StackHawk Scanner Configuration
StackHawk Scanner configuration files
| Type | object |
|---|---|
| File match | stackhawk.yml, stackhawk.yaml, stackhawk-*.yml, stackhawk-*.yaml |
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/stackhawk-scanner-configuration/latest.json |
| Source | https://download.stackhawk.com/hawk/jsonschema/hawkconfig.json |
Validate with Lintel: npx @lintel/lintel check
JSON schema for StackHawk HawkScan configuration files.
Properties
Define key settings for the application to be scanned, including properties like the application's host URL, authentication methods, API type, and custom paths. This section includes essential parameters, such as:
- applicationId: Required. The unique identifier for the application in the StackHawk platform.
- env: Required. The environment name used to organize scan results (e.g., "Production" or "Staging").
- host: Required. The base URL of the application to scan, e.g., http://localhost:8000. The scan will not proceed if the URL is unreachable.

Additionally, specify other optional details such as session tokens, CSRF parameters, API-specific configurations (e.g., GraphQL, OpenAPI, SOAP, gRPC), and any paths to exclude or include in the scan.
19 nested properties
Required. The base URL of the application to scan, e.g., http://localhost:8000. If the URL cannot be reached, the scan will not proceed.
Required. Your StackHawk application UUID. Create an application in the StackHawk platform to obtain this identifier.
Required. The env environment name to organize Scan Results.
The names of any session tokens used by your application, provided as an array of strings (Hint: these are the names of session cookies used by your application).
The name of your CSRF security parameter used in any application form inputs. Globally set, HawkScan will parse this parameter value from form responses to use in subsequent requests.
Configuration block for application authentication to enable scanning as the provided user of your application. If provided, HawkScan will first attempt to sign into your web application with the provided login credentials. Only after successfully verifying will scanning occur. For more information, see the Authenticated Scanning section.
14 nested properties
A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.
An example configuration of app.authentication.testPath:

```yaml
app:
  authentication:
    testPath:
      type: HEADER
      path: /user/profile
      success: ".*200.*"
      requestMethod: POST
      requestBody: '{"feeling": "KaaKaww!"}'
      requestHeaders:
        Content-Type: "application/json"
```

This uses either success or fail criteria to determine if authorized access is working correctly.
8 nested properties
Required. The path to a protected route in your application that requires authorization. For example /mysettings. A GET request will be made to this path using the configured authentication.
An enum value representing what to match against in the response from issuing a request to the testPath.path. The supported values are HEADER and BODY.
A regex that will match against the response header or body, specified by type, of the GET request to the path.
A match of the regex supplied will indicate that scanning should proceed with the specified authentication.
HawkScan requires that either success OR fail be configured (do not configure both).
A regex that will match against the response header or body, specified by type, of the GET request to the path.
A match of the regex supplied will indicate that scanning should halt and enter an error state.
HawkScan requires that either success OR fail be configured (do not configure both).
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
The request content to send along with POST or PUT requests for authentication verification.
The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.
Optional configuration specifying a username and password based authentication configuration.
Currently, POSTing the credentials via the FORM or JSON type is supported. Use in conjunction with cookieAuthorization or tokenAuthorization to maintain authorized access to your application.
11 nested properties
Required. Login route to POST credentials for a user in the application (ex. /login). An HTTP POST request using the type specified will be made to this path.
Required. The username HTML field used in your application form or JSON, provided as a string.
Required. The password HTML field used in your application form or JSON, provided as a string.
Required*. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).
Required*. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).
The path to your login form, if applicable. This is an optional path but is often required if the POST to the loginPath requires an anti-CSRF token to be passed as part of the POST. The app.antiCsrfParam will be extracted from the response body of a GET request to this page.
An enum value describing the type of POST data expected by the loginPath.
Other request parameters required by your login payload, provided as an array of objects with name and value string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.
Realm for NTLM authentication.
The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.
The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.
Optional configuration block for specifying an externally supplied authorization token. HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the Authenticated Scanning section.
2 nested properties
Specifies the type of token being supplied. If COOKIE is specified the .external.value should be in the form of a cookie value TOKEN.
The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned type.
Configuration for a custom authentication script.
HawkScan will run the provided authentication script until a request matches the loggedInIndicator, or if the loggedOutIndicator is tripped on a request.
The authentication script name should also be included in the hawkAddOn.scripts.name.
3 nested properties
The name of the authentication script, as specified in the hawkAddOn.scripts.name.
Optional configuration block allowing HawkScan to run a specified command line process. HawkScan will attempt to access a protected path in your web application with the supplied headers or cookies before scanning. For more information, see the Authenticated Scanning section.
3 nested properties
The command to start the process, e.g. bash, python.
Parameters required to run the script, e.g. -c, --verbose.
Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.
Optional configuration block allowing HawkScan to authorize requests with a 3rd party OAuth 2.0 auth provider.
Token extraction is optional unless you're using the tokenAuthorization in combination with usernamePassword authentication. This configuration specifies how to extract the authorization token from the authentication response.
2 nested properties
Required*. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token.
Example: if the authentication response JSON payload looks like {"auth" : {"token": "<my-auth-token>"}} the value would be auth.token. If the authentication response has a header named AuthToken: <my-token>, then the value should be AuthToken.
Specifying TOKEN_PATH tells HawkScan to extract the token from the JSON payload of the response from authentication. HEADER tells HawkScan to extract the token from a header in the response from authentication. Defaults to TOKEN_PATH.
An optional configuration specifying if authorization is maintained via a cookie session.
1 nested property
A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like jsessionid or PHPSESS. When used in combination with authentication HawkScan will use this value to persist authenticated session state with your application.
An optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access.
5 nested properties
Required. The name of the HEADER or QUERY_PARAM the token should be passed as.
An enum value representing how to pass the authorization token to your application.
HEADER indicates that each request should have the authorization token header added to the requests.
QUERY_PARAM indicates that the token should be passed as a query parameter.
The tokenType will be prepended to the header value, e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx".
If the token is a JWT, mark this field as true.
If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.
Optional configuration block for specifying a custom session management script. To learn more about session scripts, reference the HawkScan Examples repository.
2 nested properties
Required. The name of the session script defined in hawkAddOn.scripts. The script type must be session, and match the hawkAddOn.scripts.name field.
A regex to match against HTTP responses from pages in the web application to determine if the scanned user session is still logged in to the app, provided as a string (ex. ".*signed in as.*"). Required if the authorization token is not a JWT.
A regex to match against HTTP responses from pages in the web application to determine if the scanned user session is logged out of the app, provided as a string. Required if the authorization token is not a JWT.
If set to true, HawkScan will not try to auto-renew a JWT.
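An added example, not taken from the schema page or from StackHawk's own documentation, showing how the authentication blocks described above fit together in one stackhawk.yml: credentials come from environment-variable interpolation rather than the file, the login response token is extracted with tokenExtraction and replayed with tokenAuthorization, and testPath verifies the session before scanning starts. The key names usernameField and passwordField, the application UUID placeholder, the Bearer token type, the excludePaths key and all paths and regexes are assumptions for illustration.

```yaml
app:
  applicationId: 00000000-0000-0000-0000-000000000000   # placeholder; use the UUID from the StackHawk platform
  env: Staging
  host: http://localhost:8000
  antiCsrfParam: _csrf                  # parsed from form responses and echoed in later requests
  authentication:
    # Session state: HawkScan re-authenticates when loggedOutIndicator matches.
    loggedInIndicator: ".*signed in as.*"
    loggedOutIndicator: ".*Sign in.*"
    usernamePassword:
      type: JSON                        # credentials are POSTed as a JSON body
      loginPath: /api/login
      usernameField: username           # assumed key: the "username html field" setting
      passwordField: password           # assumed key: the "password html field" setting
      scanUsername: "${SCAN_USERNAME:scanner}"   # falls back to "scanner" if unset
      scanPassword: "${SCAN_PASSWORD}"  # no default, so the secret never lives in the file
    tokenExtraction:
      type: TOKEN_PATH                  # read from the login JSON response ...
      value: auth.token                 # ... at {"auth": {"token": "..."}}
    tokenAuthorization:
      type: HEADER                      # send the token on every request as a header
      value: Authorization
      tokenType: Bearer                 # yields "Authorization: Bearer <token>"
    testPath:
      type: HEADER
      path: /user/profile               # protected route; a 200 proves the session works
      success: ".*200.*"
  excludePaths:
    - "/static/.*"                      # asset directory with nothing to test
    - "/api/logout"                     # keep the spider from ending its own session
hawk:
  failureThreshold: medium              # fail the scan on medium or high findings
  spider:
    base: true
    ajax: false
    maxDurationMinutes: 10
    seedPaths:
      - /admin                          # not reachable by crawling from the root
```

Because scanPassword has no default, HawkScan picks the value up from the SCAN_PASSWORD environment variable at runtime and, per the redaction policy, scrubs it from logs and stdout.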
Optional extra creds
An array of strings, used as regexes to match against routes that should be ignored entirely by HawkScan. If populated, paths that match any supplied regex will be excluded from the scan. This field is useful for prohibiting asset directories or other resources that don't require vulnerability scanning.
Configure how HawkScan interacts with GraphQL APIs.
One of the following is Required:
- schemaPath: Relative path to the introspection endpoint (based on the host address).
- filePath: Relative path to a GraphQL schema file (SDL format).

The following are Optional:
- operation: Adjust the operation requests generated by the spider (QUERY or MUTATION, defaults to both).
- excludeOperations: Exclude particular GraphQL operations from being scanned.
For full details, see GraphQL Configuration Documentation.
10 nested properties
Path to the GraphQL introspection endpoint, relative to the target URI.
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
Max length of URIs when generating queries for GET requests.
Maximum depth for generated query graphs.
Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint.
GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are All, QUERY and MUTATION.
Path to a local GraphQL schema file (SDL format) to use instead of introspection.
GraphQL operations to exclude from the spider.
Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables.
Define custom variables and values for use in GraphQL scanning.
An array of strings, used as regexes to limit which application routes HawkScan will specifically visit. If populated, paths must match at least one supplied regex to be included as part of the scan. This field is useful for constraining the reach of the HawkScan scanner and spider.
Set to true to enable an optimized policy when scanning specific APIs like GraphQL and OpenAPI. Defaults to True.
Set to true to automatically enable the correct input data types when scanning APIs like GraphQL and OpenAPI. This can increase scan accuracy and reduce false positives. Defaults to True.
Define how HawkScan scans OpenAPI endpoints.
One of the following is Required:
- filePath: Path to a local OpenAPI specification file (JSON or YAML).
- path: URL path to fetch the OpenAPI spec from the scanned host.
For full details such as custom variable injection, see OpenAPI Configuration Documentation.
12 nested properties
A string relative path to an OpenAPI specification file (JSON or YAML) from the scanned host.
Path to a local OpenAPI specification file (JSON or YAML format).
Whether to enable strict parsing of the OpenAPI specification.
Define custom variables and values for use in REST API scanning.
When custom variables are provided, DELETE requests are skipped for injection. Set this to true to override this default and include all methods in variable injection.
List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.
Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables.
Maximum number of aliases for a collection when parsing YAML. Increase this value if you see the "Number of aliases for non-scalar nodes exceeds the specified max=100" error.
Custom variables that the user should not see for tenancy checks.
A list of relative paths to specification files (JSON or YAML), for OpenAPI generation from specs split across multiple OpenAPI files.
Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan.
Set parameters for scanning SOAP APIs.
One of the following is Required:
- path: Relative URL to fetch the SOAP API WSDL from the scanned host.
- filePath: Path to a local SOAP API WSDL specification file.
For full details, see SOAP Configuration Documentation.
2 nested properties
Host path to the SOAP WSDL, prefixed with a /.
Relative path to the SOAP WSDL schema definition file.
Configure HawkScan for gRPC API scanning.
One of the following is Required:
- path: Reflection endpoint for reading the gRPC schema.
- filePath: Relative path to a protobuf descriptor_set file.
For full details such as custom variable injection, see gRPC Configuration Documentation.
5 nested properties
Host path for the gRPC reflection endpoint.
Path to a local gRPC protobuf descriptor_set file.
Define custom variables and values for use in gRPC scanning.
Maximum depth for resolving nested protobuf messages.
A list of paths to gRPC protobuf descriptor_set files.
Fine-grained configuration of HawkScan input vectors. This configuration controls how and where testable inputs are applied to HTTP requests.
2 nested properties
6 nested properties
Allow injection of testable inputs into URL query parameter values.
Allow injection of testable inputs into URL query parameter names.
Allow injection of testable inputs into request body inputs on POST requests.
Allow injection of testable inputs into URL paths.
Allow injection of testable inputs into HTTP headers.
Allow injection of testable inputs into cookie data.
6 nested properties
Support for multipart/form-data request bodies.
Support for XML request bodies.
Support for JSON request bodies.
Support for GWT request bodies. Deprecated.
Support for OData request bodies. Deprecated.
Support for direct web remoting request bodies. Deprecated.
Configuration specifying how to determine if the web application is up, responsive and ready for scanning.
6 nested properties
The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning.
The maximum amount of time in milliseconds between requests to your application to check whether it is running.
The path to a publicly reachable route in your application. For example /index. A GET request will be made to this path to confirm the host is up and ready to receive traffic.
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
The request content to send along with POST or PUT requests for target verification.
Redaction policy of scan logs and stdout when scanning this application.
HawkScan maintains a list of redacted tokens: strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts app.authentication credentials and any provided script / discovery credentials.
2 nested properties
List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.
List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.
Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. Note: Applies to scan policies created with Organization Policy Management.
3 nested properties
Required. The unique name of the organization scan policy.
Plugin ids to exclude from the named scan policy.
Plugin ids to include in the scan that are not in the named scan policy.
Configure HawkScan for JSON-RPC 2.0 API scanning.
One of the following is Required:
- endpoint: The JSON-RPC endpoint path (e.g., /jsonrpc or /api/rpc).
- path: Host path to a hosted OpenRPC specification (e.g., /openrpc.json).
- filePath: Relative path to a local OpenRPC schema file (JSON format).
For full details such as custom variable injection, see JSON-RPC Configuration Documentation.
10 nested properties
Enable JSON-RPC scan support.
The JSON-RPC endpoint path relative to the target host (e.g., /jsonrpc). Defaults to /.
Path to a local OpenRPC schema file (JSON format) to use instead of network discovery.
Maximum depth for generated nested objects. Defaults to 3.
Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables.
HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).
Regex patterns for JSON-RPC method names to exclude from scanning.
Define custom variables and values for use in JSON-RPC scanning.
MCP (Model Context Protocol) server configuration for JSON-RPC scanning.
3 nested properties
MCP server endpoint path relative to target host. Defaults to /mcp.
MCP tool names to exclude from scanning.
Define custom variables and values for use in MCP tool scanning.
Host path to a hosted OpenRPC specification, relative to the target host (e.g., /openrpc.json).
Define global HawkScan settings, independent of the scanned application:
- spider: Configure application crawling and scan discovery. Enable base and ajax crawlers, set maxDurationMinutes, add seedPaths, use custom commands, or import har files.
- startupTimeoutMinutes: Maximum time to wait for the scanner to start (default: 5).
- failureThreshold: Alert severity level to fail a scan (high, medium, or low).
- scan: Set runtime behavior like max duration, request throttling, and concurrency.
- config: Advanced scanner configuration overrides.
- outboundProxy: Configure an outbound proxy, including host, credentials, and CA certificate.
For more details, see HawkScan Configuration Documentation.
6 nested properties
Configuration block for the application crawling and Discovery Phase aka Spider. See the Scan Discovery page for more details.
10 nested properties
Enable the basic web crawler for discovering your application's routes. This spider is appropriate for most traditional web applications.
Enable the ajax web crawler for discovering your application’s routes. This spider is appropriate for single-page web applications.
Maximum allowed time for enabled spiders to crawl your web application.
The browser type and style to use when running the AjaxSpider. When running the stackhawk/hawkscan docker container, this setting is ignored and will use the default CHROME_HEADLESS. The options are CHROME_HEADLESS and CHROME. FIREFOX_HEADLESS and FIREFOX are deprecated.
List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, /admin. Note: this configuration is NOT a replacement for an API spec and provides no benefit to pure REST API's.
7 nested properties
Provide a command to run as part of the scan discovery phase. This command will be split from its arguments and executed on its own thread, in a context with additional environment variables set to the proxy configuration so HawkScan can intercept its HTTP traffic.
The absolute path working directory these commands are run from.
Command arguments provided as an array of strings. These arguments can be used in addition to or instead of the command. This should be used if the command is sufficiently complex or is exceptionally whitespace sensitive.
Only provide the environment variables and credentials as configured. By default, the environment of the parent process is also included for convenience.
Print the stdout and stderr of the command to the foreground.
Configuration for the Postman Collection.
3 nested properties
API key to authenticate the user with Postman.
Id of the collection to be pulled from Postman.
File path of the Postman collection.
Configuration for using a HAR file as the discovery for a scan.
HAR files often contain requests including URLs from many hosts, but only URLs matching the app.host or replaceHost will be included in the scan.
3 nested properties
The hostname of URLs in the HAR file that will be replaced with the host defined in app.host. Leave blank if the app.host is the same hostname as in the HAR file.
Paths to .har HTTP Archive formatted files, for use with HARImportConfig.
Paths to directories, for use with HARImportConfig.
Disable smart crawling for openApiConf to enable the legacy OpenAPI import process.
2 nested properties
Content types to include in response body uploads. If specified, replaces the default include list. Supports wildcards (e.g., application/*+json, image/*).
Content types to exclude from response body uploads. If specified, adds to the default exclude list. Exclusions take precedence over inclusions. Supports wildcards (e.g., image/*).
Maximum time in minutes to wait for the scanner process to start.
The lowest alert level that returns a failed scan status. Accepted values: high, medium, or low.
Configuration block for HawkScan runtime.
10 nested properties
Maximum duration that a scan will run.
Maximum duration that a scan will spend on a rule.
Delay time between sending requests.
Number of request threads, if you need that little extra push. Defaults to 20.
Pause the active scan when the passive backlog is greater than this value; resumes once the backlog is empty. Defaults to 50.
How often the throttle check is run, in seconds.
The max number of temp records allowed before pruning of temp records begins.
The percentage of throttleTempRecordMax records to delete on each throttleIntervalSeconds.
Name of a specific named scan policy to use. This field is optional, and an applicable scan policy will be selected if omitted.
Specify to only scan with these listed plugins.
Scanner configuration overrides, provided as a list of strings in the form of key=value pairs passed to the scanner.
This is an advanced feature to configure HawkScan plugins and override their default behavior.
Configuration block for a proxy. This enables HawkScan to traffic scanner requests through an outbound network proxy.
3 nested properties
The host of the outbound explicit proxy, including port (e.g. https://localhost:8888).
Credential details for the outbound proxy behavior.
4 nested properties
Required. The username for proxy credentials.
Required. The password for proxy credentials.
Realm for proxy credentials.
Scheme of proxy authentication. Currently BASIC and NTLM are supported.
Path to root CA Certificate for transparent outbound proxies. This can be used without specifying host or credentials.
Extend HawkScan functionality with add-ons and custom scripts:
- replacer: Modify or replace HTTP request headers using rules with properties like matchString, replacement, isRegex, and replaceOnly.
- scripts: Configure custom scripts to customize scan behavior with name, type (e.g., active, authentication), path, language (KOTLIN, JAVASCRIPT), and vars.
For more detail, see HawkScan Configuration Documentation.
2 nested properties
Configuration block for header value replacement. These rules support manipulating request headers, useful for modifying requests to web applications running behind a proxy.
1 nested property
List of regex match and replace rules for request headers.
List of configurations for custom scripts.
Searchable keywords to associate with this scan.
Definitions
The HawkScan configuration. The stackhawk.yml file follows this structure.
A run of HawkScan will use this configuration to inform the scanner how to operate.
The minimum stackhawk.yml required is the following:

```yaml
app:
  applicationId: kkAAAKAW-kAWW-kkAA-WWwW-kAAkkAAAAwWW
  env: Test
  host: http://localhost:1337
```
Define key settings for the application to be scanned, including properties like the application's host URL, authentication methods, API type, and custom paths. This section includes essential parameters, such as:
applicationId: Required. The unique identifier for the application in the StackHawk platform.env: Required. The environment name used to organize scan results (e.g., "Production" or "Staging").host: Required. The base URL of the application to scan, e.g.,http://localhost:8000. The scan will not proceed if the URL is unreachable.
Additionally, specify other optional details such as session tokens, CSRF parameters, API-specific configurations (e.g., GraphQL, OpenAPI, SOAP, gRPC), and any paths to exclude or include in the scan.
19 nested properties
Required. The base url of the application to scan ex: http://localhost:8000. If the url cannot be reached, the scan will not proceed.
Required. Your StackHawk application UUID. Create an application in the StackHawk platform to obtain this identifier.
Required. The env environment name to organize Scan Results.
The names of any session tokens used by your application, provided as an array of strings (Hint: these are the names of session cookies used by your application).
The name of your CSRF security parameter used in any application form inputs. Globally set, HawkScan will parse this parameter value from form responses to use in subsequent requests.
Configuration block for application authentication to enable scanning as the provided user of your application. If provided, HawkScan will first attempt to sign into your web application with the provided login credentials. Only after successfully verifying will scanning occur. For more information, see the Authenticated Scanning section.
14 nested properties
A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.
An example configuration of app.authentication.testPath:
app:
authentication:
testPath:
type: HEADER
path: /user/profile
success: ".*200.*"
requestMethod: POST
requestBody: '{"feeling": "KaaKaww!"}'
requestHeaders:
Content-Type: "application/json"
This uses either success or fail criteria to determine if authorized access is working correctly.
Optional configuration specifying a username and password based authentication configuration.
Currently POSTing the credentials via FORM or JSON type is supported. Use in conjunction cookieAuthorization or tokenAuthorization to maintain authorized access to your application.
Optional configuration block for specifying an externally supplied authorization token, HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the Authenticated Scanning section.
Configuration for a custom authentication script.
HawkScan will run the provided authentication script until a request matches the loggedInIndicator, or if the loggedOutIndicator is tripped on a request.
The authentication script name should also be included in the hawkAddOn.scripts.name
Optional configuration block allowing HawkScan to run a specified command line process. HawkScan will attempt to access a protected path in your web application with the supplied headers or cookies before scanning. For more information, see the Authenticated Scanning section.
Optional configuration block allowing HawkScan to authorize requests with a 3rd party OAuth 2.0 auth provider.
Token extraction is optional unless you're using the tokenAuthorization in combination with usernamePassword authentication. This configuration specifies how to extract the authorization token from the authentication response.
An optional configuration specifying if authorization is maintained via a cookie session.
An optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access.
Optional configuration block for specifying a custom session management script. To learn more about session scripts, reference the HawkScan Examples{:target="_blank"} repository.
A regex to match against http responses from pages in the web application to determine if the scanned pages user session is still logged in to the app, provided as a string (ex. ".*signed in as.*"). Required if authorization token is not a JWT.
A regex to match against http responses from pages in the web application to determine if the scanned pages user session is logged out of the app, provided as a string. Required if authorization token is not a JWT.
If set to true HawkScan will not try to autorenew a JWT.
Optional extra creds
An array of strings, used as regexes to match against routes that should be ignored entirely by HawkScan. If populated, paths that match any supplied regex will be excluded from the scan. This field is useful for prohibiting asset directories or other resources that don't require vulnerability scanning.
Configure how HawkScan interacts with GraphQL APIs.
One of the following is Required:
schemaPath: Relative path to the introspection endpoint (based on the host address).filePath: Relative path to a GraphQL schema file (SDL format).
The following are Optional:
operation: Adjust the operation requests generated by the spider (QUERYorMUTATION, defaults to both).excludeOperations: Exclude particular GraphQL operations from being scanned.
For full details, see GraphQL Configuration Documentation.
10 nested properties
Path to the GraphQL introspection endpoint, relative to the target URI.
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
Max length of URIs when generation queries for GET requests.
Maximum depth for generated query graphs.
Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint.
GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are All, QUERY and MUTATION.
Path to a local GraphQL schema file (SDL format) to use instead of introspection.
GraphQL operations to exclude from the spider.
Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables.
Define custom variables and values for use in GraphQL scanning.
An array of strings, used as regexes to limit which application routes HawkScan will specifically visit. If populated, paths must match at least one supplied regex to be included as part of the scan. This field is useful for constraining the reach of the HawkScan scanner and spider.
Set to true to enable an optimized policy when scanning specific APIs like GraphQL and OpenAPI. Defaults to True.
Set to true to automatically enable the correct input data types when scanning APIs like GraphQL and OpenAPI. This can increase scan accuracy and reduce false positives. Defaults to True.
Define how HawkScan scans OpenAPI endpoints.
One of the following is Required:
filePath: Path to a local OpenAPI specification file (JSON or YAML).
path: URL path to fetch the OpenAPI spec from the scanned host.
For full details such as custom variable injection, see OpenAPI Configuration Documentation.
12 nested properties
A relative URL path, as a string, from which to fetch the OpenAPI specification (JSON or YAML) on the scanned host.
Path to a local OpenAPI specification file (JSON or YAML format).
Whether to enable strict parsing of the OpenAPI specification.
Define custom variables and values for use in REST API scanning.
When custom variables are provided, DELETE requests are skipped for injection. Set this to true to override this default and include all methods in variable injection.
List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.
Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables.
Maximum number of aliases for a collection when parsing YAML. Increase this value if you see the "Number of aliases for non-scalar nodes exceeds the specified max=100" error.
Custom variables that the user should not see for tenancy checks.
A list of relative paths to OpenAPI specification files (JSON or YAML), for APIs whose specification is split across multiple files.
Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan.
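Two stackhawk.yml fragments, added here as an example (not taken from the original page or from StackHawk's own examples), showing how a practitioner scopes API-spec driven scanning so the scanner cannot damage a shared environment: the GraphQL fragment uses schemaPath, operation and excludeOperations (named above) to spider queries only and to keep destructive mutations out of the scan regardless of the operation setting; the OpenAPI fragment uses filePath and includeAllMethods (named above) and keeps the default under which DELETE is skipped for custom-variable injection. The keys enabled, requestMethod and customVariables, and the map shape of customVariables, are assumed names and are marked as such in the comments.

```yaml
# Added example, not from the original page or from StackHawk. Two separate
# stackhawk.yml fragments, split by ---. Keys marked "assumed" are not named on this page.
app:
  applicationId: ${APP_ID}           # application UUID from the StackHawk platform, via env var
  env: Staging
  host: http://localhost:8000
  graphqlConf:
    enabled: true                    # assumed key name
    schemaPath: /graphql             # introspection endpoint, relative to app.host
    requestMethod: POST              # assumed key name; queries as POST bodies rather than GET URIs
    operation: QUERY                 # spider queries only; mutations would alter shared test data
    excludeOperations:               # never generated, even if operation is later widened to All
      - deleteUser
      - resetDatabase
---
app:
  applicationId: ${APP_ID}
  env: Staging
  host: http://localhost:8000
  openApiConf:
    filePath: ./openapi/petstore.yaml    # local spec checked in next to the code
    customVariables:                     # assumed key name and map shape; concrete ids the spec only describes
      petId: 42
      ownerId: ${SCAN_OWNER_ID:1001}     # env override with a fallback, as this page recommends
    includeAllMethods: false             # default: DELETE is skipped during variable injection
```

Keep the GraphQL exclusion list even when operation is QUERY: the two settings are independent, and a later edit that widens operation to All should not silently re-enable the destructive mutations.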
Set parameters for scanning SOAP APIs.
One of the following is Required:
path: Relative URL to fetch the SOAP API WSDL from the scanned host.
filePath: Path to a local SOAP API WSDL specification file.
For full details, see SOAP Configuration Documentation.
2 nested properties
Host path to the SOAP WSDL, prefixed with a /.
Relative path to the SOAP WSDL schema definition file.
Configure HawkScan for gRPC API scanning.
One of the following is Required:
path: Reflection endpoint for reading the gRPC schema.
filePath: Relative path to a protobuf descriptor_set file.
For full details such as custom variable injection, see gRPC Configuration Documentation.
5 nested properties
Host path for the gRPC reflection endpoint.
Path to a local gRPC protobuf descriptor_set file.
Define custom variables and values for use in gRPC scanning.
Maximum depth for resolving nested protobuf messages.
A list of paths to gRPC protobuf descriptor_set files.
Fine-grained configuration of HawkScan input vectors. This configuration is how and where testable inputs are applied on http requests.
Configuration specifying how to determine if the web application is up, responsive and ready for scanning.
6 nested properties
The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning
The maximum amount of time in milliseconds in between requests to your application to see if it's running
The path to a public reachable route in your application. For example /index. A GET request will be made to this path to confirm the host is up and ready to receive traffic.
HTTP request method used for the readiness check (a GET by default; POST or PUT when a request body is configured).
The request content to send along with POST or PUT requests for target verification.
Redaction policy of scan logs and stdout when scanning this application.
HawkScan maintains a list of redacted tokens; strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts app.authentication credentials, and any provided script / discovery credentials.
2 nested properties
List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.
List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.
Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. Note: Applies to scan policies created with Organization Policy Management.
3 nested properties
Required. The unique name of the organization scan policy.
Plugin ids to exclude from the named scan policy.
Plugin ids to include in the scan that are not in the named scan policy.
Configure HawkScan for JSON-RPC 2.0 API scanning.
One of the following is Required:
endpoint: The JSON-RPC endpoint path (e.g., /jsonrpc or /api/rpc).
path: Host path to a hosted OpenRPC specification (e.g., /openrpc.json).
filePath: Relative path to a local OpenRPC schema file (JSON format).
For full details such as custom variable injection, see JSON-RPC Configuration Documentation.
10 nested properties
Enable JSON-RPC scan support.
The JSON-RPC endpoint path relative to the target host (e.g., /jsonrpc). Defaults to /.
Path to a local OpenRPC schema file (JSON format) to use instead of network discovery.
Maximum depth for generated nested objects. Defaults to 3.
Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables.
HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).
Regex patterns for JSON-RPC method names to exclude from scanning.
Define custom variables and values for use in JSON-RPC scanning.
MCP (Model Context Protocol) server configuration for JSON-RPC scanning.
Host path to a hosted OpenRPC specification, relative to the target host (e.g., /openrpc.json).
Define global HawkScan settings, independent of the scanned application:
spider: Configure application crawling and scan discovery. Enable base and ajax crawlers, set maxDurationMinutes, add seedPaths, use custom commands, or import har files.
startupTimeoutMinutes: Maximum time to wait for the scanner to start (default: 5).
failureThreshold: Alert severity level to fail a scan (high, medium, or low).
scan: Set runtime behavior like max duration, request throttling, and concurrency.
config: Advanced scanner configuration overrides.
outboundProxy: Configure an outbound proxy, including host, credentials, and CA certificate.
For more details, see HawkScan Configuration Documentation.
6 nested properties
Configuration block for the application crawling and Discovery Phase aka Spider. See the Scan Discovery page for more details.
10 nested properties
Enable the basic web crawler for discovering your application's routes. This spider is appropriate for most traditional web applications.
Enable the ajax web crawler for discovering your application’s routes. This spider is appropriate for single-page web applications.
Maximum allowed time for enabled spiders to crawl your web application.
The browser type and style to use when running the AjaxSpider. When running the stackhawk/hawkscan docker container, this setting is ignored and will use the default CHROME_HEADLESS. The options are CHROME_HEADLESS and CHROME. FIREFOX_HEADLESS and FIREFOX are deprecated.
List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, /admin. Note: this configuration is NOT a replacement for an API spec and provides no benefit to pure REST APIs.
Configuration for the Postman Collection.
Configuration for using a HAR file as the discovery for a scan. HAR files often contain requests to URLs on many hosts, but only URLs matching app.host or replaceHost will be included in the scan.
Disable smart crawling for openApiConf to enable legacy openapi import process.
Maximum time in minutes to wait for the scanner process to start.
The lowest alert level that returns a failed scan status. Accepted values: high, medium, or low.
Configuration block for HawkScan runtime.
10 nested properties
Maximum duration that a scan will run.
Maximum duration that a scan will spend on a rule.
Delay time between sending requests.
Number of request threads. Defaults to 20.
Pause the active scan when the passive backlog is greater than this value; it resumes once the backlog is empty. Defaults to 50.
How often the throttle check is run, in seconds.
The max number of temp records allowed before pruning of temp records begins.
The percentage of throttleTempRecordMax records to delete on each throttleIntervalSeconds.
Name of a specific named scan policy to use. This field is optional, and an applicable scan policy will be selected if omitted.
Specify to only scan with these listed plugins.
Scanner configuration overrides, provided as a list of strings in the form key=value and passed to the scanner. This is an advanced feature to configure HawkScan plugins and override their default behavior.
Configuration block for a proxy. This enables HawkScan to route scanner requests through an outbound network proxy.
3 nested properties
The host of the outbound explicit proxy, including port (e.g. https://localhost:8888).
Credential details for the outbound proxy behavior.
Path to root CA Certificate for transparent outbound proxies. This can be used without specifying host or credentials.
Extend HawkScan functionality with add-ons and custom scripts:
replacer: Modify or replace HTTP request headers using rules with properties like matchString, replacement, isRegex, and replaceOnly.
scripts: Configure custom scripts to customize scan behavior with name, type (e.g., active, authentication), path, language (KOTLIN, JAVASCRIPT), and vars.
For more detail, see HawkScan Configuration Documentation.
2 nested properties
Configuration block for header value replacement. These rules support manipulating request headers, useful for modifying requests to web applications running behind a proxy.
1 nested properties
List of regex match and replace rules for request headers.
List of configurations for custom scripts.
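A hawk and hawkAddOn block, added here as an example (not from the original page or from StackHawk), using the settings named above: failureThreshold as a CI gate, a base-only spider with seedPaths for routes not reachable from the root, an outboundProxy so scanner traffic can be reviewed in an intercepting proxy, and a replacer rule that tags every request so the application's WAF and the SOC can attribute and allow-list the scan instead of treating it as an attack. The credential keys username, password and scheme under outboundProxy.credentials are assumed names.

```yaml
# Added example, not from the original page or from StackHawk. Keys marked
# "assumed" are not named on this page.
hawk:
  startupTimeoutMinutes: 5
  failureThreshold: high          # fail the CI job on high-severity alerts only
  spider:
    base: true                    # classic crawler for server-rendered pages
    ajax: false                   # enable only for single-page apps; the browser spider is slower
    maxDurationMinutes: 10
    seedPaths:                    # starting points the crawler cannot reach from "/"
      - /admin
      - /account/settings
  outboundProxy:
    host: http://localhost:8080   # e.g. an intercepting proxy, to review exactly what the scanner sends
    credentials:
      username: ${PROXY_USER}     # assumed key names; credentials come from the environment, never literals
      password: ${PROXY_PASS}
      scheme: BASIC               # assumed key name; BASIC or NTLM per this page
hawkAddOn:
  replacer:
    rules:
      # Header match-and-replace on every scanner request: identify the scan and the
      # build that ran it, so the traffic can be attributed in logs and allow-listed.
      - matchString: User-Agent                                      # header name to match
        replacement: "HawkScan security scan (build ${BUILD_ID:local})"
        isRegex: false
```

Keep the outboundProxy block out of the committed file and supply it only when debugging a scan; routing every scanner request through an interception proxy makes the proxy host a second place where session cookies and tokens land.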
Searchable keywords to associate with this scan.
Configuration block for the application crawling and Discovery Phase aka Spider. See the Scan Discovery page for more details.
10 nested properties
Enable the basic web crawler for discovering your application's routes. This spider is appropriate for most traditional web applications.
Enable the ajax web crawler for discovering your application's routes. This spider is appropriate for single-page web applications.
Maximum allowed time for enabled spiders to crawl your web application.
The browser type and style to use when running the AjaxSpider. When running the stackhawk/hawkscan docker container, this setting is ignored and will use the default CHROME_HEADLESS. The options are CHROME_HEADLESS and CHROME. FIREFOX_HEADLESS and FIREFOX are deprecated.
List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, /admin. Note: this configuration is NOT a replacement for an API spec and provides no benefit to pure REST APIs.
Configuration block for custom commands run during the Discovery Phase.
7 nested properties
Provide a command to run as part of the scan discovery phase. The command will be split from its arguments and executed on its own thread, in a context with additional environment variables set to the proxy configuration so that HawkScan can intercept its HTTP traffic.
The absolute path of the working directory these commands are run from.
Command arguments provided as an array of strings. These arguments can be used in addition to, or instead of, the command. Use this if the command is sufficiently complex or is exceptionally whitespace-sensitive.
Only provide the environment variables and credentials as configured. By default, the environment of the parent process is also included for convenience.
Print the stdout and stderr of the command to the foreground.
Configuration for the Postman Collection.
3 nested properties
API key to authenticate the user with Postman.
Id of the collection to be pulled from Postman.
File path of the Postman collection.
Configuration for using a HAR file as the discovery for a scan. HAR files often contain requests to URLs on many hosts, but only URLs matching app.host or replaceHost will be included in the scan.
3 nested properties
The hostname of URLs in the HAR file that will be replaced with the host defined in app.host. Leave blank if app.host is the same hostname as in the HAR file.
Paths to .har HTTP Archive formatted files, for use with HARImportConfig.
1 nested properties
Paths to HAR files to import. Files will be loaded in the order provided.
Paths to directories, for use with HARImportConfig.
1 nested properties
Path to a directory containing .har files. Only files with the .har extension will be loaded, in alphanumeric order.
Disable smart crawling for openApiConf to enable the legacy OpenAPI import process.
2 nested properties
Content types to include in response body uploads. If specified, replaces the default include list. Supports wildcards (e.g., application/*+json, image/*).
Content types to exclude from response body uploads. If specified, adds to the default exclude list. Exclusions take precedence over inclusions. Supports wildcards (e.g., image/*).
Maximum time in minutes to wait for the scanner process to start.
The lowest alert level that returns a failed scan status. Accepted values: high, medium, or low.
Configuration block for HawkScan runtime.
10 nested properties
Maximum duration that a scan will run.
Maximum duration that a scan will spend on a rule.
Delay time between sending requests.
Number of request threads. Defaults to 20.
Pause the active scan when the passive backlog is greater than this value; it resumes once the backlog is empty. Defaults to 50.
How often the throttle check is run, in seconds.
The max number of temp records allowed before pruning of temp records begins.
The percentage of throttleTempRecordMax records to delete on each throttleIntervalSeconds.
Name of a specific named scan policy to use. This field is optional; an applicable scan policy will be selected if omitted.
Specify to only scan with these listed plugins.
Scanner configuration overrides, provided as a list of strings in the form key=value and passed to the scanner. This is an advanced feature to configure HawkScan plugins and override their default behavior.
Configuration block for a proxy. This enables HawkScan to route scanner requests through an outbound network proxy.
3 nested properties
The host of the outbound explicit proxy, including port (e.g. https://localhost:8888).
Credential details for the outbound proxy.
4 nested properties
Required. The username for proxy credentials.
Required. The password for proxy credentials.
Realm for proxy credentials.
Scheme of proxy authentication. Currently BASIC and NTLM are supported.
Path to root CA Certificate for transparent outbound proxies. This can be used without specifying host or credentials.
Configuration block for application authentication to enable scanning as the provided user of your application. If provided, HawkScan will first attempt to sign into your web application with the provided login credentials. Only after successfully verifying will scanning occur. For more information, see the Authenticated Scanning section.
14 nested properties
A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.
An example configuration of app.authentication.testPath:

```yaml
app:
  authentication:
    testPath:
      type: HEADER
      path: /user/profile
      success: ".*200.*"
      requestMethod: POST
      requestBody: '{"feeling": "KaaKaww!"}'
      requestHeaders:
        Content-Type: "application/json"
```
This uses either success or fail criteria to determine if authorized access is working correctly.
8 nested properties
Required. The path to a protected route in your application that requires authorization. For example /mysettings. A GET request will be made to this path using the configured authentication.
An enum value representing what to match against in the response from issuing a request to the testPath.path. The supported values are HEADER and BODY.
A regex that will match against the response header or body, specified by type, of the GET request to the path.
A match of the regex supplied will indicate that scanning should proceed with the specified authentication.
HawkScan requires that either success OR fail be configured (do not configure both).
A regex that will match against the response header or body, specified by type, of the GET request to the path.
A match of the regex supplied will indicate that scanning should halt and enter an error state.
HawkScan requires that either success OR fail be configured (do not configure both).
HTTP request method used for the testPath request (a GET by default; POST or PUT when a requestBody is configured).
The request content to send along with POST or PUT requests for authentication verification.
The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.
Optional configuration specifying a username and password based authentication configuration.
Currently POSTing the credentials via FORM or JSON type is supported. Use in conjunction with cookieAuthorization or tokenAuthorization to maintain authorized access to your application.
11 nested properties
Required. The login route to POST credentials for a user in the application (ex. /login). An HTTP POST request using the type specified will be made to this path.
Required. The username html field used in your application form or JSON, provided as a string.
Required. The password html field used in your application form or JSON, provided as a string.
Required*. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).
Required*. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).
The path to your login form, if applicable. This is an optional path but is often required if the POST to the loginPath requires an anti csrf token to be passed as part of the POST. The app.antiCsrfParam will be extracted from the response body of a GET request to this page.
An enum value describing the type of POST data expected by the loginPath (FORM or JSON).
Other request parameters required by your login payload, provided as an array of objects with name and value string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.
Realm for NTLM authentication
The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.
The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.
Optional configuration block for specifying an externally supplied authorization token, HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the Authenticated Scanning section.
2 nested properties
Specifies the type of token being supplied. If COOKIE is specified the .external.value should be in the form of a cookie value TOKEN.
The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned type.
Configuration for a custom authentication script.
HawkScan will run the provided authentication script until a request matches the loggedInIndicator, or if the loggedOutIndicator is tripped on a request.
The authentication script name should also be included in the hawkAddOn.scripts.name
3 nested properties
The name of the authentication script, as specified in the hawkAddOn.scripts.name.
Optional configuration block allowing HawkScan to run a specified command line process. HawkScan will attempt to access a protected path in your web application with the supplied headers or cookies before scanning. For more information, see the Authenticated Scanning section.
3 nested properties
The command to start the process e.g. bash, python
Parameters required to run the script e.g. -c, --verbose
Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.
Optional configuration block allowing HawkScan to authorize requests with a 3rd party OAuth 2.0 auth provider.
Token extraction is optional unless you're using the tokenAuthorization in combination with usernamePassword authentication. This configuration specifies how to extract the authorization token from the authentication response.
2 nested properties
Required*. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token.
Example: if the authentication response JSON payload looks like {"auth" : {"token": "<my-auth-token>"}} the value would be auth.token. If the authentication response has a header named AuthToken: <my-token>, then the value should be AuthToken.
Specifying TOKEN_PATH tells HawkScan to extract the token from the JSON payload of the authentication response. HEADER tells HawkScan to extract the token from a header of the authentication response. Defaults to TOKEN_PATH.
An optional configuration specifying if authorization is maintained via a cookie session.
1 nested property
A list of strings naming the cookies used to maintain a session. Typically this is a single value such as jsessionid or PHPSESS. When used in combination with authentication, HawkScan uses these cookies to persist authenticated session state with your application.
An optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access.
5 nested properties
Required. The name of the HEADER or QUERY_PARAM the token should be passed as.
An enum value representing how to pass the authorization token to your application.
HEADER indicates that the authorization token should be added to each request as a header.
QUERY_PARAM indicates that the token should be passed as a query parameter.
tokenType will be prepended to the header value, e.g. tokenType: TOKEN -> "TOKEN xxxxxxxxx".
If the token is a JWT, mark this field as true.
If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.
Optional configuration block for specifying a custom session management script. To learn more about session scripts, reference the HawkScan Examples repository.
2 nested properties
Required. The name of the session script defined in hawkAddons.scripts. The script type must be session, and the name must match the hawkAddOn.scripts.name field.
A regex to match against HTTP responses from pages in the web application to determine whether the scanned page's user session is still logged in to the app, provided as a string (ex. ".*signed in as.*"). Required if the authorization token is not a JWT.
A regex to match against HTTP responses from pages in the web application to determine whether the scanned page's user session is logged out of the app, provided as a string. Required if the authorization token is not a JWT.
If set to true, HawkScan will not try to auto-renew a JWT.
Optional extra creds
An array of strings, used as regexes to match against routes that should be ignored entirely by HawkScan. If populated, paths that match any supplied regex will be excluded from the scan. This field is useful for prohibiting asset directories or other resources that don't require vulnerability scanning.
Configure how HawkScan interacts with GraphQL APIs.
One of the following is Required:
- schemaPath: Relative path to the introspection endpoint (based on the host address).
- filePath: Relative path to a GraphQL schema file (SDL format).
The following are Optional:
- operation: Adjust the operation requests generated by the spider (QUERY or MUTATION, defaults to both).
- excludeOperations: Exclude particular GraphQL operations from being scanned.
For full details, see GraphQL Configuration Documentation.
10 nested properties
Path to the GraphQL introspection endpoint, relative to the target URI.
Request method to use for queries. GraphQL queries will be generated as either POST payloads or GET URI strings.
Max length of URIs when generating queries for GET requests.
Maximum depth for generated query graphs.
Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint.
GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are All, QUERY and MUTATION.
Path to a local GraphQL schema file (SDL format) to use instead of introspection.
GraphQL operations to exclude from the spider.
Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables.
Define custom variables and values for use in GraphQL scanning.
An array of strings, used as regexes to limit which application routes HawkScan will specifically visit. If populated, paths must match at least one supplied regex to be included as part of the scan. This field is useful for constraining the reach of the HawkScan scanner and spider.
Set to true to enable an optimized policy when scanning specific APIs like GraphQL and OpenAPI. Defaults to True.
Set to true to automatically enable the correct input data types when scanning APIs like GraphQL and OpenAPI. This can increase scan accuracy and reduce false positives. Defaults to True.
Define how HawkScan scans OpenAPI endpoints.
One of the following is Required:
- filePath: Path to a local OpenAPI specification file (JSON or YAML).
- path: URL path to fetch the OpenAPI spec from the scanned host.
For full details such as custom variable injection, see OpenAPI Configuration Documentation.
12 nested properties
A string relative path to an OpenAPI specification file (JSON or YAML) from the scanned host.
Path to a local OpenAPI specification file (JSON or YAML format).
Whether to enable strict parsing of the OpenAPI specification.
Define custom variables and values for use in REST API scanning.
When custom variables are provided, DELETE requests are skipped for injection. Set this to true to override that default and include all methods in variable injection.
List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.
Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables.
Maximum number of aliases for a collection when parsing YAML. Increase this value if you see the "Number of aliases for non-scalar nodes exceeds the specified max=100" error.
Custom variables that the user should not see for tenancy checks.
A list of relative paths to specification files (JSON or YAML), used to build the OpenAPI definition for specs split across multiple OpenAPI files.
Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan.
Set parameters for scanning SOAP APIs.
One of the following is Required:
- path: Relative URL to fetch the SOAP API WSDL from the scanned host.
- filePath: Path to a local SOAP API WSDL specification file.
For full details, see SOAP Configuration Documentation.
2 nested properties
Host path to the SOAP WSDL, prefixed with a /.
Relative path to the SOAP WSDL schema definition file.
Configure HawkScan for gRPC API scanning.
One of the following is Required:
- path: Reflection endpoint for reading the gRPC schema.
- filePath: Relative path to a protobuf descriptor_set file.
For full details such as custom variable injection, see gRPC Configuration Documentation.
5 nested properties
Host path for the gRPC reflection endpoint.
Path to a local gRPC protobuf descriptor_set file.
Define custom variables and values for use in gRPC scanning.
Maximum depth for resolving nested protobuf messages.
A list of paths to gRPC protobuf descriptor_set files.
Fine-grained configuration of HawkScan input vectors. This configuration controls how and where testable inputs are applied to HTTP requests.
2 nested properties
6 nested properties
Allow injection of testable inputs into URL query parameter values.
Allow injection of testable inputs into URL query parameter names.
Allow injection of testable inputs into request body inputs on POST requests.
Allow injection of testable inputs into URL paths.
Allow injection of testable inputs into HTTP headers.
Allow injection of testable inputs into cookie data.
6 nested properties
Support for multipart/form-data request bodies.
Support for XML request bodies.
Support for JSON request bodies.
Support for GWT request bodies. Deprecated.
Support for OData request bodies. Deprecated.
Support for Direct Web Remoting (DWR) request bodies. Deprecated.
Configuration specifying how to determine if the web application is up, responsive and ready for scanning.
6 nested properties
The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning.
The maximum amount of time in milliseconds between requests to your application to check whether it is running.
The path to a publicly reachable route in your application, for example /index. A GET request will be made to this path to confirm the host is up and ready to receive traffic.
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
The request content to send along with POST or PUT requests for target verification.
Redaction policy of scan logs and stdout when scanning this application.
HawkScan maintains a list of redacted tokens; strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts app.authentication credentials, and any provided script / discovery credentials.
2 nested properties
List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.
List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.
Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. Note: Applies to scan policies created with Organization Policy Management.
3 nested properties
Required. The unique name of the organization scan policy.
Plugin ids to exclude from the named scan policy.
Plugin ids to include in the scan that are not in the named scan policy.
Configure HawkScan for JSON-RPC 2.0 API scanning.
One of the following is Required:
- endpoint: The JSON-RPC endpoint path (e.g., /jsonrpc or /api/rpc).
- path: Host path to a hosted OpenRPC specification (e.g., /openrpc.json).
- filePath: Relative path to a local OpenRPC schema file (JSON format).
For full details such as custom variable injection, see JSON-RPC Configuration Documentation.
10 nested properties
Enable JSON-RPC scan support.
The JSON-RPC endpoint path relative to the target host (e.g., /jsonrpc). Defaults to /.
Path to a local OpenRPC schema file (JSON format) to use instead of network discovery.
Maximum depth for generated nested objects. Defaults to 3.
Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables.
HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).
Regex patterns for JSON-RPC method names to exclude from scanning.
Define custom variables and values for use in JSON-RPC scanning.
MCP (Model Context Protocol) server configuration for JSON-RPC scanning.
3 nested properties
MCP server endpoint path relative to target host. Defaults to /mcp.
MCP tool names to exclude from scanning.
Define custom variables and values for use in MCP tool scanning.
Host path to a hosted OpenRPC specification, relative to the target host (e.g., /openrpc.json).
Configuration block for application authentication to enable scanning as the provided user of your application. If provided, HawkScan will first attempt to sign into your web application with the provided login credentials. Only after successfully verifying will scanning occur. For more information, see the Authenticated Scanning section.
A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.
An example configuration of app.authentication.testPath:

```yaml
app:
  authentication:
    testPath:
      type: HEADER
      path: /user/profile
      success: ".*200.*"
      requestMethod: POST
      requestBody: '{"feeling": "KaaKaww!"}'
      requestHeaders:
        Content-Type: "application/json"
```
This uses either success or fail criteria to determine if authorized access is working correctly.
8 nested properties
Required. The path to a protected route in your application that requires authorization. For example /mysettings. A GET request will be made to this path using the configured authentication.
An enum value representing what to match against in the response from issuing a request to the testPath.path. The supported values are HEADER and BODY.
A regex that will match against the response header or body, specified by type, of the GET request to the path.
A match of the regex supplied will indicate that scanning should proceed with the specified authentication.
HawkScan requires that either success OR fail be configured (do not configure both).
A regex that will match against the response header or body, specified by type, of the GET request to the path.
A match of the regex supplied will indicate that scanning should halt and enter an error state.
HawkScan requires that either success OR fail be configured (do not configure both).
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
The request content to send along with POST or PUT requests for authentication verification.
The gRPC method path to call for authentication validation (e.g., "/auth.AuthService/ValidateToken"). Only used when authentication type is GRPC.
Optional configuration specifying a username and password based authentication configuration.
Currently, POSTing the credentials via the FORM or JSON type is supported. Use in conjunction with cookieAuthorization or tokenAuthorization to maintain authorized access to your application.
11 nested properties
Required. The login route to POST credentials for a user in the application (ex. /login). An HTTP POST request using the type specified will be made to this path.
Required. The username HTML field used in your application form or JSON, provided as a string.
Required. The password HTML field used in your application form or JSON, provided as a string.
Required*. The username credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_USERNAME:admin}" will use the $SCAN_USERNAME environment variable as the scanUsername, or fallback to admin).
Required*. The password credentials provided to authentication when attempting to login to the web application, provided as a string. HawkScan best practices recommend using environment variable runtime overrides for this value (ex. "${SCAN_PASSWORD}" will use the $SCAN_PASSWORD environment variable as the scanPassword).
The path to your login form, if applicable. This path is optional but is often required if the POST to the loginPath needs an anti-CSRF token to be passed as part of the POST. The app.antiCsrfParam will be extracted from the response body of a GET request to this page.
An enum value describing the type of POST data expected by the loginPath.
Other request parameters required by your login payload, provided as an array of objects with name and value string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.
Realm for NTLM authentication.
The JSON-RPC method name to call for authentication (e.g., "auth.login"). Required when type is JSON_RPC.
The gRPC method path for authentication (e.g., "/auth.AuthService/Login"). Required when type is GRPC. Uses grpcConf for descriptor.
Optional configuration block for specifying an externally supplied authorization token, HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the Authenticated Scanning section.
2 nested properties
Specifies the type of token being supplied. If COOKIE is specified the .external.value should be in the form of a cookie value TOKEN.
The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned type.
Optional configuration block allowing HawkScan to authorize requests with a 3rd party OAuth 2.0 auth provider.
2 nested properties
Credential parameters sent to an OAuth/3rd party provider.
5 nested properties
Username which will be posted in the request body to the token endpoint with the field name of username.
Password which will be posted in the request body to the token endpoint with the field name of password.
The client id of your application registered with your OAuth provider, which will be posted in the request body to the token endpoint with the field name of client_id.
The client secret of your application registered with your OAuth provider, which will be posted in the request body to the token endpoint with the field name of client_secret.
Configuration parameters sent to an OAuth/3rd party provider.
7 nested properties
URL of the endpoint to get a token.
Grant type of the token request; this will be passed in the request body to the token endpoint as grant_type.
Scope of the token request; this will be passed in the request body to the token endpoint as scope.
HTTP method for accessing the token endpoint. The default is POST.
General name / value parameter.
Param name.
Param value.
Configuration for Token Authentication.
Specifies the type of token being supplied, either TOKEN or COOKIE. Defaults to TOKEN.
If specified, tokenType will be prepended to the header value, e.g. tokenType: Bearer -> "Bearer xxxxxxxxx".
Configuration for additional user profiles used in multi-user scanning scenarios for testing multi-tenancy isolation and access control.
Required. A unique identifier name for this user profile to distinguish between different users during multi-user scans.
Username and password credentials for basic authentication similar to the primary authentication configuration.
2 nested properties
Required. The username for this user profile. Use environment variable interpolation (e.g., ${USER2_USERNAME}).
Required. The password for this user profile. Use environment variable interpolation (e.g., ${USER2_PASSWORD}).
External authentication tokens for this user profile using pre-obtained tokens (e.g., JWT tokens, API keys, or session cookies).
1 nested property
List of authentication tokens to use for this user profile. Can include multiple tokens or cookies.
Custom authentication script configuration for this user profile requiring custom authentication logic.
2 nested properties
Required. The name of the authentication script defined in hawkAddOn.scripts to use for this profile.
Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).
Configure how HawkScan interacts with GraphQL APIs.
One of the following is Required:
- schemaPath: Relative path to the introspection endpoint (based on the host address).
- filePath: Relative path to a GraphQL schema file (SDL format).
The following are Optional:
- operation: Adjust the operation requests generated by the spider (QUERY or MUTATION, defaults to both).
- excludeOperations: Exclude particular GraphQL operations from being scanned.
For full details, see GraphQL Configuration Documentation.
Path to the GraphQL introspection endpoint, relative to the target URI.
Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.
Max length of URIs when generating queries for GET requests.
Maximum depth for generated query graphs.
Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint.
GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are All, QUERY and MUTATION.
Path to a local GraphQL schema file (SDL format) to use instead of introspection.
GraphQL operations to exclude from the spider.
Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables.
Define custom variables and values for use in GraphQL scanning.
A GraphQL operation to exclude from the spider by name and type.
GraphQL operation name.
Graphql operation type. Options are All, QUERY and MUTATION.
Custom variable data specific to GraphQL schemas.
The field name of the param to inject values into.
A list of possible values to be randomly selected for the given field.
An optional operationName that will only inject custom values if the name of the operation on the request matches.
An optional GraphQL operation type (MUTATION or QUERY) that will inject custom values only when the request matches the operation type.
Define how HawkScan scans OpenAPI endpoints.
One of the following is Required:
- filePath: Path to a local OpenAPI specification file (JSON or YAML).
- path: URL path to fetch the OpenAPI spec from the scanned host.
For full details such as custom variable injection, see OpenAPI Configuration Documentation.
A string relative path to an OpenAPI specification file (JSON or YAML) from the scanned host.
Path to a local OpenAPI specification file (JSON or YAML format).
Whether to enable strict parsing of the OpenAPI specification.
Define custom variables and values for use in REST API scanning.
When custom variables are provided, DELETE requests are skipped for injection by default. Set this to true to override that default and include all methods in variable injection.
List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.
Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables.
Maximum number of aliases for a collection when parsing YAML. Increase this value if you see the "Number of aliases for non-scalar nodes exceeds the specified max=100" error.
Custom variables holding values the scanning user should not be able to reach; used for tenancy (access-control) checks.
A list of relative paths to specification files (JSON or YAML), for OpenAPI generation when the spec is split across multiple files.
Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan.
Custom variable data specific to OpenAPI schemas.
The field name of the param to inject values into.
A list of possible values to be randomly selected for the given field.
An optional path regex that will only inject custom values if the path of the request matches.
A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.
Set parameters for scanning SOAP APIs.
One of the following is Required:
- path: Relative URL to fetch the SOAP API WSDL from the scanned host.
- filePath: Path to a local SOAP API WSDL specification file.
For full details, see SOAP Configuration Documentation.
Host path to the SOAP WSDL, prefixed with a /.
Relative path to the SOAP WSDL schema definition file.
Configure HawkScan for gRPC API scanning.
One of the following is Required:
- path: Reflection endpoint for reading the gRPC schema.
- filePath: Relative path to a protobuf descriptor_set file.
For full details such as custom variable injection, see gRPC Configuration Documentation.
Host path for the grpc reflection endpoint.
Path to a local gRPC protobuf descriptor_set file.
Define custom variables and values for use in gRPC scanning.
Maximum depth for resolving nested protobuf messages.
A list of paths to the grpc protobuf descriptor_set file.
Generic custom variable for different API types.
The field name of the param to inject values into. Using object notation will resolve nested objects for request bodies e.g. myobject.id
A list of possible values to be randomly selected for the given field.
Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction
Fine-grained configuration of HawkScan input vectors. This configuration is how and where testable inputs are applied on http requests.
6 nested properties
Allow injection of testable inputs into URL query parameter values.
Allow injection of testable inputs into URL query parameter names.
Allow injection of testable inputs into request body inputs on POST requests.
Allow injection of testable inputs into URL paths.
Allow injection of testable inputs into HTTP headers.
Allow injection of testable inputs into cookie data.
6 nested properties
Support for multipart/form-data request bodies.
Support for xml request bodies.
Support for json request bodies.
Support for GWT request bodies. Deprecated.
Support for Odata request bodies. Deprecated.
Support for direct web remoting request bodies. Deprecated.
Configuration specifying how to determine if the web application is up, responsive and ready for scanning.
The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning
The maximum amount of time in milliseconds in between requests to your application to see if it's running
The path to a publicly reachable route in your application, for example /index. A GET request will be made to this path to confirm the host is up and ready to receive traffic.
HTTP request method to use for the target verification request to the path (the page describes the default check as a GET).
The request content to send along with POST or PUT requests for target verification.
Redaction policy of scan logs and stdout when scanning this application.
HawkScan maintains a list of redacted tokens; strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts app.authentication credentials, and any provided script / discovery credentials.
List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.
List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.
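The two redaction lists above do different jobs: header-name redaction blanks a whole header value, while static-value redaction scrubs a secret wherever it appears, including when the application echoes it back in a body or a script logs it. The following added example (written for this page, not HawkScan's implementation) shows that difference on a constructed request dump; the `[REDACTED]` marker, the constructed secrets and the log line are all assumptions, and the static values are taken as already interpolated from the environment.

```python
import re
from typing import Callable, Iterable

REDACTED = "[REDACTED]"
_HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")

def build_redactor(header_names: Iterable[str], static_values: Iterable[str]) -> Callable[[str], str]:
    """Return a function that scrubs header values by name and static tokens everywhere."""
    names = {n.lower() for n in header_names}
    # Drop empty strings: str.replace("") would insert the marker between every
    # character. Longest tokens first, so a token that contains another is scrubbed whole.
    tokens = sorted({v for v in static_values if v}, key=len, reverse=True)

    def redact_line(line: str) -> str:
        m = _HEADER_LINE.match(line)
        if m and m.group(1).lower() in names:
            line = f"{m.group(1)}: {REDACTED}"
        for tok in tokens:
            line = line.replace(tok, REDACTED)
        return line

    return lambda text: "\n".join(redact_line(l) for l in text.split("\n"))

# Constructed secrets, a constructed request dump and a constructed log line that echo them.
API_KEY = "sk_test_4f1c9e2d7b"
SESSION = "s3ss10n-t0k3n"
SAMPLE = "\n".join([
    "GET /api/me HTTP/1.1",
    "Host: localhost:8080",
    f"Authorization: Bearer {API_KEY}",
    f"Cookie: session={SESSION}",
    "",
    f'{{"echo": "{API_KEY}"}}',
    f"DEBUG login script saw cookie session={SESSION}",
])

def redact_sample(static_values: Iterable[str]) -> str:
    """Redact SAMPLE with Authorization/Cookie header redaction plus the given static values."""
    return build_redactor(["Authorization", "Cookie"], static_values)(SAMPLE)

if __name__ == "__main__":
    print(redact_sample([]))            # header values gone, echoes survive
    print(redact_sample([API_KEY, SESSION]))  # echoes gone too
```

Run it once with an empty static list and once with the secrets: the headers are blanked both times, but the key echoed in the JSON body and the cookie in the debug line only disappear when the values are also in the static list. That is why credentials interpolated from the environment belong in the static list as well as under header redaction.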
Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. Note: Applies to scan policies created with Organization Policy Management.
Required. The unique name of the organization scan policy.
Plugin ids to exclude from the named scan policy.
Plugin ids to include in the scan that are not in the named scan policy.
Configure HawkScan for JSON-RPC 2.0 API scanning.
One of the following is Required:
- endpoint: The JSON-RPC endpoint path (e.g., /jsonrpc or /api/rpc).
- path: Host path to a hosted OpenRPC specification (e.g., /openrpc.json).
- filePath: Relative path to a local OpenRPC schema file (JSON format).
For full details such as custom variable injection, see JSON-RPC Configuration Documentation.
Enable JSON-RPC scan support.
The JSON-RPC endpoint path relative to the target host (e.g., /jsonrpc). Defaults to /.
Path to a local OpenRPC schema file (JSON format) to use instead of network discovery.
Maximum depth for generated nested objects. Defaults to 3.
Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables.
HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).
Regex patterns for JSON-RPC method names to exclude from scanning.
Define custom variables and values for use in JSON-RPC scanning.
MCP (Model Context Protocol) server configuration for JSON-RPC scanning.
3 nested properties
MCP server endpoint path relative to target host. Defaults to /mcp.
MCP tool names to exclude from scanning.
Define custom variables and values for use in MCP tool scanning.
Host path to a hosted OpenRPC specification, relative to the target host (e.g., /openrpc.json).
Custom variable data specific to JSON-RPC schemas.
The field name of the param to inject values into. Using dot notation will resolve nested objects for request bodies (e.g., user.address.id).
A list of possible values to be randomly selected for the given field.
An optional regex pattern that will only inject custom values if the JSON-RPC method name matches.
Custom variable data specific to MCP tool scanning.
MCP tool name this variable applies to.
Parameter name within the tool's inputSchema. Using dot notation resolves nested objects (e.g., user.address.id).
A list of possible values to be randomly selected for the given parameter.
Extend HawkScan functionality with add-ons and custom scripts:
- replacer: Modify or replace HTTP request headers using rules with properties like matchString, replacement, isRegex, and replaceOnly.
- scripts: Configure custom scripts to customize scan behavior with name, type (e.g., active, authentication), path, language (KOTLIN, JAVASCRIPT), and vars.
For more detail, see HawkScan Configuration Documentation.
Configuration block for header value replacement. These rules support manipulating request headers, useful for modifying requests to web applications running behind a proxy.
1 nested properties
List of regex match and replace rules for request headers.
List of configurations for custom scripts.
A list of configuration blocks for the Replacer add-on rules. Each configuration block in the list is made up of the following elements. See Configuration Examples for more information.
If replaceOnly is false, only match the header name. If replaceOnly is true, matches the exact string on the header line.
If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.
Replacer rule initiators.
If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.
Enable regex search for matchString. Useful when replaceOnly is true (e.g. Referer:.* will replace the entire Referer: header line).
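The interaction of replaceOnly and isRegex decides whether a rule sets a header, adds one, or rewrites part of a line, so here is an added example (written for this page, not the add-on's own implementation) that applies rules with those four properties to a constructed list of request header lines. Case-insensitive header-name matching, and the choice not to add a header when matchString is a regex, are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ReplacerRule:
    matchString: str
    replacement: str
    isRegex: bool = False
    replaceOnly: bool = False

def _header_name(line: str) -> str:
    return line.partition(":")[0].strip()

def apply_rule(headers: List[str], rule: ReplacerRule) -> List[str]:
    """Apply one rule to a list of 'Name: value' request header lines."""
    if rule.replaceOnly:
        # replaceOnly true: only rewrite matchString inside existing header lines;
        # a header that is absent is never added.
        if rule.isRegex:
            return [re.sub(rule.matchString, rule.replacement, line) for line in headers]
        return [line.replace(rule.matchString, rule.replacement) for line in headers]

    # replaceOnly false: matchString names a header. Replace its value, or add
    # the header with replacement as its value when it is missing.
    out, found = [], False
    for line in headers:
        name = _header_name(line)
        if rule.isRegex:
            matched = re.fullmatch(rule.matchString, name, re.IGNORECASE) is not None
        else:
            matched = name.lower() == rule.matchString.lower()   # assumption: case-insensitive
        if matched:
            out.append(f"{name}: {rule.replacement}")
            found = True
        else:
            out.append(line)
    if not found and not rule.isRegex:
        # Assumption: a missing header is only added for a literal name; a regex
        # cannot be turned into a header name.
        out.append(f"{rule.matchString}: {rule.replacement}")
    return out

def apply_rules(headers: List[str], rules: List[ReplacerRule]) -> List[str]:
    for rule in rules:
        headers = apply_rule(headers, rule)
    return headers

# Constructed rules for an app reached through a proxy.
RULES = [
    # Header-name match: the Host value is replaced.
    ReplacerRule(matchString="Host", replacement="app.internal.example"),
    # Header-name match with no such header: it is added.
    ReplacerRule(matchString="X-Forwarded-Proto", replacement="https"),
    # The page's own example: isRegex + replaceOnly rewrites the whole Referer line.
    ReplacerRule(matchString=r"Referer:.*", replacement="Referer: https://app.internal.example/",
                 isRegex=True, replaceOnly=True),
]

# Constructed request headers as HawkScan might send them.
SAMPLE_HEADERS = [
    "Host: localhost:8080",
    "Referer: http://localhost:8080/login",
    "User-Agent: HawkScan",
]

if __name__ == "__main__":
    for line in apply_rules(SAMPLE_HEADERS, RULES):
        print(line)
```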
Configuration block for custom scripts.
The name of this custom script.
The type of this script. One of active, authentication, httpsender, passive, proxy, session.
Path to the file location for the custom script.
Named variables to expose to the script.
Required. The language of this script. Either KOTLIN or JAVASCRIPT.
Plugin Id for script.
Scan tags are name value pairs that represent metadata of the scan, capturing additional state or context around a scan.
Examples could include adding commit SHAs, branch names, or project management issue titles.
Tag names can use any combination of the following characters: a-zA-Z-_, and their values can be any string. Tag entries can also be interpolated from the environment.
ℹ️ NOTE: Tag names beginning with _STACKHAWK are in a reserved tag namespace.
The following selection of YAML is an example of how you can configure your stackhawk.yml file to include scan tags:

stackhawk.yml

```yaml
app:
  applicationId: <application-uuid>
  env: localhost
  host: http://localhost:8080
  tags:
    - name: category
      value: hawksome
    - name: Another-Value
      value: ${SOMETHING_FROM_ENV:default}
    - name: _GIT_COMMIT_SHA
      value: ${MY_COMMIT_SHA_ENV:HEAD}
```
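The tag rules above (allowed name characters, the reserved _STACKHAWK prefix, and ${VAR:default} interpolation) are small enough to check before a scan runs, which is useful in CI where a missing environment variable otherwise only shows up as an odd tag value. This added example, written for this page rather than taken from HawkScan, validates the page's own three tags against a constructed environment. How HawkScan itself treats an unset variable with no default is not stated on the page; the example reports it as an error, and that is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Allowed tag-name characters from the page: a-zA-Z, '-' and '_'.
TAG_NAME_RE = re.compile(r"^[A-Za-z_-]+$")
RESERVED_PREFIX = "_STACKHAWK"
# ${VAR} or ${VAR:default}.
INTERP_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

def interpolate(value: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Resolve ${VAR:default} references; return the text and the unresolvable names."""
    missing: List[str] = []

    def sub(m: "re.Match") -> str:
        name, default = m.group(1), m.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        missing.append(name)          # assumption: unset with no default is an error
        return ""

    return INTERP_RE.sub(sub, value), missing

def validate_tags(tags: List[dict], env: Dict[str, str]) -> Tuple[List[dict], List[str]]:
    """Return (resolved tags, error messages) for a parsed app.tags list."""
    resolved, errors = [], []
    for tag in tags:
        name, raw = str(tag.get("name", "")), str(tag.get("value", ""))
        if not TAG_NAME_RE.match(name):
            errors.append(f"{name!r}: tag names may only contain a-zA-Z, '-' and '_'")
        if name.startswith(RESERVED_PREFIX):
            errors.append(f"{name!r}: names beginning with {RESERVED_PREFIX} are reserved")
        value, missing = interpolate(raw, env)
        for var in missing:
            errors.append(f"{name!r}: ${{{var}}} is not set and has no default")
        resolved.append({"name": name, "value": value})
    return resolved, errors

# The page's example tags, as they parse from stackhawk.yml.
PAGE_TAGS = [
    {"name": "category", "value": "hawksome"},
    {"name": "Another-Value", "value": "${SOMETHING_FROM_ENV:default}"},
    {"name": "_GIT_COMMIT_SHA", "value": "${MY_COMMIT_SHA_ENV:HEAD}"},
]

if __name__ == "__main__":
    import os
    tags, problems = validate_tags(PAGE_TAGS, dict(os.environ))
    print(tags)
    print(problems or "no tag problems")
```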
The name of the tag.
An arbitrary value to associate with the tag name.
The StackHawk tag id.