StackHawk is always searching for ways to make application security testing easier for developers. That’s why we have created a new GitHub Action that integrates AppSec testing directly into your GitHub CI/CD pipeline.

If you aren’t familiar, GitHub Actions is a powerful platform for continuous integration and deployment. Using simple YAML workflow configuration files, you can trigger software builds, tests, and deployments from a variety of events such as merging code. With a free GitHub account, you have access to thousands of minutes of compute time per month for building, testing, and deploying your applications.

Our scanner, HawkScan, works by scanning your running application, finding all of its available API routes, and probing them with security tests. In the StackHawk web app, you can analyze the results of your scans and track the security profile of your application over time. StackHawk alerts you whenever new security bugs are found, and you can assign bugs to developers to track them to resolution.

The HawkScan Action makes it easy to add dynamic application security testing (DAST) to your GitHub Actions workflow. This means that every time a developer checks in code, you can automatically test your application and discover any new security issues as soon as they are introduced. Run those automated tests in a pre-production environment, and you can catch and resolve those bugs before they ever get exposed to your customers and the world.

Using the HawkScan Action

The HawkScan Action can run most scans with just a single parameter – your StackHawk API key. For example, to scan a Node.js app, your GitHub Actions workflow would be as simple as this:

# .github/workflows/hawkscan.yml

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm install
      - run: nohup node bin/www &
      - uses: stackhawk/hawkscan-action@v1.1
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}

This workflow has 4 steps:

  1. Checks out your code with the actions/checkout@v2 action
  2. Installs your Node.js app and its dependencies with npm install
  3. Runs your app in the background with nohup node bin/www &
  4. Scans your app with our stackhawk/hawkscan-action@v1.1 action using your StackHawk API key from GitHub secrets

The rest of the configuration for HawkScan lives in your code repository in a stackhawk.yml file.

# stackhawk.yml

app:
  applicationId: xxxxxxxx-XXXX-xxxx-XXXX-xxxxxxxxxxxx
  env: Development
  host: http://localhost:3000

Other Configuration Options

The HawkScan Action exposes all of the features of HawkScan, so there are no limits to how you can run it in your pipeline.

Multiple Configuration Files

To support multiple HawkScan configurations in different environments, you can use multiple configuration files to override a base configuration. Just list your configuration files in order, base first, using the configurationFiles input, like so:

# .github/workflows/hawkscan.yml

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: stackhawk/hawkscan-action@v1.1
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          configurationFiles: |
            stackhawk.yml
            stackhawk-overrides.yml

Environment Variables

The HawkScan configuration file supports environment variable interpolation, so you can dynamically set configuration options at runtime. For instance, you could set the value of your app.host parameter at runtime using the APP_HOST environment variable. Your HawkScan configuration file would look like this:

# stackhawk.yml

app:
  applicationId: xxxxxxxx-XXXX-xxxx-XXXX-xxxxxxxxxxxx
  env: Development
  host: ${APP_HOST}

And to set your host entry to http://example.com at runtime, set APP_HOST in the step's env block and name it in the environmentVariables input so the action passes it through to HawkScan. Your GitHub Actions workflow would look like this:

# .github/workflows/hawkscan.yml

name: HawkScan

on:
  push:

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: stackhawk/hawkscan-action@v1.1
        env:
          APP_HOST: http://example.com
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          environmentVariables: APP_HOST
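To make the two mechanisms above concrete, here is an added example (not HawkScan's own code) that models how layered configuration files and ${VAR} interpolation resolve together: later files override the base key by key, and only variables named in the pass-through list (the role of the environmentVariables input) are substituted. The merge semantics and the fail-closed behavior on an unresolved placeholder are assumptions for illustration; the page does not state how HawkScan itself handles a missing variable.

```python
import os
import re
from typing import Any, Mapping, Set

# Constructed, already-parsed stand-ins for the page's stackhawk.yml and
# stackhawk-overrides.yml (plain dicts, so no YAML library is needed).
BASE_CONFIG = {"app": {"applicationId": "xxxxxxxx-XXXX-xxxx-XXXX-xxxxxxxxxxxx",
                       "env": "Development",
                       "host": "${APP_HOST}"}}
OVERRIDES_CONFIG = {"app": {"env": "Preproduction"}}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def merge_configs(layers) -> dict:
    """Deep-merge layers in order (assumed semantics: later layers win key by
    key, and nested mappings are merged rather than replaced wholesale)."""
    merged: dict = {}
    for layer in layers:
        for key, value in layer.items():
            both_maps = isinstance(value, Mapping) and isinstance(merged.get(key), Mapping)
            merged[key] = merge_configs([merged[key], value]) if both_maps else value
    return merged


def missing_variables(config: Any, allowed: Mapping[str, str]) -> Set[str]:
    """Every ${NAME} referenced in config whose NAME is not in allowed."""
    if isinstance(config, Mapping):
        return set().union(*(missing_variables(v, allowed) for v in config.values()))
    if isinstance(config, str):
        return {n for n in PLACEHOLDER.findall(config) if n not in allowed}
    return set()


def interpolate(config: Any, allowed: Mapping[str, str]) -> Any:
    """Substitute ${NAME} using only the allow-listed variables."""
    if isinstance(config, Mapping):
        return {k: interpolate(v, allowed) for k, v in config.items()}
    if isinstance(config, str):
        return PLACEHOLDER.sub(lambda m: allowed[m.group(1)], config)
    return config


def resolve_config(layers, passthrough, environ=None) -> dict:
    """Merge the layers, then interpolate with only the variables named in
    passthrough; fail closed on an unresolved placeholder (assumed behavior)."""
    env = os.environ if environ is None else environ
    allowed = {name: env[name] for name in passthrough if name in env}
    merged = merge_configs(layers)
    unresolved = missing_variables(merged, allowed)
    if unresolved:
        raise KeyError(f"unresolved config variables: {sorted(unresolved)}")
    return interpolate(merged, allowed)
```

Failing closed matters here: a placeholder that silently survives or resolves to an empty host would point the scan at the wrong target, and the pass-through list keeps unrelated runner variables (including secrets) out of the configuration.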

Get Started with the HawkScan Action!

The HawkScan Action makes it easy to add DAST scanning to your build pipeline, so you can catch new security bugs before they end up in production. Even if you are brand new to StackHawk, you can be up and running within an hour. Here’s how:

  1. Sign up for a free StackHawk account
  2. Read our Getting Started guide and run your first scan
  3. Read our GitHub Actions integration guide to run your first scan in GitHub Actions