Secrets Management
The Secrets Manager lets you store sensitive values—like API tokens and passwords—that HawkScan can use at runtime without exposing them as environment variables on your scanner host.
Secrets work just like environment variables when interpolated in your HawkScan configuration. Any defined secrets are automatically applied during scans and redacted in logs.
Stored secrets are unique per user account, and are not shared among members of an organization.
Creating a Secret
Navigate to Settings → Secrets to create a new secret:
- Click Add Secret
- Enter a name using environment variable convention (e.g., MY_API_TOKEN)
- Enter the secret value
- Click Save
Use a name you wouldn’t normally find in your scan environment variables so secrets are easier to track.
You cannot view the value of a supplied user secret after it has been uploaded. You can always update or delete user secrets.
Using Secrets
Secrets are automatically applied when the authenticating user has defined them. They work as environment variable overrides when interpolating your HawkScan configuration, and are redacted in scan logs.
When running the hawk CLI, use --env/-e or --env-file to supply variable values. See environment variable runtime overrides for details.
For example, if your stackhawk.yml contains:
app:
  host: ${APP_HOST:http://localhost:3000}
Running with -e APP_HOST=http://dev.example.com sets the host to that value:
hawk scan -e APP_HOST=http://dev.example.com
This works similarly to Docker’s -e flag.
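The interpolation and redaction behaviour described above, as an added example that is not HawkScan's own code: a small resolver for the ${NAME:default} syntax that layers host environment variables, -e overrides and user secrets, then scrubs secret values from log lines. The precedence order (secrets over -e values over the host environment) and the api_token config key are assumptions made for this example.

```python
import re
from typing import Dict, List

# Matches ${NAME} or ${NAME:default}, the form used in stackhawk.yml.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

# Constructed config fragment; "api_token" is a hypothetical key, not a real HawkScan option.
SAMPLE_CONFIG = """app:
  host: ${APP_HOST:http://localhost:3000}
  api_token: ${MY_API_TOKEN}
"""


def resolve_vars(environ: Dict[str, str], cli_overrides: List[str],
                 secrets: Dict[str, str]) -> Dict[str, str]:
    """Merge value sources. Assumed order: host env < -e NAME=VALUE < stored secrets."""
    merged = dict(environ)
    for item in cli_overrides:
        if "=" not in item:
            raise ValueError(f"bad -e argument (expected NAME=VALUE): {item!r}")
        name, value = item.split("=", 1)  # maxsplit=1: values may contain '='
        merged[name] = value
    merged.update(secrets)  # secrets act as environment variable overrides
    return merged


def interpolate(text: str, variables: Dict[str, str]) -> str:
    """Replace each placeholder with its value, falling back to the inline default."""
    def _sub(match: re.Match) -> str:
        name, default = match.group(1), match.group(2)
        if name in variables:
            return variables[name]
        if default is not None:
            return default
        raise KeyError(f"no value and no default for ${{{name}}}")
    return _PLACEHOLDER.sub(_sub, text)


def redact(line: str, secrets: Dict[str, str]) -> str:
    """Mask any secret value that appears verbatim in a log line."""
    for value in secrets.values():
        if value:
            line = line.replace(value, "[REDACTED]")
    return line


if __name__ == "__main__":
    env = {"APP_HOST": "http://localhost:3000"}
    secrets = {"MY_API_TOKEN": "tok-EXAMPLE-123"}  # constructed, not a real token
    variables = resolve_vars(env, ["APP_HOST=http://dev.example.com"], secrets)
    rendered = interpolate(SAMPLE_CONFIG, variables)
    print(redact("rendered config:\n" + rendered, secrets))
```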