Quick Start

Run your first security scan with StackHawk in under 10 minutes

Get started with StackHawk by creating an account, installing the scanner, and running your first application security scan in minutes. StackHawk empowers developers to identify and fix vulnerabilities early in the development cycle—before they hit production.

Step 1: Set Up Your StackHawk Account

  1. Sign up for a StackHawk Account
  2. During setup, you’ll receive an API Key used to authenticate scans.
  3. Optionally create your first Application Record in the platform—this will generate your applicationId.

Step 2: Install HawkScan

HawkScan is StackHawk’s security testing engine that runs on your local machine or in CI/CD.

macOS

Install via Homebrew or download the installer.

Windows

Download and run the Windows installer.

Linux

Download the ZIP package for your distribution.

Looking for more downloads? Check out our downloads page.

Step 3: Verify Installation and Authenticate

1. Verify that HawkScan is installed by checking your terminal for the hawk command version:

$ hawk --version

The current version of HawkScan is 5.2.0.

2. Authenticate to the StackHawk Platform using your API Key:

When you first created your StackHawk account, an API key was automatically generated for you. You’ll need this key to authenticate HawkScan with your StackHawk account.

$ hawk init

When prompted, enter your API key. This one-time setup links HawkScan to your account so scan results can be securely stored and analyzed in the StackHawk Platform.

To find or create an API key:

  1. Log into the StackHawk Platform
  2. Go to Settings > API Keys
  3. Use an existing key (if you saved it previously) or create a new one

Note: An API key was automatically generated when you created your account. For security reasons, API keys are only displayed once when created. If you don’t have access to your original key, simply create a new one from the Settings page.

Generate an API Key

StackHawk requires an API key to run scans and push results to the platform. You can manage your API keys at Settings > API Keys.

To store your API key as an environment variable for use with HawkScan:

Bash:

mkdir -p ~/.hawk
echo 'export HAWK_API_KEY=hawk.xxxxxxxxxx.xxxxxxxxxx' > ~/.hawk/hawk.rc
source ~/.hawk/hawk.rc

PowerShell:

mkdir "$HOME\.hawk"
echo '$env:HAWK_API_KEY="hawk.xxxxxxxxxx.xxxxxxxxxx"' > $HOME\.hawk\hawk.ps1
. $HOME\.hawk\hawk.ps1

Replace hawk.xxxxxxxxxx.xxxxxxxxxx with your actual API key.

Tip: If you lose your API key or need a new one, generate a replacement at Settings > API Keys in the StackHawk platform.
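
The Bash snippet above creates hawk.rc with whatever the current umask allows, which with the common default of 022 leaves the key readable by other local users. A hardened variant, added here as an example (not StackHawk's own code; the function names are hypothetical):

```bash
#!/usr/bin/env bash
# Added example: store the HawkScan API key with owner-only permissions.
# store_hawk_key and key_file_is_private are hypothetical helper names.

# Write an export line for HAWK_API_KEY to <dir>/hawk.rc (default ~/.hawk).
store_hawk_key() {
    local key="$1" dir="${2:-$HOME/.hawk}"
    case "$key" in
        ""|*"'"*|*[[:space:]]*) echo "refusing empty or unquotable key" >&2; return 1 ;;
    esac
    (
        umask 077                         # new directory 0700, new file 0600
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        printf "export HAWK_API_KEY='%s'\n" "$key" > "$dir/hawk.rc" || exit 1
        chmod 600 "$dir/hawk.rc"          # also tightens a pre-existing file
    )
}

# Succeed only if the file exists and has no group/other permission bits.
key_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Interactive use: run with --prompt to read the key without echoing it,
# so it never lands in shell history.
if [ "${1:-}" = "--prompt" ]; then
    read -rs -p 'StackHawk API key: ' k; echo
    store_hawk_key "$k" && key_file_is_private "$HOME/.hawk/hawk.rc" &&
        echo "saved to $HOME/.hawk/hawk.rc"
fi
```

Load the key into a shell with source ~/.hawk/hawk.rc, exactly as in the original snippet.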

Step 4: Create Your Application and Configuration File

First, you’ll need to provide a valid StackHawk Application ID. You can do this in one of two ways:

Option 1: Use an Existing App

If you already created an app during onboarding, you can grab the applicationId from the App Settings page in the StackHawk platform.

Option 2: Create a New App via the CLI

If you don’t have an existing app, you can create one using the HawkScan CLI.

$ hawk app create

You’ll be prompted for an application name:

$ hawk app create

Application Name: [your app name]

You’ll get a response like:

KaaKaww! 🎉 Here is your new application ID:
XXxxXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX

Define Your Configuration

Next, you’ll create a stackhawk.yml configuration file in the root of your app. This file tells HawkScan how to run against your application, including where it’s hosted and how to behave during the scan.

Here’s a basic example:

app:
  applicationId: [your-application-id]
  env: Development
  host: http://localhost:3000

  • applicationId: The ID from the CLI or platform
  • env: The current environment label (Development, Staging, Production, etc.)
  • host: The base URL where your app is running

Step 5: Run a Scan

With your stackhawk.yml file in place, run this command from your project’s root directory:

$ hawk scan

That’s it! HawkScan will start analyzing your application for security vulnerabilities.
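
A pre-flight check to run before hawk scan, added as an example and not part of StackHawk's tooling: it confirms the three app fields are filled in, that no API key has been pasted into stackhawk.yml, and that HAWK_API_KEY is exported. The function names and the key-shape pattern (taken from the hawk.xxxxxxxxxx.xxxxxxxxxx placeholder) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before `hawk scan`.
# yaml_value and preflight are hypothetical helper names.

# Print the value of the first "key: value" line for <key> in <file>.
# Handles only the flat layout shown in the basic stackhawk.yml example.
yaml_value() {   # yaml_value <file> <key>
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" |
        tr -d "\"'" | head -n 1
}

# Return 0 only when the config and environment are ready for a scan.
preflight() {    # preflight [config-file]
    local cfg="${1:-stackhawk.yml}" id env host rc=0
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    id=$(yaml_value "$cfg" applicationId)
    env=$(yaml_value "$cfg" env)
    host=$(yaml_value "$cfg" host)

    # The [your-application-id] placeholder must have been replaced.
    case "$id" in ""|\[*) echo "applicationId not set" >&2; rc=1 ;; esac
    [ -n "$env" ] || { echo "env not set" >&2; rc=1; }
    case "$host" in
        http://?*|https://?*) ;;
        *) echo "host must be a base URL" >&2; rc=1 ;;
    esac

    # stackhawk.yml lives in the project root and is usually committed, so a
    # key inside it leaks with the repository. Heuristic pattern (assumption).
    if grep -Eq 'hawk\.[A-Za-z0-9]{10,}\.[A-Za-z0-9]{10,}' "$cfg"; then
        echo "API key found in $cfg; keep it in HAWK_API_KEY instead" >&2; rc=1
    fi
    [ -n "${HAWK_API_KEY:-}" ] || { echo "HAWK_API_KEY not exported" >&2; rc=1; }
    return "$rc"
}

# Typical use from the project root:
#   preflight stackhawk.yml && hawk scan
```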

Step 6: Review the Results

After the scan completes, you’ll see the results in the StackHawk Platform.

StackHawk 🦅 HAWKSCAN - v5.1.0
* app id:              xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* env:                 Development
* scan id:             xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
* scan configs:        ['stackhawk.yml']
* app host:            https://localhost:3000
* graphql:             False

Passive scanning complete
Active scan of https://localhost:3000 complete
Scan results for https://localhost:3000
------------------------------------------------------------
Criticality: New/Triaged
   High: 0/1    Medium: 32/0    Low: 22/0
------------------------------------------------------------

View on StackHawk platform: https://app.stackhawk.com/scans/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

That’s It!

You’ve just run your first security scan with StackHawk. From here, you can:
