Tracking updates to the StackHawk platform and HawkScan.
Current HawkScan Version: 2.8.0
Enhanced Application Filter
The application filter now includes the application uuid, allowing for all applications, even those with conflicting names, to show up in the filter dropdown.
GitHub Integration Pull Request Checks
You can now get GitHub pull request checks and comments from StackHawk by installing the official StackHawk GitHub App and updating your `stackhawk.yml` with the correct scan tags. GitHub Pull Request Checks
Fixed some instances where our SAST buttons weren't quite styled to our standards.
SAST Application Badging
Applications mapped to SAST integrations will now always show the appropriate badging on the applications page.
Custom Variable Injection
HawkScan can now generate smarter values when scanning with an OpenAPI configuration. Custom variables can now be configured with Faker supplied data for better scan results. Smart values for Parameters
Custom Test Scripts
Users can now add their own active scan tests with HawkScan Script support, enabling application security checks using custom business logic and/or data. Create and Register Custom Test Script
GraphQL Exclude Operations
Specific operations can now be ignored when scanning GraphQL APIs. The `graphqlConf.excludeOperations` setting can be populated with pairs of GraphQL operation names and types, and those operations will be excluded from the scan. Configure GraphQL
Custom Scan Discovery
HawkScan can now intercept the HTTP traffic from any software development tool that supports proxy configuration. Discover your web application with Postman Collections, Cypress test suites, and even Curl commands. Custom Scan Discovery
Postman Scan Discovery
HawkScan users with Postman Collections can discover more of their scanned application with new configuration for Postman Scan Discovery. Postman Scan Discovery
Documentation has been added describing _Scan Discovery_ the process for spidering and discovering your web application with HawkScan. Scan Discovery
Custom Variable Injection for REST APIs
You can supply a list of custom variables for each parameter in your OpenAPI definition, and HawkScan will randomly inject a variable from the corresponding list when scanning your API. Using Custom Variable Injection
Scan Tags are name value pairs that represent metadata you can use to capture additional state or context around a scan. Scan Tags
More info in CLI banner
When run with the `--debug` flag, the CLI banner now displays additional information on the current scan.
Various YAML config validation bugs
Certain fields around GraphQL and auth scripts were not being validated properly. These fields are now properly validated.
Windows CLI instability issues
Fixed classpath construction issues with the ZAP subprocess in Windows environments.
Active Script exception handling
HawkScan will now terminate a scan when an active script fails.
Domain level cookies not being sent to the application
Cookies scoped to the domain of the application being scanned are now passed to the application correctly. For instance, *.example.com vs app.example.com.
Fixed several bugs that caused spontaneous page hangs or crashes in the StackHawk UI.
Summary Scan Reports
Generate reports summarizing your most recent scans across all applications and environments. Reports
Validate OpenAPI configuration command
The "hawk validate api" can be used to validate the OpenAPI configuration in your stackhawk.yml without running a scan.
Custom Test Scripts (BETA)
Users can now add their own active scan tests with HawkScan Custom Test Scripts, enabling application security checks using custom business logic and/or data. Custom scan rules
Hidden Files Found scan rule false positives
Updated the Hidden Files Found scan rule to not trigger on ambiguous https status codes like 3xx redirect codes.
Path Traversal scan rule false positives
Updated logic regarding 3xx redirect code analysis on responses to avoid false positives.
Fixed a bug where StackHawk wouldn't always track issues sent to Jira in scan findings
The Official StackHawk GitHub Integration is live, allowing you to correlate GitHub CodeQL findings as you scan.
Disabled problematic and informational scan rules
Scan policies now exclude the following, (10058) GET for POST, (10104) User Agent Fuzzer, (20014) HTTP Parameter Pollution, (40023) Possible Username Enumeration, (90027) Cookie Slack Detector, (40016) Cross Site Scripting (Persistent) - Prime, (40017) Cross Site Scripting (Persistent) - Spider, (90017) XSLT Injection, (90034) Cloud Metadata Potentially Exposed
Updated networking stack
The core networking stack has been updated to use netty 4 allowing for http 2 support.
Permissions issue with git clone in docker image
Using the --git-url/GIT_URL option with the stackhawk/hawkscan docker image will clone the git repo to the home directory of the non-root docker user, instead of /hawk, to avoid permission errors.
Authentication form POST using HTTP/1.0
The authentication form POST will now use HTTP/1.1 which is the default for all other traffic.
Create an App
Made it easier to get your YAML file and run a scan after creating a new application.
Applications option is now first in the navigation bar.
Clicking on metrics in the environment card will navigate users to its latest scan.
Fixed minor issues that were causing the application page to freeze.
Paths will now be populated when creating a new issue.
Create an App
Fixed an issue preventing users from adding their API specification when creating an application.
Fixed minor issues with cross site scripting rule, date time conversions, and plugin reporting
Enhanced Create an App Flow
Improved instructions on how to provide your API key to the scanner during the first app creation process.
SAST Integration Bugs
Restored the ability to remove a linked SAST project and fixed issues with SAST badging not displaying correctly in some places such as scan results and the applications list.
Updated ZAP to the latest version 2.12.0
Hawkscan has been upgraded to use ZAP 2.12.0 the latest stable release. zap-extensions
Additional Scan Alert Details
HawkScan is now collecting additional details from scan alerts, including the request / response time, history type, and alert reference.
Escape sequence handling in the config
Fixed a bug when handling exotic escape character sequences in the `loggedInIndicator` and `loggedOutIndicator` fields.
StackHawk grows with your team! Small teams can now upgrade to our Pro or Enterprise plans without paying for more developers than you have right now.
Authenticated Scanning Helper
Additional third-party authentication providers have been added including Okta, Firebase and Keycloak.
Pagination and filtering will not reset if users navigate to an individual scan and decide to navigate back to the scans page.
Authenticated Scanning Helper
Users can now add authentication through third-party providers such as Auth0 or other OAuth-based services. Support for additional OAuth providers will be coming in the near future.
Fixed issue where excludePaths would not work unless at least 1 includePath was set
Token Extraction Regex
tokenExtraction.value regex was too strict, removed regex for easier use
Added ability to supply seed paths to supplement spider in crawling applications seedPaths
Spring4Shell Alpha Scan Rule
Synced with latest zap extensions to obtain Spring4Shell scan rule
Download Scan Logs
Added "hawk download log" command which can be used to download logs for specific scans
Minor Security Vulnerabilities
Squashed a handful of minor security vulnerabilities
Updated Github Actions integrations to reflect changes using the CLI
Added an extra flag that outputs verbose logging to the foreground
Added ability for HawkScan to detect Log4Shell vulnerabilities
Support For M1 Architecture
Added support for Docker and HawkScan CLI for multi architecture
Updated ZAP Integrations
Updated HawkScan with the lastest upstream changes from ZAP
Improved validation for JSON schema plugin and security certificate errors
Debug Flag Causing Double Printout
Fixed issue with the --debug flag causing double printout of logs
Maximum Duration Flag
Fixed issue with the maximum duration flag not being respected in Ajax scans
Slack Integration Button Style
Our Slack Integration install button was less-than-visible, but you can see it again!
Auth Helper Popup
The auth helper popup will no longer appear over the new application wizard
The dates in the application will correctly appear in the user’s local time
Defect Dojo Integration
Find documentation on the StackHawk Defect Dojo Integration from the Integrations tab
Visual callouts to scans list and scan details page for Log4Shell scans
Add an App Button
Users on a Free plan that already have an application will be prompted with an upgrade message once they click on Add an App button
Authenticated Scanning Popup
After running their first scan, users can open a helper that will help them setup authenticated scanning.
Authenticated Scanning Helper
Users can easily learn how to authenticate their application with this helper. It includes information about injecting a token or cookie, or using HTTP and JSON form authentication methods. After users select their authentication method, they will be shown a YAML snippet that should be added to their stackhawk.yml file.
Added technology flag for the Java Spring framework
Updated config validation error handling
Added contextual error messaging to invalid scan configurations
Apply path excludes globally
The app excludePaths are now applied globally instead of just on active scan requests, exclude paths will be applied to the spider and all other requests through the proxy. This allows for definitive blocking of paths that may be sensitive to scan requests. Application Exclude Paths
JWT Token failing to refresh
For longer scans (>30m) the platform jwt token will now auto-refresh for uploading scan logs to the platform
Over failure threshold reporting as a scan error
When the configured failure threshold was reached on a scan the scan was being marked as an error in the platform. The scan is no longer marked as an error when the failure threshold is reached but the exit code is still 42 so the build will fail. Failure Threshold
Organizations without any applications will no longer see a generic platform error
Inactive trial accounts will be downgraded to free plan at 90 days
Button to CLI docs
Links to CLI documentation iis now included when a user Creates an App
Plan name is displayed in audit log events regarding a subscription
Audit log and email notifications can now be accessed from the settings page on mobile devices
The checkout modal now closes when a yearly subscription is successfully updated, and various visual fixes.
Jira Cloud Issue Triage
Searching for an existing issue when sending an alert to Jira Cloud can now search by the issue key directly.
The StackHawk CLI can be used without Docker to perform scans and validate configurations. The CLI is also included in the Docker image as it is the same scan engine for the CLI or Docker container. StackHawk CLI
New hawk validate config command
A new command "hawk validate config" that will lint and validate your stackhawk.yml configuration files without performing a scan. Config validation is also performed before a scan to ensure accuracy.
Schema linting and validation for stackhawk.yml files in IDE's
The stackhawk.yml file schema is publicly available via SchemaStore.org enabling realtime linting and validation of the stackhawk.yml configuration files in many popular IDE's. SchemaStore.org
Removed dependency on python
The python based entrypoint command has been replaced with the new JVM based CLI command hawk scan.
Updated Docker image OS to Ubuntu 20
The base OS for the HawkScan docker container has been update to Ubuntu 20 and the latest version of Firefox.
Updated error output
Error output now contains contextual references to the YAML causing the error as well as links to corresponding documentation.
StackHawk Enterprise Trial
Newly signed up users will automatically be on a 14-day free trial with access to all Enterprise StackHawk features. Users will be automatically downgraded to the Free version after 14 days if a purchase of Pro or Enterprise is not made. If a trial extension is required, users can contact support via Intercom on the Pricing Page or within the app.
We have simplified subscription management in our UI. Users can now self-service for both Pro and Enterprise subscriptions and easily select the number of developers when upgrading to Pro or Enterprise plans.
Env Card Graphs
Application page graphs are no longer constantly reloading.
Delete Env Modal
Deleting environment modal was automatically closing. The modal will now only close when you tell it to.
GraphQL generated .yml file specifies a POST request instead of GET request.
Find out how long each plugin takes from the plugin summary tab of the scan details page for a better understanding of how HawkScan scans your application.
Jira Issues are now retrieved when the Send to Jira modal opens.
Choosing to load example scan data from Google Firing Range will no longer show the Welcome modal to new users.
Getting Started Updates
Plan descriptions and initial scan selections have been updated to better reflect scanning your own application or loading example scan data.
Create an Application Updates
When creating an application, you can now define a specific application type, which will generate a customized scan configuration allowing you to get started scanning faster. Additionally, the Technology Flags step has been removed from this flow, but can still be accessed under application settings.
Findings Other Info
The Other Info field of a finding has been surfaced in the Finding Details panel when available.
(Enterprise) API Source in Audit Log
API label is added to events sent from the public StackHawk API to the audit log.
Integration Error State
Integration pages now feature a new error state when integration channels cannot be retrieved.
Invited users see a welcome modal, while new users that are owners of their organization are directed to create an application after providing onboarding information.
Deleting last environment on a filtered applications view updates to reflect deletion.
(Enterprise) StackHawk API Access
The StackHawk API is now available for public use by organizations on the Enterprise plan. With extensive documentation and resources, developers can now programmatically manage StackHawk applications and environments directly from the command line. Read the Docs
Authentication and Session script support
Authentication and Session management scripts are now supported and configurable via authentication.script and authentication.sessionScript configurations.
OpenAPI request generation
A bug in hawkscan 0.11.11 the openapi request generator was not handling incomplete request body references and request bodies with mixed $ref and sub property definitions.
A bug in hawkscan 0.11.11 was causing openapi v2 specifications to fail instead of falling back to the v2 parsing engine.
Fixed an issue where some GraphQL results were displayed incorrectly when viewing scan findings.
Jira Issue Promotion
Fixed an issue where the dropdown to select a Jira project was not populating while triaging issues.
Header Replacer Rules
A bug in hawkscan 0.11.10 that was causing the header replacer configuration to fail has been fixed.
Added improved error detection in openapi specifications that do not result in routes being discovered on your application.
Custom scripts are now loaded before any authentication or API discovery traffic, allowing for custom auth and API discovery requests.
Git Repo Mounting
Added the ability to mount a remote git repository for a project instead of a docker volume mount.
Improved error handling to catch errors returned when using https localhost URIs.
Application View Updates
Improved the UI for accessing Application settings. Clicking on the application name or the arrow control will allow you to access your Application details and scan settings, such as Technology Flags.
Updated the Slack channel configuration UI to account for any deleted Applications or Environments that are mapped to a Slack channel.
Delete Applications, Environments, and Scans
Remove outdated or unused scans, applications and environments from your organization.
Application Creation Modal
The application creation modal will be reset to its default state when closing the modal.
(Pro & Enterprise) Audit Log Messaging
Audit log provides a better message around removing scans from your organization.
Curl Command Generation
Curl commands with nested single quotes are now able to be used to validate findings.
The application name is now present in the downloadable stackhawk.yml.
Fixed announcements panel notifications for when new release notes are published.
(Pro & Enterprise) Create an App Flow: Tech Flags
We have added the ability to modify technology flags during the application creation process. Technology Flags allow you to fine-tune the tests HawkScan runs to better match your tech stack, leading to faster scans and fewer false positives.
Create an App Flow
The application creation modal has been updated to include the guided wizard interface.
Getting Started Flow
We now retain the Application ID when clicking back or on to a specific step in the Getting Started wizard.
Repository Metadata Collection
Fixed a bug that made HawkScan error out when collecting metadata.
SOAP specific scan policies
HawkScan now automatically configures scan policies for SOAP API endpoints to include relevant tests.
HawkScan now targets GraphQL, OpenAPI and SOAP APIs with more specific and relevant attack vectors.
Fixed a bug with merging scan policy overlays when configured for GraphQL and OpenAPI scanning.
Token authentication will now redact the external token from the scan config.
Jira Data Center Integration
Enterprise Plan organizations can now triage scan findings with the Jira Data Center Integration. This integration will connect with an Atlassian Jira Server or Atlassian Data Center to create or link Jira issues from StackHawk findings.
Fixed a bug with Jira Cloud integration where the platform could not detect if a project management integration is installed.
HawkScan terminal error output includes more details when validating authentication via the testPath.
Fixed a bug with HawkScan output reporting incorrect counts of triaged findings.
Fixed a bug when configuring a GraphQL schema endpoint with a trailing slash, and the reporting of scanned graphql paths.
Fixed a bug in application specific policies that was preventing plugin overrides from working correctly.
Microsoft Teams Integration
Organizations on the Enterprise Plan can now send Scan Notifications to configured Microsoft Teams channels whenever a scan is run and completed.
Generic Webhooks are now available for Organizations on the Enterprise Plan. Send Scan Results to third-party systems (collaboration tools, incident management platforms, etc.) when a scan completes. Scan Results will be sent in a JSON payload to your configured webhook endpoint.
Updated Powershell instructions for the Getting Started steps.
Quickly see what StackHawk enabled workflow integrations you have installed directly from the integrations tab.
A bug was fixed related to certain audit events missing relevant details in their messages.
(Enterprise) Audit Log
View an audit log of all activity within your organization, including when users join and leave your organization, when scans have been kicked off, when findings are triaged, and more!
All scan findings can now be validated. Alerts from HawkScan can be recreated with the Validate button in the Findings tab.
HawkScan Version Tooltip
Jump into HawkDocs to learn how to update HawkScan when your version is out of date via a tooltip on the Scan Details page.
A bug was fixed related to following scan link urls in expired browser sessions.
GraphQL Spider Progress
Percentage complete progress output to the terminal for long running GraphQL spiders.
Threshold Exit Code 42
When the finding threshold has been reached return exit code 42 so it can be distinguished from an unsuccessful scan with an exit code of 1.
Inaccurate Finding/Triage Counts
Fixes the finding and triage counts not being accurate in the HawkScan terminal output.
Remove Stacktrace From Terminal Output
Removed the stacktrace from the terminal output when an incorrect applicationId is specified in the stackhawk.yml.
Redact Credentials From Terminal Output
Redact the authentication credentials from the terminal output on authentication failure.
Fixed an intermittent race condition when sending the final scan results to the platform.
Deprecated GraphQL Fields
The deprecated graphqlConf fields batchQueries and introspection have been removed from the terminal output banner.
Fixes an error when you configure failureThreshold in your application config. HawkScan will now exit correctly with this configuration.
Having issues with the StackHawk web app? Can’t seem to get HawkScan configured? By clicking on your username in the sidebar you can find easy access to HawkDocs and how to contact our support team.
Keyboard Control for Integrations
The tables, buttons and dropdowns of the Integration pages are now able to be controlled with a keyboard.
App Creation Wizard Display
The Application ID will be displayed without overlapping its field boundaries in the App Creation Wizard.
SOAP API Support
Use the app.soapConf configuration section to specify a local or hosted SOAP WSDL to configure the scanner to scan your SOAP endpoints. app.soapConf
All your inputs are belong to us
Set the app.autoInputVectors=true to ensure only the correct data types are used when scanning your API. This will help increase accuracy and completeness of the scan.
New OpenAPI Conf section
The app.api section is being deprecated in favor of app.openApiConf to allow for easier configuration and expanded options when scanning an OpenAPI based API. app.openApiConf
OpenAPI scanning improvements
When scanning an OpenAPI-based API, HawkScan will automatically detect and configure any data driven nodes in your API spec. This allows the HawkScan to avoid rescanning repetitive paths in your site tree as well as detect and scan sub paths. The overall effect is a more complete and accurate OpenAPI scan.
Scan Speed + Accuracy
When scanning an API use the StackHawk Platform Technology Flags in combination with app.autoPolicy and app.autoInputVectors to get the most out of your scan. The combination will inform the scanner of the most accurate approach to attacking your application. We've seen a dramatic reduction in false positives, reduced scan times on large API's, and an increase in harder to find vulnerabilities when using these options together on API scans.
Users who navigate the app without a mouse will be able to perform any action a keyboard and mouse user can.
(Enterprise) Download Scan Results
Download Scan Results as JSON from Scan Details page.
(Enterprise) SAML Support
SAML authentication and authorization for accessing the StackHawk platform. Contact our sales team to learn how to add this for your organization.
Members and account settings pages are updated for Single SignOn users.
Lazy loading and dependency management
Users will not load specific routes or dependencies until they need them.
Findings Management History
Findings Management History displays full history of the status of a finding.
Mobile Display on Finding Details page
Getting Started on Free Tier
Free tier users can navigate getting started flow again without getting stuck by an Upgrade modal.
Findings Path Display
Determines the validity of URIs displayed on the Finding Details page.
Find documentation on the StackHawk Spinnaker, Buildkite and Bitbucket Pipeline Integrations from the Integrations tab.
Application creation experience includes a step-by-step wizard to guide users through scanning their first app.
Usability and Display Improvements
Improvements across the app to increase usability and display of technology flags checkboxes and the Scans and Findings tables.
Keyboard control improvements made to the multi-select components in the web app, as well as improved control of the left hand Welcome panel.
Finding Details Sorting
Finding Details on the Print Scan page are sorted by severity.
Finding Details Display
Resolved an issue where the Finding Details page would get confused when switching between GraphQL and REST scans.
app.autoPolicy flag for API scans
Realtime streaming of scan findings to the platform
As security findings are found during a scan they will be sent to platform for imediate viewing.
GraphQL Spider query improvement
The GraphQL spider process will generate queries to retrieve nested object fields that may contain data leaks... we see you.
Obscure error when using includePaths
Addressed an issue using includePaths that causes the spider to fail resulting in an obscure error on the terminal.
Optimize HawkScan by applying custom technology flags from the Applications page settings in the web app. Improve scan speeds and reduce false positives by only running tests around the technologies your application uses.
Scan Error Display
View scan errors from a tab on the Scan Details page.
Include http for an application’s host name if not present, and added a button to easily copy Docker commands.
Integrations Data Loading
Updated logic for Jira and Slack integrations to avoid unnecessary authentication for the Jira and Slack Integrations pages.
Creating a new application in the StackHawk web app has never been smoother. Add an app from the Applications page for an optimized application creation experience.
Environments Table Graph
Who doesn’t like colorful bar graphs? View the environments table on the Applications page for a truncated version of the StackHawk graphs you know and love.
Type Errors and Warnings
Removed code that was falsely causing a few too many logging errors and added some boundaries around a type error in the onboarding flow.
GraphQL Findings Table
Scanning your GraphQL app? The Finding Details page will now display the operation and operation name around each finding.
Sample App Onboarding Wizard
Scanning Google Firing Range for the first time is easier than ever. Updates to the onboarding modal include navigating between steps of the modal, copying shell commands and other minor visual improvements.
Plugin Table Loading State
The plugin summary table of the Scan Details page now has a loading state.
Finding Details Right Panel
The right panel on the Finding Details page is now open by default.
The profile menu in the sidebar has made it even easier to switch between multiple organizations, and a new loading animation has been added when switching organizations.
Limit User Sessions
Fixed a bug where the platform got confused if you were logged into more than one account at the same time.
Google Firing Range Banner Display
Updated logic around displaying a banner in the Applications page allowing a new user to scan the Google Firing Range app.
Usability and Display Improvements
Improvements across the app to increase usability and performance of the Finding Details panel and tab display.
Added testPath.requestHeaders parameter to stackhawk.yml
The authentication testPath.requestHeaders is a map of extra headers to include in your testPath configuration. This is useful when using a POST route that requires JSON or some other Content-Type for requestBody.
Updated ZAP to the latest version 2.10
Hawkscan has been upgraded to use ZAP 2.10 the latest stable release. zap-extensions
Updated scan plugins from zap-extentions
Updated to the latest scanner plugins zap-extensions
Sample Application Onboarding
New users who load Google Firing Range sample data can view a modal wizard which will walk them through how to scan the Firing Range App on their own.
A user can now join multiple organizations, and switch between organizations by using the organization switcher in the left hand nav located under your profile picture.
The user invite flow has been improved to ensure the user knows the difference between joining an organization and creating a new account.
On the Finding Details Page, the GraphQL Response Body in the right panel has been reformatted.
Finding Details Page
A selected Finding List Item will stay selected upon the Right Panel opening.
Create New App Modal
After creating a new Application from the Applications Page, the Application ID can now be visible in the Create New App success modal.
Who let the dogs out? A user can now see who enabled their organization’s Datadog integration.
Real Time Scan Progress
Ready, set, scan! Once a HawkScan is in flight, see real time scan progress in the StackHawk web app. The Scans page displays overall scan progress. Navigating to the Scan Details page provides insight to the plugins and tests HawkScan is running, as well as details on any errored or successful scans.
Plan Users Selection
Save yourself some clicks! Input the number of users you’d like to include in your plan - via keyboard or mouse.
Findings Details page
Uncategorized alerts would disrupt the display of metadata on the Finding Details page.
Usability and Display Improvements
Improvements across the app to increase usability and performance of the onboarding flow, integrating with Slack and using StackHawk on Safari.
Updated scan plugins from zap-extentions
Updated to the latest scanner plugins which address a number of bugs and false positives. zap-extensions
The hawk.failureThreshold can now be set to high, medium, or low. If any alerts are found a for the supplied threshold, or higher, the scan will fail and output the count of alerts at or above the configured threshold.
Crashes due to conflicting virtual frame buffer lock files in docker compose environments
In some scenarios running hawkscan in a docker compose environment, an existing Xvfb lock file can be present without the process. Avoid this by detecting X11 lock state and choosing an available id.
We are shaking the tree at StackHawk! We are now offering a free plan and a Pro plan to meet the needs of all kinds of customers, from seasoned hawks to spring chickens. Check out our pricing page
Scanning your GraphQL application? The StackHawk web app now identifies and displays specifics around your GraphQL queries and variables so you can easily identify your vulnerabilities from the Finding Details page.
Choose Your Own Adventure
Signing up for StackHawk for the first time? Choose your plan and what kind of application you are looking to scan in the Getting Started flow. Load in your application data or check out a scan of the Google Firing Range project to familiarize yourself with the platform.
Welcome to the improved Scan Details page! Take a look at the improvements around the Scan Overview - we’ve added a new graph and display to help you identify the criticalities of the vulnerabilities in your application.
Filtered Scan Results
Click on the environment name from the Applications page to see a filtered view of your Scans specific to that application and environment.
New to the StackHawk web app? We'll highlight some of the awesome features of the application for you. Look for the glowing buttons!
Usability and Display Improvements
Improvements across the app to increase usability and performance of the login flow, display in various browsers and responsive behavior. Sometimes the Getting Started flow didn’t load to help users get started.
Performance and stability improvements when scanning large sites.
StackHawk Free Tier
If you are an individual developer looking to get the application security basics under your belt, our all-new free tier was built just for you. In this single user plan, you will get all the best parts of StackHawk's Team plan. You can run scans and manage findings for a single application and receive weekly updates.
Usability and Display Improvements
Improvements across the app to increase usability of Announcements panel, Slack Integration and Settings pages.
Recaptcha Verification on Account Signup
Email signups will now be verified with reCaptcha v3 technology because bots are sneaky.
Fixed a bug with the Jira Integration when sending findings to Jira next-gen projects, the integration now uses the correct “Bug” issue type enabled for the project.
Release Notes Nudge
See a visual indicator in the web app sidebar when new release notes have been published
Findings Status History
View who last updated a finding’s status from the Findings Details page panel Activity tab
Usability and Display Improvements
Improvements across the app to increase usability of Announcements panel, Findings Details table, Login and Settings pages
Adding Applications with Low Risk Level
Applications with a risk level of low can be added in the Getting Started flow and Applications page
We broke the validate button. In this release, we fixed it. Various other bug fixes and improvements.
Print Scan Report
Print or download a report of scan findings for an application and environment from the Scans and Scans Details pages.
Opt out of weekly emails
Opt out of weekly emails from the Notifications panel of the Settings page.
Usability and Display Improvements
Improvements across the web app to increase usability of scrollbars, form fields, mobile display, announcements panel and table spacing
HawkDocs have been updated with a new design, dark mode, and responsive mobile layouts. Check out the Updated Docs
Configuration controls for file-based GraphQL schemas
HawkScan was released with improvements to the GraphQL vulnerability scanner configuration to support scanning with file-based schemas.
Application Table View
Listed Applications can be viewed as a table, rather than cards, in the StackHawk platform. This creates more real estate for organizations with many applications.
Remove users from the Organization
Organization owners can now remove users from their org.
Assign Risk Level and Data Type for your applications from the Applications page of the StackHawk platform.
Scan Details Page
When viewing the scan details page, the version of HawkScan alongside whether an update is available is displayed.
Release Notes in HawkDocs
Review the StackHawk and HawkScan release notes from the official documentation. Read our Release Notes
Taking Jira actions on the Findings page has been improved on the paths table and details panel. Jira tickets search has been optimized.
Errored Environment Cards
When an error occurs during a scan the associated environment card on the Applications page will accurately display an errored state.
Scanning urls without a specified port
HawkScan was released with a fix to support scanning endpoints that don't specify a port.
Hawkscan will now accept the `app.includePaths` configuration, specifying any routes the scanner should visit. Read the docs
Hawkscan will now send additional telemetry and improved exception introspection.
Weekly Summary Emails
Organization owners will now see a weekly email containing summaries of your weekly activity using StackHawk
Send your StackHawk scan notifications to Datadog. Read the docs
Accessibility improvements around navigating the StackHawk platform via keyboard
Applications Page Table View
View your applications and environments in a compact view from the Applications page
Getting Started Flow
Added clarity around the steps of the Getting Started flow, as well as the ability to skip the Getting Started flow
The StackHawk application will detect your operating system and display the proper set of command-line shell commands
Applications Page Display
Applications page display on mobile and tablet size screens has been updated to improve usability
Finding Details Panel Stickiness
Panel will now persist user’s choice of viewing request or response metadata for a specific finding
Placeholder UI implemented for API key table, members table and account info pages
App creation wizard modals will not overlay on each other
Application filter shows application name instead of ID when navigating to the Applications page with query strings in the URL
Hover state color in dropdown menus
GraphQL file loading
Support using GraphQL schema from file
Toast notifications now display error messages, in addition to success confirmations when taking action on scan findings
Use python `print()` in most places - errors still use the logging mechanism
Terminal Output Colors
term_color flag is checked in the Logger module to respect colored output in the terminal
Improved access to the billing page from the account settings view
Connect StackHawk with Slack and receive notifications on HawkScan events Read the docs
Terminal Output Colors
Adds colors and logging for YAML exceptions and clear color delineation for problem items in the YAML config
Update the config loader to include the filename with the stream
Exception and Error Handling
Add new exception type for YAML exceptions, granulate the exception handler on the top level and add generic log output controls for info and error
ZAP False Positives
Disables certain zap plugins causing false positive reports in scanned applications
Improved GraphQL scanning support
Auth recheck on long running scans
Modified HawkScan memory settings
Choose between the Startup, KaaKaww, or Enterprise Plans on the StackHawk settings page
Find documentation on the StackHawk Bamboo Integration from the Integrations tab
Findings Management Controls
Improved display of findings status in the right panel, linking to Jira from the right panel and updating status experience
Settings page routing
Each page of the settings menu has a dedicated URL
Applications Card Display
Increased size of the kebab button on the cards of the Applications page
Getting Started Flow
Refreshing the page during the Getting Started flow will preserve your progress in the flow
Bug related to scanning for organizations without a subscription
Check for valid subscription when scanning
Copy in terminal scan results output text
Data returned for Findings and Scans tables is paginated to improve performance of unbounded data lists
Reset your password for accessing the StackHawk platform from the profile page
Settings navigation is optimized for mobile and small screen sizes
Hovering over the graphs on the Applications page will display details of a specific scan
From the Applications page view your latest scan results for a specific application by choosing one of the options in the kebab menu
Applications and Environments Overview
See current status, history of past scans, and manage your applications and environments via the Applications tab in the sidebar
Finding Details pagination
Findings Details page contains pagination controls
Modals display has been improved for usability on smaller screen sizes
Cleanup Jira page request to remove excessive calls to get Jira projects and issues
Integrate with your Jira Software instance to manage your appsec bugs by assigning and linking to Jira tickets Read the docs
Filter scans in the Scans List by Application and Environment
New link to Azure Pipelines HawkDocs
Scan findings URLs are now sorted alphabetically as well as by status
Header Replacer Support
Enables manipulation of request headers to better support apps running behind a proxy
GraphQL Config Section
Support for tuning the GraphQL introspection process
Rate Limiting Controls
Provides more control over the aggressiveness of the scanning capability
Kotlin Scripting Support
ZAP open source contribution for Kotlin support
Passthrough Config Support for ZAP
Supports advanced ZAP configuration via StackHawk YAML
More support for enumeration types and improvements to the test query builder
Flexible logging control for ZAP
Adds support for debug logging
Transparent localhost proxy instead of url rewriting
Better support for scanning localhost networking scenarios and reverse proxies
Assess completeness of scans by reviewing all paths scanned by HawkScan
New links to Concourse CI and Github Actions HawkDocs
Bulk controls UI improvements, findings table UI improvements, and findings are sorted alphabetically
Findings Management Alert Rules
Alert rules are now specific to request method
Pagination controls are accessible at the top of the Scans table
This Announcement Panel!
See specific changes for HawkScan and StackHawk platform
Applications Page Results
See up to 100 applications on Applications page
Invite users popup UX fixes
URI truncation in many places throughout the application for readability
curl command generated with double quotes around request body
Scan progress is now printed to the terminal output
GraphQL Querying Improvements
Log in using any email via StackHawk authentication, or OAuth via Google and Github
Take action from the Findings Management right panel for triaging your application’s security vulnerabilities
App Creation Wizard
Add missing escape characters to downloaded StackHawk.yml from App Creation Wizard
This Announcement Panel!
Announcement panel is a source for release notes, social links, docs and submitting feedback
Users may now triage scan findings by marking them as Assigned, Risk Accepted or False Positive
Scans List Table
As part of Findings Management, the scan list will now reflect new findings (not yet triaged) and a count of triaged findings
Browser Support and Logout Notification
Users on unsupported browsers will see a new informational page, and users logged out due to inactivity will be notified via toast notification
Faster Performance for Scan Findings Display
Support for GraphQL Union and Interface Types
Support OpenAPI and Graphql API Scanning with same Config and App
HawkScan now supports configuration for customers that utilize both OpenAPI spec and GraphQL API scanning
Gitlab DAST Report Updates
Customers utilizing the StackHawk integration with Gitlab will now see findings updated in their report dashboard.
Curl Attack Regenerator
Users may quickly validate a finding by clicking the “Recreate” button. This generates a curl command that a user may paste into their terminal in debug mode and quickly recreate an attack
Improvements to the Getting-Started Page Navigation
Scan List Pagination
Improvements to Mobile Styling
GitLab CI/CD Service Templates
Advanced Slack Integration Configuration
You may now configure updates from specific applications to be sent to specific channels in Slack, ensuring that your teams are only getting updates about the applications relevant to their workflow
Logout event percolates across all open tabs
Login-timeout redirects will take you to the last requested page instead of the last visited page