StackHawk Documentation StackHawk Logo HawkDocs
hawkscan
configuration

No results found

Try different keywords or check your spelling

Search documentation

Find guides, API references, and more

esc

Hawkscan Configuration

HawkScan uses a stackhawk.yml file to define how your application should be scanned—including target URL, authentication settings, and scan scope.

By default, hawk scan reads stackhawk.yml from the current directory. You can also:

  • Supply additional configuration files: hawk scan --config additional.yml
  • Use Hosted Configuration to manage settings from the StackHawk platform

Minimum Configuration

Every stackhawk.yml requires three fields:

app:
  applicationId: xxxx-xxxx-xxxx-xxxx  # Your app ID from app.stackhawk.com
  env: Development                     # Environment name (Development, Staging, Production, etc.)
  host: http://localhost:8080          # The URL of your running application

Configuration Reference

The HawkScan configuration. The stackhawk.yml file follows this structure. A run of HawkScan will use this configuration to inform the scanner how to operate.

The minimum stackhawk.yml required is the following:

 app:
  applicationId: kkAAAKAW-kAWW-kkAA-WWwW-kAAkkAAAAwWW
  env: Test
  host: http://localhost:1337

Signup for a StackHawk account and Get Started.

Parameter Default Description
hawk {}

Parameters for scanner runtime and how it should look for vulnerabilities.
app {}

Required. Parameters for the target application and specifics for how it should be scanned.
hawkAddOn {}

Parameters for additional HawkScan add-ons and custom scripts.
tags []

Searchable keywords to associate with this scan.

hawk

Define global HawkScan settings, independent of the scanned application:

  • spider: Configure application crawling and scan discovery. Enable base and ajax crawlers, set maxDurationMinutes, add seedPaths, use custom commands, or import har files.
  • startupTimeoutMinutes: Maximum time to wait for the scanner to start (default: 5).
  • failureThreshold: Alert severity level to fail a scan (high, medium, or low).
  • scan: Set runtime behavior like max duration, request throttling, and concurrency.
  • config: Advanced scanner configuration overrides.
  • outboundProxy: Configure an outbound proxy, including host, credentials, and CA certificate.

For more details, see HawkScan Configuration Documentation.

Parameter Default Description
spider {}

Configuration for the application web crawler & scan discovery.
startupTimeoutMinutes 5

Maximum time in minutes to wait for the scanner process to start.
failureThreshold ""

The lowest alert level that returns a failed scan status. Accepted values: high, medium, or low.
scan {}

Configuration for the HawkScan runtime.
config []

Scanner configuration overrides, provided as a list of key=value strings. A list of strings in the form of key=value pairs passed to the scanner as scanner configuration overrides.

This is an advanced feature to configure HawkScan plugins and override their default behavior.
outboundProxy {}

Configuration for an outbound proxy.
hawk.spider

Configuration block for the application crawling and Discovery Phase aka Spider. See the Scan Discovery page for more details.

Parameter Default Description
base true

Enable the basic web crawler for discovering your application's routes. This spider is appropriate for most traditional web applications.
ajax false

Enable the ajax web crawler for discovering your application’s routes. This spider is appropriate for single-page web applications.
maxDurationMinutes 2

Maximum allowed time for enabled spiders to crawl your web application.
ajaxBrowser "CHROME_HEADLESS"

The browser type and style to use when running the AjaxSpider. When running the stackhawk/hawkscan docker container, this setting is ignored and will use the default CHROME_HEADLESS. The options are CHROME_HEADLESS and CHROME. FIREFOX_HEADLESS and FIREFOX are deprecated.
seedPaths []

List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, /admin. Note: this configuration is NOT a replacement for an API spec and provides no benefit to pure REST API's.
custom {}

Discover paths in your application with the assistance of a complimentary developer tool or software command. This is appropriate if your team already implements other application testing tools in their CI/CD pipeline, for a more thorough and repeatable scan.
har {}

Import a HAR file as the API discovery method for the scan.
disableSmartCrawling false

Disable smart crawling for openApiConf to enable legacy openapi import process.
hawk.spider.custom

Configuration for custom scan discovery. See the Custom Scan Discovery section for more details.

Parameter Default Description
command ""

Provide a command to run as part of the scan discovery phase. This command will be split from its arguments and execute on its own thread in a context with additional environment variables set with the proxy configuration for HawkScan to intercept http traffic.
environment []

Key-Value map of environment variable names and values to pass along into the execution of the command.
workingDir ""

The absolute path working directory these commands are run from.
credentials []

Key-Value map of additional environment variables or secrets to pass along into the execution of the command. These values will be redacted from the logs.
arguments []

Command arguments provided as an array of strings. These arguments can be used in addition to or instead of the command. This should be used if the command is sufficiently complex or is exceptionally whitespace sensitive.
excludeParentEnvironment false

Only provide the environment variables and credentials as configured. By default also includes the environment from the parent process environment for convenience.
logOutputToForeground false

This command prints the stdout and stderr of the command to the foreground.
hawk.spider.har

Configuration for using a HAR file as the discovery for a scan. HAR files often contain requests including urls from many hosts, but only URLs matching the app.host or replaceHost will be included in the scan.

Parameter Default Description
replaceHost ""

The hostname of URLs in the HAR file that will be replaced with the host defined in app.host. Leave blank if the app.host is then same hostname in the HAR file.
file {}

Use individual HAR files.
dir {}

Use a directory of HAR files.
hawk.spider.har.file

Paths to .har HTTP Archive formatted files, for use with HARImportConfig.

Parameter Default Description
paths []

Paths to HAR files to import. Files will be loaded in order provided.
hawk.spider.har.dir

Paths to directories, for use with HARImportConfig.

Parameter Default Description
path ""

Path to directory containing .har files. Only files with the .har extension will be loaded in alphanumeric order.
hawk.scan

Configuration block for HawkScan runtime.

Parameter Default Description
maxDurationMinutes 0

Maximum duration that a scan will run.
maxRuleDurationMinutes 0

Maximum duration that a scan will spend on a rule.
requestDelayMillis 0

Delay time between sending requests.
concurrentRequests 20

Number of request threads. If you need that little extra push. defaults to 20.
throttlePassiveBacklog 10000

Pause active scan when passive backlog is greater than this value, resumes once backlog is empty. defaults to 50.
throttleIntervalSeconds 600

How often the throttle check is run, in seconds.
throttleTempRecordMax 100000

The max number of temp records allowed before pruning of temp records begins.
throttleTempRecordDeleteQuota 50

The percentage of throttleTempRecordMax records to delete on each throttleIntervalSeconds.
policyName ""

Name of a specific named scan policy to use. This field is optional, and an applicable scan policy will be selected if omitted.
hawk.outboundProxy

Configuration block for a proxy. This enables HawkScan to traffic scanner requests through an outbound network proxy.

Parameter Default Description
host ""

The host of the outbound explicit proxy, including port (e.g. https://localhost:8888).
credentials {}

Credentials for logging into the outbound explicit proxy.
rootCACertPath ""

Path to root CA Certificate for transparent outbound proxies. This can be used without specifying host or credentials.
hawk.outboundProxy.credentials

Credential details for the outbound proxy behavior.

Parameter Default Description
username ""

Required. The username for proxy credentials.
password ""

Required. The password for proxy credentials.
realm ""

Realm for proxy credentials.
scheme ""

Scheme of proxy authentication. Currently BASIC, NTLM are supported.

app

Define key settings for the application to be scanned, including properties like the application's host URL, authentication methods, API type, and custom paths. This section includes essential parameters, such as:

  • applicationId: Required. The unique identifier for the application in the StackHawk platform.
  • env: Required. The environment name used to organize scan results (e.g., "Production" or "Staging").
  • host: Required. The base URL of the application to scan, e.g., http://localhost:8000. The scan will not proceed if the URL is unreachable.

Additionally, specify other optional details such as session tokens, CSRF parameters, API-specific configurations (e.g., GraphQL, OpenAPI, SOAP, gRPC), and any paths to exclude or include in the scan.

Parameter Default Description
host ""

Required. The base url of the application to scan ex: http://localhost:8000. If the url cannot be reached, the scan will not proceed.
sessionTokens []

The names of any session tokens used by your application, provided as an array of strings (Hint: these are the names of session cookies used by your application).
antiCsrfParam ""

The name of your CSRF security parameter used in any application form inputs. Globally set, HawkScan will parse this parameter value from form responses to use in subsequent requests.
authentication {}

Define how HawkScan authenticates as a user to your application. Options include usernamePassword, external tokens, oauth, or custom script. Configure loggedInIndicator/loggedOutIndicator regex patterns, tokenExtraction, tokenAuthorization, and testPath to verify authentication. See Authenticated Scanning Documentation.
excludePaths []

An array of strings, used as regexes to match against routes that should be ignored entirely by HawkScan. If populated, paths that match any supplied regex will be excluded from the scan. This field is useful for prohibiting asset directories or other resources that don't require vulnerability scanning.
applicationId ""

Required. Your StackHawk application UUID. Create an application in the StackHawk platform to obtain this identifier.
env ""

Required. The env environment name to organize Scan Results.
graphqlConf {}

GraphQL API scanner parameters.
includePaths []

An array of strings, used as regexes to limit which application routes HawkScan will specifically visit. If populated, paths must match at least one supplied regex to be included as part of the scan. This field is useful for constraining the reach of the HawkScan scanner and spider.
autoPolicy false

Set to true to enable an optimized policy when scanning specific APIs like GraphQL and OpenAPI. Defaults to True.
autoInputVectors false

Set to true to automatically enabled the correct input data types when scanning APIs like GraphQL and OpenAPI. This can increase scan accuracy and reduce false positives. Defaults to True.
openApiConf {}

OpenApi scanner parameters.
soapConf {}

SOAP API scanner parameters.
grpcConf {}

gRPC scanner parameters.
inputVectors {}

Fine grained control of injectable input vectors (injectableParam, enabledRpcParam). Input vectors are managed automatically and should only be modified for advanced scenarios under guidance from StackHawk Support.
waitForAppTarget {}

Optional configuration for waiting for the host to be up and ready for scanning. Configure path, requestMethod, waitTimeoutMillis, and pollDelay to control readiness checks.
redact {}

Specification for additional redaction of sensitive data in scan logs. Configure headers (header names to redact) and values (static strings to redact). HawkScan automatically redacts app.authentication credentials.
scanPolicy {}

Organization scan policy configuration. Specify name (required), excludePluginIds, and includePluginIds. Works with policies created via Organization Policy Management.
jsonRpcConf {}

JSON-RPC API scanner parameters.
app.authentication

Configuration block for application authentication to enable scanning as the provided user of your application. If provided, HawkScan will first attempt to sign into your web application with the provided login credentials. Only after successfully verifying will scanning occur. For more information, see the Authenticated Scanning section.

Parameter Default Description
usernamePassword {}

Optional configuration specifying a username and password based authentication configuration. Do not configure if using external.
external {}

Optional configuration block for specifying an externally supplied authorization token. Do not configure if using usernamePassword.
script {}

Optional configuration block for using an authentication script.
externalCommand {}

Optional configuration block for running an external command process.
oauth {}

Optional configuration block for 3rd Party/OAuth.
tokenExtraction {}

Optional configuration block for extracting the authorization token from the authentication response.
cookieAuthorization {}

Optional configuration specifying if authorization is maintained via a cookie session. Do not configure if using tokenAuthorization.
tokenAuthorization {}

Optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access. Do not configure if using cookieAuthorization.
sessionScript {}

Optional configuration for using a session management script.
loggedInIndicator ""

A regex to match against http responses from pages in the web application to determine if the scanned pages user session is still logged in to the app, provided as a string (ex. ".*signed in as.*"). Required if authorization token is not a JWT.
loggedOutIndicator ""

A regex to match against http responses from pages in the web application to determine if the scanned pages user session is logged out of the app, provided as a string. Required if authorization token is not a JWT.
testPath {}

A configuration block specifying how to verify authentication/authorization is working.
overrideJWTAutoRenew false

If set to true HawkScan will not try to autorenew a JWT.
profiles []

Optional extra creds
app.authentication.usernamePassword

Optional configuration specifying a username and password based authentication configuration. Currently POSTing the credentials via FORM or JSON type is supported. Use in conjunction cookieAuthorization or tokenAuthorization to maintain authorized access to your application.

Parameter Default Description
loginPagePath ""

The path to your login form, if applicable. This is an optional path but is often required if the POST to the loginPath requires an anti csrf token to be passed as part of the POST. The app.antiCsrfParam will be extracted from the response body of a GET request to this page.
loginPath ""

Required. login route to POST credentials for a user in the application (ex. /login). An http POST request using the type specified will be made to this path.
usernameField ""

Required. the username html field used in your application form or json, provided as a string.
passwordField ""

Required. The password html field used in your application form or json, provided as a string.
scanUsername ""

Required*. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).
scanPassword ""

Required*. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).
type "FORM"

An enum value describing the type of POST data expected by the loginPath
otherParams []

Other request parameters required by your login payload, provided as an array of objects with name and value string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.
realm ""

Realm for NTLM authentication
jsonrpcMethod ""

The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.
grpcMethod ""

The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.
app.authentication.usernamePassword.otherParams

General name / value parameter.

Parameter Default Description
name ""

Param name.
val ""

Param value.
app.authentication.external

Optional configuration block for specifying an externally supplied authorization token, HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the Authenticated Scanning section.

Parameter Default Description
type "TOKEN"

Specifies the type of token being supplied. If COOKIE is specified the .external.value should be in the form of a cookie value = . Defaults to TOKEN.
value ""

Required. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned type. Use value or values but not both. The value containing the token that will authorize requests. How the token is passed to your application is determined by the assigned type.
values []

The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned type.
app.authentication.external.values

Configuration for Token Authentication.

Parameter Default Description
type "TOKEN"

Specifies the type of token being supplied, either TOKEN or COOKIE. Defaults to TOKEN.
tokenType ""

If specified tokenType will be prepended the header value e.g. tokenType: Bearer -> "Bearer xxxxxxxxx"
value {}

Name and value of token. If token is specified it will be appended Name: Val.
app.authentication.script

Configuration for a custom authentication script. HawkScan will run the provided authentication script until a request matches the loggedInIndicator, or if the loggedOutIndicator is tripped on a request. The authentication script name should also be included in the hawkAddOn.scripts.name

Parameter Default Description
name ""

The name of the authentication script, as specified in the hawkAddOn.scripts.name.
parameters []

The parameters required for the authentication script.
credentials []

The credentials required for the authentication script. These values will be redacted.
app.authentication.externalCommand

Optional configuration block allowing HawkScan to run a specified command line process. HawkScan will attempt to access a protected path in your web application with the supplied headers or cookies before scanning. For more information, see the Authenticated Scanning section.

Parameter Default Description
command ""

The command to start the process e.g. bash, python
parameters []

Parameters required to run the script e.g. -c, --verbose
timeoutSeconds 0

Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.
app.authentication.oauth

Optional configuration block allowing HawkScan to authorize requests with a 3rd party OAuth 2.0 auth provider.

Parameter Default Description
credentials {}

Credentials needed to authenticate with an OAuth/3rd party provider e.g. password, clientSecret, etc.
parameters {}

Non sensitive parameters to use with an OAuth/3rd party provider e.g. tokenEndpoint, scope, etc.
app.authentication.oauth.credentials

Credential parameters sent to an OAuth/3rd party provider.

Parameter Default Description
username ""

Username which will be posted in the request body to the token endpoint with the field name of username.
password ""

Password which will be posted in the request body to the token endpoint with the field name of password.
clientId ""

The client id of your application registered with your OAuth provider which will be posted n the request body to the token endpoint with the field name of client_id.
clientSecret ""

The client secret of your application registered with your OAuth provider which will be posted n the request body to the token endpoint with the field name of client_secret.
additionalCreds []

A list of name/value pairs of any additional fields or credentials that need to be posted to the OAuth provider token endpoint.
app.authentication.oauth.parameters

Configuration parameters sent to an OAuth/3rd party provider.

Parameter Default Description
tokenEndpoint ""

URL of the endpoint to get a token
grantType ""

Grant type of token request, this will be passed to the request body of the token endpoint as grant_type.
scope ""

Scope type of token request, this will be passed to the request body of the token endpoint as scope.
additionalQueryParams []

A list of optional additional name/value pairs to be passed to the query string.
additionalBodyParams []

A list of optional additional name/value pairs to be included in the request body of the post. NOTE: These values are not redacted, if you need additional sensitive values please use outhCredentials.additionalCreds
requestMethod "POST"

Http method for accessing the token endpoint. The default is POST.
requestHeaders {"Content-Type":"application/x-www-form-urlencoded","Accept":"application/json","Cache-control":"no-cache"}

Additional headers to be sent along with the request to the token endpoint
app.authentication.tokenExtraction

Token extraction is optional unless you're using the tokenAuthorization in combination with usernamePassword authentication. This configuration specifies how to extract the authorization token from the authentication response.

Parameter Default Description
type "TOKEN_PATH"

Specifying TOKEN_PATH tells HawkScan to extract the token from the JSON payload of the response from authentication. HEADER tells HawkScan to extract the token from a header in the response from authentication. defaults to TOKEN_PATH.
value ""

Required*. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token. Example: if the authentication response JSON payload looks like {"auth" : {"token": "<my-auth-token>"}} the value would be auth.token. If the authentication response has a header named AuthToken: <my-token>, then the value should be AuthToken.
app.authentication.cookieAuthorization

An optional configuration specifying if authorization is maintained via a cookie session.

Parameter Default Description
cookieNames []

A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like jsessionid or PHPSESS. When used in combination with authentication HawkScan will use this value to persist authenticated session state with your application.
app.authentication.tokenAuthorization

An optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access.

Parameter Default Description
type "HEADER"

An enum value representing how to pass the authorization token to your application. HEADER indicates that each request should have the authorization token header added to the requests. QUERY_PARAM indicates that the token should be passed as a query parameter.
value ""

Required. The name of the HEADER or QUERY_PARAM the token should be passed as.
tokenType "Bearer"

TokenType will be prepended the header value e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx"
isJWT false

If the token is a JWT, mark this field as true
renewMillis 1500

If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.
app.authentication.sessionScript

Optional configuration block for specifying a custom session management script. To learn more about session scripts, reference the HawkScan Examples{:target="_blank"} repository.

Parameter Default Description
name ""

Required The name of the session script defined in hawkAddons.scripts. The script type must be session, and match the hawkAddOn.scripts.name field.
parameters []

A map of key/value pairs that will be passed to your session script, which can be accessed via sessionWrapper.getParam() function.
app.authentication.testPath

A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.

An example configuration of app.authentication.testPath:

 app:
  authentication:
    testPath:
      type: HEADER
      path: /user/profile
      success: ".*200.*"
      requestMethod: POST
      requestBody: '{"feeling": "KaaKaww!"}'
      requestHeaders:
        Content-Type: "application/json"

This uses either success or fail criteria to determine if authorized access is working correctly.

Parameter Default Description
type "HEADER"

An enum value representing what to match against in the response from issuing a request to the testPath.path. The supported values are HEADER and BODY.
path ""

Required. The path to a protected route in your application that requires authorization. For example /mysettings. A GET request will be made to this path using the configured authentication.
success ""

A regex that will match against the response header or body, specified by type, of the GET request to the path. A match of the regex supplied will indicate that scanning should proceed with the specified authentication.

HawkScan requires that either success OR fail be configured (do not configure both).
fail ""

A regex that will match against the response header or body, specified by type, of the GET request to the path. A match of the regex supplied will indicate that scanning should halt and enter an error state.

HawkScan requires that either success OR fail be configured (do not configure both).
requestMethod "GET"

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
requestBody ""

The request content to send along with POST or PUT requests for authentication verification.
requestHeaders []

List of key/value pairs to be included as headers in the request to the path. Headers that match the following pattern are unable to be added or modified '^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'.
grpcTestMethod ""

The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.
app.authentication.profiles

Configuration for additional user profiles used in multi-user scanning scenarios for testing multi-tenancy isolation and access control.

Parameter Default Description
name ""

Required. A unique identifier name for this user profile to distinguish between different users during multi-user scans.
userNamePassword {}

Username and password based authentication for this profile.
external {}

External token based authentication for this profile.
authScript {}

Custom authentication script for this profile.
isPrivileged false

Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).
globalParameters []

Use this for parameters for individual users that can't be discovered by smart crawling.
app.authentication.profiles.userNamePassword

Username and password credentials for basic authentication similar to the primary authentication configuration.

Parameter Default Description
username ""

Required. The username for this user profile. Use environment variable interpolation (e.g., ${USER2_USERNAME}).
password ""

Required. The password for this user profile. Use environment variable interpolation (e.g., ${USER2_PASSWORD}).
app.authentication.profiles.external

External authentication tokens for this user profile using pre-obtained tokens (e.g., JWT tokens, API keys, or session cookies).

Parameter Default Description
authTokens []

List of authentication tokens to use for this user profile. Can include multiple tokens or cookies.
app.authentication.profiles.authScript

Custom authentication script configuration for this user profile requiring custom authentication logic.

Parameter Default Description
name ""

Required. The name of the authentication script defined in hawkAddOn.scripts to use for this profile.
credentials []

Key-value pairs of sensitive credentials required by the authentication script that will be redacted from logs.
app.graphqlConf

Configure how HawkScan interacts with GraphQL APIs.

One of the following is Required:

  • schemaPath: Relative path to the introspection endpoint (based on the host address).
  • filePath: Relative path to a GraphQL schema file (SDL format).

The following are Optional:

  • operation: Adjust the operation requests generated by the spider (QUERY or MUTATION, defaults to both).
  • excludeOperations: Exclude particular GraphQL operations from being scanned.

For full details, see GraphQL Configuration Documentation.

Parameter Default Description
schemaPath ""

Path to the GraphQL introspection endpoint, relative to the target URI.
requestMethod "POST"

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
uriMaxLength 0

Max length of URIs when generation queries for GET requests.
maxDepth 0

Maximum depth for generated query graphs.
enabled false

Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint.
operation "ALL"

GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are All, QUERY and MUTATION.
filePath ""

Path to a local GraphQL schema file (SDL format) to use instead of introspection.
excludeOperations []

GraphQL operations to exclude from the spider.
fakerEnabled false

Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables.
customVariables []

Define custom variables and values for use in GraphQL scanning.
app.graphqlConf.excludeOperations

A GraphQL operation to exclude from the spider by name and type.

Parameter Default Description
name ""

GraphQL operation name.
type "ALL"

Graphql operation type. Options are All, QUERY and MUTATION.
app.graphqlConf.customVariables

Custom variable data specific to OpenAPI schemas.

Parameter Default Description
field ""

The field name of the param to inject values into.
values []

A list of possible values to be randomly selected for the given field.
operationName ""

An optional operationName that will only inject custom values if the name of the operation on the request matches.
operationType "ALL"

An optional GraphQL operation type (MUTATION or QUERY) that will inject custom values only when the request matches the operation type.
app.openApiConf

Define how HawkScan scans OpenAPI endpoints.

One of the following is Required:

  • filePath: Path to a local OpenAPI specification file (JSON or YAML).
  • path: URL path to fetch the OpenAPI spec from the scanned host.

For full details such as custom variable injection, see OpenAPI Configuration Documentation.

Parameter Default Description
path ""

A string relative path to an OpenAPI specification file (JSON or YAML) from the scanned host.
filePath ""

Path to a local OpenAPI specification file (JSON or YAML format).
inline ""

Define your openapi specification yaml inlined as a string.
strict false

Whether to enable strict parsing of the OpenAPI.
deprecatedCustomVariables []

Define custom variables and values for use in REST API scanning.
customVariables []

Define custom variables and values for use in REST API scanning.
includeAllMethods false

When custom variables are provided, DELETE's are skipped for injection. Set this to true to override this default and include all methods in variable injection.
includedMethods []

List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.
fakerEnabled false

Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables.
maxAliasesForCollections 0

Maximum number of aliases for a collection when parsing YAML. Increase this value if you see the "Number of aliases for non-scalar nodes exceeds the specified max=100" error.
filePaths []

A list of relative path to specification file(s) (JSON or YAML) for the open api generation for specs with multiple open api files.
usePlatform false

Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan.
globalParameters []

Use this for parameters for all users that can't be discovered by smart crawling.
app.openApiConf.deprecatedCustomVariables

Generic custom variable for different API types.

Parameter Default Description
field ""

The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id
values []

A list of possible values to be randomly selected for the given field.
path ""

Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction
app.openApiConf.customVariables

Custom variable data specific to OpenAPI schemas.

Parameter Default Description
field ""

The field name of the param to inject values into.
values []

A list of possible values to be randomly selected for the given field.
path ""

An optional path regex that will only inject custom values if the path of the request matches.
requestMethods []

A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.
app.soapConf

Set parameters for scanning SOAP APIs.

One of the following is Required:

  • path: Relative URL to fetch the SOAP API WSDL from the scanned host.
  • filePath: Path to a local SOAP API WSDL specification file.

For full details, see SOAP Configuration Documentation.

Parameter Default Description
path ""

Host path to the SOAP WSDL, prefixed with a / .
filePath ""

Relative path to the SOAP WSDL schema definition file.
app.grpcConf

Configure HawkScan for gRPC API scanning.

One of the following is Required:

For full details such as custom variable injection, see gRPC Configuration Documentation.

Parameter Default Description
path ""

Host path for the grpc reflection endpoint.
filePath ""

Path to a local gRPC protobuf descriptor_set file.
customVariables []

Define custom variables and values for use in gRPC scanning.
maxDepth 0

Maximum depth for resolving nested protobuf.
filePaths []

A list of paths to the grpc protobuf descriptor_set file.
app.inputVectors

Fine-grained configuration of HawkScan input vectors. This configuration is how and where testable inputs are applied on http requests.

Parameter Default Description
injectableParam {}

Configuration of where params are injectable in the request.
enabledRpcParam {}

Configuration of what RPC parts are injectable by configuration.
app.waitForAppTarget

Configuration specifying how to determine if the web application is up, responsive and ready for scanning.

Parameter Default Description
path ""

The path to a public reachable route in your application. For example /index. A GET request will be made to this path to confirm the host is up and ready to receive traffic.
requestMethod "GET"

Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
requestBody ""

The request content to send along with POST or PUT requests for target verification.
waitTimeoutMillis 0

The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning
pollDelay 0

The maximum amount of time in milliseconds in between requests to your application to see if it's running
requestHeaders {"X-Custom-Header":"my-custom-value"}

Key-value map of additional headers to be sent along with the request to the app target host.
app.redact

Redaction policy of scan logs and stdout when scanning this application.

HawkScan maintains a list of redacted tokens; strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts app.authentication credentials, and any provided script / discovery credentials.

Parameter Default Description
headers []

List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.
values []

List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.
app.scanPolicy

Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. Note: Applies to scan policies created with Organization Policy Management.

Parameter Default Description
name ""

Required. The unique name of the organization scan policy.
excludePluginIds []

Plugin ids to exclude from the named scan policy.
includePluginIds []

Plugin ids to include in the scan that are not in the named scan policy.
app.jsonRpcConf

Configure HawkScan for JSON-RPC 2.0 API scanning.

One of the following is Required:

  • endpoint: The JSON-RPC endpoint path (e.g., /jsonrpc or /api/rpc).
  • filePath: Relative path to an OpenRPC schema file (JSON format).

For full details such as custom variable injection, see JSON-RPC Configuration Documentation.

Parameter Default Description
enabled false

Enable JSON-RPC scan support.
endpoint ""

The JSON-RPC endpoint path relative to the target host (e.g., /jsonrpc). Defaults to /.
filePath ""

Path to a local OpenRPC schema file (JSON format) to use instead of network discovery.
maxDepth 0

Maximum depth for generated nested objects. Defaults to 3.
fakerEnabled false

Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables.
requestTimeout 0

HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).
excludeMethods []

Regex patterns for JSON-RPC method names to exclude from scanning.
customVariables []

Define custom variables and values for use in JSON-RPC scanning.
app.jsonRpcConf.customVariables

Custom variable data specific to JSON-RPC schemas.

Parameter Default Description
field ""

The field name of the param to inject values into. Using dot notation will resolve nested objects for request bodies (e.g., user.address.id).
values []

A list of possible values to be randomly selected for the given field.
path ""

An optional regex pattern that will only inject custom values if the JSON-RPC method name matches.

hawkAddOn

Extend HawkScan functionality with add-ons and custom scripts:

  • replacer: Modify or replace HTTP request headers using rules with properties like matchString, replacement, isRegex, and replaceOnly.
  • scripts: Configure custom scripts to customize scan behavior with name, type (e.g., active, authentication), path, language (KOTLIN, JAVASCRIPT), and vars.

For more detail, see HawkScan Configuration Documentation.

Parameter Default Description
replacer {}

Configuration for the replacer addOn.
scripts []

List of configurations for custom scripts.
hawkAddOn.replacer

Configuration block for header value replacement. These rules support manipulating request headers, useful for modifying requests to web applications running behind a proxy.

Parameter Default Description
rules []

List of regex match and replace rules for request headers.
hawkAddOn.replacer.rules

A list of configuration blocks for the Replacer add-on rules. Each configuration block in the list is made up of the following elements. See Configuration Examples for more information.

Parameter Default Description
matchString ""

If replaceOnly is false, only match the header name. If replaceOnly is true, matches the exact string on the header line.
replacement ""

If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.
initiators []

Replacer rule initiators.
replaceOnly false

If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.
isRegex false

Enable regex search for matchString. Useful when replaceOnly is true (e.g. Referer:.* will replace the entire Referer: header line).
hawkAddOn.scripts

Configuration block for custom scripts.

Parameter Default Description
name ""

The name of this custom script.
type "active"

The type of this script. One of active, authentication, httpsender, passive, proxy, standalone, targeted, session.
path ""

Path to the file location for the custom script.
vars []

Named variables to expose to the script.
language "KOTLIN"

Required. The language of this script. Either KOTLIN or JAVASCRIPT.
id 0

Plugin Id for script.

tags

Scan tags are name value pairs that represent metadata of the scan, capturing additional state or context around a scan.

Examples could include adding commit SHAs, branch names, or project management issue titles.

Tag names can use any combination of the following characters: a-zA-Z-_, and their values can be any string. Tag entries can also be interpolated from the environment.

{:class="alert alert-info"}

ℹ️ NOTE: Tag names beginning with _STACKHAWK are in a reserved tag name space.

The following selection of YAML is an example of how you can configure your stackhawk.yml file to include scan tags:

stackhawk.yml {: .filename-tab}

app:
applicationId: <application-uuid>
env: localhost
host: http://localhost:8080
tags:
- name: category
value: hawksome
- name: Another-Value
value: ${SOMETHING_FROM_ENV:default}
- name: _GIT_COMMIT_SHA
value: ${MY_COMMIT_SHA_ENV:HEAD}
Parameter Default Description
name ""

The keyword name.
value ""

An arbitrary value to associate with the keyword.

hawk.config

The hawk.config setting provides advanced control over the underlying scan engine. Use these options to fine-tune spider and form handling behavior.

OverrideDefaultDescription
spider.processformtrueWhether the spider should process forms and request discovered URLs from forms.
spider.postformtrueWhether to use the POST method when requesting URLs discovered in forms.
spider.handleParametersUSE_ALLHow to handle form parameters. USE_ALL uses name and value. IGNORE_VALUE uses only the name. IGNORE_COMPLETELY ignores parameters entirely.

Environment Variables

Configure HawkScan behavior at runtime using environment variables:

VariableDescription
NO_COLORDisable colored terminal output
SHAWK_DEBUGEnable verbose debug logging
HAWK_MEMSet memory allocation (e.g., 2048m or 2g)

Pass environment variables to Docker with the -e flag:

docker run -e SHAWK_DEBUG=true -e API_KEY=hawk.xxx...xxx \
  --rm -v $(pwd):/hawk:rw -t stackhawk/hawkscan:latest

Examples

Replacer Plugin Configuration

The replacer plugin allows you to either replace or inject headers on each HTTP request.

Example: Inject a New Header

Configure the replacer addOn in the following way to force a new header in every request.

Note that if the header exists in a request it will also be replaced by the replacement value.

Explanation:

  • matchString is a string value to set the injected header’s key (e.g. x-requested-with)
  • replacement is the injected header’s value (e.g. fetch)
  • replaceOnly is set to false to enable header injection
...
hawkAddOn:
  replacer:
    rules:
      - matchString: "x-requested-with"
        replacement: "fetch"
        replaceOnly: false
...

Resulting Request Header:

POST http://localhost:9000/ws HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 999
Content-Type: text/xml;charset=UTF-8
x-requested-with: fetch
Host: localhost:9000

Example: Replace an Existing Header - Simple

Configure the replacer addOn in the following way to exactly match and replace an existing header in every request.

Explanation:

  • matchString is a string value that exactly matches the header text to be replaced
    • In this example, matchString is an exact match of the full header pair with both the header key and value
  • replacement is the replacement for matchString
    • The replacement string should include both the replacement header’s key and value if an entire header pair is to be replaced
  • replaceOnly set to true to avoid injecting a new header
  • isRegex set to false makes this replacement dependent on an exact string match
    • Note: partial matches of a header line will occur if, for example, only the header key is provided in matchString (e.g. User-Agent). In this case, starting at the beginning of the header line, only the matching portion will be replaced. Any text following the match on the line will remain the same.
...
hawkAddOn:
  replacer:
    rules:
      - matchString: "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
        replacement: "User-Agent: HawkScan custom User Agent (v9.42)"
        replaceOnly: true
        isRegex: false
...

Resulting Request Header:

POST http://localhost:9000/ws HTTP/1.1
User-Agent: HawkScan custom User Agent (v9.42)
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 999
Content-Type: text/xml;charset=UTF-8
Host: localhost:9000

Example: Replace an Existing Header - Regex

Explanation:

  • matchString is a regex value matching the header text to be replaced
    • In this example, User-Agent.* matches the entire header line beginning with User-Agent
  • replacement is the replacement for matchString
    • The replacement string will replace everything found within the regex match group
  • replaceOnly set to true to avoid injecting a new header
  • isRegex sets the matchString as a PCRE regex value rather than a simple string value
    • Note: partial matches of a header line will occur if only part of the header value or the header key is provided in matchString. In this way, any portion of a header line may be replaced by the replacement text.
Full Line Replacement
...
hawkAddOn:
  replacer:
    rules:
      - matchString: "User-Agent.*"
        replacement: "User-Agent: HawkScan custom User Agent (v9.42)"
        replaceOnly: true
        isRegex: true
...

Resulting Request Header:

POST http://localhost:9000/ws HTTP/1.1
User-Agent: HawkScan custom User Agent (v9.42)
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 999
Content-Type: text/xml;charset=UTF-8
Host: localhost:9000
Partial Line Replacement
...
hawkAddOn:
  replacer:
    rules:
      - matchString: "Gecko/20100101.*"
        replacement: "Gecko/99999999 Chrome/99.42"
        replaceOnly: true
        isRegex: true
...

Resulting Request Header:

POST http://localhost:9000/ws HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/99999999 Chrome/99.42
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 999
Content-Type: text/xml;charset=UTF-8
Host: localhost:9000

Your privacy settings

We use first and third party cookies to ensure that we give you the best experience on our website and in our products.

Privacy Policy