HawkScan and Travis CI

It’s easy to integrate StackHawk into your pipeline with Travis CI. The basic steps are to:

  1. Secure your API key as an environment variable in your Travis CI Project
  2. Configure your Travis CI job by adding a .travis.yml file to your project repository
  3. Configure HawkScan with a stackhawk.yml file

Secure Your API Key

When you signed up on StackHawk, you created an API key. To keep it a secret, copy it to the Environment Variables for your project. In the Travis CI web app, find your repository, and select More options –> Settings. From here, find the Environment Variables section. Add your StackHawk API key as a variable called HAWK_API_KEY.

Configure Your Travis CI Job

At the base directory of your code repository, add a .travis.yml file to configure Travis CI to run HawkScan. An example is provided below.

.travis.yml

language: shell
services:
  - docker
script:
  - |
    docker run --volume $(pwd):/hawk:rw --tty \
      --env API_KEY="${HAWK_API_KEY}" \
      --env NO_COLOR=true \
      stackhawk/hawkscan

This configuration tells Travis CI to run a single script, which runs HawkScan as a Docker container. The StackHawk API key is injected from the secure environment variable HAWK_API_KEY, so it never appears in the repository or the build log. The NO_COLOR environment variable suppresses colorized text so that HawkScan’s output is more readable in the Travis CI console.

Configure HawkScan

At the base directory of your code repository, create a stackhawk.yml appropriate for scanning your application. For our example, we will create a minimal config pointing to our development environment API endpoint.

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://dev.example.com
  env: development
  contactEmail: integration-test@example.com
hawk:
  startupTimeoutMinutes: 1
  spider:
    base: false

Replace the host entry with your test endpoint, and replace applicationId with your App ID from StackHawk.
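A pre-push check for the two files above, added here as an example (it is not StackHawk tooling): it confirms that .travis.yml takes the API key from the HAWK_API_KEY variable rather than a literal committed to source control, and that stackhawk.yml no longer carries the applicationId placeholder. The sample files it writes are constructed copies of this page's templates.

```shell
#!/bin/sh
# Lint the HawkScan CI files before they are checked in (example code, not StackHawk's own).

# travis_key_ok FILE -> 0 when every API_KEY assignment is sourced from ${HAWK_API_KEY}
travis_key_ok() {
  grep -q 'API_KEY="\${HAWK_API_KEY}"' "$1" || return 1
  # any other API_KEY=... line is a hard-coded secret in source control
  if grep 'API_KEY=' "$1" | grep -vq 'HAWK_API_KEY'; then return 1; fi
  return 0
}

# hawk_config_ok FILE -> 0 when applicationId is a real UUID and host is an http(s) URL
hawk_config_ok() {
  grep -Eq '^ *applicationId: [0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12} *$' "$1" || return 1
  grep -Eq '^ *host: https?://[^ ]+ *$' "$1" || return 1
  return 0
}

# lint_hawkscan_ci TRAVIS_FILE HAWK_FILE -> number of failed checks (0 means ready to push)
lint_hawkscan_ci() {
  fails=0
  travis_key_ok "$1" || { echo "$1: API_KEY must come from \${HAWK_API_KEY}, never a literal"; fails=$((fails+1)); }
  hawk_config_ok "$2" || { echo "$2: replace the applicationId placeholder and set host first"; fails=$((fails+1)); }
  return $fails
}

# Constructed sample inputs: the page's templates, applicationId placeholder still in place
tmp=$(mktemp -d)
cat > "$tmp/.travis.yml" <<'EOF'
language: shell
services:
  - docker
script:
  - |
    docker run --volume $(pwd):/hawk:rw --tty \
      --env API_KEY="${HAWK_API_KEY}" \
      --env NO_COLOR=true \
      stackhawk/hawkscan
EOF
cat > "$tmp/stackhawk.yml" <<'EOF'
app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://dev.example.com
  env: development
EOF
if lint_hawkscan_ci "$tmp/.travis.yml" "$tmp/stackhawk.yml"; then
  echo "ready to push"
else
  echo "fix the findings above before pushing"
fi
```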

Run It

Check those two files into source control, and head over to the Travis CI app console to watch your job run. Once Travis CI is done, check your account at StackHawk to review your scan details!


Copyright © 2019-2020 StackHawk, Inc.