Note: StackHawk Vibe is currently in beta. Features may change as we improve the product based on user feedback.
StackHawk Vibe integrates StackHawk’s dynamic application security testing (DAST) capabilities into AI coding environments through the Model Context Protocol (MCP). This allows developers to run security tests using natural language commands within their AI-powered editors.
How It Works
Conversational Security Testing Type “test my app for vulnerabilities” in your AI editor, and Vibe runs real security tests on your application. Unlike static analysis tools, Vibe tests your running app to find vulnerabilities that only appear during execution—the same issues attackers would exploit.
Your AI as Security Assistant Your coding assistant handles everything: generating scan configurations, running tests, explaining findings, and creating fixes. The entire security workflow happens through natural conversation, keeping you in your development flow.
Key Features
Runtime Application Testing Tests how your app actually behaves when running, catching real vulnerabilities that static tools miss—SQL injections that only occur with specific inputs, authentication bypasses in actual user flows, and data exposures during API calls.
AI-Powered Fix Generation Your AI assistant doesn’t just find problems—it generates specific fixes for your code, explains why the vulnerability matters, and helps you verify the fix worked. Security remediation becomes as simple as accepting suggested changes.
Configuration on Autopilot While StackHawk requires YAML configuration behind the scenes, your AI assistant generates and manages it automatically. You focus on building; your AI handles the security testing details.
Natural Language Interface Security testing through conversation, not commands. Ask questions like “Is my login secure?” or “Check my API for vulnerabilities,” and get answers in plain language with actionable fixes.
Getting Started
Prerequisites
- A StackHawk Vibe Account - Sign up here
- Cursor IDE, Claude Code, or Windsurf Editor installed
- Python 3.10 or later
Step 1: Get your API Key
- Log in to your StackHawk Vibe dashboard
- Your API key is displayed on the main page. You can also generate a new key from your account settings.
- Click “Copy” to copy it to your clipboard
Add your API key to your environment:
export STACKHAWK_API_KEY="your-api-key-here"
** Windows users, set as system environment variable
Step 2: Configure Your AI Editor
Setting up with Cursor
Step 1: Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh
Step 2: Install the StackHawk MCP Server
Click this link:
Or, manually add this to your configuration:
"mcpServers": {
{
"stackhawk": {
"command": "uvx stackhawk-mcp",
"env": {
"STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}"
}
}
}
Add your API key to your mcp.json file in your project root. If you don’t have a mcp.json file, create one. Keep this key secure—it’s your personal access to StackHawk Vibe.
Step 3: Restart Cursor to load the configuration
In Cursor, navigate to Dashboard > Tools & Integrations and verify the StackHawk MCP shows as enabled (green dot)
Setting up with Claude Code
Step 1: Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh
Step 2: Add the StackHawk MCP Server
claude mcp add stackhawk "uvx" "stackhawk-mcp"
Step 3: Restart Claude Code and verify setup
# Check it was added
claude mcp list
# Should show:
# Checking MCP server health...
# stackhawk: uvx stackhawk-mcp - ✓ Connected
Available Tools and Capabilities
StackHawk Vibe provides security testing and remediation capabilities through natural language commands in your AI editor.
Configuration Management
Automatic Configuration AI generates StackHawk YAML configuration based on your app automatically, eliminating the need for manual YAML editing. Update your scan configuration through natural conversation as your application evolves, without touching configuration files.RetryClaude can make mistakes. Please double-check responses.
Example commands:
- “Create a scan configuration for my Node.js app”
- “Update the scan timeout to 15 minutes”
- “Configure scanning for authenticated endpoints”
- “Set up testing for my React app”
Security Testing
Run Security Tests
Execute runtime security tests on your applications with simple conversational commands. You can test local development or staging environments, and choose to scan specific endpoints or your entire app based on your needs.
Example commands:
- “Scan my app for vulnerabilities”
- “Test my API endpoints for vulnerabilities”
- “Check the security of my login page”
- “Run a security test on staging.myapp.com”
- “Scan the new feature I just built”
- “Test my latest changes for vulnerabilities”
- “Check if my refactoring is still secure”
- “Run a quick security check”
Find Vulnerabilities
Detect common security issues including SQL injection, XSS, and authentication vulnerabilities. Vibe identifies broken access controls and authorization flaws, while also finding security misconfigurations and exposed data that could put your application at risk.
Example commands:
- “Check for SQL injection vulnerabilities”
- “Test if my authentication can be bypassed”
- “Look for XSS vulnerabilities in my app”
- “Find authorization issues in my API”
AI-Powered Fixing
Understand Vulnerabilities
Get clear explanations of what was found during security scans, understand the security impact of each issue, and learn why it matters for your specific application. Your AI assistant provides context to help you prioritize fixes effectively.
Example commands:
- “Explain this SQL injection finding”
- “What does this XSS vulnerability mean?”
- “How serious is this authentication issue?”
- “Why is this a security problem?”
Fix Vulnerabilities
Receive code-specific remediation that’s tailored to your framework and application structure. Your AI assistant generates contextual fixes that you can review and apply directly in your editor, keeping you in your development flow.
Example commands:
- “Fix this SQL injection vulnerability”
- “Show me how to prevent this XSS attack”
- “Generate a secure version of this code”
- “Update my authentication to be secure”
Verify Fixes
Rescan to confirm vulnerabilities are resolved after applying changes. Test specific fixes before deploying to ensure they work as expected, giving you confidence that your security improvements are effective and haven’t introduced new issues.
Example commands:
- “Rescan to verify the fix worked”
- “Test if the SQL injection is fixed”
- “Check if my authentication is secure now”
- “Verify all vulnerabilities are resolved”
Using Vibe in Your Workflow
Continuous Security Testing
Integrate security testing seamlessly into your development process. Test as you code, checking new features for vulnerabilities before they reach production. Run quick scans after making changes to ensure you haven’t introduced new security issues. The entire security workflow happens in your AI editor—see results, apply fixes, and verify changes without switching contexts or interrupting your flow.
Example workflow commands:
- “Scan the new feature I just built”
- “Quick security check before I commit”
- “Test my latest changes for vulnerabilities”
- “Show me the most critical issue to fix first”
- “Run a focused scan on my authentication updates”
Troubleshooting
Most issues with StackHawk Vibe relate to installation, API key configuration, or network connectivity. If you encounter problems, work through these common solutions in order, as each builds on the previous step.
MCP server not found:
- Verify
stackhawk-mcpis installed:pip show stackhawk-mcp - Check your Python is in PATH
- Try using the full path to the Python executable
Authentication failed:
- Verify your API key is set:
echo $STACKHAWK_API_KEY - Check for typos in the API key
- Ensure you’re using a valid Vibe subscription
MCP connection errors:
- Restart your AI editor after configuration changes
- Check MCP server status with
claude mcp list(Claude Code) - Try removing and re-adding the MCP server
- Enable debug mode to see detailed error messages