Changelog

Tracking updates to the StackHawk platform and HawkScan since 2019

April 29th, 2026

StackHawk Platform

Added

Findings Page

View, sort, and filter all open findings across every app and environment in your org in a single table. Findings are refreshed automatically after every scan.

Added

Service Keys

Long-lived, organization-owned API keys purpose-built for CI/CD scanning. Unlike personal API keys that are tied to an individual user, service keys belong to the organization itself, so they keep working when team members come and go. Each key is created with the Scan Only role, which grants only the permissions needed to run and upload scans across any team's applications — and nothing more. Manage them under Settings → Service Keys, gated by the new Read / Write / Delete Service Account permissions.

Added

FlightPath - Private Preview

FlightPath generates authenticated scan configurations automatically. Log in to your application through FlightPath's built-in browser, and StackHawk's AI agent captures your auth flow, maps your endpoints, and generates a complete scan configuration in minutes. No YAML required. Now available in private preview for Enterprise and Scale customers.

April 17th, 2026

HawkScan (5.5.0)

Improvement

Field-Level Config Validation Errors

hawk validate config now reports validation errors at the specific YAML field that caused the problem with clear, actionable messages — explaining why a path is invalid, what is wrong with a regex, or which authorization method to add. Empty cookieAuthorization and tokenAuthorization blocks, malformed logged-in and logged-out indicator regexes, and missing authentication fields now produce precise errors instead of generic failures.

Improvement

Offline Config Validation

hawk validate config, hawk validate auth, and hawk validate api now skip calls to the StackHawk platform when every environment variable in your config resolves locally (via System.getenv, the env file, or ${VAR:default} syntax). You can validate configurations without an API key when they don't need platform-managed secrets. When variables remain unresolved, the platform is contacted as before.
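The local-resolution rule above (process environment, then env file, then an inline `${VAR:default}` default, with the platform contacted only for what remains) is easy to get subtly wrong, so here is an added, stand-alone illustration of that decision. It is example code written for this page, not HawkScan's resolver; the KEY=VALUE env-file format, the sample config text and the `needs_platform_lookup` name are assumptions.

```python
"""Resolve ${VAR} and ${VAR:default} placeholders locally and report which
ones still need a remote (platform) lookup. Illustrative code, not HawkScan's."""
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# ${NAME} or ${NAME:default}; the default may be empty and may itself contain ':'.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines (assumed format); blank lines and '#' comments are ignored."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values


def resolve_placeholders(
    config_text: str,
    env_file: Mapping[str, str],
    environ: Optional[Mapping[str, str]] = None,
) -> Tuple[str, List[str]]:
    """Substitute placeholders and return (resolved_text, unresolved_names).

    Lookup order: process environment, then env file, then inline default.
    A placeholder with no source and no default is left exactly as written
    and reported, so the caller knows a platform-managed secret is still needed.
    """
    env = os.environ if environ is None else environ
    unresolved: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        if name in env_file:
            return env_file[name]
        if default is not None:          # '' is a valid (empty) default
            return default
        unresolved.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(substitute, config_text), unresolved


def needs_platform_lookup(config_text: str, env_file: Mapping[str, str],
                          environ: Optional[Mapping[str, str]] = None) -> bool:
    """True when at least one placeholder could not be resolved locally."""
    return bool(resolve_placeholders(config_text, env_file, environ)[1])


# Constructed sample: one value from the env file, one inline default, and one
# that only a remote secret store could supply.
SAMPLE_ENV_FILE = parse_env_file("# local secrets (constructed)\nAPI_TOKEN=local-token-123\n")
SAMPLE_CONFIG = (
    "app:\n"
    "  host: ${HOST:http://localhost:3000}\n"
    "  token: ${API_TOKEN}\n"
    "  dbPassword: ${DB_PASSWORD}\n"
)

if __name__ == "__main__":
    text, missing = resolve_placeholders(SAMPLE_CONFIG, SAMPLE_ENV_FILE, environ={})
    print(text)
    print("unresolved:", missing, "-> contact platform:", bool(missing))
```

Passing an explicit `environ` mapping keeps the check deterministic in CI; with the default `None` the real process environment is consulted, which is what you want when validating on a developer machine.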

Fixed

Authenticated MCP Server Scanning

Fixed authentication headers not being applied to MCP server handshake and scanner re-fetch requests. Because MCP's text/event-stream transport requires a bare HTTP client instead of ZAP's HttpSender, the session-management pipeline was bypassed and Authorization headers from externalCommand authentication were never stamped onto MCP traffic — causing 401 responses and a Gson parse crash. MCP servers requiring authentication now scan correctly.

April 22nd, 2026

StackHawk Platform

Added

Organization IP Allow List

Restrict access to your StackHawk organization to a set of approved IPv4 CIDR ranges. When configured, only users connecting from a listed range can reach the platform.
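Here is an added example of how such an IPv4 CIDR allow list is evaluated, together with the two sanity checks an administrator wants before saving one (no catch-all range, and the saving admin's own address is included). This is illustrative code written for this page, not StackHawk's implementation; the function names and the sample ranges are assumptions.

```python
"""IPv4 CIDR allow-list evaluation with the checks an admin wants before
enabling it. Illustrative code, not StackHawk's implementation."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def parse_allow_list(cidrs: Iterable[str]) -> List[IPv4Net]:
    """Parse CIDR strings strictly: host bits must be zero and only IPv4 is accepted."""
    networks: List[IPv4Net] = []
    for cidr in cidrs:
        # strict=True rejects "203.0.113.5/24": a typo that would silently widen the range
        net = ipaddress.ip_network(cidr.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"{cidr}: only IPv4 ranges are accepted")
        networks.append(net)
    return networks


def is_allowed(client_ip: str, networks: List[IPv4Net]) -> bool:
    """Allow only IPv4 clients that fall inside at least one listed range.

    An empty list means the feature is not configured, so access is not
    restricted. Addresses that fail to parse are denied, never allowed.
    """
    if not networks:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if addr.version != 4:        # an IPv6 client can never match an IPv4-only list
        return False
    return any(addr in net for net in networks)


def check_before_enabling(cidrs: Iterable[str], admin_ip: str) -> List[IPv4Net]:
    """Parse the list and refuse it if it restricts nothing or would lock out
    the administrator who is saving it."""
    networks = parse_allow_list(cidrs)
    if any(net.prefixlen == 0 for net in networks):
        raise ValueError("0.0.0.0/0 allows every address; remove it or use a narrower range")
    if not is_allowed(admin_ip, networks):
        raise ValueError(f"{admin_ip} is not in the allow list; saving it would lock you out")
    return networks


if __name__ == "__main__":
    # Constructed sample ranges (RFC 5737 documentation space and a private /8).
    allowed = check_before_enabling(["10.0.0.0/8", "203.0.113.0/24"], admin_ip="10.9.9.9")
    for ip in ("10.1.2.3", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", "allow" if is_allowed(ip, allowed) else "deny")
```

The address handed to `is_allowed` must be the one the platform actually trusts as the client's source (the TCP peer, or the address a trusted load balancer reports), not a value the client can set itself.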

April 17th, 2026

StackHawk Platform

Added

Scan Config Validation

Test your scan configuration and authentication setup against StackHawk-hosted infrastructure in seconds — before running a full scan. The new Test Config button in the Scan Config Drawer validates your stackhawk.yml with field-level error feedback (including exact JSON paths) and, if authentication is configured, executes the login flow against your application to confirm that credentials, success indicators, and cookies all work. Config errors and auth errors are reported separately so you know exactly what kind of problem you're dealing with. No local HawkScan install required.

April 6th, 2026

HawkScan (5.4.0)

Added

Machine-Readable JSON Output

New hawk scan --json-output flag outputs scan results as structured JSON to stdout, with all console output suppressed. Ideal for AI agent workflows and tool integrations that need to parse findings, errors, warnings, and threshold results programmatically.

Added

YAML Config Output for App Creation

New hawk create app --yaml flag outputs a stackhawk.yml configuration stub to stdout after app creation, enabling scripted workflows that pipe directly into config files.

Added

MCP Server Scanning

HawkScan can now scan MCP (Model Context Protocol) servers for security vulnerabilities. Configure app.jsonRpcConf.mcp to discover and test MCP tools for injection, SSRF, path traversal, and other attack vectors through the standard MCP handshake lifecycle.

Added

Blind SQL Injection Detection

The blind SQL injection detection check has been broken out into a separate scan rule (400021) that runs after the boolean-based check (400030). This allows for more accurate detection of blind SQL injection vulnerabilities by using a different set of payloads and response analysis techniques that are better suited for blind testing.

Improvement

OpenRPC Spec Path Discovery

JSON-RPC scanning now supports automatic method discovery via a hosted OpenRPC spec. Configure hawk.jsonRpc.path to point to your OpenRPC spec endpoint and HawkScan will discover all available JSON-RPC methods automatically.

Improvement

Sensitive Data Detection Scan Rules

Plugins that detect Credit Card Numbers, Email Addresses, HTML Comments, and IBAN Numbers in responses and local storage have been improved to reduce false positives and improve accuracy.

Improvement

PostgreSQL Injection Detection Timing Based Check (420022)

Improved the timing checks for PostgreSQL Injection detection to reduce false positives and increase accuracy. The scanner now uses a more robust method of measuring response times and comparing them to baseline measurements, resulting in more reliable detection of timing-based SQL injection vulnerabilities.

Improvement

Schema Validation

The stackhawk.yml schema validator is now strict about unknown properties. Unexpected properties in stackhawk.yml now produce warnings instead of being ignored. AI agents should now produce cleaner configurations that adhere to the schema, and users will get immediate feedback on typos or misconfigurations in their YAML files.
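The three validation entries on this page (field-level errors with precise messages in 5.5.0, JSON-path error feedback in the platform's Test Config button, and the strict unknown-property warnings here) all rest on one idea: walk the configuration alongside a schema and report each problem at its exact path. The following is an added example of that walk, written for this page rather than taken from HawkScan. `SCHEMA` is a constructed subset of the stackhawk.yml layout for illustration only; the `validate` function, its severities and the sample config are assumptions.

```python
"""Field-level validation of a stackhawk.yml-style mapping: unknown keys get a
warning with their JSON path, empty auth blocks and invalid indicator regexes
get errors. SCHEMA is a constructed subset for illustration, not the real schema."""
import re
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, json_path, message)

# Constructed subset of the config schema: a dict means a nested mapping,
# a type means a leaf whose value must be an instance of that type.
SCHEMA: Dict[str, Any] = {
    "app": {
        "applicationId": str,
        "env": str,
        "host": str,
        "authentication": {
            "cookieAuthorization": {"cookieNames": list},
            "tokenAuthorization": {"type": str, "value": str},
            "loggedInIndicator": str,
            "loggedOutIndicator": str,
        },
    },
    "hawk": {"spider": {"base": bool, "ajax": bool}},
}

AUTH_BLOCKS = ("cookieAuthorization", "tokenAuthorization")
INDICATORS = ("loggedInIndicator", "loggedOutIndicator")


def validate(config: Dict[str, Any], schema: Dict[str, Any] = SCHEMA,
             path: str = "$") -> List[Finding]:
    """Return every finding with the JSON path of the offending field."""
    findings: List[Finding] = []
    for key, value in config.items():
        here = f"{path}.{key}"
        if key not in schema:
            # Strict mode: unexpected properties are surfaced instead of ignored.
            findings.append(("warning", here, f"unknown property '{key}' (typo?)"))
            continue
        expected = schema[key]
        if isinstance(expected, dict):
            if not isinstance(value, dict):
                findings.append(("error", here, "expected a mapping"))
            elif key in AUTH_BLOCKS and not value:
                findings.append(("error", here,
                                 f"{key} is empty; specify its fields or remove the block"))
            else:
                findings.extend(validate(value, expected, here))
        elif not isinstance(value, expected):
            findings.append(("error", here,
                             f"expected {expected.__name__}, got {type(value).__name__}"))
        elif key in INDICATORS:
            try:
                re.compile(value)            # indicators are regexes; fail early if malformed
            except re.error as exc:
                findings.append(("error", here, f"invalid regex: {exc}"))
    return findings


def has_errors(findings: List[Finding]) -> bool:
    return any(severity == "error" for severity, _, _ in findings)


# Constructed config with a misspelled key, an empty auth block and a bad regex.
SAMPLE_CONFIG: Dict[str, Any] = {
    "app": {
        "applicationId": "00000000-0000-0000-0000-000000000000",  # placeholder id
        "env": "Development",
        "host": "http://localhost:3000",
        "authentication": {
            "cookieAuthorization": {},
            "loggedInIndicator": "(Logout",
        },
        "authenticaton": {"tokenAuthorization": {"type": "header"}},
    },
}

if __name__ == "__main__":
    for severity, json_path, message in validate(SAMPLE_CONFIG):
        print(f"{severity:8} {json_path}: {message}")
```

Reporting the JSON path (for example `$.app.authentication.cookieAuthorization`) rather than a line number keeps the message stable whether the config came from a file, a UI form or an AI agent.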

Fixed

Profile Selection Crash

Fixed an UnsupportedOperationException crash when using scan profiles.

Fixed

Target Reachability Check

Fixed the target reachability check to properly fail with a clear error when the target host is unreachable, instead of proceeding with an invalid configuration.

Fixed

SARIF URI Encoding

Fixed double percent-encoding in SARIF artifact URIs (e.g. %253C instead of %3C) and switched to IRI-form Unicode output.
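Double percent-encoding is a classic serialization bug: a value that is already encoded passes through the encoder a second time, so the `%` of `%3C` becomes `%25`. As an added illustration (written for this page, not HawkScan's SARIF writer), the block below shows the faulty "encode twice" behaviour beside an encode-once variant that keeps non-ASCII characters literally (IRI form), plus a quick audit check for existing SARIF files. Function names and sample paths are assumptions.

```python
"""Percent-encoding SARIF artifact URIs exactly once, in IRI form (non-ASCII
kept literally), plus a check for already double-encoded URIs.
Illustrative code, not HawkScan's SARIF writer."""
import re
from urllib.parse import quote, unquote

# RFC 3986 unreserved characters plus '/' as the path separator.
KEEP = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/")
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def iri_encode_path(path: str) -> str:
    """Encode reserved ASCII characters once; leave non-ASCII as-is (IRI form)."""
    out = []
    for ch in path:
        if ch in KEEP or ord(ch) > 0x7F:
            out.append(ch)
        else:
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def buggy_artifact_uri(path: str) -> str:
    """The 'before' behaviour: the value is encoded on the way into an
    intermediate structure and again on output, so '<' ends up as '%253C'."""
    once = quote(path, safe="/")
    return quote(once, safe="/")     # second pass re-encodes the '%' itself


def artifact_uri(path: str) -> str:
    """Encode exactly once. Decoding first makes the function idempotent, so a
    caller that accidentally passes an already-encoded path gets the same result."""
    return iri_encode_path(unquote(path))


def looks_double_encoded(uri: str) -> bool:
    """Cheap audit for SARIF files already produced: '%25' followed by two hex
    digits is almost always a sign of double encoding."""
    return bool(DOUBLE_ENCODED.search(uri))


if __name__ == "__main__":
    for p in ("src/<script>.js", "docs/über.md", "a b.js"):   # constructed paths
        print(f"{p!r:20} buggy={buggy_artifact_uri(p):28} fixed={artifact_uri(p)}")
```

The decode-first step is a guard, not a substitute for discipline: the durable fix is to encode at exactly one boundary (serialization) and to keep everything upstream as plain, unencoded paths.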

April 2nd, 2026

StackHawk Platform

Added

Team Admin Role

Enterprise and Scale customers can now assign Team Admins to manage users, applications, and scan policies within their teams — without provisioning full org-level access.

Added

View-Only Role

A new View-Only role gives auditors and stakeholders full read-only visibility across all teams and applications without the ability to modify anything.

February 17th, 2026

HawkScan (5.3.0)

Added

JSON-RPC Scanning

HawkScan now supports security testing of JSON-RPC 2.0 APIs. Configure the app.jsonRpcConf section to scan your JSON-RPC endpoints for vulnerabilities.

Added

Modern AJAX Spider

A completely rewritten AJAX Spider with multi-pass discovery and framework-aware crawling. Automatically detects Angular, React, Vue, and Next.js applications and extracts routes from framework routers and JavaScript bundles for more thorough coverage of single-page applications.

Added

DOM XSS Sink Detection

The AJAX Spider now instruments dangerous DOM APIs during crawling to detect potential DOM XSS sinks in real time. The DOM XSS scanner uses these findings to prioritize attack vectors for more accurate results.

Added

JSON-RPC and gRPC Authentication

New authentication types JSON_RPC and GRPC allow HawkScan to authenticate natively against JSON-RPC and gRPC APIs. Configure app.authentication with the new type and specify the method to call (e.g., auth.login for JSON-RPC or /auth.AuthService/Login for gRPC).

Improvement

Migrated to Chrome for Browser Automation

HawkScan now uses Chrome via Puppeteer for all browser-based scanning, replacing Firefox and Selenium. This improves reliability and performance for AJAX spidering and DOM XSS scanning.

Improvement

OpenAPI Server Variable Resolution

OpenAPI 3.0 server URLs with {variable} placeholders are now automatically resolved to their default values during spec parsing. This fixes an issue where server variables like {basePath} were not being substituted correctly.
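For readers who want to see the substitution rule concretely, here is an added example of resolving OpenAPI 3.0 server variables to their declared defaults, including the two failure cases a parser must handle (a placeholder that is not declared, and a declared variable without a default, which the 3.0 spec requires). This is illustrative code written for this page, not HawkScan's spec parser; the function names and the sample server object are assumptions.

```python
"""Resolve {variable} placeholders in an OpenAPI 3.0 server URL to the
declared defaults. Illustrative code, not HawkScan's spec parser."""
import re
from typing import Any, Dict, List

VARIABLE = re.compile(r"\{([^{}]+)\}")


def resolve_server_url(server: Dict[str, Any]) -> str:
    """Return server['url'] with every {name} replaced by variables[name]['default']."""
    url: str = server["url"]
    variables: Dict[str, Dict[str, Any]] = server.get("variables", {})

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in variables:
            raise ValueError(f"server variable {{{name}}} is used in the URL but not declared")
        var = variables[name]
        if "default" not in var:
            raise ValueError(f"server variable {{{name}}} has no default (required by OpenAPI 3.0)")
        value = str(var["default"])
        if "enum" in var and value not in [str(v) for v in var["enum"]]:
            raise ValueError(f"default {value!r} for {{{name}}} is not one of its enum values")
        return value

    return VARIABLE.sub(substitute, url)


def resolve_servers(spec: Dict[str, Any]) -> List[str]:
    """Resolve every entry of the top-level 'servers' array."""
    return [resolve_server_url(s) for s in spec.get("servers", [])]


# Constructed spec fragment; the host name is a placeholder.
SAMPLE_SERVER = {
    "url": "https://{host}:{port}/{basePath}",
    "variables": {
        "host": {"default": "api.example.test"},
        "port": {"enum": ["443", "8443"], "default": "443"},
        "basePath": {"default": "v2"},
    },
}

if __name__ == "__main__":
    print(resolve_server_url(SAMPLE_SERVER))
```

A scanner should raise on the undeclared-variable case rather than leave `{basePath}` in the URL, since an unresolved placeholder silently sends every request to a path that does not exist.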

Improvement

Faster Scan Initialization

Scan initialization is significantly faster thanks to parallelized analysis. Applications with many endpoints will see up to 4x faster startup times before active scanning begins.

Improvement

DOM XSS Scanning Reliability

DOM XSS scanning is now more reliable with configurable timeouts, automatic popup and download handling, and smarter element targeting. Scans no longer hang on pages with complex JavaScript interactions.

Improvement

ORG_ID Environment Variable for CLI

The hawk create app command now supports the ORG_ID environment variable, matching the existing behavior of hawk list plugin. Set ORG_ID once instead of passing --org-id on every command.

Removed

Firefox Browser Support Deprecated

The FIREFOX_HEADLESS and FIREFOX options for hawk.spider.ajaxBrowser are now deprecated. HawkScan defaults to CHROME_HEADLESS for all browser-based scanning. If your configuration specifies Firefox, update it to use CHROME_HEADLESS or CHROME.

January 15th, 2026

HawkScan (5.2.0)

Improvement

Parameterized URL Alert Triage

Alerts for parameterized endpoints now use consistent fingerprinting across scans. URLs like /users/123 and /users/456 are recognized as the same endpoint pattern (/users/{id}), enabling accurate alert triage and trend tracking even when path parameter values change between scans.
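The fingerprinting described above comes down to normalizing variable path segments before hashing the alert key. As an added example (written for this page, not HawkScan's triage code), the block below collapses numeric, UUID and long-hex segments to placeholders, builds a stable fingerprint from method, normalized path, rule and parameter, and groups alerts from two constructed scans. The segment rules, function names and sample alerts are assumptions.

```python
"""Stable alert fingerprints for parameterized endpoints: /users/123 and
/users/456 collapse to /users/{id} so one alert can be tracked across scans.
Illustrative code, not HawkScan's triage implementation."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

UUID_SEGMENT = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_SEGMENT = re.compile(r"^[0-9a-f]{16,}$", re.I)   # tokens, hashes, object ids
NUMERIC_SEGMENT = re.compile(r"^\d+$")


def normalize_path(path: str) -> str:
    """Replace value-like path segments with placeholders; drop query and fragment."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    out: List[str] = []
    for seg in path.split("/"):
        if NUMERIC_SEGMENT.match(seg):
            out.append("{id}")
        elif UUID_SEGMENT.match(seg):
            out.append("{uuid}")
        elif HEX_SEGMENT.match(seg):
            out.append("{hash}")
        else:
            out.append(seg)
    return "/".join(out)


def alert_fingerprint(method: str, path: str, rule_id: str,
                      param: Optional[str] = None) -> str:
    """Hash of (method, endpoint pattern, rule, parameter); independent of path values."""
    key = f"{method.upper()} {normalize_path(path)} {rule_id} {param or ''}"
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


Alert = Tuple[str, str, str, Optional[str]]   # (method, path, rule_id, param)


def group_alerts(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group raw alerts (possibly from several scans) by fingerprint -> concrete paths."""
    groups: Dict[str, List[str]] = {}
    for method, path, rule_id, param in alerts:
        groups.setdefault(alert_fingerprint(method, path, rule_id, param), []).append(path)
    return groups


# Constructed alerts from two scans; "example-rule" is a placeholder rule id.
SAMPLE_ALERTS: List[Alert] = [
    ("GET", "/users/123", "example-rule", "id"),                       # scan 1
    ("GET", "/users/456?verbose=1", "example-rule", "id"),             # scan 2, new id value
    ("GET", "/orders/123", "example-rule", "id"),                      # different endpoint
    ("GET", "/files/0123456789abcdef0123456789abcdef", "example-rule", None),
]

if __name__ == "__main__":
    for fp, paths in group_alerts(SAMPLE_ALERTS).items():
        print(fp, "->", normalize_path(paths[0]), paths)
```

The heuristic has a known edge: a literal segment that happens to be all digits (a version like `/2024/` or a fixed resource name) is also collapsed. When an OpenAPI spec is available, matching the path against the spec's declared templates is more precise than guessing from the shape of the segment.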

Improvement

Global Parameter Priority

User-provided global parameters now correctly override crawl plan default values. Previously, faker expressions or context templates in the crawl plan could take precedence over explicitly configured global parameters.

Fixed

SQL Injection False Positives

Reduced false positives in boolean-based blind SQL injection detection. The scanner now correctly identifies when both true and false condition payloads return identical error pages, skipping alerts in these cases. Alert details now include both request/response pairs for easier validation.

Fixed

Crawl Plan URL Handling

Fixed an issue where URLs could be lost from the scan when using crawl plans with Data Driven Nodes (DDNs). The scanner now safely handles DDN conversion failures and preserves all discovered endpoints.

December 17th, 2025

HawkScan (5.1.0)

Added

React2Shell Vulnerability Detection

New active scan rule (40058) detects React2Shell remote code execution vulnerabilities (CVE-2025-55182, CVE-2025-66478) in Next.js and React Server Components. This critical vulnerability allows unauthenticated attackers to execute arbitrary commands through unsafe deserialization in the React Flight protocol.

Improvement

Smart Crawl Plan Active Scanning

Endpoints discovered by smart crawl plan are now properly fuzzed by the active scanner.

Fixed

Include/Exclude Paths with Smart Crawl Plan

Fixed an issue where includePaths and excludePaths configurations were not being applied to smart crawl plan operations. Path filtering now correctly filters operations before crawl plan execution begins.

December 13th, 2025

HawkScan (5.0.0)

Added

Business Logic Testing with Multi-Profile Scanning

HawkScan now supports multi-profile scanning for comprehensive business logic testing. Configure multiple authentication profiles to automatically test for:

  • BOLA (Broken Object Level Authorization) - cross-user resource access
  • BFLA (Broken Function Level Authorization) - privilege escalation

Read the docs to configure multi-profile testing.

Added

Smart Crawl Plan for OpenAPI

When an OpenAPI specification is configured, HawkScan automatically generates a smart crawl plan that understands your API's structure and data relationships, enabling more effective security testing.

Added

Evidence Chain for Authorization Alerts

BOLA and BFLA alerts now include evidence chains showing the cross-profile access attempts and responses.

Improvement

Pre-flight Authentication Check

Multi-profile scans now verify authentication for all profiles before starting the scan, failing fast if credentials are invalid.

Improvement

Multiple OpenAPI File Support

HawkScan can now merge multiple OpenAPI specification files into a unified API definition.

Improvement

gRPC Custom Variables

Added object notation and path filtering for custom variables in gRPC configurations.

Improvement

Native Trust Store

HawkScan can now use the native system trust store on multiple operating systems.

Added

Sensitive Data Detection Plugins

New passive scan plugins detect sensitive data exposure in HTTP responses:

  • Credit Card Numbers (100008)
  • Email Addresses (100009)
  • HTML Comments (100011)
  • IBAN Numbers (100012)

Fixed

Authentication Redaction

External command authentication parameters are now properly redacted in logs and output.

Fixed

SQL Injection False Positives

Reduced false positives in the SQL Injection scan rule for applications with input validation:

  • Improved response comparison by stripping all query/form parameter values (not just the tested parameter) to handle validation error messages with non-deterministic ordering
  • Added 4xx status code detection to skip alerts when both original and attack responses return the same 4xx status, indicating input validation rejection rather than SQL injection behavior
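This entry and the HawkScan 5.2.0 note above (January 15th, 2026) describe the same three false-positive guards for boolean-based injection checks: ignore identical 4xx responses, strip every submitted parameter value before comparing bodies so validation messages in any order compare equal, and skip when the true and false conditions produce indistinguishable pages. The block below is an added illustration of that decision logic written for this page, not HawkScan's scan rule. The `Exchange` type, the function names and the sample responses are constructed; the condition payloads are deliberately shown as placeholders.

```python
"""False-positive guards for a boolean-based injection check: identical 4xx
responses mean input validation, submitted values are stripped before bodies
are compared, and indistinguishable true/false conditions are not reported.
Illustrative code, not HawkScan's scan rule."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Exchange:
    """One request/response pair: the parameters sent and what came back."""
    status: int
    body: str
    params: Dict[str, str] = field(default_factory=dict)


def normalized_body(x: Exchange) -> str:
    """Strip every submitted value, then sort lines.

    Longest values go first so a short value that is a substring of a longer
    one leaves no residue; sorting makes validation messages that are echoed
    in a non-deterministic order compare equal."""
    body = x.body
    for value in sorted((v for v in x.params.values() if v), key=len, reverse=True):
        body = body.replace(value, "")
    lines = sorted(line.strip() for line in body.splitlines() if line.strip())
    return "\n".join(lines)


def is_validation_rejection(baseline: Exchange, attack: Exchange) -> bool:
    """Same 4xx status for original and attack: the input was rejected, not executed."""
    return 400 <= baseline.status < 500 and baseline.status == attack.status


def boolean_blind_indicator(baseline: Exchange, true_cond: Exchange,
                            false_cond: Exchange) -> bool:
    """Report only when the true condition behaves like the original request
    and the false condition behaves differently."""
    if is_validation_rejection(baseline, true_cond) and is_validation_rejection(baseline, false_cond):
        return False
    b, t, f = (normalized_body(x) for x in (baseline, true_cond, false_cond))
    if t == f:            # both conditions hit the same page (e.g. one generic error page)
        return False
    return b == t         # true condition matches baseline, false condition differs


# Placeholders standing in for the scanner's actual condition payloads.
TRUE_PAYLOAD = "<true-condition payload>"
FALSE_PAYLOAD = "<false-condition payload>"


def sample_injectable() -> bool:
    """Constructed: true condition returns the product, false condition does not."""
    baseline = Exchange(200, "Product: Widget\nPrice: 10", {"id": "7"})
    true_cond = Exchange(200, "Product: Widget\nPrice: 10", {"id": "7" + TRUE_PAYLOAD})
    false_cond = Exchange(200, "No product found", {"id": "7" + FALSE_PAYLOAD})
    return boolean_blind_indicator(baseline, true_cond, false_cond)


def sample_validation_rejection() -> bool:
    """Constructed: every request is rejected with 400 and the values echoed back."""
    baseline = Exchange(400, "Invalid value for id: 7\nInvalid value for sort: name",
                        {"id": "7", "sort": "name"})
    true_cond = Exchange(400, f"Invalid value for sort: name\nInvalid value for id: 7{TRUE_PAYLOAD}",
                         {"id": "7" + TRUE_PAYLOAD, "sort": "name"})
    false_cond = Exchange(400, f"Invalid value for id: 7{FALSE_PAYLOAD}\nInvalid value for sort: name",
                          {"id": "7" + FALSE_PAYLOAD, "sort": "name"})
    return boolean_blind_indicator(baseline, true_cond, false_cond)


def sample_same_error_page() -> bool:
    """Constructed: both conditions produce the same generic 500 page."""
    baseline = Exchange(200, "Product: Widget", {"id": "7"})
    true_cond = Exchange(500, "Something went wrong", {"id": "7" + TRUE_PAYLOAD})
    false_cond = Exchange(500, "Something went wrong", {"id": "7" + FALSE_PAYLOAD})
    return boolean_blind_indicator(baseline, true_cond, false_cond)


if __name__ == "__main__":
    print("injectable:", sample_injectable())
    print("validation rejection:", sample_validation_rejection())
    print("same error page:", sample_same_error_page())
```

Keeping both request/response pairs on the alert, as the 5.2.0 entry notes, is what lets a reviewer re-run exactly this comparison by hand when triaging.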

November 13th, 2025

StackHawk Platform

Added

Test Coverage for OWASP LLM Top 10

StackHawk now tests for five critical LLM risks from the OWASP LLM Top 10:

  • LLM01: Prompt Injection
  • LLM02: Improper Output Handling
  • LLM04: Unbound Consumption
  • LLM06: Sensitive Data Disclosure
  • LLM09: System Prompt Leakage

Read the docs to enable test coverage.

October 23rd, 2025

StackHawk Platform

Added

Semgrep Integration

The official Semgrep integration is live, allowing joint users to correlate StackHawk DAST findings with Semgrep SAST results. When both tools identify the same vulnerability, findings are automatically linked to eliminate duplicates and provide unified remediation context.

September 29th, 2025

HawkScan (4.8.0)

Fixed

Scan Token Timeout

Fixed an issue where final results were not being uploaded to the platform for long running scans.

September 19th, 2025

HawkScan (4.7.0)

Improvement

HSTE Update

Beta Scan Rules:

  • Active: API Broken Authorization 40050
  • Active: API Broken Function Level Authorization 40051
  • Active: API Lack of Rate Limiting 40052
  • Active: API Broken Authentication 40053
  • Active: API Broken Object Property Level Authorization 40054
  • Active: API Enhanced Broken Object Level Authorization 40055
  • Active: API Active IDOR Validation 40056
  • Active: API Unrestricted Resource Consumption 40057
  • Active: API Server Side Request Forgery 40048
  • Active: LLM Injection 40049
  • Active: GraphQL Circular Reference 40099
  • Active: GraphQL Deep Recursion Query Attack 40100
  • Active: GraphQL Interface Exploit 40101
  • Active: GraphQL Batch Query 90052
  • Active: GraphQL Resource Intensive Query 90053
  • Active: GraphQL Introspection Exploit 90054
  • Active: GraphQL Field Suggestion Exploit 90055
  • Active: GraphQL Interface Protection Bypass 90056

Updated Rules:

  • Update: MongoDB Injection Timing Rules (improved accuracy, better timing analysis)
  • Update: MongoDB Injection Regular Rules (improved accuracy, fewer false positives)

Improvement

Hosted OpenAPI Support

Added openapi.usePlatform for directly fetching and using generated OpenAPI specifications from code repositories mapped to the scanned application in the platform.

Improvement

Application Scanning

The scanned application name is now included in the HawkScan terminal output banner.

Fixed

External Command Authentication Redaction

The configured app.redact setting now also applies to external command authentication parameters.

September 10th, 2025

StackHawk Platform

Added

Hosted Scanner

Hosted Scanning enables users to run scans directly from the StackHawk infrastructure.

August 28th, 2025

StackHawk Platform

Added

Model Context Protocol (MCP) Server

Embed StackHawk's DAST & API security testing directly in your MCP-enabled AI code assistants like Cursor, Claude Code, and Windsurf. With our MCP server, developers get real-time vulnerability detection and remediation using intuitive, natural language commands.

August 19th, 2025

StackHawk Platform

Added

OpenAPI Spec Generation

StackHawk now automatically and continuously generates OpenAPI specifications from your source code using AI. Current support includes Java/Spring and JavaScript/Express.js applications.

July 2nd, 2025

HawkScan (4.6.0)

Improvement

HSTE Update

  • Update Proxy Disclosure Rule (improved accuracy)
  • Update MongoDB Injection Rules, timing and regular (improved accuracy, fewer false positives)
  • Additional GraphQL Tests in Beta:
    • Passive: Endpoint Detected 90051
    • Active: Batch Query 90052
    • Active: Resource Intensive Query 90053 (series 1-4)
    • Active: Introspection Exploit 90054
    • Active: Field Suggestion Exploit 90055
    • Active: Interface Protection Bypass 90056
    • Passive: Introspection Detected 90050
    • Active: Circular Reference 40099
    • Active: Deep Recursion Query Attack 40100
    • Active: Interface Exploit 40101

Improvement

waitForAppTarget Custom Header

Added support for sending a custom header when using waitForAppTarget.

Improvement

API Paths Sorting

Added deterministic sorting to API-path output for cleaner, predictable diffs.

Improvement

gRPC Reflection Support

Added gRPC v1 and v1alpha reflection handling to service handlers.

Improvement

Authentication Validation

Fixed authentication validation so that it no longer depends on starting the perch daemon.

Fixed

Rolling-Appender Log Order

Corrected rolling-appender logic so hawkscan.log entries stay in chronological order.

Improvement

Hosted OpenAPI Support

Support for fetching AI generated OpenAPI specs.

Improvement

Base-Image Upgrade to Ubuntu 22.04

Migrated build base image to Ubuntu 22.04.

June 9th, 2025

StackHawk Platform

Added

Sensitive Data

Connected repositories can now be scanned for sensitive data terms (PII, PCI, and PHI word patterns); matches are reviewed in the API Discovery view.

April 28th, 2025

HawkScan (4.5.0)

Improvement

OSX signing and notarization

The HawkScan pkg installer is now fully signed and notarized by Apple, so installing no longer triggers security warnings.

Fixed

Large log files are fully sent to StackHawk platform

When HawkScan generated multiple large log files, not all of them were uploaded to the platform. This has been fixed, and the maximum number of log files is now configurable.

Added

Openapi helper tool merge command

The openapi-helper cli tool now has a merge command to facilitate merging OAS files.

February 4th, 2024

StackHawk Platform

Improvement

Multiple Project Management tool support

Improvements to our Jira Cloud and Azure DevOps integrations now allow administrators to connect multiple workspaces to a single StackHawk organization.

Improvement

Project Management tool selection

Triaging findings with multiple workspace ticketing integrations connected will give the option to select the preferred ticketing tool.

January 29th, 2025

HawkScan (4.4.0)

Fixed

Failed Authentication Request/Response

Fixed an issue where HawkScan was not showing requests and responses for failed authentication.

Fixed

Passive Scan Stats

Fixed issue where scan stats were not showing up for all scans.

Improvement

Java Opts Command Line Options

Users can now pass JVM args/opts to HawkScan on the command line with --hawk-jvm-opts.

Improvement

Automatically Enable Scripts in Scan

Passive/active script scanning is now enabled automatically, without it being expressly set in the scan policy.

Improvement

Brew Installer

Install correct version of Java when installing from Homebrew.

Fixed

Java Version

Throw exception and stop the scan if no compatible version of Java is found.

Improvement

Dependency Updates

Updated outdated dependencies.

Improvement

Remote OS Command Injection

Introduced a separate timing-based check for detecting remote OS command injection (unauthorized execution of operating system commands).

December 11th, 2024

StackHawk Platform

Added

Product Update 🎄🎁

Explore all the features we've recently released in our new product update.

October 30th, 2024

HawkScan (4.3.0)

Improvement

WSDL File Base Path

When using a wsdl filePath, the SOAP parser will use the directory of the specified file as the base directory for resolving linked files.

Improvement

HTTP Request display

Updated the HTTP request display to show accurately what was sent over the network.

Fixed

Specifying Outbound Proxy in stackhawk.yml

Fixed issue where HawkScan was not resolving the hawk.outboundProxy configuration before trying to authenticate to the platform.

Fixed

Hawk Plugin Commands

Fixed null pointer exceptions when running hawk register plugin and hawk list plugin.

October 14th, 2024

HawkScan (4.2.0)

Improvement

Log Cleanup

Reduced noisy debug logs by moving them to the trace level.

Fixed

HTTP Log Redaction

Enhanced sensitive data protection by redacting specified headers from logs when using --log-http.
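Header redaction for HTTP logs and the app.redact handling for external command authentication parameters (the 4.7.0 and 5.0.0 entries above) are the same discipline applied at two boundaries: scrub secret-bearing values before anything is written to a log. The following is an added example of both, written for this page rather than taken from HawkScan; the default header set, the `[REDACTED]` marker, the function names and the sample command line are assumptions.

```python
"""Redact secret-bearing HTTP headers and external-command arguments before
they reach logs. Illustrative code, not HawkScan's redaction implementation."""
from typing import Dict, Iterable, List, Set

REDACTED = "[REDACTED]"
# Headers that carry credentials by convention; extend per application.
DEFAULT_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}


def redact_headers(headers: Dict[str, str], extra: Iterable[str] = ()) -> Dict[str, str]:
    """Return a copy with the values of sensitive headers replaced (case-insensitive match)."""
    names = DEFAULT_HEADERS | {h.lower() for h in extra}
    return {k: (REDACTED if k.lower() in names else v) for k, v in headers.items()}


def redact_args(argv: List[str], secrets: Set[str]) -> List[str]:
    """Replace known secret values wherever they appear in an argv, including
    inside '--flag=value' tokens. Longest secrets first so overlapping values
    leave no residue."""
    out: List[str] = []
    for token in argv:
        for secret in sorted(secrets, key=len, reverse=True):
            if secret:
                token = token.replace(secret, REDACTED)
        out.append(token)
    return out


def format_request_log(method: str, url: str, headers: Dict[str, str],
                       extra: Iterable[str] = ()) -> str:
    """Render a request the way a --log-http style log would, already redacted."""
    safe = redact_headers(headers, extra)
    return "\n".join([f"{method} {url}"] + [f"{k}: {v}" for k, v in safe.items()])


if __name__ == "__main__":
    # Constructed request and command line; the token and password are dummies.
    print(format_request_log("GET", "http://localhost:3000/api/me",
                             {"Authorization": "Bearer dummy-token", "Accept": "*/*",
                              "X-Custom-Token": "dummy"}, extra=["x-custom-token"]))
    print(redact_args(["./login.sh", "--user=alice", "--password", "dummy-pass",
                       "--password=dummy-pass"], {"dummy-pass"}))
```

Redacting by header name catches credentials you know about; redacting by secret value (as `redact_args` does) also catches a secret that leaks into an unexpected place, so production logging usually combines both.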

Added

External Command Timeout

Added a timeout for externalCommand authentication to exit problematic scripts sooner.

Fixed

Intermittent Hanging on Scans

Fixed an issue where HawkScan would sometimes hang while scanning.

Improvement

gRPC Auto Input Vectors

Added gRPC auto input vectors to speed up scanning.

Improvement

Ignore Unimplemented gRPC Methods

The scanner will now skip paths that are not implemented on the gRPC server.

Improvement

Allow small OpenAPI spec

Allow for OpenAPI specs where the only route is the testPath.

Added

Hosted Scan Configuration

HawkScan can now run with a configuration hosted on https://app.stackhawk.com/ by running hawk scan hawk://policy-name.
