Changelog
Tracking updates to the StackHawk platform and HawkScan since 2019
August 7th, 2024
StackHawk Platform
Organization Scan Policy Management
Added a page in the organization settings for managing Organization Scan Policies and for reviewing the read-only StackHawk Scan Policies. Organization Scan Policies let teams choose which vulnerability checks apply to their StackHawk scans, improving scan performance and accuracy.
July 26th, 2024
HawkScan (4.1.0)
Organization Level Scan Policy
Added support for scan policies defined at the organization level.
Check for polyfill.io Vulnerability
Added a check that flags pages loading scripts from the polyfill.io CDN.
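The check above looks for third-party script loads from polyfill.io. In 2024 the polyfill.io domain changed ownership and was observed serving malicious JavaScript to visitors of sites that embedded it, so any remaining reference is worth surfacing; the fix is to remove it or switch to a self-hosted copy or a trusted mirror. The following is an added example of what such a passive check does. It is not HawkScan's implementation, and the sample HTML is constructed for the example.

```python
"""Flag pages that load JavaScript from the polyfill.io CDN.

Added example of what such a check looks for; it is not HawkScan's implementation.
The sample HTML is constructed for this example.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# The flagged host and every subdomain of it (cdn.polyfill.io, etc.).
FLAGGED_HOSTS = ("polyfill.io",)


def _host_is_flagged(url: str) -> bool:
    # Protocol-relative URLs ("//cdn.polyfill.io/...") need a scheme before parsing.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def find_polyfill_io_scripts(html: str) -> List[str]:
    """Return the script URLs in html that are served from polyfill.io."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    return [src for src in collector.srcs if _host_is_flagged(src)]


# Constructed response body: two polyfill.io loads, one mirror on another host, one local script.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_polyfill_io_scripts(SAMPLE_HTML):
        print("polyfill.io script loaded:", hit)
```

Matching on the parsed hostname rather than a substring search matters: a path such as `/polyfill.io.js` on your own origin is not a finding, while a protocol-relative `//polyfill.io/...` load is.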
Progress Bar Display
Fixed an issue where the progress bar was displayed multiple times in the terminal output.
Updating HawkScan from .pkg Installer
Fixed an issue where HawkScan was not available on the command line after upgrading.
OpenAPI Parsing
Fixed issues where HawkScan could not parse some OpenAPI 3.1 specs.
GraphQL Configuration Banner Display
Fixed an issue where the GraphQL configuration file was not shown in the console output.
Scan Policy Display in Banner
The scan policy in effect for the HawkScan run is now shown in the console banner.
Updated Details in SARIF Output
Expanded the detail fields in the SARIF output with more information about each finding.
Updated OpenAPI Helper
Improved OpenAPI parsing for the HawkScan OpenAPI helper tool.
June 27th, 2024
HawkScan (4.0.0)
Use HSTE (HawkScan Testing Engine) instead of ZAP
Switched the scanner to HSTE, a renamed fork of ZAP that the StackHawk team has been maintaining. To learn more about this change, see the link to the blog post below. Please note that if you are using custom scripts, all references to org.zaproxy.zap must be renamed to com.stackhawk.hste.
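The package rename above has to be applied to every custom script before it will load under HSTE. The following is an added migration helper, not a StackHawk tool: it rewrites the `org.zaproxy.zap` prefix to `com.stackhawk.hste` across a directory of scripts, only where the prefix appears as a whole dotted segment, and supports a dry run so you can review the report before anything is written. The list of script file extensions is an assumption; adjust it to match your scripts.

```python
"""Rewrite org.zaproxy.zap package references to com.stackhawk.hste in custom scripts.

Added migration helper for the HSTE rename described above; it is not a StackHawk
tool. It assumes your custom scripts are text files under one directory (the
extensions list below is an assumption; adjust it to your scripts).
"""
import re
import sys
from pathlib import Path
from typing import Dict, Tuple

OLD_PKG = "org.zaproxy.zap"
NEW_PKG = "com.stackhawk.hste"

# Match the old prefix only as a whole dotted segment: "org.zaproxy.zap.extension..."
# is rewritten, a hypothetical "org.zaproxy.zapfoo" or "xorg.zaproxy.zap" is not.
_PKG_RE = re.compile(r"(?<![\w.])" + re.escape(OLD_PKG) + r"(?=\.|\b)")

SCRIPT_EXTENSIONS = (".js", ".kts", ".py", ".groovy")  # assumption: common script types


def rewrite_text(text: str) -> Tuple[str, int]:
    """Return the rewritten text and the number of references replaced."""
    return _PKG_RE.subn(NEW_PKG, text)


def migrate_scripts(root: Path, dry_run: bool = False) -> Dict[str, int]:
    """Rewrite every script under root in place; return {relative_path: replacements}.

    With dry_run=True nothing is written, so the report can be reviewed first.
    """
    report: Dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # not a text script; leave it alone
        new_text, count = rewrite_text(text)
        if count == 0:
            continue
        report[path.relative_to(root).as_posix()] = count
        if not dry_run:
            path.write_text(new_text, encoding="utf-8")
    return report


if __name__ == "__main__":
    # Usage: python migrate_hste.py <scripts-dir> [--dry-run]
    scripts_dir = Path(sys.argv[1])
    for rel, n in migrate_scripts(scripts_dir, dry_run="--dry-run" in sys.argv).items():
        print(f"{rel}: {n} reference(s)")
```

Run it once with `--dry-run`, check the per-file counts against what you expect, then run it for real and commit the result alongside the HawkScan version bump so the two changes roll back together.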
Multiple API spec support for OpenAPI and gRPC
app.openApiConf and app.grpcConf now support .filePaths, allowing multiple specification files to be used in a single scan configuration. This is especially useful when an API consists of multiple lambdas.
PassiveScan script support
Passive scripts can now raise alerts in StackHawk by registering a custom plugin ID, as active scripts already could. This is useful for creating alerts for PII data, missing HTTP headers, and more.
New details to SARIF output
Added links and more details about the alert to the SARIF output format's new markdown fields.
Updated the scan throttle settings to increase scan speed
The default throttle settings have been tuned to facilitate faster scanning. Users with scanner resource constraints may need to adjust these settings back to their lower values to avoid crashes due to resource consumption.
Custom data variables override example data in OpenApi spec
Custom data variables in the StackHawk configuration now override the example values in the OpenAPI spec at runtime.
Docker user changed from zap to steve
The default non-privileged user in the stackhawk/hawkscan Docker image is now named steve instead of zap. The home and default working directories have been updated to match and are /home/steve and /steve respectively. For reference, the StackHawk mascot's name is Steven S. Hawk ;).
June 27th, 2024
StackHawk Platform
Scan policy name in the scan details pane
The scan policy name is displayed in the scan details pane indicating which policy was chosen for the scan run.
May 30th, 2024
StackHawk Platform
Official Support for Multiple GitHub Integrations
Connect multiple GitHub Accounts or Organizations to a single StackHawk Organization.
May 10th, 2024
HawkScan (3.9.0)
GraphQL Misconfiguration Error
Fixed an issue where a validation error was thrown when the GraphQL configuration specified both file and filePath.
StackHawk Config JSON Schema
Updated StackHawk JSON schema to the latest version.
HawkScan Launcher Icons
Updated the HawkScan Launcher icons for the .msi and .pkg installers.
Wait For App Target
Fixed a bug where the waitForAppTarget feature would exit after 64 attempts.
HTTP Request/Response Logging
HTTP request/response logging now starts earlier in the scan, so more traffic is captured.
gRPC Data Generation
The recursion depth of gRPC data generation can now be configured in stackhawk.yml.
Prompt For API Key
HawkScan now prompts for, and creates, an API key when it detects that none is configured.
May 7, 2024
StackHawk Platform
Account Set Up
Simplified sign up form for new users.
Getting Started Page
This update introduces new video resources to help new users run their first scan successfully and get started with StackHawk quickly.
April 16th, 2024
HawkScan (3.8.0)
3rd party/OAuth stackhawk.yml configuration
Most 3rd party/OAuth providers can now be configured directly in stackhawk.yml without additional authentication scripts.
PKG installer
HawkScan can now be installed from a .pkg file on macOS.
Hawk Perch
Fixed a bug where hawk perch would not run from the Windows executable version. To run hawk perch browser or hawk perch start --with-chrome on Windows ARM64, the Visual C++ Redistributable must be installed. Follow the link below and select the x86 architecture to download the vc_redist.x86.exe installer.
Weak Cipher Detection
Added a custom test that checks whether weak ciphers are enabled on the host during a hawk scan run.
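A weak-cipher check has two parts: deciding which suites count as weak, and finding out which of those the target actually negotiates. The following is an added example of both, not HawkScan's test. The classifier works offline on OpenSSL cipher names and uses the usual cutoff (RC4, DES/3DES, export-grade, NULL, MD5, anonymous key exchange); tighten it to your own policy if, for example, you also treat CBC/SHA1 suites as weak. The probe attempts one handshake per weak suite that your local OpenSSL build can still offer, which is a real limitation: most current builds have dropped export and RC4 suites entirely, so a "nothing accepted" result from this probe is only as strong as the candidate list it was able to send.

```python
"""Classify TLS cipher suites as weak and probe which ones a host accepts.

Added example of the idea behind a weak-cipher check; it is not HawkScan's test.
The classifier runs offline on OpenSSL cipher names; the probe needs network access
and can only try suites the local OpenSSL build still supports.
"""
import socket
import ssl
from typing import Dict, List

# OpenSSL name fragments that mark a suite as weak: broken or 64-bit block ciphers,
# no encryption, export-grade keys, MD5 MACs, and anonymous (unauthenticated) key exchange.
WEAK_MARKERS = {"RC4", "RC2", "DES", "3DES", "IDEA", "SEED", "NULL", "EXP", "EXPORT", "MD5", "ADH", "AECDH"}


def is_weak_cipher(openssl_name: str) -> bool:
    """True if any dash-separated token of the OpenSSL cipher name is a weak marker."""
    return bool(WEAK_MARKERS & set(openssl_name.upper().split("-")))


def classify(names: List[str]) -> Dict[str, List[str]]:
    """Split cipher names into {"weak": [...], "ok": [...]}, preserving order."""
    out: Dict[str, List[str]] = {"weak": [], "ok": []}
    for name in names:
        out["weak" if is_weak_cipher(name) else "ok"].append(name)
    return out


def accepted_weak_ciphers(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Attempt one TLS<=1.2 handshake per locally available weak suite; return those accepted.

    Certificate verification is disabled on purpose: this probes cipher negotiation,
    not server identity. TLS 1.3 suites are not covered because set_ciphers() only
    governs TLS 1.2 and below.
    """
    listing = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        listing.set_ciphers("ALL:COMPLEMENTOFDEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        listing.set_ciphers("ALL:COMPLEMENTOFDEFAULT")  # builds without @SECLEVEL support
    candidates = [c["name"] for c in listing.get_ciphers() if is_weak_cipher(c["name"])]

    accepted: List[str] = []
    for name in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(name)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            continue  # rejected by the server, or not usable locally
    return accepted


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("weak suites accepted by", target, ":", accepted_weak_ciphers(target))
```

Offline, `classify` is also handy for reviewing a server's configured cipher string (for example the output of `openssl ciphers -v` on the host) without touching the network at all.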
Preflight CDN Header Check
When HawkScan is run with the --enable-preflight flag, it now detects whether the application is likely being served through a CDN.
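The reason a preflight check cares about this: a CDN or WAF between the scanner and the application can cache responses, rate-limit or block the scanner's requests, so findings (and non-findings) describe the edge rather than the app, and the usual fix is to point the scan at the origin. The following is an added example of the header heuristic such a check can use; it is not HawkScan's code. The header names are ones the named CDNs publicly document or are widely observed to add, and the sample responses are constructed.

```python
"""Infer from response headers whether a target sits behind a CDN.

Added example of the heuristic behind a preflight CDN check; it is not HawkScan's
code. The vendor header names are well-known fingerprints; the sample responses
are constructed.
"""
from typing import Dict, List


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; compare everything in lower case.
    return {k.lower(): v.lower() for k, v in headers.items()}


def detect_cdn(headers: Dict[str, str]) -> List[str]:
    """Return the names of CDNs whose fingerprints appear in the response headers."""
    h = _normalise(headers)
    server = h.get("server", "")
    via = h.get("via", "")
    hits: List[str] = []
    if "cf-ray" in h or "cf-cache-status" in h or server == "cloudflare":
        hits.append("Cloudflare")
    if "x-amz-cf-id" in h or "x-amz-cf-pop" in h or "cloudfront" in via:
        hits.append("Amazon CloudFront")
    if "x-fastly-request-id" in h or h.get("x-served-by", "").startswith("cache-"):
        hits.append("Fastly")
    if any(k.startswith("x-akamai-") for k in h) or "akamaighost" in server:
        hits.append("Akamai")
    if "x-vercel-id" in h or server == "vercel":
        hits.append("Vercel")
    return hits


# Constructed sample responses.
CLOUDFLARE_RESPONSE = {
    "Server": "cloudflare",
    "CF-RAY": "8a1b2c3d4e5f6789-SJC",
    "CF-Cache-Status": "DYNAMIC",
    "Content-Type": "text/html",
}
CLOUDFRONT_RESPONSE = {
    "Via": "1.1 abcdef0123456789.cloudfront.net (CloudFront)",
    "X-Amz-Cf-Id": "constructed-request-id",
    "X-Amz-Cf-Pop": "SFO5-C1",
}
ORIGIN_RESPONSE = {"Server": "nginx/1.24.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    for label, resp in [("cloudflare", CLOUDFLARE_RESPONSE), ("cloudfront", CLOUDFRONT_RESPONSE), ("origin", ORIGIN_RESPONSE)]:
        cdns = detect_cdn(resp)
        print(f"{label}: {'behind ' + ', '.join(cdns) if cdns else 'no CDN fingerprint'}")
```

A single response is a weak signal; a preflight check should sample several paths, since some deployments front only static assets with a CDN while API routes go straight to the origin.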
gRPC Data Generation
Limited the recursion depth of gRPC data generation and added more data types.
HawkScan HTTP Request/Response logging
When HawkScan is run with the --log-http flag, it logs all HTTP requests and responses.
April 15, 2024
StackHawk Platform
Create New Application
This update enhances the clarity of the host URL information and adds a dropdown to specify the required URL format.
Getting Started Page
This newly added page provides key context to help new users get started with StackHawk successfully.
February 29, 2024
StackHawk Platform
Repositories Page
Users can create multiple applications per repository.
Repositories Page
Improvements to the repositories table data display.
Repositories Page
Clicking on the repository table row will navigate users to the repository details page.
Repository Details Page
Dedicated repository details page where users can manage it and its application mappings easily.
February 22nd, 2024
HawkScan (3.7.0)
OpenApi Splitter Max Parameters
Added a flag to the OpenAPI splitter that caps the number of parameters in a single output file or endpoint.
Browser Detection For Ajax Spider
HawkScan will now check to see if the browser is installed on the OS before running the ajax spider.
Git Checkout Revision
Fixed a bug where HawkScan would error if a branch name was specified in the HAWK_GIT_REV environment variable.
Preflight Check (Alpha)
Introduced the --enable-preflight flag, which runs a preflight check before the scan and warns about potential problems in the application configuration. This feature is currently in alpha, and we welcome your feedback on it.
New perch start command flags
Added hawk perch start --with-chrome and --with-proxy-info to enable using hawk perch as a recording proxy. Run hawk perch start --help for details.
New perch stop command flag
Added hawk perch stop --har-file=<har file name> to save the perch recorded session as a har file. Run hawk perch stop --help for details.
February 6th, 2024
HawkScan (3.6.0)
HAR file support
Added support for using a HAR file, or a directory of HAR files, in place of the spider to seed the scan.
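A HAR recording replaces the spider by telling the scanner which requests a real session made. The following is an added example of how such a recording is turned into a seed list; it is not HawkScan's implementation. It keeps only requests to the target host, drops static assets and duplicate method/path pairs, and preserves the HTTP method, because a POST that submits a form is a different attack surface from a GET of the same path. The HAR below is constructed and trimmed to the fields used. Remember that real HAR files carry cookies, bearer tokens and request bodies, so they are secrets: keep them out of version control and out of CI logs.

```python
"""Turn a recorded HAR session into the request list that seeds a scan.

Added example of how a HAR file can replace the spider; it is not HawkScan's
implementation. The HAR below is constructed and trimmed to the fields used.
"""
import json
from typing import List, Tuple
from urllib.parse import urlparse

STATIC_SUFFIXES = (".css", ".js", ".map", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff", ".woff2")


def har_seed_requests(har_text: str, target_host: str) -> List[Tuple[str, str]]:
    """Return unique (METHOD, url) pairs for target_host from the HAR, in recorded order.

    Deduplication is on (method, path): the first query string seen for a path is
    kept, later variants of the same path are dropped. Fragments never reach the
    server and are stripped.
    """
    entries = json.loads(har_text)["log"]["entries"]
    seen = set()
    seeds: List[Tuple[str, str]] = []
    for entry in entries:
        req = entry["request"]
        parsed = urlparse(req["url"])
        if parsed.hostname != target_host:
            continue  # third-party traffic (analytics, CDNs) is out of scope
        if parsed.path.lower().endswith(STATIC_SUFFIXES):
            continue
        method = req["method"].upper()
        key = (method, parsed.path)
        if key in seen:
            continue
        seen.add(key)
        seeds.append((method, parsed._replace(fragment="").geturl()))
    return seeds


# Constructed HAR: a login flow, one static asset, one third-party beacon, two pages of one API.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "creator": {"name": "example", "version": "0"}, "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/login"}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/login"}},
    {"request": {"method": "GET", "url": "https://app.example.test/static/app.js"}},
    {"request": {"method": "GET", "url": "https://www.example-analytics.test/collect?v=1"}},
    {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=1#top"}},
    {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=2"}},
]}})

if __name__ == "__main__":
    for method, url in har_seed_requests(SAMPLE_HAR, "app.example.test"):
        print(method, url)
```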
External Command Authentication
You can now supply an external command that HawkScan runs to authenticate to the scanned application.
JWT support
HawkScan now renews JWTs automatically before they expire.
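Renewing ahead of expiry matters for a scanner because a token that lapses mid-scan turns every later request into a 401, and the resulting run silently covers far less than it appears to. The following is an added example of the expiry check behind such renewal; it is not HawkScan's code. It decodes only the payload and never verifies the signature: the scanner needs the exp claim to schedule a refresh, while the target remains responsible for validating the token. The token built in the example is constructed (unsigned, alg none) for illustration only.

```python
"""Decide when a bearer JWT should be renewed, from its exp claim.

Added example of the expiry check behind automatic JWT renewal; it is not HawkScan's
code. Only the payload is decoded, never verified. The token built below is
constructed (unsigned) for the example.
"""
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_exp(token: str) -> Optional[int]:
    """Return the exp claim (Unix seconds) or None if the token has no exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp")
    return None if exp is None else int(exp)


def needs_renewal(token: str, now: float, leeway_seconds: int = 60) -> bool:
    """True if the token is expired or expires within leeway_seconds.

    The leeway absorbs clock skew between scanner and target and the latency of the
    request in flight. Tokens without exp never trigger a refresh here.
    """
    exp = jwt_exp(token)
    if exp is None:
        return False
    return now >= exp - leeway_seconds


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: alg=none header, JSON claims, empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    import time
    token = make_unsigned_token({"sub": "scanner", "exp": int(time.time()) + 30})
    print("renew now?", needs_renewal(token, time.time()))  # True: inside the 60 s leeway
```

In a scan loop this check runs before each request; when it returns True the authentication step (for example the external command above) is re-run and the new token replaces the old one before the request is sent.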
Additional OWASP API Top 10 Rules
Added checks for Broken Object Property Level Authorization and Broken Function Level Authorization for OpenAPI specifications.
January 29, 2024
StackHawk Platform
Github Integration Page
Added a link to repositories page.
Bug fixes
Various bugfixes and improvements.
January 10, 2024
StackHawk Platform
API Endpoint: Get Application Tech Flags
Added endpoint to get application tech flags.
API Endpoint: Get Application Scan Policy
Added endpoint to retrieve the current scan policy configured for a specific application.
API Endpoint: All StackHawk Scan Policies
Added an endpoint that lists all available StackHawk scan policies, with details of each policy.
API Endpoint: Get StackHawk Scan Policy
Added an endpoint that returns the details of a specific StackHawk scan policy.
API Endpoint: Assign Application Scan Policy Plugins
Added endpoint to assign scan policy plugins to an application's scan policy.
API Endpoint: Toggle App Scan Policy Plugin
Added endpoint to enable/disable an app scan policy plugin.
API Endpoint: Update Application Tech Flags
Added endpoint to update technology flags for an application, affecting the behavior of plugins during HawkScan runs.
December 7, 2023
StackHawk Platform
Upgraded to React 18
The StackHawk UI now soars on React 18, bringing enhanced performance and innovation! Tonight, the engineering flock rests as their dreams of this upgrade take flight!
November 21, 2023
HawkScan (3.5.0)
OWASP API Top 10 Security Testing (Beta)
HawkScan now has experimental support for testing for Broken Object-level Authorization and Insecure Direct Object Reference vulnerabilities. Using the OpenAPI - Experimental named scan policy will test for these vulnerabilities.
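The authorization checks in this release and in the 3.6.0 entry above (Broken Object Level Authorization, Broken Object Property Level Authorization, Broken Function Level Authorization) all share one test idea: take a request that succeeds for the identity that owns the object, replay it as a different identity, and flag the case where the second identity also succeeds. The following is an added example of that differential check at the object level; it is not HawkScan's implementation. The in-memory API it runs against is constructed and deliberately vulnerable so the check has something to find, with `fixed_api` as the patched form. The same replay, applied per operation rather than per object, is the function-level variant.

```python
"""Differential test for Broken Object Level Authorization (BOLA / IDOR).

Added example of the test idea behind the OWASP API Top 10 authorization checks;
it is not HawkScan's implementation. The in-memory API below is constructed and
deliberately vulnerable so the check has something to find; fixed_api is the
patched form.
"""
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, dict]                    # (HTTP status, JSON body)
Send = Callable[[str, str, str], Response]     # send(method, path, bearer_token)

# --- constructed target: two users, each owning one order ---------------------
ORDERS = {"1001": {"owner": "alice", "total": 42}, "2002": {"owner": "bob", "total": 7}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed bearer tokens


def _lookup(path: str):
    return ORDERS.get(path.rsplit("/", 1)[-1]) if path.startswith("/orders/") else None


def vulnerable_api(method: str, path: str, token: str) -> Response:
    user = TOKENS.get(token)
    if user is None:
        return 401, {}
    order = _lookup(path) if method == "GET" else None
    if order is None:
        return 404, {}
    return 200, order                           # BUG: authenticated, but owner never checked


def fixed_api(method: str, path: str, token: str) -> Response:
    user = TOKENS.get(token)
    if user is None:
        return 401, {}
    order = _lookup(path) if method == "GET" else None
    if order is None:
        return 404, {}
    if order["owner"] != user:
        return 403, {}                          # object-level authorization enforced
    return 200, order


# --- the check ----------------------------------------------------------------
def bola_check(send: Send, method: str, path_template: str,
               owned_ids: Dict[str, List[str]], tokens: Dict[str, str]) -> List[dict]:
    """Replay each owner's successful request as every other identity.

    owned_ids maps user -> object ids that user legitimately owns; tokens maps
    user -> bearer token. A finding needs both a 2xx for the other user and the
    same body the owner received, which rules out endpoints that answer 200 with
    an empty or generic payload regardless of caller.
    """
    findings: List[dict] = []
    for owner, ids in owned_ids.items():
        for oid in ids:
            path = path_template.format(id=oid)
            base_status, base_body = send(method, path, tokens[owner])
            if not 200 <= base_status < 300:
                continue                        # no baseline, nothing to compare against
            for other, tok in tokens.items():
                if other == owner:
                    continue
                status, body = send(method, path, tok)
                if 200 <= status < 300 and body == base_body:
                    findings.append({"path": path, "owner": owner, "accessed_as": other, "status": status})
    return findings


OWNED = {"alice": ["1001"], "bob": ["2002"]}
USER_TOKENS = {"alice": "tok-alice", "bob": "tok-bob"}

if __name__ == "__main__":
    print("vulnerable:", bola_check(vulnerable_api, "GET", "/orders/{id}", OWNED, USER_TOKENS))
    print("fixed:", bola_check(fixed_api, "GET", "/orders/{id}", OWNED, USER_TOKENS))
```

The check needs at least two authenticated identities and knowledge of which objects each one owns; without that baseline a 200 for a guessed identifier is only suggestive. In practice the ids come from the OpenAPI spec's path parameters plus responses the owner identity has already received during the scan.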
Data usage improvements
Improved disk usage and network throttling when running HawkScan in memory-constrained environments.
Pipeline Scanning
Added a --no-progress flag to hawk scan that disables progress bars, which is ideal when running HawkScan in CI pipelines.
Check Target Host
Fixed a bug in the check that waits for the scanned host to start when app.waitForAppTarget.path is configured.
November 15, 2023
StackHawk Platform
Finding Details Page
Enhanced vulnerability descriptions with clear remediation steps, risk details, and multi-language code examples.
Repositories Table
General improvements to the functionality of the repositories table.
Filtering Apps, Envs, and Teams
Fixed a bug in all filters that occurred when an app, env, or team was deleted.
November 14, 2023
StackHawk Platform
Security in Jira Integration Issue Linking
Issues created for vulnerabilities in Jira are now automatically linked to StackHawk scan finding paths.
October 31, 2023
StackHawk Platform
Repositories Page
GitHub Insights is officially GA.
Repositories Page
Users can filter their repositories by languages and topics.
Repositories Page
Archived and forked repositories will be hidden by default. Use the toggle to explore all hidden repositories.
October 24, 2023
StackHawk Platform
Repositories Beta
Updates to improve the filtering and sorting of the Repositories table.
Selected Repositories Counter
Now view how many repositories you have selected next to the Create Applications button.
October 18, 2023
StackHawk Platform
Teams and Users Pages
Teams and Users are now included in the left hand navigation for quicker access.
Toggle Hidden Repositories
Hide and show hidden repositories using the new Hidden toggle on the Repositories page.
Repositories Languages and Topics
View the languages and topics a repository uses by clicking its row in the table; the details appear in the right panel.
Policy Management Docs Link
Policy Management Documentation is now directly linkable from the Policy Management and Application Settings pages.
Archived and Forked Repositories
Repositories will now have an icon to indicate if they are forked or archived.
October 11, 2023
StackHawk Platform
Hide Forked and Archived Repositories
Forked and Archived repositories will be hidden by default on the Repositories page.
October 3, 2023
StackHawk Platform
Scan Details
We improved the way you save your Tech Flags in the Optimization Panel.
Repositories Page
We added a hyperlink that will take you to the scan details of the last scan from the Repositories page.
October 3, 2023
HawkScan (3.4.0)
Support for Root CA Certificates for Transparent proxies
Users can now configure the path to their root CA certificate in stackhawk.yml, and HawkScan will load that certificate at runtime so it can communicate through a transparent proxy.
JSON Schema Validation for HawkScan Config
Fixed an issue where HawkScan config validation got caught in a loop and never completed.
Validate Auth Command
Fixed an issue where the validate auth command was not working.
September 26th, 2023
StackHawk Platform
Org Details
Team Members can now see their Organization ID in the Organization Details tab of their Settings.
Repositories Page
The columns of the Repositories table are now sortable.