Running Your First Scan

Follow this guide to get up and running with the StackHawk CLI and HawkScan, the easiest way to scan your applications directly from your local environment!

This quick start uses macOS and our CLI tool hawk for the examples. Homebrew, a package manager for macOS, is required and can be installed from brew.sh. For other ways to run HawkScan, such as on other operating systems or within a Docker container, see the HawkScan documentation.

First things first, if you don’t already have a StackHawk account you can sign up here. It’s free!

Step 1: Install HawkScan

StackHawk CLI requires Java version 11 or higher. If you aren’t sure whether you have Java 11 installed, refer to our prerequisites for more details.

To start, install the StackHawk CLI from your terminal:

$ brew install stackhawk/cli/hawk

To verify your new install:

$ hawk version

v2.3.1

Step 2: Initialize the Scanner

Once you’ve installed the StackHawk CLI, the next step is to initialize it with your StackHawk API Key.

$ hawk init

Please enter a StackHawk API key: hawk.xXXxxXXXXxXX.xXXxxXXXXxXX

Authenticated!

During account creation an API key was generated for you. If you need to generate a new key, navigate to Settings > API Keys.

Step 3: Configure Your Application

Not ready to scan your own application? No problem! We’ve provided a set of example projects you can run locally or in a Docker container to experience StackHawk right away. If you want to get going as fast as possible, we recommend the JavaSpringVulny project.

Before moving on, you’ll need an Application with its corresponding stackhawk.yml configuration file, which tells the scanner what type of app you have, where it is located and how best to scan it. A basic configuration file should look something like this:

stackhawk.yml

app:
  # ID of an Application in your StackHawk account
  applicationId: XXxxXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  # Environment name for the scan
  env: Development
  # URL to a running instance of your application
  host: https://localhost:3000

For more advanced configuration options, including how to set up API and authenticated scanning, see HawkScan configuration.

Step 4: Run a Scan

From the root folder of your project (the one containing the stackhawk.yml configuration file), we’re now ready to run our first scan:

$ hawk scan

Step 5: View Scan Results

Once the scan has completed you should see results in your terminal similar to this:

StackHawk 🦅 HAWKSCAN - v2.3.1
* app id:              xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* env:                 Development
* scan id:             xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* scan configs:        ['stackhawk.yml']
* app host:            https://localhost:3000
* graphql:             False

Passive scanning complete
Active scan of https://localhost:3000 complete
Scan results for https://localhost:3000
------------------------------------------------------------
Criticality: New/Triaged
   High: 0/1    Medium: 32/0    Low: 22/0
------------------------------------------------------------

View on StackHawk platform: https://app.stackhawk.com/scans/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

We recommend reviewing your scan results on the StackHawk platform where you can easily see finding details, recreate and validate vulnerabilities and triage your findings so future scans can alert you to new issues.
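As an added example (not StackHawk's code and not part of this guide), the Python script below ties Step 3 and Step 5 together: it checks the minimal stackhawk.yml for missing or still-placeholder values before a scan is started, then reads the "Criticality: New/Triaged" summary that hawk scan prints and returns a non-zero exit code when untriaged findings exist at a chosen severity or above, so a CI job can stop on new issues while triaged ones keep passing. The sample config and summary are copies of the ones shown in this guide; it assumes hawk scan writes the summary to standard output and that application IDs are UUIDs (the guide only shows masked values).

```python
import re
import subprocess
import sys

# Constructed sample config, copied from the minimal stackhawk.yml in this guide.
SAMPLE_CONFIG = """\
app:
  # ID of an Application in your StackHawk account
  applicationId: XXxxXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  # Environment name for the scan
  env: Development
  # URL to a running instance of your application
  host: https://localhost:3000
"""

# Constructed sample of the summary block hawk scan prints (copied from this guide).
SAMPLE_OUTPUT = """\
Scan results for https://localhost:3000
------------------------------------------------------------
Criticality: New/Triaged
   High: 0/1    Medium: 32/0    Low: 22/0
------------------------------------------------------------

View on StackHawk platform: https://app.stackhawk.com/scans/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
"""

SEVERITIES = ("High", "Medium", "Low")  # most to least severe, as printed by the scanner


def app_settings(config_text):
    """Return the keys under 'app:' from the flat two-level layout used in the guide.
    Comments are ignored; use a real YAML parser for richer configuration files."""
    settings = {}
    in_app = False
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()
        if not stripped:
            continue
        if not line.startswith(" "):          # top-level key: are we inside app:?
            in_app = stripped == "app:"
            continue
        if in_app and ":" in stripped:
            key, value = stripped.strip().split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def config_problems(config_text):
    """List what is missing or still a placeholder; an empty list means ready to scan."""
    app = app_settings(config_text)
    problems = []
    app_id = app.get("applicationId", "")
    if not app_id:
        problems.append("app.applicationId is missing")
    # Assumption: application IDs are UUIDs; the placeholder in the guide is not one.
    elif not re.fullmatch(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}", app_id):
        problems.append("app.applicationId is not a real application ID (still the placeholder?)")
    if not app.get("env"):
        problems.append("app.env is missing")
    if not re.fullmatch(r"https?://\S+", app.get("host", "")):
        problems.append("app.host must be the http(s) URL of a running instance")
    return problems


def parse_summary(output):
    """Return {severity: (new, triaged)} from the 'High: 0/1  Medium: 32/0 ...' line."""
    return {sev: (int(new), int(triaged))
            for sev, new, triaged in re.findall(r"\b(High|Medium|Low):\s*(\d+)/(\d+)", output)}


def scan_url(output):
    """Return the platform link printed at the end of the scan, if present."""
    match = re.search(r"View on StackHawk platform:\s*(\S+)", output)
    return match.group(1) if match else None


def new_findings_at_or_above(counts, level="High"):
    """Count untriaged ('New') findings at `level` or more severe."""
    considered = SEVERITIES[: SEVERITIES.index(level) + 1]
    return sum(counts.get(sev, (0, 0))[0] for sev in considered)


def main(argv):
    """Usage: python hawk_gate.py [High|Medium|Low], run from the project root."""
    fail_on = argv[1] if len(argv) > 1 else "High"
    with open("stackhawk.yml") as config_file:
        problems = config_problems(config_file.read())
    if problems:
        print("\n".join(problems))
        return 2
    # Assumption: hawk scan prints the summary to stdout and exits non-zero on error.
    proc = subprocess.run(["hawk", "scan"], capture_output=True, text=True)
    sys.stdout.write(proc.stdout)
    if proc.returncode != 0:
        return proc.returncode
    blocking = new_findings_at_or_above(parse_summary(proc.stdout), fail_on)
    print(f"new findings at {fail_on} or above: {blocking} ({scan_url(proc.stdout)})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the summary from this guide, the script passes at the default High threshold (the one High finding is already triaged) and fails at Medium, where 32 untriaged findings remain; triaging findings on the platform is therefore what makes the gate useful over time.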

Congratulations! You’ve successfully completed your first scan. 🦅 #Kaakaww!

API Scanning

Next, let’s go deeper by configuring API scanning. First, check out our video for a quick overview of API scanning:

Follow our guides for your specific API to start scanning your endpoints:

Next Steps

Looking for more? Keep going to learn more about the StackHawk platform and how to make the most of dynamic application security testing!