Upgrading to HawkScan 4.0.0

Table of contents

HawkScan 4.0.0 has been released and is major upgrade and there are some breaking changes. You do not have to upgrade to HawkScan 4.0.0 yet and HawkScan 3.x.x versions are still supported. This page will address breaking changes you may encounter when upgrading, with solutions for these problems, and instructions to use older HawkScan 3.9.0 if you’re not ready to upgrade.

Breaking changes

There are a few breaking changes in HawkScan 4.0.0 that will require you to make some changes to your runtime configurations and scripts if you use them.

Docker image

The HawkScan docker image stackhawk/hawkscan:4.0.0 has been updated to reflect the change in our scan engine from ZAP to HSTE which you can learn more about here.

Due to this change we’ve updated the default user of our docker container from zap to steve. Who’s Steve? StackHawk’s hawk mascot has a name, and it’s Steven S. Hawk which is why we’re using steve as the username.

The changes made to the docker container are as follows…

  1. Default working directory
    1. /zap -> /steve
  2. Username
    1. zap -> steve
  3. Users home directory
    1. /home/zap -> /home/steve

Supported Java versions

HawkScan 4.0.0 requires a minimum version of Java 17 and supports up to Java 21.

NOTE: Java 22 is NOT supported yet.

If you see an error similar to the following you’ll need to install a compatible version of Java.

java.lang.UnsupportedClassVersionError: com/stackhawk/hste/Bootstrap 
has been compiled by a more recent version of the Java Runtime (class file version 61.0), 
this version of the Java Runtime only recognizes class file versions up to 55.0

HawkScan Action

When using HawkScan GitHub Action you’ll need to include an install step for a compatible version of Java as the ubuntu-latest runner uses Java 11 as its default version.

- uses: actions/setup-java@v4
    distribution: 'temurin'
    java-version: '17'

Azure Extensions

When using Azure Extension you’ll need to include an install step for a compatible version of Java.

# update pipeline to use the correct version of Java
  - task: JavaToolInstaller@0
      versionSpec: "17"
      jdkArchitectureOption: "x64"
      jdkSourceOption: "PreInstalled"

Zip or Brew Installers

When using the Zip file install be sure to install a compatible version of Java, like Java 17.

If using brew run the following command to install Java 17.

brew install openjdk@17

HawkScan Scripts

Due to the change of ZAP to HSTE the package names of dependencies in HawkScan scripts have changed.

If you see an error similar to the following you’ll need to update the script import package names as follows.

Example error

TypeError: Access to host class org.zaproxy.zap.authentication.AuthenticationHelper 
is not allowed or does not exist.
Package name change

org.zaproxy.zap -> com.stackhawk.hste

Example name change





I’m not ready to upgrade

If you’re not ready to upgrade or the breaking changes create work you’re not ready to prioritize. You can keep using HawkScan 3.9.0 by pinning the version of HawkScan in your preferred runtime.


If you use the docker image for running scan set the tag to 3.9.0 eg: stackhawk/hawkscan:3.9.0.

HawkScan GitHub Action

If you’re using the HawkScan GitHub Action set the following variables on the HawkScan action configuration.

- name: Run HawkScan
  id: run-hawkscan
  uses: stackhawk/hawkscan-action@main
    sourceURL: https://download.stackhawk.com/hawk/cli
    version: 3.9.0

Azure Extensions

If you’re using the Azure Extension set the following variables on the HawkScan Install and Run configurations.

   - task: HawkScanInstall@1
        version: "3.9.0"
   - task: RunHawkScan@1
        configFile: "stackhawk.yml"
        version: "3.9.0"