Changelog
Tracking updates to the StackHawk platform and HawkScan since 2019
February 2nd, 2022
StackHawk Platform
Auto-downgrade
Inactive trial accounts will be downgraded to the free plan at 90 days
Button to CLI docs
Links to CLI documentation are now included when a user creates an App
January 27, 2022
StackHawk Platform
Plan name is displayed in audit log events regarding a subscription
Audit log and email notifications can now be accessed from the settings page on mobile devices
Checkout Modal
The checkout modal now closes when a yearly subscription is successfully updated. Various visual fixes are also included.
Jira Cloud Issue Triage
When sending an alert to Jira Cloud, you can now search for an existing issue directly by its issue key.
January 12, 2022
HawkScan (2.0.0)
Removed dependency on Python
The Python-based entrypoint command has been replaced with the new JVM-based CLI command "hawk scan".
Updated Docker image OS to Ubuntu 20
The base OS for the HawkScan Docker container has been updated to Ubuntu 20 and the latest version of Firefox.
Updated error output
Error output now contains contextual references to the YAML causing the error as well as links to corresponding documentation.
StackHawk CLI
The StackHawk CLI can be used without Docker to perform scans and validate configurations. The CLI is also included in the Docker image as it is the same scan engine for the CLI or Docker container.
New hawk validate config command
A new command, "hawk validate config", lints and validates your stackhawk.yml configuration files without performing a scan. Config validation is also performed before a scan to ensure accuracy.
Schema linting and validation for stackhawk.yml files in IDEs
The stackhawk.yml file schema is publicly available via SchemaStore.org, enabling real-time linting and validation of stackhawk.yml configuration files in many popular IDEs.
January 12, 2022
StackHawk Platform
StackHawk Enterprise Trial
Newly signed up users will automatically be on a 14-day free trial with access to all Enterprise StackHawk features. Users will be automatically downgraded to the Free version after 14 days if a purchase of Pro or Enterprise is not made. If a trial extension is required, users can contact support via Intercom on the Pricing Page or within the app.
Billing Updates
We have simplified subscription management in our UI. Users can now self-service for both Pro and Enterprise subscriptions and easily select the number of developers when upgrading to Pro or Enterprise plans.
December 23, 2021
StackHawk Platform
Env Card Graphs
Application page graphs are no longer constantly reloading.
Delete Env Modal
The delete environment modal was closing automatically. The modal will now only close when you tell it to.
GraphQL Config
The GraphQL-generated .yml file specifies a POST request instead of a GET request.
November 4, 2021
StackHawk Platform
Plugin Duration
Find out how long each plugin takes from the plugin summary tab of the scan details page for a better understanding of how HawkScan scans your application.
October 19, 2021
StackHawk Platform
Jira Issues are now retrieved when the Send to Jira modal opens.
Choosing to load example scan data from Google Firing Range will no longer show the Welcome modal to new users.
October 18, 2021
StackHawk Platform
Getting Started Updates
Plan descriptions and initial scan selections have been updated to better reflect scanning your own application or loading example scan data.
Create an Application Updates
When creating an application, you can now define a specific application type, which will generate a customized scan configuration allowing you to get started scanning faster. Additionally, the Technology Flags step has been removed from this flow, but can still be accessed under application settings.
Findings Other Info
The Other Info field of a finding has been surfaced in the Finding Details panel when available.
(Enterprise) API Source in Audit Log
API label is added to events sent from the public StackHawk API to the audit log.
Integration Error State
Integration pages now feature a new error state when integration channels cannot be retrieved.
Onboarding Experience
Invited users see a welcome modal, while new users that are owners of their organization are directed to create an application after providing onboarding information.
Deleting the last environment on a filtered applications view now updates the view to reflect the deletion.
October 6, 2021
StackHawk Platform
(Enterprise) StackHawk API Access
The StackHawk API is now available for public use by organizations on the Enterprise plan. With extensive documentation and resources, developers can now programmatically manage StackHawk applications and environments directly from the command line.
September 17, 2021
HawkScan (0.11.14)
Authentication and Session script support
Authentication and Session management scripts are now supported and configurable via authentication.script and authentication.sessionScript configurations.
OpenAPI request generation
A bug in HawkScan 0.11.11 meant that the OpenAPI request generator was not handling incomplete request body references and request bodies with mixed $ref and sub-property definitions.
OpenAPI parsing
A bug in HawkScan 0.11.11 was causing OpenAPI v2 specifications to fail instead of falling back to the v2 parsing engine.
August 31, 2021
StackHawk Platform
GraphQL Findings
Fixed an issue where some GraphQL results were displayed incorrectly when viewing scan findings.
August 26, 2021
StackHawk Platform
Jira Issue Promotion
Fixed an issue where the dropdown to select a Jira project was not populating while triaging issues.
August 26, 2021
HawkScan (0.11.11)
Header Replacer Rules
A bug in HawkScan 0.11.10 that was causing the header replacer configuration to fail has been fixed.
August 25, 2021
HawkScan (0.11.10)
OpenAPI verification
Added improved error detection in OpenAPI specifications that do not result in routes being discovered on your application.
Script loading
Custom scripts are now loaded before any authentication or API discovery traffic, allowing for custom auth and API discovery requests.
August 16, 2021
HawkScan (0.11.9)
Git Repo Mounting
Added the ability to mount a remote Git repository for a project instead of a Docker volume mount.
Error Handling
Improved error handling to catch errors returned when using https localhost URIs.
August 2, 2021
StackHawk Platform
Application View Updates
Improved the UI for accessing Application settings. Clicking on the application name or the arrow control will allow you to access your Application details and scan settings, such as Technology Flags.
Slack Configuration
Updated the Slack channel configuration UI to account for any deleted Applications or Environments that are mapped to a Slack channel.
July 26, 2021
StackHawk Platform
Delete Applications, Environments, and Scans
Remove outdated or unused scans, applications and environments from your organization.
Application Creation Modal
The application creation modal will be reset to its default state when closing the modal.
(Pro & Enterprise) Audit Log Messaging
Audit log provides a better message around removing scans from your organization.
Curl Command Generation
Curl commands with nested single quotes are now able to be used to validate findings.
Downloadable Configuration
The application name is now present in the downloadable stackhawk.yml.
Announcements Panel
Fixed announcements panel notifications for when new release notes are published.
July 12, 2021
StackHawk Platform
(Pro & Enterprise) Create an App Flow: Tech Flags
We have added the ability to modify technology flags during the application creation process. Technology Flags allow you to fine-tune the tests HawkScan runs to better match your tech stack, leading to faster scans and fewer false positives.
Create an App Flow
The application creation modal has been updated to include the guided wizard interface.
Getting Started Flow
We now retain the Application ID when clicking back or on to a specific step in the Getting Started wizard.
July 9, 2021
HawkScan (0.11.8)
Repository Metadata Collection
Fixed a bug that made HawkScan error out when collecting metadata.
July 6, 2021
HawkScan (0.11.7)
SOAP specific scan policies
HawkScan now automatically configures scan policies for SOAP API endpoints to include relevant tests.
API Scanning
HawkScan now targets GraphQL, OpenAPI and SOAP APIs with more specific and relevant attack vectors.
Scan Policy
Fixed a bug with merging scan policy overlays when configured for GraphQL and OpenAPI scanning.
Token Redaction
Token authentication will now redact the external token from the scan config.
July 6, 2021
StackHawk Platform
Jira Data Center Integration
Enterprise Plan organizations can now triage scan findings with the Jira Data Center Integration. This integration will connect with an Atlassian Jira Server or Atlassian Data Center to create or link Jira issues from StackHawk findings.
Jira Actions
Fixed a bug with Jira Cloud integration where the platform could not detect if a project management integration is installed.
May 28, 2021
HawkScan (0.11.6)
Authentication TestPath
HawkScan terminal error output includes more details when validating authentication via the testPath.
Terminal Output
Fixed a bug with HawkScan output reporting incorrect counts of triaged findings.
GraphQL Configuration
Fixed a bug when configuring a GraphQL schema endpoint with a trailing slash, and in the reporting of scanned GraphQL paths.
Scan Policies
Fixed a bug in application specific policies that was preventing plugin overrides from working correctly.
May 25, 2021
StackHawk Platform
Microsoft Teams Integration
Organizations on the Enterprise Plan can now send Scan Notifications to configured Microsoft Teams channels whenever a scan is run and completed.
Webhook Integration
Generic Webhooks are now available for Organizations on the Enterprise Plan. Send Scan Results to third-party systems (collaboration tools, incident management platforms, etc.) when a scan completes. Scan Results will be sent in a JSON payload to your configured webhook endpoint.
PowerShell Commands
Updated PowerShell instructions for the Getting Started steps.
May 5, 2021
StackHawk Platform
Integrations
Quickly see which StackHawk-enabled workflow integrations you have installed directly from the integrations tab.
Audit Payload
A bug was fixed related to certain audit events missing relevant details in their messages.
April 23, 2021
StackHawk Platform
(Enterprise) Audit Log
View an audit log of all activity within your organization, including when users join and leave your organization, when scans have been kicked off, when findings are triaged, and more!
Validate Findings
All scan findings can now be validated. Alerts from HawkScan can be recreated with the Validate button in the Findings tab.
HawkScan Version Tooltip
Jump into HawkDocs to learn how to update HawkScan when your version is out of date via a tooltip on the Scan Details page.
App Redirects
A bug was fixed related to following scan link URLs in expired browser sessions.