StackHawk Documentation

Webhook

The Webhook integration sends HTTP POST requests to your API endpoints when HawkScan events occur. Use webhooks to connect StackHawk with internal tools, custom dashboards, or any service that accepts HTTP callbacks.

Overview

Configure webhooks to receive notifications for any of these scan events:

| Event | Description |
| --- | --- |
| Scan Started | Fires when a scan begins |
| Scan Completed | Fires when a scan finishes successfully, includes findings data |
| Scan Errored | Fires when a scan encounters an error |

Each webhook request includes a JSON payload with scan metadata and findings. You can configure custom authentication headers and test webhooks before enabling them for production use.

Requirements

  • A StackHawk account
  • A plan with the Webhook Integration enabled. Contact StackHawk Support to enable it.

Setup

  1. Log into StackHawk and navigate to the Webhook Integration page.
  2. Click Add Webhook. In the panel that opens, configure:
    • Webhook name and description
    • API endpoint URL (HTTPS required)
    • Authentication headers (optional)
    • Target application(s)
    • Scan event(s) to trigger the webhook
  3. Click Save. StackHawk sends a test payload and displays the response. Use Test to send additional test requests for debugging.
  4. Toggle the webhook to Enabled to start receiving live scan events.

Allowed IP Addresses

  • 44.227.38.189
  • 54.69.98.33
  • 44.227.81.160

Webhook Management

Click the menu on any webhook to access management options:

| Action | Description |
| --- | --- |
| Edit | Modify webhook settings, endpoint, or event triggers |
| Enable/Disable | Toggle whether the webhook receives live events |
| Delete | Remove the webhook permanently |

Payload

Enabled webhooks receive a JSON payload via HTTP POST for each triggered scan event. If you configured authentication headers, they are included in the request.
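A receiver should check both the sender and the configured header before it parses the body. The following is an added example, not StackHawk code: it assumes the addresses under Allowed IP Addresses are the source addresses of webhook requests, and the header name `x-hawk-webhook-token` is a hypothetical stand-in for whatever authentication header you configured.

```python
import hmac
import ipaddress

# Addresses listed under "Allowed IP Addresses" on this page.
ALLOWED_SOURCES = frozenset(
    ipaddress.ip_address(a)
    for a in ("44.227.38.189", "54.69.98.33", "44.227.81.160")
)

# Hypothetical header name; use the one configured for the webhook.
AUTH_HEADER = "x-hawk-webhook-token"


def verify_request(peer_ip, headers, expected_token):
    """Return (ok, reason) for an incoming webhook request.

    peer_ip must be the TCP peer address seen by the server (or one
    supplied by a proxy you control), never a client-set header.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack sockets.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr not in ALLOWED_SOURCES:
        return False, "source address not in allowlist"

    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    presented = normalised.get(AUTH_HEADER)
    if not presented:
        return False, "missing authentication header"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "bad authentication token"
    return True, "ok"
```

Reject the request with a generic 401/403 on any failure and log the reason server-side only.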

Scan Completed

The Scan Completed payload includes:

  • Scan metadata (ID, application, environment, timestamps)
  • Findings with vulnerability details and affected paths
  • CompletedScanStats summary of findings by severity and triage status

Example payload:

{
  "service": "StackHawk",
  "scanCompleted": {
    "scan": {
      "id": "21a4f2da-740b-40d9-9557-696d8aca6a76",
      "hawkscanVersion": "4.0.0",
      "env": "Development",
      "status": "COMPLETED",
      "application": "Contosso",
      "startedTimestamp": "2021-05-18T00:26:41.892Z",
      "scanURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76",
      "tags": [
        {
          "name": "category",
          "value": "${CATEGORY_FROM_ENV:default}"
        }
      ]
    },
    "scanDuration": "1",
    "spiderDuration": "33",
    "completedScanStats": {
      "urlsCount": "5",
      "duration": "34",
      "scanResultsStats": {
        "totalCount": "3",
        "lowCount": "2",
        "mediumCount": "0",
        "highCount": "0",
        "lowTriagedCount": "0",
        "mediumTriagedCount": "1",
        "highTriagedCount": "0"
      }
    },
    "findings": [
      {
        "pluginId": "10106",
        "pluginName": "HTTP Only Site",
        "severity": "Medium",
        "host": "http://localhost:8080",
        "paths": [
          {
            "path": "/test",
            "method": "GET",
            "status": "FALSE_POSITIVE",
            "pathURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10106/path/61036/message/49"
          }
        ],
        "pathStats": [
          {
            "status": "FALSE_POSITIVE",
            "count": 1
          }
        ],
        "totalCount": "1",
        "category": "HTTP Data Stream Protection",
        "findingURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10106"
      },
      {
        "pluginId": "10021",
        "pluginName": "X-Content-Type-Options Header Missing",
        "severity": "Low",
        "host": "http://localhost:8080",
        "paths": [
          {
            "path": "",
            "method": "GET",
            "status": "NEW",
            "pathURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10021/path/32294/message/8"
          },
          {
            "path": "/",
            "method": "GET",
            "status": "NEW",
            "pathURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10021/path/31943/message/1"
          }
        ],
        "pathStats": [
          {
            "status": "NEW",
            "count": 2
          }
        ],
        "totalCount": "2",
        "category": "Information Leakage",
        "findingURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10021"
      }
    ]
  }
}

Scan

Metadata for a HawkScan run.

{
  "id": "21a4f2da-740b-40d9-9557-696d8aca6a76", // The scan ID
  "hawkscanVersion": "4.0.0", // The version of HawkScan used for this scan
  "env": "Development", // The name of the scanned environment
  "status": "COMPLETED", // One of STARTED, COMPLETED or ERROR
  "application": "Contosso", // The name of the scanned application
  "startedTimestamp": "2021-05-18T00:26:41.892Z", // ISO-8601 timestamp of when the scan was started
  "scanURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76", // Link to the StackHawk Platform for this scan
  "tags": [
    {
      "name": "category", // Tag name
      "value": "${CATEGORY_FROM_ENV:default}" // Tag value interpolated from environment
    }
  ]
}

CompletedScanStats

Summary of scan results including finding counts by severity and triage status.

{
  "urlsCount": 27, // Number of scanned urls
  "duration": 44, // Time in seconds for the scan to run
  "scanResultsStats": {
    "totalCount": 12, // Total number of findings
    "lowCount": 5, // Total number of low findings
    "mediumCount": 4, // Total number of medium findings
    "highCount": 3, // Total number of high findings
    "lowTriagedCount": 2, // Total number of low findings that have been triaged
    "mediumTriagedCount": 0, // Total number of medium findings that have been triaged
    "highTriagedCount": 1 // Total number of high findings that have been triaged
  }
}

Finding

An individual vulnerability detected during the scan. Each finding includes Paths (specific endpoints affected) and PathStats (triage status counts).

{
  "pluginId": "40012", // The Id of the scanner extension that reported the finding
  "pluginName": "Cross Site Scripting (Reflected)", // Name of the plugin or vulnerability found
  "category": "Input Sanitization", // What vulnerability category this corresponds to
  "severity": "High", // High, Medium or Low criticality of the finding
  "host": "http://localhost:3333", // The web application host that was scanned
  "paths": [ ... ], // a list of all paths
  "pathStats": [ ... ], // a list of statistics for the found paths
  "totalCount": 4, // how many scanned paths correspond with this finding
  "findingURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/40012" // link to the StackHawk Platform for this finding's overview.
}

PathStats

Count of paths grouped by triage status.

{
  "status": "NEW", // One of NEW, FALSE_POSITIVE, RISK_ACCEPTED or PROMOTED
  "count": "1" // How many of the paths are triaged with that status
}

Path

A specific endpoint where the vulnerability was detected.

{
  "path": "/?option=javascript:alert(1);&search=ZAP&utf8=✓", // The specific path relative to the hostname
  "method": "POST", // HTTP method or GraphQL operation
  "status": "NEW", // One of NEW, FALSE_POSITIVE, RISK_ACCEPTED or PROMOTED
  "pathUrl": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/40012/path/595936/message/258" // Link to the StackHawk Platform for this scanned path
}
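A consumer that forwards findings to a dashboard or chat tool should treat every payload field as untrusted, since paths carry the scanner's own test strings. The following added example (not StackHawk code) extracts paths still in status NEW from a Scan Completed payload, HTML-escapes the text fields, and keeps only https links to app.stackhawk.com; the function names and the trimmed sample are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample, trimmed to the fields used below.
SAMPLE = {"service": "StackHawk", "scanCompleted": {"findings": [{
    "pluginName": "Cross Site Scripting (Reflected)", "severity": "High",
    "paths": [
        {"path": "/?option=javascript:alert(1);&search=ZAP&utf8=✓",
         "method": "POST", "status": "NEW",
         "pathUrl": "https://app.stackhawk.com/scans/example/finding/40012"},
        {"path": "/test", "method": "GET", "status": "FALSE_POSITIVE",
         "pathURL": "https://app.stackhawk.com/scans/example/finding/40012"},
    ]}]}}


def platform_link(url):
    """Return url only if it is an https link to app.stackhawk.com."""
    try:
        parts = urlsplit(url or "")
    except ValueError:
        return None
    trusted = parts.scheme == "https" and parts.hostname == "app.stackhawk.com"
    return url if trusted else None


def new_findings(payload, min_severity="Low"):
    """List paths still in status NEW at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    rows = []
    for finding in (payload.get("scanCompleted") or {}).get("findings") or []:
        severity = finding.get("severity", "")
        if SEVERITY_RANK.get(severity, 0) < floor:
            continue
        for p in finding.get("paths") or []:
            if p.get("status") != "NEW":  # other statuses are triage outcomes
                continue
            rows.append({
                "severity": severity,
                "plugin": html.escape(str(finding.get("pluginName", ""))),
                "method": html.escape(str(p.get("method", ""))),
                # Paths carry scanner test strings; escape before HTML output.
                "path_html": html.escape(str(p.get("path", ""))),
                # The page shows both "pathURL" and "pathUrl" spellings.
                "link": platform_link(p.get("pathURL") or p.get("pathUrl")),
            })
    return rows
```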

Feedback

Have any suggestions, feature requests, or feedback to share? Contact StackHawk Support.
