Scan Optimization
Improve coverage and reduce scan time with API specs and targeted configuration
API Definitions
Provide HawkScan with your API definition for faster, more thorough scans. Without a definition, the scanner relies on discovery alone and may miss endpoints.
REST (OpenAPI)
Point HawkScan to your OpenAPI/Swagger spec:
app:
  openApiConf:
    path: "/openapi.yaml"
Don’t have a spec? StackHawk can generate one automatically from your codebase (Enterprise), or see tips for creating one manually.
Full reference: OpenAPI Configuration
GraphQL
HawkScan uses introspection to discover operations:
app:
  graphqlConf:
    enabled: true
    schemaPath: /graphql
Full reference: GraphQL Configuration
gRPC
HawkScan uses reflection to discover services:
app:
  grpcConf:
    path: 'localhost:9001'
Or provide a descriptor file if reflection isn’t available:
app:
  grpcConf:
    filePath: '/path/to/descriptor_set.pb'
Full reference: gRPC Configuration
SOAP
Point HawkScan to your WSDL:
app:
  soapConf:
    path: /api/v1?wsdl
Full reference: SOAP Configuration
Seed Paths
Add routes the spider can’t discover (pages not linked from your homepage):
hawk:
  spider:
    seedPaths:
      - "/admin"
      - "/api/internal"
Full reference: Scan Discovery
Tech Flags
Reduce scan time and false positives by telling HawkScan which technologies your app uses. Deselecting unused technologies reduces the number of tests applied to your application.
Tech flags are configured in the StackHawk Platform:
- Go to Applications
- Select your app → Settings
- Under Technology Flags, check only the technologies you use
Full reference: Technology Flags
Scan Policies
Scan policies control which security tests (plugins) run during a scan. Apply a policy in your stackhawk.yml:
app:
  scanPolicy:
    name: MY_CUSTOM_POLICY
Create and manage policies in the StackHawk Platform under Settings → Org Settings → Policy Management.
Full reference: Policy Management
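The settings above (an API definition under app, seed paths under hawk.spider, and a scan policy) are easy to drop from a stackhawk.yml during a refactor, which silently sends the scanner back to discovery alone. The following lint script is an added example, not StackHawk's own tooling: it reads a stackhawk.yml and reports missing or inconsistent optimization settings using only the keys shown on this page (openApiConf, graphqlConf, grpcConf, soapConf, seedPaths, scanPolicy). It carries a tiny YAML-subset parser so it runs without PyYAML; real configs should be loaded with a full YAML library. Two checks are assumptions drawn from the page's examples rather than documented rules: that seed paths are absolute routes starting with "/", and that a graphqlConf block should carry enabled: true. The two sample configs are constructed for the demonstration.

```python
"""Lint a stackhawk.yml for the scan-optimization settings described on this page.
Added example; not StackHawk tooling. Uses a minimal YAML-subset parser
(indented mappings, "- item" scalar lists, quoted/unquoted scalars)."""
from typing import Any

# Keys under app: that supply an API definition (taken from this page).
API_DEFINITION_KEYS = ("openApiConf", "graphqlConf", "grpcConf", "soapConf")


def _scalar(v: str) -> Any:
    """Convert a YAML scalar token: strip quotes, map true/false, parse ints."""
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    if v.lower() in ("true", "false"):
        return v.lower() == "true"
    if v.lstrip("-").isdigit():
        return int(v)
    return v


def parse_yaml_subset(text: str) -> dict:
    """Parse indentation-based mappings and scalar lists (small YAML subset only)."""
    root: dict = {}
    # Frames: (indent of the key line that opened the container, container, parent, key).
    # parent/key let a placeholder dict become a list once "- " items appear.
    stack = [(-1, root, None, None)]
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:  # close containers the line is not inside
            stack.pop()
        frame_indent, container, parent, key = stack[-1]
        if stripped.startswith("- "):
            if parent is None:
                raise ValueError("top-level lists are not supported by this subset parser")
            if not isinstance(container, list):
                container = []
                parent[key] = container
                stack[-1] = (frame_indent, container, parent, key)
            container.append(_scalar(stripped[2:].strip()))
            continue
        k, _, v = stripped.partition(":")  # first colon only; values may contain ':'
        k, v = k.strip(), v.strip()
        if v == "":
            child: dict = {}
            container[k] = child
            stack.append((indent, child, container, k))
        else:
            container[k] = _scalar(v)
    return root


def lint_config(cfg: dict) -> list:
    """Return human-readable findings for missing/inconsistent optimization settings."""
    findings = []
    app = cfg.get("app", {}) or {}
    hawk = cfg.get("hawk", {}) or {}
    if not any(isinstance(app.get(k), dict) for k in API_DEFINITION_KEYS):
        findings.append("no API definition (openApiConf/graphqlConf/grpcConf/soapConf): "
                        "scanner will rely on discovery alone and may miss endpoints")
    openapi = app.get("openApiConf")
    if isinstance(openapi, dict) and not openapi.get("path"):
        findings.append("openApiConf is present but path is empty")
    gql = app.get("graphqlConf")
    if isinstance(gql, dict) and gql.get("enabled") is not True:  # assumption: page example uses enabled: true
        findings.append("graphqlConf is present but enabled is not true")
    grpc = app.get("grpcConf")
    if isinstance(grpc, dict) and not (grpc.get("path") or grpc.get("filePath")):
        findings.append("grpcConf needs either path (reflection) or filePath (descriptor set)")
    soap = app.get("soapConf")
    if isinstance(soap, dict) and not soap.get("path"):
        findings.append("soapConf is present but path is empty")
    for p in (hawk.get("spider", {}) or {}).get("seedPaths", []) or []:
        if not isinstance(p, str) or not p.startswith("/"):  # assumption: routes are absolute
            findings.append(f"seedPaths entry {p!r} should be an absolute route such as /admin")
    policy = app.get("scanPolicy")
    if isinstance(policy, dict) and not policy.get("name"):
        findings.append("scanPolicy is present but name is empty")
    return findings


# Constructed sample configs for the demonstration (not from any real project).
GOOD_CONFIG = """\
app:
  openApiConf:
    path: "/openapi.yaml"
  grpcConf:
    path: 'localhost:9001'
  scanPolicy:
    name: MY_CUSTOM_POLICY
hawk:
  spider:
    seedPaths:
      - "/admin"
      - "/api/internal"
"""

WEAK_CONFIG = """\
app:
  graphqlConf:
    enabled: false
    schemaPath: /graphql
  grpcConf:
    filePath: ''
hawk:
  spider:
    seedPaths:
      - "admin"
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_config(parse_yaml_subset(text)) or ["ok"])
```

Run it against a real file with `lint_config(parse_yaml_subset(open("stackhawk.yml").read()))`; a non-empty result is a reasonable CI gate before the scan step, since each finding maps to a section above.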