Changelog

The "hawk validate api" can be used to validate the OpenAPI configuration in your stackhawk.yml without running a scan.

Users can now add their own active scan tests with HawkScan Custom Test Scripts, enabling application security checks using custom business logic and/or data.

Updated the Hidden Files Found scan rule to not trigger on ambiguous https status codes like 3xx redirect codes.

Updated logic regarding 3xx redirect code analysis on responses to avoid false positives.

Fixed a bug where StackHawk wouldn't always track issues sent to Jira in scan findings

The Official StackHawk GitHub Integration is live, allowing you to correlate GitHub CodeQL findings as you scan.

Scan policies now exclude the following, (10058) GET for POST, (10104) User Agent Fuzzer, (20014) HTTP Parameter Pollution, (40023) Possible Username Enumeration, (90027) Cookie Slack Detector, (40016) Cross Site Scripting (Persistent) - Prime, (40017) Cross Site Scripting (Persistent) - Spider, (90017) XSLT Injection, (90034) Cloud Metadata Potentially Exposed

The core networking stack has been updated to use netty 4 allowing for http 2 support.

Using the --git-url/GIT_URL option with the stackhawk/hawkscan docker image will clone the git repo to the home directory of the non-root docker user, instead of /hawk, to avoid permission errors.

The authentication form POST will now use HTTP/1.1 which is the default for all other traffic.

Fixed minor issues that were causing the application page to freeze.

Paths will now be populated when creating a new issue.

Made it easier to get your YAML file and run a scan after creating a new application.

Applications option is now first in the navigation bar.

Clicking on metrics in the environment card will navigate users to its latest scan.

Fixed an issue preventing users from adding their API specification when creating an application.

Fixed minor issues with cross site scripting rule, date time conversions, and plugin reporting

Improved instructions on how to provide your API key to the scanner during the first app creation process.

Restored the ability to remove a linked SAST project and fixed issues with SAST badging not displaying correctly in some places such as scan results and the applications list.

Hawkscan has been upgraded to use ZAP 2.12.0 the latest stable release.

HawkScan is now collecting additional details from scan alerts, including the request / response time, history type, and alert reference.

Fixed a bug when handling exotic escape character sequences in the loggedInIndicator and loggedOutIndicator fields.

StackHawk grows with your team! Small teams can now upgrade to our Pro or Enterprise plans without paying for more developers than you have right now.

Additional third-party authentication providers have been added including Okta, Firebase and Keycloak.

Pagination and filtering will not reset if users navigate to an individual scan and decide to navigate back to the scans page.

Users can now add authentication through third-party providers such as Auth0 or other OAuth-based services. Support for additional OAuth providers will be coming in the near future.

Fixed issue where excludePaths would not work unless at least 1 includePath was set

tokenExtraction.value regex was too strict, removed regex for easier use

Added ability to supply seed paths to supplement spider in crawling applications

Synced with latest zap extensions to obtain Spring4Shell scan rule

Added "hawk download log" command which can be used to download logs for specific scans

Squashed a handful of minor security vulnerabilities

Updated Github Actions integrations to reflect changes using the CLI

Added an extra flag that outputs verbose logging to the foreground

Added ability for HawkScan to detect Log4Shell vulnerabilities

Added support for Docker and HawkScan CLI for multi architecture

Updated HawkScan with the lastest upstream changes from ZAP

Improved validation for JSON schema plugin and security certificate errors

Fixed issue with the --debug flag causing double printout of logs

Fixed issue with the maximum duration flag not being respected in Ajax scans

Our Slack Integration install button was less-than-visible, but you can see it again!

The auth helper popup will no longer appear over the new application wizard

The dates in the application will correctly appear in the user’s local time

Find documentation on the StackHawk Defect Dojo Integration from the Integrations tab

Visual callouts to scans list and scan details page for Log4Shell scans

Users on a Free plan that already have an application will be prompted with an upgrade message once they click on Add an App button

After running their first scan, users can open a helper that will help them setup authenticated scanning.

Users can easily learn how to authenticate their application with this helper. It includes information about injecting a token or cookie, or using HTTP and JSON form authentication methods. After users select their authentication method, they will be shown a YAML snippet that should be added to their stackhawk.yml file.

Added technology flag for the Java Spring framework

For longer scans (>30m) the platform jwt token will now auto-refresh for uploading scan logs to the platform

Added contextual error messaging to invalid scan configurations

When the configured failure threshold was reached on a scan the scan was being marked as an error in the platform. The scan is no longer marked as an error when the failure threshold is reached but the exit code is still 42 so the build will fail.

The app excludePaths are now applied globally instead of just on active scan requests, exclude paths will be applied to the spider and all other requests through the proxy. This allows for definitive blocking of paths that may be sensitive to scan requests.