HawkScan and Azure Pipelines


You can test your applications with HawkScan in Azure Pipelines in one of the following ways:

  1. Using the StackHawk HawkScan Azure extension (recommended):
    This is the recommended approach, as it is a native integration with Azure Pipelines.
  2. Using Docker containers:
    You can use this approach if you prefer to run your application in Docker.

Azure Extension on Ubuntu

The Azure Extension is tested regularly with the ubuntu-latest image. The preferred method of installation is with the .zip file. Make sure the environment has Java JRE 11 or higher.

Azure Extension on Windows

The Azure Extension is tested regularly with the windows-latest image. The preferred method of installation is with the .msi file. This bundles an installation of a Java runtime, so you don’t have to manage a JRE on Windows.

Azure Extension on hosted Windows

More experienced Windows professionals may want to use the HawkScan Azure Extension on their own managed VM or Windows Server instance. Hosted Windows environments may have different administration policies that influence how the pipeline is configured.

We suggest manually installing HawkScan once from the .msi installer on the build host, and then restarting the Azure Pipelines agent. This ensures hawk.exe is on the PATH and available to Azure Pipelines jobs.

Some additional suggestions:

Installing HawkScan on hosted Windows

  • If your administration policy disables the msiserver Windows Installer service, then you cannot use the .msi installerType with HawkScanInstall.
  • If your administration policy prohibits running PowerShell scripts, then you cannot use the .zip installerType with HawkScanInstall.
  • If neither installerType works for running the HawkScanInstall task, you can optionally skip the task entirely, and maintain the HawkScan executable manually.

Running HawkScan on hosted Windows

  • If using the .zip installerType with RunHawkScan, make sure you have Java 11 or higher installed. You can use the JavaToolInstaller task:

azure-pipelines.yml

   - task: JavaToolInstaller@0
     inputs:
       versionSpec: '11'
       jdkArchitectureOption: 'x64'
       jdkSourceOption: 'PreInstalled'

  • Consider increasing JVM memory if your scanned application is exceptionally large.

azure-pipelines.yml

   - task: RunHawkScan@1
     inputs:
       configFile: "stackhawk.yml"
       version: "latest"
     env:
       HAWK_MEM: 2g

  • If the web application is hosted from a staging environment, consider using the HawkScan Docker container, if that’s acceptable.

  • If neither installerType works for running the RunHawkScan task, please reach out; we want to help you run your web applications in Azure Pipelines.
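
The installing and running checks listed above can be collected into one preflight on the build host before the pipeline is configured. The script below is an added example, not part of HawkScan or the Azure extension; the function and property names are hypothetical, and it assumes the "Restricted" execution policy is the setting that prohibits PowerShell scripts on the host.

```powershell
# Added example: preflight for a self-managed Windows build host.
# Function and property names are hypothetical, not part of HawkScan.

function Get-JavaMajorVersion {
    param([string]$VersionText)
    # Matches 'version "11.0.20"', 'version "17"' and legacy 'version "1.8.0_292"'.
    if ($VersionText -match 'version "(\d+)(?:\.(\d+))?') {
        $major = [int]$Matches[1]
        if ($major -eq 1 -and $Matches[2]) { return [int]$Matches[2] }  # 1.8 -> 8
        return $major
    }
    return 0   # Java missing or output not recognised
}

function Test-HawkScanHost {
    # installerType msi needs the Windows Installer service (msiserver) not disabled.
    $msi = Get-Service -Name msiserver -ErrorAction SilentlyContinue
    $msiUsable = ($null -ne $msi) -and ($msi.StartType -ne 'Disabled')

    # Effective policy for this session. Assumption: 'Restricted' is what
    # blocks the zip installer. 'AllSigned' may also block it; the page does
    # not say whether the installer script is signed.
    $policy = Get-ExecutionPolicy
    $scriptsAllowed = $policy -ne 'Restricted'

    # java prints its version on stderr; cmd.exe merges it into stdout.
    $javaText = ''
    if (Get-Command java.exe -ErrorAction SilentlyContinue) {
        $javaText = (cmd /c 'java -version 2>&1' | Out-String)
    }
    $javaMajor = Get-JavaMajorVersion -VersionText $javaText

    # A hawk.exe already on PATH means HawkScanInstall can be skipped.
    $hawk = Get-Command hawk.exe -ErrorAction SilentlyContinue
    $hawkPath = if ($hawk) { $hawk.Source } else { $null }

    [pscustomobject]@{
        MsiInstallerUsable = $msiUsable
        ZipInstallerUsable = $scriptsAllowed
        ExecutionPolicy    = $policy
        JavaMajor          = $javaMajor
        ZipRunReady        = $javaMajor -ge 11   # zip needs Java 11 or higher
        HawkOnPath         = $hawkPath
    }
}

Test-HawkScanHost | Format-List
```

Run it as the account the Azure Pipelines agent runs under, since the effective execution policy and PATH can differ per user.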