Running Your First Scan

Follow this guide to get up and running with the StackHawk CLI, the easiest way to scan your applications directly from your local environment!

First things first, if you don’t already have a StackHawk account you can sign up here. It’s free!

Step 1: Install HawkScan

StackHawk CLI requires Java version 11 or higher. Java is automatically installed by our macOS or Windows installers, but if you are installing the StackHawk CLI via ZIP or aren’t sure if you’ve got Java 11 installed, refer to our prerequisites for more details.

Step 2: Verify Install and Initialize the Scanner

To verify the StackHawk CLI is installed check your terminal for the hawk command version:

$ hawk version


Once you’ve installed the StackHawk CLI, the next step is to initialize it with your StackHawk API Key.

During account creation an API key was generated for you, if you need to generate a new key, navigate to Settings > API Keys.

$ hawk init

Please enter a StackHawk API key: hawk.xXXxxXXXXxXX.xXXxxXXXXxXX


Step 3: Configure Your Application

Not ready to scan your own application? No problem! We’ve provided a set of example projects you can run locally or in a docker container to experience StackHawk right away. If you want to get going as fast as possible, we recommend the JavaSpringVulny Tutorial.

First, you’ll need to provide an existing StackHawk Application ID or create a new one. You can do this from the StackHawk platform, or simply create a new Application from the StackHawk CLI using the following command:

$ hawk create app
Application Name: <your app name>

KaaKaww! Here is your new application ID:

Before moving on, you’ll need to provide a stackhawk.yml configuration file which tells the scanner what type of app you have, where it is located and how to best scan it. A basic configuration file should look something like this:


  # ID of an Application in your StackHawk account
  applicationId: XXxxXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  # Environment name for the scan
  env: Development
  # URL to a running instance of your application
  host: https://localhost:3000

For more detailed configuration options, including how to set up API discovery and authenticated scanning, see Scanning Next Steps or our detailed HawkScan configuration reference.

Step 4: Run a Scan

From the root folder of your project (containing the stackhawk.yml configuration file) we’re now ready to run our first scan:

$ hawk scan

Step 5: View Scan Results

Once the scan has completed you should see results in your terminal similar to this:

StackHawk 🦅 HAWKSCAN - v3.8.0
* app id:              xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* env:                 Development
* scan id:             xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* scan configs:        ['stackhawk.yml']
* app host:            https://localhost:3000
* graphql:             False

Passive scanning complete
Active scan of https://localhost:3000 complete
Scan results for https://localhost:3000
Criticality: New/Triaged
   High: 0/1    Medium: 32/0    Low: 22/0

View on StackHawk platform:

We recommend reviewing your scan results on the StackHawk platform where you can easily see finding details, recreate and validate vulnerabilities and triage your findings so future scans can alert you to new issues.

Congratulations! You’ve succesfully completed your first scan. 🦅 #KaaKaww!

Next Steps

Looking for more? Keep going to learn more about the StackHawk platform and how to make the most of dynamic application security testing!