When we established StackHawk in 2019, we had a clear vision. Application security testing needed to be rethought to give engineers the capability to easily find and fix security bugs while writing code – not after that code has been deployed to production.
We have worked relentlessly to reshape how security testing is done over the past two years. We created a simple to configure dynamic application security testing (DAST) scanner that can be fully automated in CI/CD. We have provided developers with tools to understand and take action on findings immediately, and we provide industry leading testing coverage for APIs.
But today, I am excited to announce our biggest launch yet – the new StackHawk Scanner.
This scanner is full of amazing features, but at its core, it was designed to embed security in the developer workflow and to overcome the most common challenges that keep security from shifting left.
Making Application Security Testing Part of the Developer Workflow
With the latest version of the StackHawk scanner, or what we lovingly call “HawkScan,” we had one goal – to make our application and API security testing tool even more developer-friendly.
While the initial version of HawkScan was created to live in an ephemeral Docker container, we wanted the new version to provide developers with more flexible deployment options, while also giving them tools to be self-sufficient with both configuration and troubleshooting.
Here is how we are delivering on that vision:
The StackHawk CLI. We know not everyone loves Docker. Or maybe it just doesn’t fit your team’s deployment scenario. The new CLI gives developers a more familiar way to install and interact with the StackHawk scanner, right from the IDE. With a few simple commands users can initialize the scanner, validate the config, and get going with security testing.
Configuration Linting. The StackHawk scanner is now capable of identifying issues in both the StackHawk configuration YAML and OpenAPI specs before a user kicks off a scan. No more waiting for scan results just to see an error code that requires troubleshooting. Instead, misconfigurations are highlighted right in the IDE at the get-go.
Custom Auth Support. Authentication is notoriously difficult to get right for DAST. But it is arguably the most important feature to automate, since so much of most applications lives behind authentication. No matter what your authentication scenario is, StackHawk can support it with just a few lines of YAML. This means better app coverage with fewer headaches for your team.
But, I Love Docker!
The Docker version of the StackHawk scanner isn’t going anywhere. In fact, configuration linting and custom auth support are now available in the Docker version of the scanner as well.
While the new CLI provides better flexibility for local testing, we know that for many CI/CD use cases the HawkScan Docker container is the best choice! Our engineering team has delivered a product strategy that will ensure feature parity between the CLI and Docker versions moving forward.
But, What About ZAP?
When we created our scanner, we proudly built on top of ZAP. And that hasn’t changed. StackHawk is still proudly partnered with the world’s most widely used application security testing tool, so you can have confidence in the consistently updated tests from the open-source community and in the scan results they produce.
Make Security Testing Part of Your Workflow
If you are a developer or lead a development team and are interested in finding application security tooling that can be part of your development process, check out our new HawkScan Getting Started Guide.
You will be thrilled with how quickly you can get the YAML configured (even with auth!) and your OpenAPI spec validated. Then enter a quick hawk scan command if you choose to use the CLI, and you are off to the races delivering more secure applications faster.
If you are looking for more resources, drop us a line at email@example.com, so we can get you going with your first scan.