Secrets Management

StackHawk supports a secrets manager that can be used to provide sensitive values to the HawkScan runtime, without needing to define those secrets as environment variables on the scanner host.

Secrets defined in the Secrets Manager can be used just like environment variables when interpolated from the HawkScan configuration. Any defined user secret is applied to a scan when a matching environment variable name is referenced, and its value is added as a redacted field.

Stored secrets are unique per user account, and are not shared among members of an organization.

Creating a new User Secret

Define a new secret. Ideally, give the secret an environment variable name that you do not normally expect to find among your scan environment variables, so it is easier to track and supply.

You cannot view the value of a supplied user secret after it has been uploaded. You can always update or delete user secrets.

Using Secrets

As long as the user account authenticating the scan has defined user secrets, those values are used as environment variable runtime overrides when interpolating the HawkScan configuration. Additionally, the secret values are registered as redacted tokens for the scan logs, so they are replaced if they would otherwise be written out.

When running the hawk CLI, the --env/-e and --env-file arguments can be used to supply variable values to the stackhawk.yml file. Passed environment variables can be used to override values supplied in the HawkScan configuration.

For example, if your stackhawk.yml file contains host: ${APP_HOST:http://localhost:3000}, then passing -e APP_HOST=http://dev.example.com sets the host to http://dev.example.com. In this way the scan command’s -e works similarly to the docker command’s -e.
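To make the interpolation and redaction behaviour concrete, here is an added Python model (not StackHawk's own code) of ${VAR:default} resolution in which user secrets override the environment and secret values are scrubbed from log lines. The precedence order among secrets, -e values and the host environment, the apiToken key and all sample values are assumptions constructed for this example.

```python
import re
from typing import Dict

# Matches ${NAME} or ${NAME:default}; the default may itself contain ':' (e.g. a URL).
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")
REDACTED = "[REDACTED]"

# Constructed stackhawk.yml fragment; 'apiToken' is a hypothetical key for this example.
SAMPLE_CONFIG = """app:
  host: ${APP_HOST:http://localhost:3000}
  apiToken: ${API_TOKEN}
"""


def resolve_config(text: str, host_env: Dict[str, str], cli_env: Dict[str, str],
                   user_secrets: Dict[str, str]) -> str:
    """Interpolate every ${VAR:default} placeholder in the configuration text.

    Assumed precedence (modeled here, not stated by the docs):
    user secrets > -e/--env values > scanner host environment > inline default.
    A placeholder with no value in any source and no default is an error.
    """
    def lookup(match: re.Match) -> str:
        name, default = match.group(1), match.group(2)
        for source in (user_secrets, cli_env, host_env):
            if name in source:
                return source[name]
        if default is None:
            raise KeyError(f"no value supplied for ${{{name}}} and no default given")
        return default

    return _PLACEHOLDER.sub(lookup, text)


def redact(line: str, user_secrets: Dict[str, str]) -> str:
    """Replace each secret value found in a log line with a redacted token.

    Longest values are replaced first so a short secret that is a substring of a
    longer one cannot leave part of the longer value exposed.
    """
    for value in sorted(user_secrets.values(), key=len, reverse=True):
        if value:
            line = line.replace(value, REDACTED)
    return line


if __name__ == "__main__":
    secrets = {"API_TOKEN": "tok-constructed-value"}       # constructed sample secret
    resolved = resolve_config(SAMPLE_CONFIG, {}, {"APP_HOST": "http://dev.example.com"}, secrets)
    print(resolved)
    print(redact("authenticating with tok-constructed-value", secrets))
```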