Pull Request Checks


Part of StackHawk’s official GitHub App integration.

Overview

StackHawk with GitHub helps teams understand the state of their DAST scans at a glance, directly in their pull requests or from commit statuses. View a high level summary of your latest HawkScan in your pull request, and see HawkScan statuses tied to commits.

Features

  • HawkScan can be tied to commits so that scan statuses can be associated with specific commits.
  • Pull requests can be decorated with summaries of your latest HawkScans, based on the commit. View high level scan details directly in the pull request while reviewing the code.

Requirements

You must have the official StackHawk GitHub app installed, with a GitHub repo mapped to the StackHawk application you are trying to get PR comments and commit statuses on. For detailed installation and configuration docs, check out the main GitHub App page.

Usage

Once the GitHub Integration is installed and a StackHawk Application is connected to a GitHub repository, you must make a few updates to your stackhawk.yml to start seeing commit statuses and PR comments.

This feature makes use of the open scan tags beta, by specifying a reserved tag that tells the StackHawk platform which commit the given scan is associated with.

It is recommended to use HawkScan’s environment variable resolution for the values of these tags, so that the environment variables can be injected by your CI/CD pipeline.

stackhawk.yml

tags:
  - name: _STACKHAWK_GIT_COMMIT_SHA
    value: <your-cicd-variable-for-commit-sha>
  - name: _STACKHAWK_GIT_BRANCH
    value: <your-cicd-variable-for-branch>

NOTE: Only the commit sha is required. Providing the Git branch as well adds metadata in the StackHawk Platform about where a scan came from.

Commit Statuses

Once a commit sha has been provided for a StackHawk application linked to a GitHub repo, StackHawk posts a commit status to that sha. GitHub then shows a link to the last scan associated with that commit, along with a quick indication of the scan's overall result (success or failure).

Image: Successful commit status

Image: Unsuccessful commit status

Pull Request Comments

Once a commit sha has been provided for a StackHawk application linked to a GitHub repo, and that sha is the last commit of an open pull request, StackHawk posts a comment on that pull request when the scan completes, with an overview of the scan and a link to the scan details.

Image: Example of a successful pull request comment

If for any reason the scan fails, a brief error message will be posted to the PR, along with a link to the failed scan.

Image: Example of an error pull request comment

Blocking Pull Request Merges

Because this integration creates commit statuses, you can configure HawkScan as a required check once your first scan with commit statuses has completed successfully. GitHub will then refuse to merge a pull request until it has a successful HawkScan status. By default, commit statuses appear as pull request checks but are not required to pass before merging. For more information, check out this GitHub article on required checks.

Commit SHA and Branch in the StackHawk Platform

When these two reserved tags are provided, they are shown on the scan details page in the StackHawk platform as an easy way to see where a given scan came from.

Image: Commit sha and branch in the platform

Hovering over these fields will reveal the entire value. The commit box shows the value of the _STACKHAWK_GIT_COMMIT_SHA tag, and the branch box shows the value of the _STACKHAWK_GIT_BRANCH tag.

Troubleshooting

  • No commit statuses or Pull Request comments? Verify that the commit sha shown in the StackHawk platform for the scan matches the last commit sha shown in the pull request or commit tree. CI providers can have various ways of exposing these commit shas, and some providers can have multiple variables that provide different things.
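The following is an added example, not StackHawk's own code or configuration, showing how a CI step can resolve the values for the two reserved tags, validate them, and confirm that the sha HawkScan will report matches the pull request's last commit (the troubleshooting check above). It assumes HawkScan substitutes ${VAR} references in stackhawk.yml, and the variable names GIT_COMMIT_SHA and GIT_BRANCH are arbitrary choices for this example rather than anything StackHawk defines.

```shell
#!/bin/sh
# Added example, not StackHawk's own code. Resolves and validates the values
# for the _STACKHAWK_GIT_COMMIT_SHA and _STACKHAWK_GIT_BRANCH tags before a
# HawkScan runs in CI. Assumptions: HawkScan substitutes ${VAR} references in
# stackhawk.yml, and GIT_COMMIT_SHA / GIT_BRANCH are hypothetical variable
# names chosen for this example.

# Succeed only if the argument is a full 40-character lowercase hex sha.
is_full_sha() {
  case "$1" in
    "" | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Succeed only if the argument is a plausible branch name: non-empty, no
# whitespace, and not itself a sha (a sha in the branch tag usually means
# the wrong CI variable was wired in).
is_branch_name() {
  case "$1" in
    "" | *[[:space:]]*) return 1 ;;
  esac
  ! is_full_sha "$1"
}

# Prefer an explicit pull-request head sha over a generic "current commit"
# variable. Some CI providers expose both, and on pull-request builds the
# generic one can be a temporary merge commit that never appears in the PR's
# commit list, so a status posted to it would not be visible on the PR.
resolve_commit_sha() {
  pr_head_sha="$1"
  current_sha="$2"
  if is_full_sha "$pr_head_sha"; then
    printf '%s\n' "$pr_head_sha"
  elif is_full_sha "$current_sha"; then
    printf '%s\n' "$current_sha"
  else
    return 1
  fi
}

# Troubleshooting check: the sha the scan will be tagged with must equal the
# pull request's last commit, otherwise no status or comment will appear.
check_matches_pr_head() {
  [ "$1" = "$2" ]
}

# Export the variables that stackhawk.yml references via ${GIT_COMMIT_SHA}
# and ${GIT_BRANCH}. Returns 1 if either value fails validation so the
# pipeline stops before running a scan that would be tagged incorrectly.
export_scan_tags() {
  sha="$1"
  branch="$2"
  is_full_sha "$sha" || { echo "invalid commit sha: '$sha'" >&2; return 1; }
  is_branch_name "$branch" || { echo "invalid branch: '$branch'" >&2; return 1; }
  export GIT_COMMIT_SHA="$sha"
  export GIT_BRANCH="$branch"
}

# Demonstration with constructed values (not from a real repository).
demo_head_sha="0123456789abcdef0123456789abcdef01234567"
demo_merge_sha="fedcba9876543210fedcba9876543210fedcba98"
if sha="$(resolve_commit_sha "$demo_head_sha" "$demo_merge_sha")" \
   && export_scan_tags "$sha" "feature/add-login-check" \
   && check_matches_pr_head "$GIT_COMMIT_SHA" "$demo_head_sha"; then
  echo "tags ready: commit=$GIT_COMMIT_SHA branch=$GIT_BRANCH"
fi
```

With these variables exported, the tag values in stackhawk.yml become `${GIT_COMMIT_SHA}` and `${GIT_BRANCH}` (again assuming HawkScan's ${VAR} substitution), and the validation fails the pipeline step instead of letting a scan run with an empty, abbreviated or merge-commit sha that the pull request would never match.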

Feedback

Have any suggestions, feature requests, or feedback to share? Drop us a line at support@stackhawk.com.