Scans

Scan Results

The StackHawk Platform Scan Results view displays the results of all of your organization's scan activity. By default, scans are ordered with the most recently completed scan first. Each scan shows the number of paths and the number of findings identified during that scan.

StackHawk Platform - Scan Results

Paths

HawkScan results are populated in the scan list page. The metadata associated with each scan includes the URI count: the number of paths the scanner was able to find and test. If this number is low, the scanner has probably not discovered much of your application, and the findings (or lack of them) say little about its actual security posture.

Read about adding authentication instructions to your stackhawk.yml or feeding HawkScan an OpenAPI spec to ensure greater application coverage.

Finding Severity

High

  • Findings with significant impact and likelihood of exploit, usually with a known corresponding CWE or CVE attached to the vulnerability.

Medium

  • Findings with significant impact or ease of exploit.

Low

  • Informational and low-impact discoveries, as well as security suggestions.

Triaged

Findings are marked as New when no other status has been assigned to them yet. These are the items that still need to be fixed or otherwise processed so that their status can be updated. Triaged findings are those with a status of Assigned, Risk Accepted or False Positive.

Scan Details

The Scan Details view displays the list of Findings identified by HawkScan. Each Finding shows its Criticality and the current status of each path identified under that Finding. The Paths tab lists every path that was scanned. As with the URI count on the Scan Results page, a low number of paths usually means the scanner has not found much of your application.

StackHawk Platform - Scan Details

Finding Details

The Finding Details view is the primary display for a specific finding. In addition to the list of identified paths, it shows a detailed description of the Finding along with a link to any available Cheat Sheets. For the selected path, it shows the Request and Response payloads that produced the finding.

StackHawk Platform - Finding Details

Finding Actions

By default, Findings are marked as New. Once a finding has been processed (given one of the statuses below), it is still tracked on future scan runs, but it is no longer pushed as an actionable item. On the Scans page, processed findings are shown in gray, while actionable (new and unprocessed) findings are called out. Finding Actions let you update the status of a specific path to one of the following:

StackHawk Platform - Finding Actions

Assigned

  • These are findings that have been assigned for review and/or fix in whatever issue tracking tool your team uses: items that are in a backlog or in progress for investigation or fix. Deeper integrations with workflow tools such as Jira are coming soon. When you mark a finding as Assigned, you can include a link to the associated ticket in the comments.

Risk Accepted

  • Some findings are technically potential security bugs or risks, but for one reason or another you are electing not to fix them. Take a Cross-Domain JavaScript Source File Inclusion finding as an example: you may have deliberately included scripts from trusted vendors such as New Relic for APM or Segment for event tracking. In that case, you would mark all paths that include the script as Risk Accepted.

False Positive

  • Scan results may include findings that are actually false positives and therefore do not require a fix. Mark these as False Positive to quiet future noise.

When you take action on a particular finding, you will be prompted to enter comments. This creates a record of why the action was taken and lets you tie the finding to workflow tools like Jira.

StackHawk Platform - Finding Notes

Validate Finding

In addition to the Request and Response payloads, you can use the Validate action to generate a curl command that recreates the attack. The curl command carries the same HTTP verb, headers and data fields as the scanner's request. Run it against your application while the application is running under a debugger in your IDE, and you can step through the handling of that request to identify where the bug lives in code. Re-running the same command after a fix is a quick way to confirm the finding no longer reproduces.

StackHawk Platform - Validate Finding
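The replay-and-confirm loop described above, as an added example (not StackHawk code): it turns the pieces of a finding's Request payload into a curl command with the same verb, headers and data, replays the request, and checks whether the response still contains the evidence the scanner flagged. The `/search` and `/search-fixed` handlers are a constructed stand-in for the application under test (one reflects user input unescaped, the other escapes it), and `<hawk-probe>` is a constructed probe value, not a real HawkScan payload.

```python
"""Replay a finding's request against a local build and check whether the
reported evidence still appears. Added example; the target app, the probe
value and the request are all constructed for the demonstration."""
import html
import http.server
import shlex
import threading
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ReplayRequest:
    """The parts of a finding's Request payload needed to replay it."""
    method: str
    path: str                      # path plus query string, as shown in the finding
    headers: dict = field(default_factory=dict)
    body: Optional[bytes] = None


def to_curl(base_url: str, req: ReplayRequest) -> str:
    """Render the request as a curl command with the same verb, headers and data."""
    parts = ["curl", "-i", "-X", req.method]
    for name, value in req.headers.items():
        parts += ["-H", f"{name}: {value}"]
    if req.body is not None:
        parts += ["--data-binary", req.body.decode()]
    parts.append(base_url + req.path)
    return " ".join(shlex.quote(p) for p in parts)


def replay(base_url: str, req: ReplayRequest):
    """Send the request and return (status, body); 4xx/5xx are results, not errors."""
    r = urllib.request.Request(base_url + req.path, data=req.body,
                               method=req.method, headers=req.headers)
    try:
        with urllib.request.urlopen(r, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def reproduces(base_url: str, req: ReplayRequest, indicator: bytes) -> bool:
    """True if the response still contains the evidence the scanner flagged."""
    _, body = replay(base_url, req)
    return indicator in body


# Constructed stand-in for the application under test.
class _DemoApp(http.server.BaseHTTPRequestHandler):
    """/search reflects ?q= unescaped; /search-fixed escapes it (the fix)."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            status, text = 200, f"<p>Results for {q}</p>"
        elif url.path == "/search-fixed":
            status, text = 200, f"<p>Results for {html.escape(q)}</p>"
        else:
            status, text = 404, "not found"
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_app() -> http.server.HTTPServer:
    """Start the constructed app on a free loopback port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Replay a constructed reflected-input finding before and after the fix."""
    srv = start_demo_app()
    base = f"http://127.0.0.1:{srv.server_port}"
    probe = "<hawk-probe>"                       # constructed probe value
    query = urllib.parse.urlencode({"q": probe})  # q=%3Chawk-probe%3E
    finding = ReplayRequest("GET", f"/search?{query}", {"Accept": "text/html"})
    after_fix = ReplayRequest("GET", f"/search-fixed?{query}", {"Accept": "text/html"})
    try:
        return {
            "curl": to_curl(base, finding),
            "reproduces_before_fix": reproduces(base, finding, probe.encode()),
            "reproduces_after_fix": reproduces(base, after_fix, probe.encode()),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real finding you would drop the demo server, copy the method, path, headers and body from the Finding Details view into a `ReplayRequest`, point `base_url` at the build running under your debugger, and use the Response payload shown for the path to choose the `indicator` that proves the finding reproduced.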