StackHawk Documentation (HawkDocs)


GitHub Actions


Add DAST scanning to your GitHub Actions workflows with the HawkScan GitHub Action.

Quick Start

  1. Store your API key as a GitHub secret named HAWK_API_KEY
  2. Add a workflow file at .github/workflows/hawkscan.yml
  3. Configure HawkScan with a stackhawk.yml file

Store Your API Key

Copy your StackHawk API key to a GitHub secret:

  1. Go to your repository’s Settings tab
  2. Click Secrets and variables > Actions
  3. Add a new secret named HAWK_API_KEY with your API key value

Basic Workflow Configuration

Create .github/workflows/hawkscan.yml:

name: HawkScan

on:
  push:
  pull_request:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v2.2.0
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}

HawkScan Configuration

Create stackhawk.yml at your repository root:

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://example.com
  env: Development

Replace applicationId with your Application ID from StackHawk.

Run Your Scan

Commit both files and push to GitHub. Monitor the workflow in the GitHub Actions console, then review results in StackHawk.


Local Scanning

The basic example assumes a publicly accessible endpoint. For local testing, you can run your app directly on the GitHub Actions runner.

Scanning a Service on Localhost

Launch your app on the runner and scan it at localhost. The HawkScan action automatically configures network access.

Example workflow running Nginx on port 8080:

name: HawkScan

on:
  push:
  pull_request:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Start Nginx
        run: docker run --rm --detach --publish 8080:80 --name nginx_test nginx

      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v2.2.0
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}

Configure stackhawk.yml to target localhost:

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://localhost:8080
  env: Development

Scanning with Docker Compose

Use Docker Compose for complex environments with multiple services. Publish your app’s port to make it accessible on localhost.

Example docker-compose.yml:

version: "3.9"

services:
  myapp:
    image: myapp
    ports:
      - "8080:80"

  db:
    image: postgres
    restart: always
    ports:
      - "5432:5432"

HawkScan configuration:

app:
  applicationId: xxxxxxxx-XXXX-xxxx-XXXX-xxxxxxxxxxxx
  env: Development
  host: http://localhost:8080

Workflow file:

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - run: docker compose up -d

      - uses: stackhawk/hawkscan-action@v2.2.0
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
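Neither `docker run --detach` nor `docker compose up -d` waits for the app to accept connections, so in both localhost workflows above the scan can start against a port that is not listening yet. The readiness gate below is an added example (not StackHawk's code or part of the action) meant for a `run:` step between the start step and the Run HawkScan step; it assumes curl is available on the runner, and the URL and timeout are placeholders matching the stackhawk.yml host above.

```shell
#!/bin/sh
# Readiness gate for a service started on the GitHub Actions runner.
# `docker run --detach` / `docker compose up -d` return before the app
# listens, so a scan launched immediately can see "connection refused".
# Poll until the target answers, and fail the job if it never does.

# wait_for_http URL TIMEOUT_SECONDS
# Returns 0 once URL answers with an HTTP 2xx/3xx status, 1 on timeout.
wait_for_http() {
  url="$1"
  timeout="${2:-60}"
  deadline=$(( $(date +%s) + timeout ))
  code=000
  while [ "$(date +%s)" -lt "$deadline" ]; do
    # -s silent, -o discard body, -w print only the status code;
    # a refused connection (or missing curl) yields 000.
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url" 2>/dev/null) || code=000
    case "$code" in
      2*|3*) echo "ready: $url responded $code"; return 0 ;;
    esac
    sleep 1
  done
  echo "timeout: $url not ready after ${timeout}s (last status $code)" >&2
  return 1
}

# Usage in a workflow step, gating the scan on the localhost target
# declared in stackhawk.yml (constructed values):
# wait_for_http http://localhost:8080/ 60 || exit 1
```

A non-zero exit from this step stops the job before HawkScan runs, so a scan of an unstarted app never gets recorded as a clean result.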

Next Steps
