HawkScan and AWS Code Services
Overview
AWS has a number of tools to aid in software development, including CodeBuild to build, test, and deploy software, and CodePipeline to sequence actions, including CodeBuild jobs. In this article we will create a simple CodeBuild project to scan an API that has already been deployed to our development environment.
Secure Your API Key
When you signed up on StackHawk, you created an API key. To keep it a secret, copy it to AWS Systems Manager Parameter Store as a SecureString named /hawk/api/key1. We will extract that secret into an environment variable, HAWK_API_KEY, at build time so that HawkScan can use it without the key ever appearing in your repository or build definition. Note that the CodeBuild service role must be allowed to read that parameter (ssm:GetParameters on the parameter's ARN) and, because it is a SecureString, to decrypt it (kms:Decrypt on the key used to encrypt it); if either permission is missing, the build fails before your commands run.
Configure Codebuild
At the base directory of your code repository, add a buildspec.yml file to configure your CodeBuild job to run HawkScan. Notice the env.parameter-store section, which extracts your SecureString, /hawk/api/key1, into the build-time environment variable HAWK_API_KEY.
buildspec.yml

```yaml
version: 0.2
env:
  parameter-store:
    # Resolved by CodeBuild at build start; the value is never written to the repo.
    HAWK_API_KEY: /hawk/api/key1
phases:
  build:
    commands:
      - |
        docker run -v $(pwd):/hawk:rw -t \
          -e API_KEY="${HAWK_API_KEY}" \
          -e NO_COLOR=true \
          stackhawk/hawkscan
```
Configure HawkScan
At the base directory of your code repository, create a stackhawk.yml appropriate for scanning your application. For our example, we will create a minimal config pointing to our Development environment API endpoint. Just replace the host entry with your test endpoint, and replace applicationId with your App ID from StackHawk.
stackhawk.yml

```yaml
app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://example.com
  env: Development
hawk:
  startupTimeoutMinutes: 1
  spider:
    base: false
```
Run It
Check those two files into source control, and then configure a CodeBuild job to use that repository as its primary source. Because the build runs HawkScan as a Docker container, the CodeBuild project's environment must have privileged mode enabled; without it the docker command cannot reach a daemon. Start the build, and tail the logs in the CodeBuild console. You should see your scan initiate, run, and print a summary of results. Also, check your account at StackHawk to review your scan details!
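The three setup steps above (store the key, let the CodeBuild role read it, confirm it arrived in the build) can be scripted and checked before the first build. The following helpers are an added example, not code from StackHawk or from this article: they assume the parameter path /hawk/api/key1 used above, and take the account ID, region and KMS key ARN as placeholders you substitute. The AWS CLI call only runs when HAWK_APPLY=1, so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the StackHawk docs): helpers for the
# Parameter Store / CodeBuild setup described in this article.
# Assumptions: parameter path /hawk/api/key1 from the article; account,
# region and KMS key ARN are placeholders supplied by the caller.

# Store the API key as a SecureString. The key is read from the
# environment rather than typed as a literal, so it stays out of shell
# history (it is still briefly visible to `ps` while the CLI runs).
hawk_store_key() {
  name=$1
  case $name in
    /hawk/api/*) ;;
    *) echo "refusing to store key outside /hawk/api/: $name" >&2; return 2 ;;
  esac
  [ -n "${HAWK_API_KEY:-}" ] || { echo "HAWK_API_KEY is not set" >&2; return 2; }
  if [ "${HAWK_APPLY:-0}" = "1" ]; then
    aws ssm put-parameter --name "$name" --type SecureString \
      --value "$HAWK_API_KEY" --overwrite >/dev/null
  fi
  return 0
}

# Least-privilege inline policy for the CodeBuild service role: read exactly
# one parameter and decrypt with exactly one key. CodeBuild resolves
# env.parameter-store with ssm:GetParameters, which needs kms:Decrypt on the
# key that encrypted the SecureString. Pass the key ARN you used (the
# AWS-managed alias/aws/ssm key if you did not choose one).
hawk_codebuild_policy() {
  region=$1; account=$2; name=$3; kms_key_arn=$4
  # SSM parameter ARNs append the slash-prefixed name directly to "parameter".
  param_arn="arn:aws:ssm:${region}:${account}:parameter${name}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": "${param_arn}"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "${kms_key_arn}"}
  ]
}
EOF
}

# Guard for a pre_build phase in buildspec.yml: fail fast if the secret did
# not arrive, and report only its length so the value never reaches the log.
hawk_precheck() {
  [ -n "${HAWK_API_KEY:-}" ] || {
    echo "HAWK_API_KEY missing: check parameter-store entry and role policy" >&2
    return 1
  }
  echo "HAWK_API_KEY present (${#HAWK_API_KEY} chars)"
}

# Usage (only when invoked as: sh setup.sh apply):
#   HAWK_API_KEY=... HAWK_APPLY=1 sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  hawk_store_key /hawk/api/key1
  hawk_codebuild_policy us-east-1 123456789012 /hawk/api/key1 \
    arn:aws:kms:us-east-1:123456789012:key/REPLACE-WITH-YOUR-KEY-ID
  hawk_precheck
fi
```

Attach the emitted policy document to the CodeBuild service role and add `hawk_precheck` (or its two lines) as a pre_build command; a build that fails there is a permissions problem, not a HawkScan problem, which saves a round of reading container logs.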