
Changelog

Tracking updates to the StackHawk platform and HawkScan since 2019

July 26, 2021

StackHawk Platform

Added

Delete Applications, Environments, and Scans

Remove outdated or unused scans, applications and environments from your organization.

Improvement

Application Creation Modal

The application creation modal will be reset to its default state when closing the modal.

Improvement

(Pro & Enterprise) Audit Log Messaging

The audit log now provides a clearer message when scans are removed from your organization.

Fixed

Curl Command Generation

Curl commands with nested single quotes can now be used to validate findings.

Fixed

Downloadable Configuration

The application name is now present in the downloadable stackhawk.yml.

Fixed

Announcements Panel

Fixed announcements panel notifications for when new release notes are published.

July 12, 2021

StackHawk Platform

Added

(Pro & Enterprise) Create an App Flow: Tech Flags

We have added the ability to modify technology flags during the application creation process. Technology Flags allow you to fine-tune the tests HawkScan runs to better match your tech stack, leading to faster scans and fewer false positives.

Improvement

Create an App Flow

The application creation modal has been updated to include the guided wizard interface.

Fixed

Getting Started Flow

We now retain the Application ID when clicking back or on to a specific step in the Getting Started wizard.

July 9, 2021

HawkScan (0.11.8)

Fixed

Repository Metadata Collection

Fixed a bug that made HawkScan error out when collecting metadata.

July 6, 2021

HawkScan (0.11.7)

Added

SOAP specific scan policies

HawkScan now automatically configures scan policies for SOAP API endpoints to include relevant tests.

Improvement

API Scanning

HawkScan now targets GraphQL, OpenAPI and SOAP APIs with more specific and relevant attack vectors.

Fixed

Scan Policy

Fixed a bug with merging scan policy overlays when configured for GraphQL and OpenAPI scanning.

Fixed

Token Redaction

Token authentication will now redact the external token from the scan config.

July 6, 2021

StackHawk Platform

Added

Jira Data Center Integration

Enterprise Plan organizations can now triage scan findings with the Jira Data Center Integration. This integration will connect with an Atlassian Jira Server or Atlassian Data Center to create or link Jira issues from StackHawk findings.

Fixed

Jira Actions

Fixed a bug with Jira Cloud integration where the platform could not detect if a project management integration is installed.

May 28, 2021

HawkScan (0.11.6)

Improvement

Authentication TestPath

HawkScan terminal error output includes more details when validating authentication via the testPath.

Fixed

Terminal Output

Fixed a bug with HawkScan output reporting incorrect counts of triaged findings.

Fixed

GraphQL Configuration

Fixed a bug when configuring a GraphQL schema endpoint with a trailing slash, and fixed the reporting of scanned GraphQL paths.

Fixed

Scan Policies

Fixed a bug in application specific policies that was preventing plugin overrides from working correctly.

May 25, 2021

StackHawk Platform

Added

Microsoft Teams Integration

Organizations on the Enterprise Plan can now send Scan Notifications to configured Microsoft Teams channels whenever a scan is run and completed.

Added

Webhook Integration

Generic Webhooks are now available for Organizations on the Enterprise Plan. Send Scan Results to third-party systems (collaboration tools, incident management platforms, etc.) when a scan completes. Scan Results will be sent in a JSON payload to your configured webhook endpoint.

Fixed

PowerShell Commands

Updated PowerShell instructions for the Getting Started steps.

May 5, 2021

StackHawk Platform

Improvement

Integrations

Quickly see what StackHawk enabled workflow integrations you have installed directly from the integrations tab.

Fixed

Audit Payload

A bug was fixed related to certain audit events missing relevant details in their messages.

April 23, 2021

StackHawk Platform

Added

(Enterprise) Audit Log

View an audit log of all activity within your organization, including when users join and leave your organization, when scans have been kicked off, when findings are triaged, and more!

Improvement

Validate Findings

All scan findings can now be validated. Alerts from HawkScan can be recreated with the Validate button in the Findings tab.

Improvement

HawkScan Version Tooltip

Jump into HawkDocs to learn how to update HawkScan when your version is out of date via a tooltip on the Scan Details page.

Fixed

App Redirects

A bug was fixed related to following scan link URLs in expired browser sessions.

April 22, 2021

HawkScan (0.11.4)

Added

GraphQL Spider Progress

Percentage-complete progress is now output to the terminal for long-running GraphQL spiders.

Improvement

Threshold Exit Code 42

When the finding threshold has been reached, HawkScan now returns exit code 42, so it can be distinguished from an unsuccessful scan, which returns exit code 1.

Fixed

Inaccurate Finding/Triage Counts

Fixed inaccurate finding and triage counts in the HawkScan terminal output.

Fixed

Remove Stacktrace From Terminal Output

Removed the stacktrace from the terminal output when an incorrect applicationId is specified in the stackhawk.yml.

Fixed

Redact Credentials From Terminal Output

Redact the authentication credentials from the terminal output on authentication failure.

Fixed

Race Condition

Fixed an intermittent race condition when sending the final scan results to the platform.

Removed

Deprecated GraphQL Fields

The deprecated graphqlConf fields batchQueries and introspection have been removed from the terminal output banner.

April 13, 2021

HawkScan (0.11.0)

Fixed

HawkScan failureThreshold

Fixed an error that occurred when failureThreshold was configured in your application config. HawkScan now exits correctly with this configuration.

April 6, 2021

StackHawk Platform

Added

Support Modal

Having issues with the StackHawk web app? Can’t seem to get HawkScan configured? By clicking on your username in the sidebar you can find easy access to HawkDocs and how to contact our support team.

Added

Keyboard Control for Integrations

The tables, buttons and dropdowns of the Integration pages can now be controlled with a keyboard.

Fixed

App Creation Wizard Display

The Application ID will be displayed without overlapping its field boundaries in the App Creation Wizard.

March 30, 2021

HawkScan (0.10.0)

Added

SOAP API Support

Use the app.soapConf configuration section to point HawkScan at a local or hosted SOAP WSDL so it can scan your SOAP endpoints.

Added

All your inputs are belong to us

Set app.autoInputVectors=true to ensure only the correct data types are used when scanning your API. This helps increase the accuracy and completeness of the scan.

Improvement

New OpenAPI Conf section

The app.api section is being deprecated in favor of app.openApiConf to allow for easier configuration and expanded options when scanning an OpenAPI based API.

Improvement

OpenAPI scanning improvements

When scanning an OpenAPI-based API, HawkScan will automatically detect and configure any data-driven nodes in your API spec. This allows HawkScan to avoid rescanning repetitive paths in your site tree, as well as to detect and scan sub-paths. The overall effect is a more complete and accurate OpenAPI scan.

Improvement

Scan Speed + Accuracy

When scanning an API, use the StackHawk Platform Technology Flags in combination with app.autoPolicy and app.autoInputVectors to get the most out of your scan. The combination informs the scanner of the most accurate approach to attacking your application. We've seen a dramatic reduction in false positives, reduced scan times on large APIs, and an increase in harder-to-find vulnerabilities when using these options together on API scans.

March 23, 2021

StackHawk Platform

Added

Keyboard Control

Users who navigate the app without a mouse will be able to perform any action a keyboard and mouse user can.

Added

(Enterprise) Download Scan Results

Download Scan Results as JSON from Scan Details page.

Added

(Enterprise) SAML Support

SAML authentication and authorization for accessing the StackHawk platform. Contact our sales team to learn how to add this for your organization.

Improvement

Single Sign-On

Members and account settings pages are updated for Single Sign-On users.

Improvement

Lazy loading and dependency management

Specific routes and their dependencies are now loaded only when a user needs them.

Improvement

Findings Management History

Findings Management History displays full history of the status of a finding.

Improvement

Mobile Display on Finding Details page

Fixed

Getting Started on Free Tier

Free tier users can navigate getting started flow again without getting stuck by an Upgrade modal.

Fixed

Findings Path Display

URIs displayed on the Finding Details page are now checked for validity.

February 26, 2021

StackHawk Platform

Added

New Integrations

Find documentation on the StackHawk Spinnaker, Buildkite and Bitbucket Pipeline Integrations from the Integrations tab.

Improvement

Application Creation

Application creation experience includes a step-by-step wizard to guide users through scanning their first app.

Improvement

Usability and Display Improvements

Improvements across the app to increase usability and display of technology flags checkboxes and the Scans and Findings tables.

Improvement

Accessibility Improvements

Keyboard control improvements made to the multi-select components in the web app, as well as improved control of the left hand Welcome panel.

Fixed

Finding Details Sorting

Finding Details on the Print Scan page are sorted by severity.

Fixed

Finding Details Display

Resolved an issue where the Finding Details page would get confused when switching between GraphQL and REST scans.

February 15, 2021

HawkScan (0.9.0)

Improvement

Realtime streaming of scan findings to the platform

As security findings are found during a scan, they are sent to the platform for immediate viewing.

Fixed

Obscure error when using includePaths

Addressed an issue where using includePaths caused the spider to fail, resulting in an obscure error on the terminal.

Improvement

GraphQL Spider query improvement

The GraphQL spider process will generate queries to retrieve nested object fields that may contain data leaks... we see you.

Added

app.autoPolicy flag for API scans

When scanning a web API like OpenAPI or GraphQL, you can use the app.autoPolicy flag to load an optimized policy for the API type. This can help increase scan speed and reduce false positives when scanning web endpoints that do not serve HTML/JavaScript.

February 15, 2021

StackHawk Platform

Added

Technology Flags

Optimize HawkScan by applying custom technology flags from the Applications page settings in the web app. Improve scan speeds and reduce false positives by only running tests around the technologies your application uses.

Improvement

Scan Error Display

View scan errors from a tab on the Scan Details page.

Improvement

Application Creation

The http scheme is now added to an application’s host name if it is not present, and a button was added to easily copy Docker commands.

Fixed

Integrations Data Loading

Updated the Jira and Slack integration logic to avoid unnecessary authentication when loading their Integrations pages.

February 4, 2021

StackHawk Platform

Added

Application Creation

Creating a new application in the StackHawk web app has never been smoother. Add an app from the Applications page for an optimized application creation experience.

Improvement

Environments Table Graph

Who doesn’t like colorful bar graphs? View the environments table on the Applications page for a truncated version of the StackHawk graphs you know and love.

Fixed

Type Errors and Warnings

Removed code that was falsely causing a few too many logging errors and added some boundaries around a type error in the onboarding flow.

January 26, 2021

StackHawk Platform

Added

GraphQL Findings Table

Scanning your GraphQL app? The Finding Details page will now display the operation and operation name around each finding.

Improvement

Sample App Onboarding Wizard

Scanning Google Firing Range for the first time is easier than ever. Updates to the onboarding modal include navigating between steps of the modal, copying shell commands and other minor visual improvements.

Improvement

Plugin Table Loading State

The plugin summary table of the Scan Details page now has a loading state.

Improvement

Finding Details Right Panel

The right panel on the Finding Details page is now open by default.

Improvement

Changing Organizations

The profile menu in the sidebar has made it even easier to switch between multiple organizations, and a new loading animation has been added when switching organizations.

Fixed

Limit User Sessions

Fixed a bug where the platform got confused if you were logged into more than one account at the same time.

Fixed

Google Firing Range Banner Display

Updated logic around displaying a banner in the Applications page allowing a new user to scan the Google Firing Range app.

Fixed

Usability and Display Improvements

Improvements across the app to increase usability and performance of the Finding Details panel and tab display.

January 21, 2021

HawkScan (0.8.38)

Added

Added testPath.requestHeaders parameter to stackhawk.yml

The authentication testPath.requestHeaders parameter is a map of extra headers to send with the testPath request. This is useful when the testPath is a POST route whose requestBody requires JSON or some other specific Content-Type.

Improvement

Updated ZAP to the latest version 2.10

HawkScan has been upgraded to ZAP 2.10, the latest stable release.

Improvement

Updated scan plugins from zap-extensions

Updated to the latest scanner plugins.

January 12, 2021

StackHawk Platform

Added

Sample Application Onboarding

New users who load Google Firing Range sample data can view a modal wizard which will walk them through how to scan the Firing Range App on their own.

Added

Multiple Organizations

A user can now join multiple organizations, and switch between organizations by using the organization switcher in the left-hand nav, located under your profile picture.

Improvement

User Invites

The user invite flow has been improved to ensure the user knows the difference between joining an organization and creating a new account.

Improvement

GraphQL Support

On the Finding Details Page, the GraphQL Response Body in the right panel has been reformatted.

Fixed

Finding Details Page

A selected Finding List Item will stay selected upon the Right Panel opening.

Fixed

Create New App Modal

After creating a new Application from the Applications Page, the Application ID is now visible in the Create New App success modal.

Fixed

Datadog Integration

Who let the dogs out? A user can now see who enabled their organization’s Datadog integration.

December 18, 2020

StackHawk Platform

Added

Real Time Scan Progress

Ready, set, scan! Once a HawkScan is in flight, see real time scan progress in the StackHawk web app. The Scans page displays overall scan progress. Navigating to the Scan Details page provides insight to the plugins and tests HawkScan is running, as well as details on any errored or successful scans.

December 14, 2020

StackHawk Platform

Improvement

Plan Users Selection

Save yourself some clicks! Input the number of users you’d like to include in your plan - via keyboard or mouse.

Improvement

Findings Details page

Fixed an issue where uncategorized alerts would disrupt the display of metadata on the Finding Details page.

Fixed

Usability and Display Improvements

Improvements across the app to increase usability and performance of the onboarding flow, integrating with Slack and using StackHawk on Safari.

December 8, 2020

HawkScan (0.8.28)

Improvement

Updated scan plugins from zap-extensions

Updated to the latest scanner plugins which address a number of bugs and false positives.

Fixed

hawk.failureThreshold parameter not working correctly

The hawk.failureThreshold can now be set to high, medium, or low. If any alerts are found at the supplied threshold or higher, the scan will fail and output the count of alerts at or above the configured threshold.
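The hawk.failureThreshold entry above and the exit code 42 entry from April 22, 2021 (HawkScan 0.11.4) together define how a pipeline should read a scan result: 0 means the scan completed below the threshold, 42 means the threshold was reached, and 1 means the scan itself failed. The script below is an added example, not StackHawk's own code, showing a CI wrapper that keeps those three outcomes apart so that a crashed scan is never mistaken for a clean one. The docker invocation, the HAWKSCAN_IMAGE and STACKHAWK_CONFIG defaults, and the HAWK_API_KEY and HAWK_FAILURE_THRESHOLD variable names are assumptions for illustration; the accepted threshold values are the ones listed in the entry.

```shell
#!/usr/bin/env sh
# Added example (not StackHawk's own code): a CI wrapper that turns HawkScan's
# exit status into a build verdict, using the exit codes the changelog documents:
#   0  -> scan completed, no findings at or above hawk.failureThreshold
#   42 -> hawk.failureThreshold reached (findings present)
#   1  -> the scan itself did not complete
# The docker invocation and the HAWK_* variable names are assumptions for illustration.

HAWKSCAN_IMAGE="${HAWKSCAN_IMAGE:-stackhawk/hawkscan}"   # assumed image name
STACKHAWK_CONFIG="${STACKHAWK_CONFIG:-stackhawk.yml}"    # config file in the workspace

# validate_threshold: accept only the values the changelog lists for
# hawk.failureThreshold, so a typo in pipeline config cannot silently weaken the gate.
validate_threshold() {
  case "$1" in
    high|medium|low) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_exit: map a HawkScan exit status to pass / threshold / error.
classify_exit() {
  case "$1" in
    0)  printf 'pass\n' ;;
    42) printf 'threshold\n' ;;
    *)  printf 'error\n' ;;
  esac
}

# ci_gate: run the given command, then return 0 only when the scan completed
# and stayed below the threshold. A scan that did not complete (exit 1) is
# reported separately from a threshold failure so that "no results" is never
# read as "no findings".
ci_gate() {
  status=0
  "$@" || status=$?
  case "$(classify_exit "$status")" in
    pass)
      echo "HawkScan: scan completed with no findings at or above the threshold"
      return 0 ;;
    threshold)
      echo "HawkScan: exit 42, findings at or above hawk.failureThreshold; failing build" >&2
      return 1 ;;
    *)
      echo "HawkScan: exit $status, scan did not complete; results are not trustworthy" >&2
      return 2 ;;
  esac
}

# Entry point: only runs a real scan when an API key is present (as in CI);
# otherwise the file just defines the functions above. HAWK_FAILURE_THRESHOLD
# is the value the pipeline intends to template into hawk.failureThreshold in
# stackhawk.yml (the templating itself is not shown here).
if [ -n "${HAWK_API_KEY:-}" ]; then
  validate_threshold "${HAWK_FAILURE_THRESHOLD:-high}" || {
    echo "invalid hawk.failureThreshold '${HAWK_FAILURE_THRESHOLD}' (use high, medium or low)" >&2
    exit 2
  }
  ci_gate docker run --rm -v "$(pwd):/hawk:ro" -e API_KEY="$HAWK_API_KEY" \
    "$HAWKSCAN_IMAGE" "$STACKHAWK_CONFIG"
fi
```

Returning a distinct status (2) for an incomplete scan lets the pipeline treat "scanner errored" as an infrastructure failure to investigate, rather than as a security pass or fail; only exit 42 should be the signal that findings at or above the configured threshold exist.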

Fixed

Crashes due to conflicting virtual frame buffer lock files in docker compose environments

In some scenarios when running HawkScan in a Docker Compose environment, a stale Xvfb lock file can be present without the corresponding process. HawkScan now avoids this by detecting the X11 lock state and choosing an available display ID.

December 5, 2020

StackHawk Platform

Added

New Plans!

We are shaking the tree at StackHawk! We are now offering a free plan and a Pro plan to meet the needs of all kinds of customers, from seasoned hawks to spring chickens.

Added

GraphQL Findings

Scanning your GraphQL application? The StackHawk web app now identifies and displays specifics around your GraphQL queries and variables so you can easily identify your vulnerabilities from the Finding Details page.

Added

Choose Your Own Adventure

Signing up for StackHawk for the first time? Choose your plan and what kind of application you are looking to scan in the Getting Started flow. Load in your application data or check out a scan of the Google Firing Range project to familiarize yourself with the platform.

Improvement

Scan Overview

Welcome to the improved Scan Details page! Take a look at the improvements around the Scan Overview - we’ve added a new graph and display to help you identify the criticalities of the vulnerabilities in your application.

Improvement

Filtered Scan Results

Click on the environment name from the Applications page to see a filtered view of your Scans specific to that application and environment.

Improvement

Nudges

New to the StackHawk web app? We'll highlight some of the awesome features of the application for you. Look for the glowing buttons!

Fixed

Usability and Display Improvements

Improvements across the app to increase usability and performance of the login flow, display in various browsers and responsive behavior. Sometimes the Getting Started flow didn’t load to help users get started.
