename with the stream.
Exception and Error Handling
Added a new exception type for YAML exceptions, made the top-level exception handler more granular, and added generic log output controls for info and error levels.
ZAP False Positives
Disables certain ZAP plugins that were causing false positive reports in scanned applications.
August 20, 2020
HawkScan (0.8.4)
Improved GraphQL scanning support
Auth recheck on long running scans
Modified HawkScan memory settings
August 17, 2020
StackHawk Platform
Billing
Choose between the Startup, KaaKaww, or Enterprise Plans on the StackHawk settings page
Bamboo Integration
Find documentation on the StackHawk Bamboo Integration from the Integrations tab
Findings Management Controls
Improved the display of findings status in the right panel, linking to Jira from the right panel, and the status update experience.
Settings page routing
Each page of the settings menu has a dedicated URL
Applications Card Display
Increased size of the kebab button on the cards of the Applications page
Getting Started Flow
Refreshing the page during the Getting Started flow will preserve your progress in the flow
August 17, 2020
HawkScan (0.8.2)
Fixed a bug related to scanning for organizations without a subscription.
August 17, 2020
HawkScan (0.8.0)
Checks for a valid subscription when scanning.
Copy updates to the terminal scan results output text.
August 3, 2020
StackHawk Platform
Pagination
Data returned for the Findings and Scans tables is paginated to improve the performance of unbounded data lists.
Password Reset
Reset your password for accessing the StackHawk platform from the profile page
Settings Navigation
Settings navigation is optimized for mobile and small screen sizes
Graph Popover
Hovering over the graphs on the Applications page will display details of a specific scan
Applications Options
From the Applications page view your latest scan results for a specific application by choosing one of the options in the kebab menu
July 22, 2020
StackHawk Platform
Applications and Environments Overview
See current status, history of past scans, and manage your applications and environments via the Applications tab in the sidebar
Finding Details pagination
Findings Details page contains pagination controls
Mobile UI
Modals display has been improved for usability on smaller screen sizes
Cleaned up Jira page requests to remove excessive calls fetching Jira projects and issues.
July 13, 2020
StackHawk Platform
Jira Integration
Integrate with your Jira Software instance to manage your appsec bugs by assigning and linking to Jira tickets
Read the docs
View in app
Scan Filtering
Filter scans in the Scans List by Application and Environment
Integrations
New link to Azure Pipelines HawkDocs
Findings Management
Scan findings URLs are now sorted alphabetically as well as by status
June 29, 2020
HawkScan (0.7.2)
Header Replacer Support
Enables manipulation of request headers to better support apps running behind a proxy
GraphQL Config Section
Support for tuning the GraphQL introspection process
Rate Limiting Controls
Provides more control over the aggressiveness of the scanning capability
Kotlin Scripting Support
ZAP open source contribution for Kotlin support
Passthrough Config Support for ZAP
Supports advanced ZAP configuration via StackHawk YAML
GraphQL Introspection
More support for enumeration types and improvements to the test query builder
Flexible logging control for ZAP
Adds support for debug logging
Transparent localhost proxy instead of url rewriting
Better support for scanning localhost networking scenarios and reverse proxies
June 19, 2020
StackHawk Platform
Paths tab
Assess completeness of scans by reviewing all paths scanned by HawkScan
Integrations
New links to Concourse CI and GitHub Actions HawkDocs
Findings Management
Bulk controls UI improvements, findings table UI improvements, and findings are now sorted alphabetically
Findings Management Alert Rules
Alert rules are now specific to request method
Scans Table
Pagination controls are accessible at the top of the Scans table
This Announcement Panel!
See specific changes for HawkScan and StackHawk platform
Applications Page Results
See up to 100 applications on Applications page
Invite users popup UX fixes
URI Truncation
URI truncation in many places throughout the application for readability
Validate Findings
The generated curl command now wraps the request body in double quotes.
June 6, 2020
HawkScan (0.6.14)
Terminal Output
Scan progress is now printed to the terminal output
GraphQL Querying Improvements
June 5, 2020
StackHawk Platform
StackHawk Authentication
Log in using any email via StackHawk authentication, or via OAuth with Google and GitHub.
Findings Management
Take action from the Findings Management right panel for triaging your application’s security vulnerabilities
App Creation Wizard
Added missing escape characters to the StackHawk.yml downloaded from the App Creation Wizard.
May 29, 2020
StackHawk Platform
This Announcement Panel!
Announcement panel is a source for release notes, social links, docs and submitting feedback
Findings Management
Users may now triage scan findings by marking them as Assigned, Risk Accepted or False Positive
Scans List Table
As part of Findings Management, the scan list will now reflect new findings (not yet triaged) and a count of triaged findings
Browser Support and Logout Notification
Users on unsupported browsers will see a new informational page, and users logged out due to inactivity will be notified via toast notification
Faster Performance for Scan Findings Display
May 14, 2020
HawkScan (0.6.6)
Support for GraphQL Union and Interface Types
Support OpenAPI and GraphQL API Scanning with the same Config and App
HawkScan now supports configuration for customers that use both OpenAPI spec and GraphQL API scanning.
GitLab DAST Report Updates
Customers using the StackHawk integration with GitLab will now see findings updated in their report dashboard.
May 8, 2020
StackHawk Platform
Curl Attack Regenerator
Users may quickly validate a finding by clicking the "Recreate" button. This generates a curl command that a user may paste into their terminal in debug mode to quickly recreate the attack request.
Improvements to the Getting-Started Page Navigation
Scan List Pagination
Improvements to Mobile Styling
May 8, 2020
HawkScan (0.6.4)
GitLab CI/CD Service Templates
May 4, 2020
StackHawk Platform
Advanced Slack Integration Configuration
You may now configure updates from specific applications to be sent to specific Slack channels, ensuring that your teams only get updates about the applications relevant to their workflow.
Logout events now propagate across all open tabs.
Login-timeout redirects will take you to the last requested page instead of the last visited page.