Hosted Scanner
The Hosted Scanner enables AppSec teams to run scans directly from StackHawk’s infrastructure, eliminating the need for local setup or CI/CD integration. As an add-on feature, it serves as a bridge for teams that require flexibility beyond a pipeline-first approach, enabling them to quickly scan legacy systems, inherited applications, or compliance-driven environments.
By removing setup barriers, Hosted Scanner provides security teams with a fast and familiar way to initiate scanning, review results within the platform, and extend coverage to applications that would otherwise be difficult or time-consuming to test.
NOTE: Hosted Scanner is not intended to replace CI/CD workflows. Instead, it supplements them by giving security teams independence in environments where pipeline integration is not possible.
Recommended Use Cases
Use Hosted Scanner in situations where pipeline-based scanning is not feasible:
- Legacy applications without pipelines.
- Acquired or inherited systems that require validation.
- Compliance-driven production scans.
- Early onboarding when teams want to scan before CI/CD integration is complete.
Prerequisites
- A StackHawk account with Hosted Scanner enabled.
- The URL of the application you want to scan.
- Access to add DNS records (or another supported verification method).
How It Works
Hosted Scanner runs on StackHawk’s managed infrastructure, allowing you to point the scanner at a target application without requiring local setup or pipeline integration.
The process begins by creating a target in the StackHawk platform. A target represents the application you want to scan and includes the base URL along with verification details to confirm ownership, typically through DNS records.
Once the target is created and verified, the platform automatically generates a YAML configuration for it and hosts that configuration within StackHawk. This YAML contains the defaults needed to run a scan and can be edited directly in the Hosted Config Editor. Users can fine-tune scan settings just as they would with a locally managed YAML file, but without needing to handle setup or file management on their own systems.
When a scan is launched, StackHawk provisions and runs the scanner from its managed infrastructure. The scanner crawls and tests the target application according to the hosted configuration, and the results are streamed back into the StackHawk platform. Findings appear in the same results viewer used for pipeline-driven scans, ensuring a consistent experience across different workflows.
Key Features
- Familiar UI: A streamlined version of the core StackHawk interface for fast adoption.
- Hosted Config Editor: Modify YAML-based configurations directly in the platform without local setup.
- Step-by-Step Guidance: Clear instructions for URL submission, DNS verification, and scan execution.
- Getting Started Page: Provides context, links to documentation, and an immediate way to launch scans.
Verification Process
To prove ownership of your domain, you will create a TXT record in your DNS settings with details similar to the following. The specifics for your domain are shown in StackHawk when you add a Hosted Scanner target for that domain. Once you have added these details to your record, click "Verify" in the platform to complete domain verification. If you run into any issues, please contact support for assistance.
Multiple TXT records with the same name (host) are supported if you need to list several specific domains rather than using a wildcard.
- Name (Host): sh-UNIQUE-DOMAIN-KEY-FROM-STACKHAWK.example.com
- Value (Record Content): *.example.com or subdomain.example.com
- TTL: your provider's default, or 3600
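A DNS change can take a while to propagate, so it helps to confirm the TXT record is visible in public DNS and covers the host you intend to scan before clicking "Verify". The following is an added example written for this page, not StackHawk's own code; the record name, host and sample dig output are constructed placeholders, and the wildcard matching rule it applies (a `*.example.com` value covers hosts below example.com but not example.com itself) is this example's assumption, not StackHawk's documented semantics.

```python
# Added example (not StackHawk's code): pre-check the Hosted Scanner
# verification TXT record before clicking "Verify" in the platform.
import shutil
import subprocess

# Constructed sample of `dig +short TXT <name>` output, used for offline tests.
SAMPLE_DIG_OUTPUT = '"*.example.com"\n"api.example.com"\n'


def parse_txt_values(dig_output: str) -> list[str]:
    """Turn `dig +short TXT` output into clean record values.

    dig prints each value quoted, and splits long records into several
    quoted chunks on one line; chunks are joined and quotes stripped.
    """
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = [c.strip('"') for c in line.split('" "')]
        values.append("".join(chunks).strip('"'))
    return values


def lookup_txt(name: str) -> list[str]:
    """Query public DNS for the TXT values at `name` (requires `dig`)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils / dnsutils")
    result = subprocess.run(["dig", "+short", "TXT", name],
                            capture_output=True, text=True, check=True)
    return parse_txt_values(result.stdout)


def record_covers_host(record_value: str, host: str) -> bool:
    """Assumed matching rule: an exact name covers only itself, and a
    wildcard such as `*.example.com` covers any hostname below example.com."""
    record_value = record_value.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if record_value.startswith("*."):
        suffix = record_value[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return record_value == host


def check_verification(txt_values: list[str], host: str):
    """Return the first TXT value that covers `host`, or None if none does."""
    for value in txt_values:
        if record_covers_host(value, host):
            return value
    return None


if __name__ == "__main__":
    # Placeholders: use the record name shown in StackHawk and your target host.
    record_name = "sh-UNIQUE-DOMAIN-KEY-FROM-STACKHAWK.example.com"
    target_host = "app.example.com"
    try:
        published = lookup_txt(record_name)
    except (RuntimeError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"lookup failed: {exc}")
    match = check_verification(published, target_host)
    if match:
        print(f"{target_host} is covered by TXT value {match!r}")
    else:
        print(f"{target_host} is NOT covered; published values: {published}")
```

Run it after adding the record; if the lookup returns nothing, the record has not propagated yet (or was created under the wrong name), and if values are returned but none covers the target host, the value needs to be a matching wildcard or an additional TXT record for that specific subdomain.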