Running Your First Scan
Follow this guide to get up and running with the StackHawk CLI, the easiest way to scan your applications directly from your local environment!
First things first, if you don’t already have a StackHawk account you can sign up here. It’s free!
Step 1: Install HawkScan
StackHawk CLI requires Java version 11 or higher. Java is automatically installed by our macOS or Windows installers, but if you are installing the StackHawk CLI via ZIP or aren’t sure if you’ve got Java 11 installed, refer to our prerequisites for more details.
Step 2: Verify Install and Initialize the Scanner
To verify the StackHawk CLI is installed check your terminal for the hawk command version:
$ hawk version
v3.8.0
Once you’ve installed the StackHawk CLI, the next step is to initialize it with your StackHawk API Key.
During account creation an API key was generated for you, if you need to generate a new key, navigate to Settings > API Keys.
$ hawk init
Please enter a StackHawk API key: hawk.xXXxxXXXXxXX.xXXxxXXXXxXX
Authenticated!
Step 3: Configure Your Application
Not ready to scan your own application? No problem! We’ve provided a set of example projects you can run locally or in a docker container to experience StackHawk right away. If you want to get going as fast as possible, we recommend the JavaSpringVulny Tutorial.
First, you’ll need to provide an existing StackHawk Application ID or create a new one. You can do this from the StackHawk platform, or simply create a new Application from the StackHawk CLI using the following command:
$ hawk create app
Application Name: <your app name>
KaaKaww! Here is your new application ID:
XXxxXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
Before moving on, you’ll need to provide a stackhawk.yml configuration file which tells the scanner what type of app you have, where it is located and how to best scan it. A basic configuration file should look something like this:
stackhawk.yml
app:
# ID of an Application in your StackHawk account
applicationId: XXxxXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
# Environment name for the scan
env: Development
# URL to a running instance of your application
host: https://localhost:3000
For more detailed configuration options, including how to set up API discovery and authenticated scanning, see Scanning Next Steps or our detailed HawkScan configuration reference.
Step 4: Run a Scan
From the root folder of your project (containing the stackhawk.yml configuration file) we’re now ready to run our first scan:
$ hawk scan
Step 5: View Scan Results
Once the scan has completed you should see results in your terminal similar to this:
StackHawk 🦅 HAWKSCAN - v3.8.0
* app id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* env: Development
* scan id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* scan configs: ['stackhawk.yml']
* app host: https://localhost:3000
* graphql: False
Passive scanning complete
Active scan of https://localhost:3000 complete
Scan results for https://localhost:3000
------------------------------------------------------------
Criticality: New/Triaged
High: 0/1 Medium: 32/0 Low: 22/0
------------------------------------------------------------
View on StackHawk platform: https://app.stackhawk.com/scans/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
We recommend reviewing your scan results on the StackHawk platform where you can easily see finding details, recreate and validate vulnerabilities and triage your findings so future scans can alert you to new issues.
Congratulations! You’ve succesfully completed your first scan. 🦅 #KaaKaww!
Next Steps
Looking for more? Keep going to learn more about the StackHawk platform and how to make the most of dynamic application security testing!