Scan Policy Management

This feature is available on the StackHawk Enterprise plan.

When you run HawkScan, the scanner uses a default selection of plugins that correspond to common vulnerability tests. This set of plugins is a scan policy. StackHawk offers multiple scan policies that include different plugins depending on the type of application you are testing. Which scan policy runs during a scan of your application is determined by the configuration in your stackhawk.yml.

Scan policies and the plugins/tests that run during scans can now be explicitly configured for each application in the StackHawk Platform.

CAUTION: Log4Shell (plugin ID 40043) and the order of priority defined in the Prioritization section may NOT work as expected in versions of HawkScan before 2.11.

Scan Policy Selection

To select which policy runs during a scan:

  1. Go to the Applications Page.
  2. Click the application name to go to the Settings page.
  3. Under Application Scan Policies, use the Applied Policy dropdown menu to select a scan policy that will run during scans of this application.

Customize Scan Policy

An application scan policy can be customized to have more fine-grained control over which plugins/tests run as part of the policy. You may want to add or remove plugins/tests from a policy to decrease scan time or focus a scan on certain vulnerabilities.

NOTE: Cross Site Scripting (DOM Based) (plugin ID 40026) requires use of the ajax spider.

To customize an application scan policy:

  1. Select an application scan policy from the Applied Policy dropdown menu and click Customize Policy.
  2. On the Policy Management page, click the checkboxes to enable or disable the plugins/tests you want to include or remove from your application scan policy.
  3. Your updates take immediate effect and a customized label is applied to the application scan policy.

The list of plugins on the Policy Management page has two tabs, one for each plugin/test type. Active scan plugins attempt to exploit vulnerabilities, while passive scan plugins make normal requests to an application and analyze the responses.

You can use the search bar above the plugins list to search for plugins by name, ID, criticality and release status.

Clicking an unchecked checkbox will enable the plugin/test while clicking a checked checkbox will disable the plugin/test.

[Screenshot: Scan Policy Plugins List]

After you customize the applied application scan policy, if you apply a different application scan policy, you will lose your customized configuration.

Permissions

Selecting and customizing scan policies from an application’s Settings page is only enabled for owners and admins whose organization is on the Enterprise plan. Organization members will still be able to run scans against applications with scan policies that have been selected or customized from this page.

Prioritization

In addition to changing the applied policy and customizing a scan policy in Settings, there are two ways that scan policies may be applied in the stackhawk.yml configuration file.

  1. Configuring the hawk.scan.policyName parameter. Read more
  2. Configuring the app.openApiConf, app.graphqlConf or app.soapConf parameters. Using one of these parameters will normally cause HawkScan to automatically select a scan policy that is optimized for OpenAPI/REST, GraphQL or SOAP APIs. Read more about configurations for OpenAPI/REST, GraphQL or SOAP APIs.

The following list is the order of priority for the various methods of applying scan policies:

  1. Scan policy set with hawk.scan.policyName in the StackHawk YAML configuration file, stackhawk.yml.
  2. Customized applied policy on the application’s Settings page in the StackHawk Platform.
  3. Applied policy, other than HawkScan Default, in the application’s Settings page in the StackHawk Platform.
  4. OpenAPI/REST, GraphQL, or SOAP-optimized scan policies when:
    1. One of the app.openApiConf, app.graphqlConf, or app.soapConf parameters is configured in the StackHawk YAML configuration file, stackhawk.yml.
    2. The applied policy is HawkScan Default (or was never previously configured) on the application’s Settings page in the StackHawk Platform.
  5. HawkScan Default scan policy when the applied policy is HawkScan Default (or was never previously configured) on the application’s Settings page in the StackHawk Platform.

Best practice is to use only one of these configurations at a time for each application.
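To make the precedence list above concrete, here is an added Python example (not StackHawk's code) that resolves the effective scan policy from a parsed stackhawk.yml and the state of the Settings page, and that lists every policy-selecting configuration in play so you can tell when more than one is set. The PlatformSettings model, the placeholder names for the API-optimized policies, and the sample configuration dict are assumptions; the real optimized policy names are not given on this page.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

DEFAULT_POLICY = "HawkScan Default"

# Assumption: each API configuration key selects one optimized policy. The real
# policy names are not stated on this page, so these labels are placeholders.
API_CONF_POLICIES = {
    "openApiConf": "<OpenAPI/REST-optimized policy>",
    "graphqlConf": "<GraphQL-optimized policy>",
    "soapConf": "<SOAP-optimized policy>",
}


@dataclass
class PlatformSettings:
    """What is set under Application Scan Policies on the Settings page.
    applied_policy=None models an application whose policy was never configured."""
    applied_policy: Optional[str] = None
    customized: bool = False


def _lookup(config: Dict[str, Any], dotted_path: str) -> Any:
    """Walk a parsed stackhawk.yml (nested dicts) by a dotted key path."""
    node: Any = config
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def configured_sources(config: Dict[str, Any], settings: PlatformSettings) -> List[str]:
    """Every policy-selecting configuration present, so you can spot when more
    than one is in play (the page recommends using one at a time)."""
    sources = []
    if _lookup(config, "hawk.scan.policyName"):
        sources.append("hawk.scan.policyName")
    applied = settings.applied_policy or DEFAULT_POLICY
    if settings.customized or applied != DEFAULT_POLICY:
        sources.append("Settings page applied policy")
    for key in API_CONF_POLICIES:
        if _lookup(config, f"app.{key}"):
            sources.append(f"app.{key}")
    return sources


def resolve_policy(config: Dict[str, Any], settings: PlatformSettings) -> Tuple[str, str]:
    """Return (policy name, winning source) following the page's priority order."""
    # 1. hawk.scan.policyName in stackhawk.yml overrides everything else.
    name = _lookup(config, "hawk.scan.policyName")
    if name:
        return str(name), "hawk.scan.policyName"

    applied = settings.applied_policy or DEFAULT_POLICY
    # 2. A customized applied policy from the Settings page.
    if settings.customized:
        return applied, "customized applied policy"
    # 3. An applied policy other than HawkScan Default.
    if applied != DEFAULT_POLICY:
        return applied, "applied policy"
    # 4. API-optimized policy, only when an API conf key is set and the applied
    #    policy is still HawkScan Default (or was never configured).
    for key, policy in API_CONF_POLICIES.items():
        if _lookup(config, f"app.{key}"):
            return policy, f"app.{key}"
    # 5. Fall through to the default policy.
    return DEFAULT_POLICY, "default"


if __name__ == "__main__":
    # Constructed sample: a stackhawk.yml parsed into a dict (spec path is a
    # placeholder), plus a Settings page left on HawkScan Default.
    yml = {"app": {"openApiConf": {"path": "<openapi-spec-path>"}}}
    settings = PlatformSettings(applied_policy="HawkScan Default")
    print(resolve_policy(yml, settings))
    print(configured_sources(yml, settings))
```

Feed it the output of your YAML parser of choice for stackhawk.yml; when configured_sources returns more than one entry, the scan is being steered by several mechanisms at once and only the first one in the precedence order will take effect.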

Reset Scan Policy

To reset a scan policy back to its original enabled/disabled plugin selection, use the Reset Policy button on the Policy Management page.

[Screenshot: Reset Scan Policy]

Video Tutorial

Check out our video tutorial on Policy Management: