We’re excited to share a new capability in HawkAI: it now analyzes small, relevant portions of source code to infer how REST APIs are structured — enabling faster, smarter API specification generation. This functionality currently supports:
- Java/Spring
- Node/Express
This update boosts your team’s ability to test early and often — with zero manual spec work.
Just as important: StackHawk remains deeply committed to protecting your source code, PII, and proprietary data. Here’s exactly how that works — and what’s changing (and not changing).
What’s New: Code Context for REST API Spec Generation
To build API specifications automatically, HawkAI now sends minimal, targeted slices of source code to our trusted AI provider. These slices are limited to what’s necessary to understand how detected REST APIs are constructed — such as route definitions, controller logic, and request structure.
- ✅ Only applies to REST APIs built in Java/Spring or Node/Express (today; more language/framework pairs are coming soon)
- ✅ Only small, relevant code fragments are shared
- ❌ Never full files, repositories, or sensitive logic
These snippets are used only for real-time analysis and are never stored or used for training.
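To make concrete what a "route definition slice" is and what API structure it reveals on its own, here is an added example (not HawkAI's or StackHawk's code): it pulls only the Express route registrations out of a constructed source file, leaving unrelated lines such as secrets behind, and turns them into an OpenAPI-style paths skeleton. The matching regex, the `/api/v1` mount prefix, and the source text are assumptions made for illustration.

```javascript
// Added illustration (not HawkAI/StackHawk code): what a minimal "route definition"
// slice of a Node/Express app looks like, and what API structure it alone reveals.
// The source text below is constructed for this example.
const constructedExpressSource = `
const express = require('express');
const router = express.Router();
const SECRET_KEY = process.env.SECRET_KEY; // not routing logic: must stay out of the slice

router.get('/users/:id', authenticate, (req, res) => { res.json(findUser(req.params.id)); });
router.post('/users', (req, res) => { res.status(201).json(createUser(req.body)); });
router.delete('/users/:id', authenticate, (req, res) => { res.sendStatus(204); });
app.use('/api/v1', router);
`;

// Matches app.METHOD(path, ...) / router.METHOD(path, ...) registrations (assumed pattern).
const ROUTE_RE = /\b(?:app|router)\.(get|post|put|patch|delete)\(\s*(['"`])([^'"`]+)\2/;

// Keep only the lines that register a route: this is the minimal slice.
function extractRouteSlice(source) {
  return source.split('\n').filter((line) => ROUTE_RE.test(line));
}

// Build an OpenAPI-style `paths` object from the slice. Express ':param' segments
// become '{param}' path parameters. The mount prefix (from app.use) is passed in
// explicitly here rather than parsed, as a simplification.
function toOpenApiPaths(sliceLines, prefix = '') {
  const paths = {};
  for (const line of sliceLines) {
    const m = ROUTE_RE.exec(line);
    if (!m) continue;
    const [, method, , rawPath] = m;
    const parameters = [];
    const apiPath = prefix + rawPath.replace(/:([A-Za-z_]\w*)/g, (_, name) => {
      parameters.push({ name, in: 'path', required: true, schema: { type: 'string' } });
      return `{${name}}`;
    });
    paths[apiPath] = paths[apiPath] || {};
    paths[apiPath][method] = {
      parameters,
      responses: { default: { description: 'inferred from route definition' } },
    };
  }
  return paths;
}
```

Running `toOpenApiPaths(extractRouteSlice(constructedExpressSource), '/api/v1')` yields two paths, `/api/v1/users` (post) and `/api/v1/users/{id}` (get, delete), while the `SECRET_KEY` line never enters the slice.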
What Hasn’t Changed: No Code Sharing in Attack Surface Discovery or Sensitive Data Detection
StackHawk’s Attack Surface Discovery and Sensitive Data Detection features continue to operate entirely within StackHawk systems. These features:
- Do not send any source code to AI providers
- Do not use external AI inference
- Analyze patterns and metadata only, not source code contents
This means your sensitive logic, secrets, and proprietary app structure remain completely private when using these detection features.
Our Updated Data Privacy Commitments
We’ve refined our AI principles to match the new functionality:
Approved Vendors Only: We currently use OpenAI, which meets StackHawk’s rigorous security and privacy review requirements.
Minimal & Controlled Code Sharing: Only the smallest possible slices of relevant code are sent — and only for supported REST APIs.
No PII: PII and sensitive data are never included in the shared context.
No Code Retention or LLM Training: Code sent to the AI provider is not stored or used to train models.
Where Is Code Sent?
REST API spec generation involves secure transmission of code fragments to a selected AI provider (currently OpenAI) over encrypted channels from StackHawk’s infrastructure. All data handling aligns with our Third-Party Risk Management Policy and with StackHawk’s data privacy and security commitments.
- Code is shared only when the Repository integration and API Discovery are enabled, a REST API is detected, and a supported framework is used.
- Code is used exclusively for real-time inference.
- Code is never retained or reused.
Which AI provider are you leveraging?
StackHawk currently utilizes OpenAI, but our system is designed to be adaptable, allowing the integration of other large language models as needed. This flexibility ensures we continuously evaluate and implement the most effective AI solutions based on research and testing to enhance our functionality.
Can I opt out of AI usage?
Yes. API Discovery is enabled by default only through the source code repository integration. If you would like to use other SCM integration features without allowing AI access, read the docs for instructions on how to disable HawkAI on your account.
Why This Matters
Legacy DAST and API testing tools require manual specs, brittle recordings, or slow onboarding. With API Discovery:
- You get faster setup with accurate, auto-generated API specs
- Your code and customer data stay safe
- You maintain full control and visibility