HawkScan and AWS Code Services


AWS has a number of tools to aid in software development, including CodeBuild to build, test, and deploy software, and CodePipeline to sequence actions, including CodeBuild jobs. In this article we will create a simple CodeBuild project to scan an API that has already been deployed to our development environment.

Secure Your API Key

When you signed up on StackHawk, you created an API key. To keep it a secret, copy it to AWS Parameter Store as a SecureString, and name it /hawk/api/key1. We will extract that secret as an environment variable, HAWK_API_KEY, in CodeBuild so that HawkScan can use it.

Configure Codebuild

At the base directory of your code repository, add a buildspec.yml file to configure your CodeBuild job to run HawkScan. Notice the env.parameter-store section, which extracts your SecureString, /hawk/api/key1, into the build-time environment variable HAWK_API_KEY.


version: 0.2

    HAWK_API_KEY: /hawk/api/key1

      - |
        docker run -v $(pwd):/hawk:rw -t \
        -e API_KEY="${HAWK_API_KEY}" \
        -e NO_COLOR=true \

Configure HawkScan

At the base directory of your code repository, create a stackhawk.yml appropriate for scanning your application. For our example, we will create a minimal config pointing to our Development environment API endpoint. Just replace the host entry with your test endpoint, and replace applicationId with your App ID from StackHawk.


  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://example.com
  env: Development

  startupTimeoutMinutes: 1
    base: false

Run It

Check those two files into source control, and then configure a CodeBuild job to use that repository as its primary source. Start the build, and tail the logs in the CodeBuild console. You should see your scan initiate, run, and print a summary of results. Also, check your account at StackHawk to review your scan details!