Changelog

Cleaned up some rough edges around the self-service experience.

Updated the Slack and Microsoft Teams integration management pages to be consistent with other integrations.

Added support for scanning grpc applications.

Users can now add NTLM authentication to their scans.

Fixed minor bugs throughout the app.

Environment cards will now display our new API type icons with your next scan!

Cleaning up some sneaky bugs and improving the all-round performance of our app.

Integrate StackHawk with Microsoft Azure DevOps Boards to track findings as work items.

The relevant code snippets for a GitHub CodeQL SAST finding will now be displayed in StackHawk.

Added the ability to specify which scan event(s) a webhook receives.

Fixed formatting of markdown links in the Gitlab DAST report.

Fixed a bug where HawkScan could select a different version of Java to start Zap on systems with multiple versions of Java installed.

Fixed a bug where app.waitForAppTarget could fail when running in Docker.

Fixed a null-pointer issue when parsing incomplete OpenAPI specifications with empty POST request bodies.

Added the ability to specify which application(s) a webhook applies to so that webhook receives alerts only for relevant scans.

Create groups of applications with Teams and assign users the Member role to limit their access.

Various bugfixes and improvements.

Added the ability to create and enable multiple webhooks.

Improved how Scan Policy events are displayed in the audit log.

Filters now automatically update when selecting Applications and Environments on the applications and scan results pages.

Tech Flags in application settings has been redone for easier access and configuration.

HawkScan can now be installed on Windows operating systems with a dedicated MSI installer.

Added support to customize the application scan policy directly from the StackHawk Platform, enabling HawkScan to deliver faster and tailored scan results.

Fixed a bug when parsing large OpenApi specifications.

Updates Log4J library to 2.19.0.

Added the ability to connect a Snyk Integration at the Snyk Group Account level.

Various updates to the Auth Getting Started examples.

The account's billing status is now shown.

Underlying Netty and Apache networking libraries were upgraded to the latest versions, supporting HTTP2.

Embedded Kotlin and JavaScript scripting engines now have access to the HawkScan configuration at runtime.

Added the app.openApiConf.maxAliasesForCollections setting to control the number of allowed anchor aliases when parsing a YAML OpenApi definition.

Improved the Atlassian Jira Cloud integration to enable selecting an issue type when triaging findings into Jira issues.

Users invited to an existing account now have a streamlined sign-up experience.

Added a new Operations tab, visible only for GraphQL scans, that includes a complete list of operations used during a scan.

Generate the CLI or Docker command for rescanning your application with the Rescan findings button. Rescan allows you to test an application for only previously discovered findings.

Rescan an application to quickly test only previously discovered findings.

Configure HawkScan GraphQL API scans with Faker supplied data for better scan results.

Run the StackHawk CLI on a Windows terminal using an included hawk.ps1 PowerShell script.

Improved the linting and validation of stackhawk.yml files to catch unexpected fields in the HawkScan configuration.

Our GitHub integration will now consider the failure threshold (set using hawk.failureThreshold in your configuration) to communicate scan success or failure in build checks and pull-request comments. Pull-request comments have been updated to include more relevant information in an easier-to-consume format.

Users can now get their code contributors count via Github Integration or Code Contributors Script without contacting Stackhawk Sales team

Organization owners can now upgrade admin users to owners.

The application filter now includes the application uuid, allowing for all applications, even those with conflicting names, to show up in the filter dropdown.

You can now get GitHub pull request checks and comments from StackHawk by installing the official StackHawk GitHub App and updating your stackhawk.yml with the correct scan tags.

Fixed some instances where our SAST buttons weren't quite styled to our standards.

Applications mapped to SAST integrations will now always show the appropriate badging on the applications page.

HawkScan can now generate smarter values when scanning with an OpenAPI configuration. Custom variables can now be configured with Faker supplied data for better scan results.

Users can now add their own active scan tests with HawkScan Script support, enabling application security checks using custom business logic and/or data.

Specific operations can now be ignored when scanning GraphQL APIs. The graphqlConf.excludeOperations setting can be populated with pairs of GraphQL operation names and types, and those operations will be excluded from the scan.

HawkScan can now intercept the HTTP traffic from any software development tool that supports proxy configuration. Discover your web application with Postman Collections, Cypress test suites, and even Curl commands.

HawkScan users with Postman Collections can discover more of their scanned application with new configuration for Postman Scan Discovery.

Documentation has been added describing Scan Discovery the process for spidering and discovering your web application with HawkScan.

You can supply a list of custom variables for each parameter in your OpenAPI definition, and HawkScan will randomly inject a variable from the corresponding list when scanning your API.

Scan Tags are name value pairs that represent metadata you can use to capture additional state or context around a scan.

When run with the --debug flag, the CLI banner now displays additional information on the current scan.

Certain fields around GraphQL and auth scripts were not being validated properly. These fields are now properly validated.

Fixed classpath construction issues with the ZAP subprocess in Windows environments.

HawkScan will now terminate a scan when an active script fails.

Cookies scoped to the domain of the application being scanned are now passed to the application correctly. For instance, *.example.com vs app.example.com.

Fixed several bugs that caused spontaneous page hangs or crashes in the StackHawk UI.

Generate reports summarizing your most recent scans across all applications and environments.