Changelog
Tracking updates to the StackHawk platform and HawkScan since 2019
October 20th, 2022
StackHawk Platform
GitHub Integration Pull Request Checks
Our GitHub integration will now consider the failure threshold (set using hawk.failureThreshold in your configuration) to communicate scan success or failure in build checks and pull-request comments. Pull-request comments have been updated to include more relevant information in an easier-to-consume format.
October 13th, 2022
StackHawk Platform
Account Details Page
Users can now get their code contributor count via the GitHub Integration or the Code Contributors Script without contacting the StackHawk Sales team.
October 3rd, 2022
StackHawk Platform
Members Page
Organization owners can now upgrade admin users to owners.
September 28th, 2022
StackHawk Platform
Enhanced Application Filter
The application filter now includes the application UUID, allowing all applications, even those with conflicting names, to show up in the filter dropdown.
September 22nd, 2022
StackHawk Platform
GitHub Integration Pull Request Checks
You can now get GitHub pull request checks and comments from StackHawk by installing the official StackHawk GitHub App and updating your stackhawk.yml with the correct scan tags.
SAST Buttons
Fixed some instances where our SAST buttons weren't quite styled to our standards.
SAST Application Badging
Applications mapped to SAST integrations will now always show the appropriate badging on the applications page.
September 20th, 2022
HawkScan (2.8.0)
Custom Variable Injection
HawkScan can now generate smarter values when scanning with an OpenAPI configuration. Custom variables can now be configured with Faker-supplied data for better scan results.
Custom Test Scripts
Users can now add their own active scan tests with HawkScan Script support, enabling application security checks using custom business logic and/or data.
GraphQL Exclude Operations
Specific operations can now be ignored when scanning GraphQL APIs. The graphqlConf.excludeOperations setting can be populated with pairs of GraphQL operation names and types, and those operations will be excluded from the scan.
Custom Scan Discovery
HawkScan can now intercept the HTTP traffic from any software development tool that supports proxy configuration. Discover your web application with Postman Collections, Cypress test suites, and even curl commands.
Postman Scan Discovery
HawkScan users with Postman Collections can discover more of their scanned application with new configuration for Postman Scan Discovery.
Scan Discovery
Documentation has been added describing Scan Discovery, the process for spidering and discovering your web application with HawkScan.
August 29th, 2022
HawkScan (2.7.0)
Custom Variable Injection for REST APIs
You can supply a list of custom variables for each parameter in your OpenAPI definition, and HawkScan will randomly inject a variable from the corresponding list when scanning your API.
Scan Tags
Scan Tags are name-value pairs of metadata you can use to capture additional state or context around a scan.
More info in CLI banner
When run with the --debug flag, the CLI banner now displays additional information on the current scan.
Various YAML config validation bugs
Certain fields around GraphQL and auth scripts were not being validated properly. These fields are now properly validated.
Windows CLI instability issues
Fixed classpath construction issues with the ZAP subprocess in Windows environments.
Active Script exception handling
HawkScan will now terminate a scan when an active script fails.
Domain level cookies not being sent to the application
Cookies scoped to the domain of the application being scanned are now passed to the application correctly, for instance a cookie scoped to *.example.com when scanning app.example.com.
August 29th, 2022
StackHawk Platform
Platform Stability
Fixed several bugs that caused spontaneous page hangs or crashes in the StackHawk UI.
August 23rd, 2022
StackHawk Platform
Summary Scan Reports
Generate reports summarizing your most recent scans across all applications and environments.
August 1st, 2022
HawkScan (2.6.0)
Validate OpenAPI configuration command
The "hawk validate api" command can be used to validate the OpenAPI configuration in your stackhawk.yml without running a scan.
Custom Test Scripts (BETA)
Users can now add their own active scan tests with HawkScan Custom Test Scripts, enabling application security checks using custom business logic and/or data.
Hidden Files Found scan rule false positives
Updated the Hidden Files Found scan rule so that it no longer triggers on ambiguous HTTP status codes such as 3xx redirects.
Path Traversal scan rule false positives
Updated logic regarding 3xx redirect code analysis on responses to avoid false positives.
July 27th, 2022
StackHawk Platform
Jira Integration
Fixed a bug where StackHawk would not always track issues sent to Jira in scan findings.
July 13th, 2022
StackHawk Platform
GitHub CodeQL
The Official StackHawk GitHub Integration is live, allowing you to correlate GitHub CodeQL findings as you scan.
Disabled problematic and informational scan rules
Scan policies now exclude the following rules: (10058) GET for POST, (10104) User Agent Fuzzer, (20014) HTTP Parameter Pollution, (40023) Possible Username Enumeration, (90027) Cookie Slack Detector, (40016) Cross Site Scripting (Persistent) - Prime, (40017) Cross Site Scripting (Persistent) - Spider, (90017) XSLT Injection, (90034) Cloud Metadata Potentially Exposed.
July 13th, 2022
HawkScan (2.5.0)
Updated networking stack
The core networking stack has been updated to use Netty 4, allowing for HTTP/2 support.
Permissions issue with git clone in Docker image
Using the --git-url/GIT_URL option with the stackhawk/hawkscan Docker image will now clone the git repo into the home directory of the non-root Docker user, instead of /hawk, to avoid permission errors.
Authentication form POST using HTTP/1.0
The authentication form POST will now use HTTP/1.1, which is the default for all other traffic.
July 11th, 2022
StackHawk Platform
Minor Bugs
Fixed minor issues that were causing the application page to freeze.
Jira Integration
Paths will now be populated when creating a new issue.
Create an App
Made it easier to get your YAML file and run a scan after creating a new application.
Navigation Bar
Applications option is now first in the navigation bar.
Environment Card
Clicking on metrics in the environment card will navigate users to its latest scan.
June 24th, 2022
StackHawk Platform
Create an App
Fixed an issue preventing users from adding their API specification when creating an application.
June 22nd, 2022
HawkScan (2.4.1)
Minor Bugs
Fixed minor issues with the cross-site scripting rule, date-time conversions, and plugin reporting.
June 22nd, 2022
StackHawk Platform
Enhanced Create an App Flow
Improved instructions on how to provide your API key to the scanner during the first app creation process.
SAST Integration Bugs
Restored the ability to remove a linked SAST project and fixed issues with SAST badging not displaying correctly in some places such as scan results and the applications list.
June 10th, 2022
HawkScan (2.4.0)
Updated ZAP to the latest version, 2.12.0
HawkScan has been upgraded to use ZAP 2.12.0, the latest stable release.
Additional Scan Alert Details
HawkScan now collects additional details from scan alerts, including the request/response time, history type, and alert reference.
Escape sequence handling in the config
Fixed a bug when handling exotic escape character sequences in the loggedInIndicator and loggedOutIndicator fields.
June 9th, 2022
StackHawk Platform
Billing
StackHawk grows with your team! Small teams can now upgrade to our Pro or Enterprise plans without paying for more developers than you have right now.
June 6th, 2022
StackHawk Platform
Authenticated Scanning Helper
Additional third-party authentication providers have been added including Okta, Firebase and Keycloak.
Scans Page
Pagination and filtering no longer reset when users navigate to an individual scan and then return to the scans page.
May 20th, 2022
StackHawk Platform
Authenticated Scanning Helper
Users can now add authentication through third-party providers such as Auth0 or other OAuth-based services. Support for additional OAuth providers will be coming in the near future.
May 2nd, 2022
HawkScan (2.3.1)
Exclude Paths
Fixed an issue where excludePaths would not work unless at least one includePath was set.
Token Extraction Regex
The regex applied to tokenExtraction.value was too strict; it has been removed for easier use.
April 20th, 2022
HawkScan (2.3.0)
Seed Paths
Added the ability to supply seed paths to supplement the spider when crawling applications.
Spring4Shell Alpha Scan Rule
Synced with the latest ZAP extensions to obtain the Spring4Shell scan rule.
Download Scan Logs
Added the "hawk download log" command, which can be used to download logs for specific scans.
April 18th, 2022
StackHawk Platform
Minor Security Vulnerabilities
Squashed a handful of minor security vulnerabilities.
April 6th, 2022
StackHawk Platform
Integrations
Updated the GitHub Actions integrations to reflect changes using the CLI.