Scan Policy Management
This feature is available on the StackHawk Enterprise plan.
When you run a security test with HawkScan, the scanner uses a default selection of plugins that correspond to common vulnerability tests. This set of plugins is a scan policy. StackHawk offers multiple scan policies that include different plugins depending on the type of application you are testing. The scan policy used during a scan on your application is determined by the configuration in your stackhawk.yml.
Organization Policy Management
New! Scan policies can now be configured across all Applications using the Organization Policy Management feature found within Settings -> Org Settings -> Policy Management
. We recommend using this approach to ensure scan policies can be applied across multiple applications.
StackHawk supports creating organization-level policies that can be assigned directly from the stackhawk.yml
configuration. This feature is designed to enforce consistent security standards across all your applications.
Creating and Applying Policies
To create a new organization policy:
- Choose one of the default StackHawk policies to duplicate based on your application or API technology. See Policy Management Defaults for a description of each default policy.
- Give it a name and description.
- Adjust the plugins and tech flags as needed for your applications.
To apply the policy to all applications, include the following configuration in your stackhawk.yml
file:
app:
scanPolicy:
name: CUSTOM_OPENAPI_POLICY
NOTE: Use the generated Slug ID (e.g. CUSTOM_OPENAPI_POLICY
) for the scan policy name when specifying it in the configuration file.
Customizing Policies for Specific Applications
If specific plugins are required or not applicable for a particular application, adjust the configuration file to include and exclude plugins as follows:
app:
scanPolicy:
name: CUSTOM_HAWKSCAN_POLICY
includePluginIds:
- 90036
excludePluginIds:
- 90035
Viewing Applied Scan Policy
To confirm which policy was applied for a particular scan, check the Scan Details screen which will indicate the name of the Scan Policy as well as whether or not it was modified from it’s defined configuration.
Benefits
Organization policies provide a streamlined approach to managing security across multiple applications, ensuring a unified security posture that aligns with organizational standards.
Application Policy Management
For more information on managing scan policies at the application level, see Application Policy Management.