After HawkScan is finished testing, click the View on StackHawk platform link in the GitHub Actions HawkScan workflow log.
After you click the link, you can view the results in StackHawk. The Environment card displays the date and time of the scan as well as the environment (GitHub Actions, specified in the stackhawk-actions.yml configuration file) and a high-level overview of the findings.
Clicking on the Environment card will open a list of all scans run on this application in this environment with the latest scan at the top. Clicking into the latest scan provides even more detailed information about the latest scan you just ran.
- Since you have the GitHub integration and the tags element in your HawkScan configuration file, you can see the commit SHA and branch that this scan was run on.
- You can also see all the Findings listed in order of Criticality (high, medium, and low).
- From here you can print a report by clicking Print Scan Report.
- You can also view the different Plugins or tests that were run by clicking the Plugin Summary tab,
- And you can view all the paths that were scanned by clicking the Paths tab.
If you click on a specific finding, you can see more information about that vulnerability including:
- Ideas for remediation
- Brief description
- Risks associated
- Links to cheatsheets with further information on and how to prevent these types of issues
- List of paths that contain this vulnerability
- The Status of the vulnerability, which defaults to New and can be marked as Assigned, False Positive, or Risk Accepted
- On the right side of the page you can see the Evidence of the vulnerability, which includes the body, headers, and cookies included in the request as well as the response.
- You can also click the Other Info tab to see additional information about the vulnerability given by the creators of the ZAP plugin that may be helpful.
- Click Validate to generate a curl request you can use to test the path.
- Or you can click Actions to triage or categorize the issue vulnerability as Assigned, Risk Accepted, or False Positive.