Claude Code can build an entire feature while you’re still reading the ticket. Checking that feature for security holes is now the slowest part of shipping, and it’s the step most of us quietly postpone.
This guide is about making Claude run DAST against your live, running app. By the end, Claude Code will scan your local application, fix the vulnerabilities it finds, and prove the fixes with a clean rescan, all without leaving the terminal.
What Are StackHawk Agent Skills for Claude Code?
StackHawk agent skills are instruction sets that teach AI coding agents how to run security scans, parse findings, fix vulnerabilities, and verify the fixes. They’re structured markdown rather than a running service: installing them adds no runtime dependencies, and no code runs in the background.
Once installed, the skill teaches Claude a five-step loop:
- Configure: generate a stackhawk.yml based on your app type, host, and auth pattern
- Scan: run HawkScan against your running application
- Parse: read structured JSON findings with vulnerability type, severity, path, and method
- Fix: remediate vulnerabilities directly in your codebase
- Verify: rescan to confirm the fixes are effective
Two skills ship together. HawkScan configures, runs, and interprets scans, then fixes findings and verifies the fixes. StackHawk API queries the StackHawk platform for security posture, findings reports, and scan history. The scanning side isn’t limited to REST; it also handles GraphQL, gRPC, and similar API types, with auth patterns ranging from bearer tokens to form login.
This is the idea behind Agentic StackHawk: security testing becomes part of how the agent builds, so “done” means “done and secure”.
Prerequisites
Here are a few prerequisites to check off before the steps below:
- Claude Code installed and working in your project
- A StackHawk account on a Secure, Scale, or Wingman plan
- Java 17+ (a JDK, not just a JRE) if you’re installing on Linux; the macOS and Windows installers bundle Java
- Your application running locally, with its source code, on a port between 1024 and 65535
Set Up Claude Code Security Scanning with StackHawk
Step 1: Get a StackHawk API Key
To get an API key, log in to the StackHawk console in the browser and click Settings in the left-side menu, then click API Keys in the menu that appears. On the API Keys screen, click the Create API Key button in the top right corner.
Give your API key a descriptive name, such as “Claude Code Agent,” and click Continue.
The API key has now been created. Leave this screen open or temporarily copy the key somewhere secure so it’s ready for the next step. If you exit before copying it, you’ll need to delete the key and create a new one.
Step 2: Install the hawk and hawkop CLIs
On macOS or Linux, Homebrew installs both:
brew tap stackhawk/cli && brew install hawk hawkop
hawk init
hawkop init
On Windows, download the MSI installers from the downloads page (the hawk MSI includes bundled Java), then run the same two init commands in PowerShell.
hawk init prompts for the API key from Step 1, which looks like hawk.xxxxxxxxxx.xxxxxxxxxx, validates it, and stores it in $HOME/.hawk/hawk.properties.
hawkop init automatically picks up the key and asks for your default organization. The division of labor matters here: hawk runs scans, while hawkop operates on the results. You’ll install both because the two skills handle different workloads.
Step 3: Install the StackHawk agent skills in Claude Code
To get the StackHawk agent skills in place, first open Claude Code, then add the StackHawk marketplace, and install both plugins (the Claude Code skill docs cover the same setup):
/plugin marketplace add stackhawk/agent-skills
/plugin install hawkscan@stackhawk
/plugin install stackhawk-api@stackhawk
If the /plugin commands are new to you, Anthropic’s plugin documentation explains how marketplaces and installs work under the hood.
Step 4: Verify the skills are active
Ask Claude directly:
What StackHawk skills do you have?
It should describe the HawkScan scanning skill and the API reporting skill. If the skills don’t show up, confirm the plugins installed in Step 3 and check that hawk init ran successfully, since ~/.hawk/hawk.properties needs to exist.
Step 5: Ask Claude to scan your app
With your app running locally, give Claude the exact prompt from StackHawk’s docs:
Set up security scanning for my app and scan it for vulnerabilities
Claude checks that your app is running (and starts it if needed), generates a stackhawk.yml, validates it, and kicks off the scan. The generated config is small. Every stackhawk.yml needs just three fields:
app:
  applicationId: xxxx-xxxx-xxxx-xxxx # Your app ID from app.stackhawk.com
  env: Development
  host: http://localhost:8080
That applicationId is the one value that lives outside your codebase: every scan runs against an application record in the StackHawk platform. Creating the app is part of the multi-step workflow that the skills walk Claude through. If you’d prefer to set it up yourself, add the app at app.stackhawk.com under Applications and grab the generated ID; the add an application guide covers it.
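Before handing the scan to Claude, it is worth checking the prerequisites above mechanically: a Java 17+ JDK on Linux, the hawk.properties file that hawk init writes, and a stackhawk.yml whose three required fields are filled in with a host on a port between 1024 and 65535. The script below is an added example, not StackHawk's own tooling; its YAML reader understands only the flat three-field app: block shown above (it is not a general YAML parser), the SAMPLE_CONFIG is constructed with the placeholder ID from the guide, and the placeholder test (an ID made only of x and - characters) is this example's own heuristic.

```python
"""Pre-flight checks before asking Claude Code to run a HawkScan scan.

Added example, not StackHawk's own tooling. Checks the guide's prerequisites:
Java 17+ (when a `java -version` string is supplied), the hawk.properties file
written by `hawk init`, and the three required stackhawk.yml fields with a host
port in the allowed range.
"""
import os
import re
from urllib.parse import urlparse

MIN_PORT, MAX_PORT = 1024, 65535
MIN_JAVA = 17
HAWK_PROPERTIES = os.path.expanduser("~/.hawk/hawk.properties")

# Constructed sample: the minimal config from the guide, ID still a placeholder.
SAMPLE_CONFIG = """\
app:
  applicationId: xxxx-xxxx-xxxx-xxxx # Your app ID from app.stackhawk.com
  env: Development
  host: http://localhost:8080
"""


def java_major(version_string):
    """Major Java version from a `java -version` style string, or None.

    Handles the modern "17.0.2" form and the legacy "1.8.0_292" form, where the
    major version is the second component.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?", version_string)
    if not m:
        return None
    first = int(m.group(1))
    if first == 1 and m.group(2) is not None:
        return int(m.group(2))
    return first


def host_port_ok(host_url):
    """True when the host URL names an explicit port in the allowed range."""
    try:
        port = urlparse(host_url).port
    except ValueError:  # e.g. "http://localhost:abc"
        return False
    return port is not None and MIN_PORT <= port <= MAX_PORT


def read_app_block(yaml_text):
    """Extract the indented `key: value` lines under a top-level `app:` key.

    Only the flat layout shown in the guide is understood; `#` comments are
    stripped. Assumed-simple reader, not a YAML parser.
    """
    fields = {}
    in_app = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):  # top-level key
            in_app = line.strip() == "app:"
            continue
        if in_app and ":" in line:
            key, value = line.strip().split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_config(yaml_text):
    """Problems with the config; an empty list means it is ready to scan."""
    app = read_app_block(yaml_text)
    problems = []
    for key in ("applicationId", "env", "host"):
        if not app.get(key):
            problems.append(f"app.{key} is missing")
    app_id = app.get("applicationId", "")
    if app_id and set(app_id) <= set("x-"):  # heuristic for the guide's placeholder
        problems.append("app.applicationId is still the placeholder; "
                        "copy the real ID from app.stackhawk.com")
    host = app.get("host")
    if host and not host_port_ok(host):
        problems.append(f"app.host {host} must use a port between {MIN_PORT} and {MAX_PORT}")
    return problems


def check_environment(java_version_output=None, properties_path=HAWK_PROPERTIES):
    """Java level (when a version string is given) and the hawk.properties file."""
    problems = []
    if java_version_output is not None:
        major = java_major(java_version_output)
        if major is None or major < MIN_JAVA:
            problems.append(f"Java {MIN_JAVA}+ JDK required, found: {java_version_output.strip()}")
    if not os.path.isfile(properties_path):
        problems.append(f"{properties_path} not found; run `hawk init` first")
    return problems


if __name__ == "__main__":
    import subprocess
    try:  # `java -version` reports on stderr
        java_out = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        java_out = "java not on PATH"
    try:
        with open("stackhawk.yml") as fh:
            config_text = fh.read()
    except FileNotFoundError:
        config_text = SAMPLE_CONFIG
    for problem in check_config(config_text) + check_environment(java_out):
        print("FAIL:", problem)
```

Run it from the directory that holds stackhawk.yml; on macOS or Windows, where the installers bundle Java, pass java_version_output=None to skip the JDK check.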
When the scan completes, the results land in your terminal, ordered with High-risk findings first, and also appear in the StackHawk platform.
Step 6: Let Claude fix the findings and verify
Once the findings are on the board, Claude should prompt you about next steps.
If it doesn’t automatically ask about next steps, one more prompt can kick off remediation:
Fix all of these security findings
Claude reads your code, understands the vulnerability context, and makes idiomatic fixes: parameterized queries for SQLi, output encoding for XSS, security headers for missing protections. After fixing, it rescans to verify every issue is resolved, and the job isn’t finished until the findings stop reproducing.
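The three fix patterns named above, each shown as the vulnerable form beside its hardened form, as an added example (not code from the guide or from StackHawk). The in-memory sqlite table, the greeting page and the header dictionaries are constructed stand-ins for whatever framework the scanned app uses; the set of headers in REQUIRED_HEADERS is this example's choice, and Strict-Transport-Security only takes effect once the app is served over HTTPS.

```python
"""SQLi, XSS and missing-header fixes: before and after each remediation.

Added example, not code from the guide or from StackHawk. Sample data is
constructed inline so the module runs offline.
"""
import html
import sqlite3


def make_db():
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- SQL injection: string-built query vs parameterized query ---------------

def find_user_vulnerable(conn, name):
    """Before: the untrusted value is pasted into the SQL text, so a crafted
    value changes the statement's structure instead of just its data."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, name):
    """After: the driver sends the value separately from the statement, so it
    can only ever be compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Reflected XSS: raw interpolation vs output encoding --------------------

def greeting_vulnerable(display_name):
    """Before: user-controlled text lands in the HTML unencoded."""
    return f"<p>Hello, {display_name}!</p>"


def greeting_fixed(display_name):
    """After: html.escape turns <, >, &, and quotes into entities, so the
    browser renders the text rather than interpreting it as markup."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


# --- Missing security headers: bare response vs hardened response -----------

# Example set of protective headers (this example's choice, not a standard list).
REQUIRED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    # Only honoured by browsers over HTTPS; harmless on a local http:// host.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def respond_vulnerable(body):
    """Before: the response carries only a content type."""
    return {"Content-Type": "text/html; charset=utf-8"}, body


def respond_fixed(body):
    """After: the same response with the protective headers added."""
    return {"Content-Type": "text/html; charset=utf-8", **REQUIRED_HEADERS}, body


def missing_headers(headers):
    """Names of expected headers the response lacks; empty means none."""
    return sorted(name for name in REQUIRED_HEADERS if name not in headers)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input of the kind a scanner sends
    print("vulnerable query returns:", find_user_vulnerable(conn, probe))
    print("fixed query returns:     ", find_user_fixed(conn, probe))
    print(greeting_fixed("<b>guest</b>"))
    print("missing before fix:", missing_headers(respond_vulnerable("")[0]))
    print("missing after fix: ", missing_headers(respond_fixed("")[0]))
```

The verification rescan described next is what confirms these changes took effect in the running app; the functions here only show what the source-level change looks like.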
The verification rescan is the part to watch since it confirms that the running app actually changed, not just the source.
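The parse-and-verify half of the five-step loop, as an added example that is not StackHawk's parser: it reads two sets of findings carrying the four fields the guide mentions (vulnerability type, severity, path, method), orders them High-risk first, and reports what the rescan resolved, what still reproduces, and what is new. The finding records and the SEVERITY_ORDER table are constructed for illustration; HawkScan's real JSON has its own schema, so finding_key is the place to adapt.

```python
"""Compare a scan's findings with the verification rescan.

Added example, not StackHawk's parser or output format. The two JSON
documents are constructed samples shaped like the four fields the guide
names, not real HawkScan output.
"""
import json

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample: findings from the first scan.
SCAN_BEFORE = json.dumps([
    {"type": "SQL Injection", "severity": "High", "path": "/api/users", "method": "GET"},
    {"type": "Cross Site Scripting (Reflected)", "severity": "High", "path": "/greet", "method": "GET"},
    {"type": "X-Content-Type-Options Header Missing", "severity": "Low", "path": "/", "method": "GET"},
    {"type": "Content Security Policy (CSP) Header Not Set", "severity": "Medium", "path": "/", "method": "GET"},
])

# Constructed sample: rescan after the fixes. The XSS still reproduces and one
# new Low finding appeared, so this rescan must not be treated as verified.
SCAN_AFTER = json.dumps([
    {"type": "Cross Site Scripting (Reflected)", "severity": "High", "path": "/greet", "method": "GET"},
    {"type": "Server Leaks Version Information", "severity": "Low", "path": "/", "method": "GET"},
])


def load_findings(text):
    """Parse a findings document (a JSON list of records)."""
    return json.loads(text)


def finding_key(finding):
    """Identity of a finding across scans: the same weakness at the same endpoint."""
    return (finding["type"], finding["path"], finding["method"].upper())


def by_risk(findings):
    """High-risk findings first, then by path and type for stable output."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99),
                                           f["path"], f["type"]))


def compare_scans(before_text, after_text):
    """Bucket findings into resolved, persisting and new, each ordered by risk."""
    before = {finding_key(f): f for f in load_findings(before_text)}
    after = {finding_key(f): f for f in load_findings(after_text)}
    return {
        "resolved": by_risk([before[k] for k in before.keys() - after.keys()]),
        "persisting": by_risk([after[k] for k in before.keys() & after.keys()]),
        "new": by_risk([after[k] for k in after.keys() - before.keys()]),
    }


def verified(report):
    """The loop is done only when nothing from the first scan still reproduces
    and the rescan surfaced nothing new."""
    return not report["persisting"] and not report["new"]


if __name__ == "__main__":
    report = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    for bucket in ("resolved", "persisting", "new"):
        print(f"{bucket}:")
        for f in report[bucket]:
            print(f"  [{f['severity']}] {f['method']} {f['path']} - {f['type']}")
    print("verified:", verified(report))
```

A persisting finding after a rescan usually means the source changed but the running process did not (not rebuilt, not restarted, or a different port), which is exactly the case the rescan exists to catch.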
Reviewing and Triaging Findings in the StackHawk Platform
One of the best parts of using StackHawk skills with a coding agent is that the skill can automatically review and triage findings. The agent then decides whether something should be fixed and adds a note. All of this happens without any intervention.
If you still want to review scans and triage manually, that’s also possible in the StackHawk console in the browser.
In the console, unprocessed findings are marked New, and the Finding Details page provides each one with three triage paths: Assigned, Risk Accepted, or False Positive. Whichever you pick, the platform asks for a comment, which is how a triage decision survives team turnover.
When a finding looks questionable, the Validate action generates a ready-to-run curl command that reproduces the attack, including the correct verb, headers, and data. Fire it at your local app and trace exactly what the scanner saw.
You don’t have to leave the terminal for any of this, either. Ask Claude, “Show me findings for payment-api,” and the StackHawk API skill pulls the report for you. The API skill talks to the platform through the hawkop CLI, which is why everything can be done directly from the IDE or terminal.
Wrap-Up
Agents need help shipping secure code. Install the skills, and Claude Code security scanning becomes part of how features get finished, not a separate review you schedule later. Start scanning with a free StackHawk trial and put the loop to work on your own app. The Agentic StackHawk Setup Guide covers the full end-to-end setup whenever you want the docs-native reference.