Scan Policies Available in HawkScan

StackHawk’s HawkScan offers a variety of policies tailored to meet the specific needs of your applications. This page provides an overview of all available policies, their unique identifiers, and their typical use cases.

Default Policies

These are the foundational policies applied by default, tailored according to the scan discovery settings specified in the stackhawk.yml file.

  • HawkScan Default (DEFAULT)
    The standard configuration for running general security tests across a wide range of applications.

  • OpenAPI/REST API (DEFAULT_API)
    Automatically applied when an openapiConf or grpcConf is found, optimized for OpenAPI/REST and gRPC API security testing.

  • GraphQL API (DEFAULT_API_GQL)
    Automatically applied when a graphqlConf is found, this policy is designed specifically for securing GraphQL APIs.

  • SOAP API (DEFAULT_SOAP)
    Automatically applied when a soapConf is found, with specific tests for SOAP-based services.

Use-Case Specific Policies

These policies are designed for particular scenarios, environments or security requirements:

  • Production-Safe (DEFAULT_PASSIVE_ONLY)
    A non-intrusive scan suitable for use in production environments to minimize performance impact.

  • OpenAPI - Experimental (OPEN_API_EXPERIMENTAL)
    A cutting-edge policy focusing on the OWASP API Security Top 10, designed for OpenAPI.

  • Log4Shell (LOG4SHELL)
    Tailored to detect and assess vulnerabilities related to Log4Shell.

  • Spring4Shell (SPRING4SHELL_ONLY)
    Specifically targets Spring4Shell vulnerabilities.

  • Log4Shell + Spring4Shell (SPRINGnLOG4SHELL)
    Combines checks for both Log4Shell and Spring4Shell vulnerabilities.

  • HawkScan Default + Spring4Shell (DEFAULT_SPRING4SHELL)
    Integrates Spring4Shell checks with the standard HawkScan configuration.

Specifying Policies via HawkScan Config

To override an application's default policy, or a policy configured via the Policy Management feature, specify the desired policy identifier directly in your stackhawk.yml configuration file under hawk.scan.policyName. This is particularly useful for tailoring scans to specific environments, such as production testing, where a less intrusive policy may be necessary.

hawk:
  scan:
    policyName: "DEFAULT_PASSIVE_ONLY"

Summary

This document outlines the various scan policies available in HawkScan, providing you with the flexibility to select or customize policies according to the specific requirements of your applications. Whether applying default policies or tailoring scans for unique environments, HawkScan is equipped to ensure your applications are secure.

For further assistance or if you have questions about configuring policies specific to your needs, please do not hesitate to contact our support team at support@stackhawk.com.