Scan Policy Management

This feature is available on the StackHawk Enterprise plan.

When you run a security test with HawkScan, the scanner uses a default selection of plugins that correspond to common vulnerability tests. This set of plugins is a scan policy. StackHawk offers multiple scan policies that include different plugins depending on the type of application you are testing. The scan policy used during a scan on your application is determined by the configuration in your stackhawk.yml.

Organization Policy Management

New! Scan policies can now be configured across all Applications using the Organization Policy Management feature found within Settings -> Org Settings -> Policy Management. We recommend using this approach to ensure scan policies can be applied across multiple applications.

StackHawk supports creating organization-level policies that can be assigned directly from the stackhawk.yml configuration. This feature is designed to enforce consistent security standards across all your applications.

Org Policy Management

Creating and Applying Policies

To create a new organization policy:

  1. Choose one of the default StackHawk policies to duplicate based on your application or API technology. See Policy Management Defaults for a description of each default policy.
  2. Give it a name and description.
  3. Adjust the plugins and tech flags as needed for your applications.

To apply the policy to all applications, include the following configuration in your stackhawk.yml file:

app:
  scanPolicy:
    name: CUSTOM_OPENAPI_POLICY

NOTE: Use the generated Slug ID (e.g. CUSTOM_OPENAPI_POLICY) for the scan policy name when specifying it in the configuration file.

Customizing Policies for Specific Applications

If specific plugins are required or not applicable for a particular application, adjust the configuration file to include and exclude plugins as follows:

app:
  scanPolicy:
    name: CUSTOM_HAWKSCAN_POLICY
    includePluginIds:
      - 90036
    excludePluginIds:
      - 90035

Viewing Applied Scan Policy

To confirm which policy was applied for a particular scan, check the Scan Details screen which will indicate the name of the Scan Policy as well as whether or not it was modified from it’s defined configuration.

Viewing Scan Policy

Benefits

Organization policies provide a streamlined approach to managing security across multiple applications, ensuring a unified security posture that aligns with organizational standards.

Application Policy Management

For more information on managing scan policies at the application level, see Application Policy Management.