{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://catalog.lintel.tools/schemas/schemastore/stackhawk-scanner-configuration/latest.json",
  "title": "HawkScan Configuration",
  "description": "JSON schema for StackHawk HawkScan configuration files.",
  "x-lintel": {
    "source": "https://download.stackhawk.com/hawk/jsonschema/hawkconfig.json",
    "sourceSha256": "592f809d2e05aeab84d8cac540efbd8b55f9cd41ad28af6e5ff20c2e471e055b",
    "fileMatch": [
      "stackhawk.yml",
      "stackhawk.yaml",
      "stackhawk-*.yml",
      "stackhawk-*.yaml"
    ],
    "parsers": [
      "yaml"
    ]
  },
  "type": "object",
  "properties": {
    "hawk": {
      "markdownDescription": "Parameters for scanner runtime and how it should look for vulnerabilities.",
      "type": "object",
      "$ref": "#/$defs/HawkConf",
      "description": "Parameters for scanner runtime and how it should look for vulnerabilities."
    },
    "app": {
      "markdownDescription": "**Required**. Parameters for the target application and specifics for how it should be scanned.",
      "type": "object",
      "$ref": "#/$defs/AppConf",
      "description": "**Required**. Parameters for the target application and specifics for how it should be scanned."
    },
    "hawkAddOn": {
      "markdownDescription": "Parameters for additional HawkScan add-ons and custom scripts.",
      "type": "object",
      "$ref": "#/$defs/HawkAddOnConf",
      "description": "Parameters for additional HawkScan add-ons and custom scripts."
    },
    "tags": {
      "markdownDescription": "Searchable keywords to associate with this scan.",
      "type": "array",
      "items": {
        "$ref": "#/$defs/Tag"
      },
      "description": "Searchable keywords to associate with this scan."
    }
  },
  "$defs": {
    "HawkscanConf": {
      "required": [
        "app"
      ],
      "type": "object",
      "description": "The HawkScan configuration. The `stackhawk.yml` file follows this structure.\nA run of HawkScan will use this configuration to inform the scanner how to operate.\n\nThe minimum stackhawk.yml required is the following:\n```yaml\n app:\n  applicationId: kkAAAKAW-kAWW-kkAA-WWwW-kAAkkAAAAwWW\n  env: Test\n  host: http://localhost:1337\n```\n\n[Signup for a StackHawk account](https://auth.stackhawk.com/signup) and [Get Started](https://docs.stackhawk.com/getting-started).",
      "markdownDescription": "The HawkScan configuration. The `stackhawk.yml` file follows this structure.\nA run of HawkScan will use this configuration to inform the scanner how to operate.\n\nThe minimum stackhawk.yml required is the following:\n```yaml\n app:\n  applicationId: kkAAAKAW-kAWW-kkAA-WWwW-kAAkkAAAAwWW\n  env: Test\n  host: http://localhost:1337\n```\n\n[Signup for a StackHawk account](https://auth.stackhawk.com/signup) and [Get Started](https://docs.stackhawk.com/getting-started).",
      "properties": {
        "hawk": {
          "$ref": "#/$defs/HawkConf",
          "description": "Parameters for scanner runtime and how it should look for vulnerabilities.",
          "markdownDescription": "Parameters for scanner runtime and how it should look for vulnerabilities."
        },
        "app": {
          "$ref": "#/$defs/AppConf",
          "description": "**Required**. Parameters for the target application and specifics for how it should be scanned.",
          "markdownDescription": "**Required**. Parameters for the target application and specifics for how it should be scanned."
        },
        "hawkAddOn": {
          "$ref": "#/$defs/HawkAddOnConf",
          "description": "Parameters for additional HawkScan add-ons and custom scripts.",
          "markdownDescription": "Parameters for additional HawkScan add-ons and custom scripts."
        },
        "tags": {
          "type": "array",
          "description": "Searchable keywords to associate with this scan.",
          "markdownDescription": "Searchable keywords to associate with this scan.",
          "items": {
            "$ref": "#/$defs/Tag"
          }
        }
      },
      "additionalProperties": false
    },
    "HawkConf": {
      "properties": {
        "spider": {
          "$ref": "#/$defs/Spider",
          "description": "Configuration for the application web crawler & scan discovery.",
          "markdownDescription": "Configuration for the application web crawler & scan discovery."
        },
        "startupTimeoutMinutes": {
          "type": "number",
          "description": "Maximum time in minutes to wait for the scanner process to start.",
          "markdownDescription": "Maximum time in minutes to wait for the scanner process to start.",
          "exclusiveMinimum": 0,
          "default": 5
        },
        "failureThreshold": {
          "type": "string",
          "description": "The lowest alert level that returns a failed scan status. Accepted values: high, medium, or low.",
          "markdownDescription": "The lowest alert level that returns a failed scan status. Accepted values: high, medium, or low.",
          "pattern": "\\b(?:high|medium|low|HIGH|MEDIUM|LOW)\\b"
        },
        "scan": {
          "$ref": "#/$defs/ScanConf",
          "description": "Configuration for the HawkScan runtime.",
          "markdownDescription": "Configuration for the HawkScan runtime."
        },
        "config": {
          "type": "array",
          "description": "Scanner configuration overrides, provided as a list of key=value strings.\nA list of strings in the form of key=value pairs passed to the scanner as scanner configuration overrides.\n\nThis is an advanced feature to configure HawkScan plugins and override their default behavior.",
          "markdownDescription": "Scanner configuration overrides, provided as a list of key=value strings.\nA list of strings in the form of key=value pairs passed to the scanner as scanner configuration overrides.\n\nThis is an advanced feature to configure HawkScan plugins and override their default behavior.",
          "items": {
            "type": "string",
            "pattern": "^([a-zA-Z0-9]*\\.)*([a-zA-Z_$0-9])+=.*$"
          }
        },
        "outboundProxy": {
          "$ref": "#/$defs/Proxy",
          "description": "Configuration for an outbound proxy.",
          "markdownDescription": "Configuration for an outbound proxy."
        }
      },
      "type": "object",
      "description": "Define global HawkScan settings, independent of the scanned application:\n\n- `spider`: Configure application crawling and scan discovery. Enable `base` and `ajax` crawlers, set `maxDurationMinutes`, add `seedPaths`, use `custom` commands, or import `har` files.\n- `startupTimeoutMinutes`: Maximum time to wait for the scanner to start (default: 5).\n- `failureThreshold`: Alert severity level to fail a scan (`high`, `medium`, or `low`).\n- `scan`: Set runtime behavior like max duration, request throttling, and concurrency.\n- `config`: Advanced scanner configuration overrides.\n- `outboundProxy`: Configure an outbound proxy, including host, credentials, and CA certificate.\n\nFor more details, see [HawkScan Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/).",
      "markdownDescription": "Define global HawkScan settings, independent of the scanned application:\n\n- `spider`: Configure application crawling and scan discovery. Enable `base` and `ajax` crawlers, set `maxDurationMinutes`, add `seedPaths`, use `custom` commands, or import `har` files.\n- `startupTimeoutMinutes`: Maximum time to wait for the scanner to start (default: 5).\n- `failureThreshold`: Alert severity level to fail a scan (`high`, `medium`, or `low`).\n- `scan`: Set runtime behavior like max duration, request throttling, and concurrency.\n- `config`: Advanced scanner configuration overrides.\n- `outboundProxy`: Configure an outbound proxy, including host, credentials, and CA certificate.\n\nFor more details, see [HawkScan Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/).",
      "additionalProperties": false
    },
    "Spider": {
      "properties": {
        "base": {
          "type": "boolean",
          "description": "Enable the basic web crawler for discovering your application's routes. This spider is appropriate for most traditional web applications.",
          "markdownDescription": "Enable the basic web crawler for discovering your application's routes. This spider is appropriate for most traditional web applications.",
          "default": true
        },
        "ajax": {
          "type": "boolean",
          "description": "Enable the ajax web crawler for discovering your application’s routes. This spider is appropriate for single-page web applications.",
          "markdownDescription": "Enable the ajax web crawler for discovering your application’s routes. This spider is appropriate for single-page web applications.",
          "default": false
        },
        "maxDurationMinutes": {
          "type": "number",
          "description": "Maximum allowed time for enabled spiders to crawl your web application.",
          "markdownDescription": "Maximum allowed time for enabled spiders to crawl your web application.",
          "exclusiveMinimum": 0,
          "default": 2
        },
        "ajaxBrowser": {
          "type": "string",
          "description": "The browser type and style to use when running the AjaxSpider. When running the `stackhawk/hawkscan` docker container, this setting is ignored and will use the default CHROME_HEADLESS. The options are CHROME_HEADLESS and CHROME. FIREFOX_HEADLESS and FIREFOX are deprecated.",
          "markdownDescription": "The browser type and style to use when running the AjaxSpider. When running the `stackhawk/hawkscan` docker container, this setting is ignored and will use the default CHROME_HEADLESS. The options are CHROME_HEADLESS and CHROME. FIREFOX_HEADLESS and FIREFOX are deprecated.",
          "enum": [
            "FIREFOX_HEADLESS",
            "CHROME_HEADLESS",
            "FIREFOX",
            "CHROME"
          ]
        },
        "seedPaths": {
          "type": "array",
          "description": "List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, `/admin`. **Note**: this configuration is NOT a replacement for an API spec and provides no benefit to pure REST APIs.",
          "markdownDescription": "List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example, `/admin`. **Note**: this configuration is NOT a replacement for an API spec and provides no benefit to pure REST APIs.",
          "items": {
            "type": "string"
          }
        },
        "custom": {
          "$ref": "#/$defs/CustomDiscovery",
          "description": "Discover paths in your application with the assistance of a complementary developer tool or software command. This is appropriate if your team already implements other application testing tools in their CI/CD pipeline, for a more thorough and repeatable scan.",
          "markdownDescription": "Discover paths in your application with the assistance of a complementary developer tool or software command. This is appropriate if your team already implements other application testing tools in their CI/CD pipeline, for a more thorough and repeatable scan."
        },
        "postmanConfig": {
          "$ref": "#/$defs/PostmanConfig",
          "description": "Configuration for postman.",
          "markdownDescription": "Configuration for postman."
        },
        "har": {
          "$ref": "#/$defs/HARImportConfig",
          "description": "Import a HAR file as the API discovery method for the scan.",
          "markdownDescription": "Import a HAR file as the API discovery method for the scan."
        },
        "disableSmartCrawling": {
          "type": "boolean",
          "description": "Disable smart crawling for openApiConf to enable legacy openapi import process.",
          "markdownDescription": "Disable smart crawling for openApiConf to enable legacy openapi import process.",
          "default": false
        },
        "responseBodyFilter": {
          "$ref": "#/$defs/SpiderResponseBodyFilter",
          "description": "Filter which response bodies are included in spider HTTP message uploads. Useful for excluding large binary responses or including additional text formats.",
          "markdownDescription": "Filter which response bodies are included in spider HTTP message uploads. Useful for excluding large binary responses or including additional text formats."
        }
      },
      "type": "object",
      "description": "Configuration block for the application crawling and Discovery Phase aka Spider. See the [Scan Discovery](https://docs.stackhawk.com/hawkscan/scan-discovery/) page for more details.",
      "markdownDescription": "Configuration block for the application crawling and Discovery Phase aka Spider. See the [Scan Discovery](https://docs.stackhawk.com/hawkscan/scan-discovery/) page for more details."
    },
    "CustomDiscovery": {
      "properties": {
        "command": {
          "type": "string",
          "description": "Provide a command to run as part of the scan discovery phase. This command will be split from its arguments and execute on its own thread in a context with additional environment variables set with the proxy configuration for HawkScan to intercept http traffic.",
          "markdownDescription": "Provide a command to run as part of the scan discovery phase. This command will be split from its arguments and execute on its own thread in a context with additional environment variables set with the proxy configuration for HawkScan to intercept http traffic."
        },
        "environment": {
          "$ref": "#/$defs/EnvironmentEntry",
          "description": "Key-Value map of environment variable names and values to pass along into the execution of the command.",
          "markdownDescription": "Key-Value map of environment variable names and values to pass along into the execution of the command."
        },
        "workingDir": {
          "type": "string",
          "description": "The absolute path working directory these commands are run from.",
          "markdownDescription": "The absolute path working directory these commands are run from."
        },
        "credentials": {
          "$ref": "#/$defs/CredentialsEntry",
          "description": "Key-Value map of additional environment variables or secrets to pass along into the execution of the command. These values will be redacted from the logs.",
          "markdownDescription": "Key-Value map of additional environment variables or secrets to pass along into the execution of the command. These values will be redacted from the logs."
        },
        "arguments": {
          "type": "array",
          "description": "Command arguments provided as an array of strings. These arguments can be used in addition to or instead of the command. This should be used if the command is sufficiently complex or is exceptionally whitespace sensitive.",
          "markdownDescription": "Command arguments provided as an array of strings. These arguments can be used in addition to or instead of the command. This should be used if the command is sufficiently complex or is exceptionally whitespace sensitive.",
          "items": {
            "type": "string"
          }
        },
        "excludeParentEnvironment": {
          "type": "boolean",
          "description": "Only provide the environment variables and credentials as configured. By default also includes the environment from the parent process environment for convenience.",
          "markdownDescription": "Only provide the environment variables and credentials as configured. By default also includes the environment from the parent process environment for convenience."
        },
        "logOutputToForeground": {
          "type": "boolean",
          "description": "This command prints the stdout and stderr of the command to the foreground.",
          "markdownDescription": "This command prints the stdout and stderr of the command to the foreground."
        }
      },
      "type": "object"
    },
    "EnvironmentEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "CredentialsEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "PostmanConfig": {
      "properties": {
        "apikey": {
          "type": "string",
          "description": "API key to authenticate the user with Postman.",
          "markdownDescription": "API key to authenticate the user with Postman."
        },
        "collectionUID": {
          "type": "string",
          "description": "Id of the collection to be pulled from Postman.",
          "markdownDescription": "Id of the collection to be pulled from Postman."
        },
        "filePath": {
          "type": "string",
          "description": "File path of the Postman collection.",
          "markdownDescription": "File path of the Postman collection."
        }
      },
      "type": "object",
      "description": "Configuration for the Postman Collection.",
      "markdownDescription": "Configuration for the Postman Collection.",
      "additionalProperties": false
    },
    "HARImportConfig": {
      "additionalProperties": false,
      "type": "object",
      "description": "Configuration for using a HAR file as the discovery for a scan.\nHAR files often contain requests including urls from many hosts, but only URLs matching the `app.host` or\n`replaceHost` will be included in the scan.",
      "markdownDescription": "Configuration for using a HAR file as the discovery for a scan.\nHAR files often contain requests including urls from many hosts, but only URLs matching the `app.host` or\n`replaceHost` will be included in the scan.",
      "properties": {
        "replaceHost": {
          "type": "string",
          "description": "The hostname of URLs in the HAR file that will be replaced with the host defined in `app.host`. Leave blank if the `app.host` is the same hostname in the HAR file.",
          "markdownDescription": "The hostname of URLs in the HAR file that will be replaced with the host defined in `app.host`. Leave blank if the `app.host` is the same hostname in the HAR file."
        },
        "file": {
          "$ref": "#/$defs/HARImportFiles",
          "description": "Use individual HAR files.",
          "markdownDescription": "Use individual HAR files."
        },
        "dir": {
          "$ref": "#/$defs/HARImportDirectory",
          "description": "Use a directory of HAR files.",
          "markdownDescription": "Use a directory of HAR files."
        }
      },
      "required": [],
      "allOf": [
        {
          "oneOf": [
            {
              "required": [
                "file"
              ]
            },
            {
              "required": [
                "dir"
              ]
            }
          ]
        }
      ],
      "unevaluatedProperties": false
    },
    "HARImportFiles": {
      "properties": {
        "paths": {
          "type": "array",
          "description": "Paths to HAR files to import. Files will be loaded in order provided.",
          "markdownDescription": "Paths to HAR files to import. Files will be loaded in order provided.",
          "items": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "description": "Paths to .har HTTP Archive formatted files, for use with HARImportConfig.",
      "markdownDescription": "Paths to .har HTTP Archive formatted files, for use with HARImportConfig.",
      "additionalProperties": false
    },
    "HARImportDirectory": {
      "properties": {
        "path": {
          "type": "string",
          "description": "Path to directory containing .har files. Only files with the .har extension will be loaded in alphanumeric order.",
          "markdownDescription": "Path to directory containing .har files. Only files with the .har extension will be loaded in alphanumeric order."
        }
      },
      "type": "object",
      "description": "Paths to directories, for use with HARImportConfig.",
      "markdownDescription": "Paths to directories, for use with HARImportConfig.",
      "additionalProperties": false
    },
    "SpiderResponseBodyFilter": {
      "properties": {
        "includeContentTypes": {
          "type": "array",
          "description": "Content types to include in response body uploads. If specified, replaces the default include list. Supports wildcards (e.g., `application/*+json`, `image/*`).",
          "markdownDescription": "Content types to include in response body uploads. If specified, replaces the default include list. Supports wildcards (e.g., `application/*+json`, `image/*`).",
          "items": {
            "type": "string"
          }
        },
        "excludeContentTypes": {
          "type": "array",
          "description": "Content types to exclude from response body uploads. If specified, adds to the default exclude list. Exclusions take precedence over inclusions. Supports wildcards (e.g., `image/*`).",
          "markdownDescription": "Content types to exclude from response body uploads. If specified, adds to the default exclude list. Exclusions take precedence over inclusions. Supports wildcards (e.g., `image/*`).",
          "items": {
            "type": "string"
          }
        }
      },
      "type": "object"
    },
    "ScanConf": {
      "properties": {
        "maxDurationMinutes": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum duration that a scan will run.",
          "markdownDescription": "Maximum duration that a scan will run.",
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "maxRuleDurationMinutes": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum duration that a scan will spend on a rule.",
          "markdownDescription": "Maximum duration that a scan will spend on a rule.",
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "requestDelayMillis": {
          "type": [
            "number",
            "string"
          ],
          "description": "Delay time between sending requests.",
          "markdownDescription": "Delay time between sending requests.",
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "concurrentRequests": {
          "type": [
            "number",
            "string"
          ],
          "description": "Number of request threads. _If you need that little extra push._ Defaults to 20.",
          "markdownDescription": "Number of request threads. _If you need that little extra push._ Defaults to 20.",
          "exclusiveMinimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9])$"
        },
        "throttlePassiveBacklog": {
          "type": [
            "number",
            "string"
          ],
          "description": "Pause active scan when passive backlog is greater than this value, resumes once backlog is empty. Defaults to 50.",
          "markdownDescription": "Pause active scan when passive backlog is greater than this value, resumes once backlog is empty. Defaults to 50.",
          "exclusiveMinimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9])$"
        },
        "throttleIntervalSeconds": {
          "type": [
            "number",
            "string"
          ],
          "description": "How often the throttle check is run, in seconds.",
          "markdownDescription": "How often the throttle check is run, in seconds.",
          "exclusiveMinimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9])$"
        },
        "throttleTempRecordMax": {
          "type": [
            "number",
            "string"
          ],
          "description": "The max number of temp records allowed before pruning of temp records begins.",
          "markdownDescription": "The max number of temp records allowed before pruning of temp records begins.",
          "exclusiveMinimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9])$"
        },
        "throttleTempRecordDeleteQuota": {
          "type": [
            "number",
            "string"
          ],
          "description": "The percentage of throttleTempRecordMax records to delete on each throttleIntervalSeconds.",
          "markdownDescription": "The percentage of throttleTempRecordMax records to delete on each throttleIntervalSeconds.",
          "minimum": 1,
          "maximum": 100,
          "pattern": "^([0-9][0-9]+|[1-9])$"
        },
        "policyName": {
          "type": "string",
          "description": "Name of a specific named scan policy to use. This field is optional, and an applicable scan policy will be selected if omitted.",
          "markdownDescription": "Name of a specific named scan policy to use. This field is optional, and an applicable scan policy will be selected if omitted."
        },
        "includedPlugins": {
          "type": "array",
          "description": "Specify to only scan with these listed plugins.",
          "markdownDescription": "Specify to only scan with these listed plugins.",
          "items": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "description": "Configuration block for HawkScan runtime.",
      "markdownDescription": "Configuration block for HawkScan runtime."
    },
    "Proxy": {
      "properties": {
        "host": {
          "type": "string",
          "description": "The host of the outbound explicit proxy, including port (e.g. https://localhost:8888).",
          "markdownDescription": "The host of the outbound explicit proxy, including port (e.g. https://localhost:8888)."
        },
        "credentials": {
          "$ref": "#/$defs/ProxyCredentials",
          "description": "Credentials for logging into the outbound explicit proxy.",
          "markdownDescription": "Credentials for logging into the outbound explicit proxy."
        },
        "rootCACertPath": {
          "type": "string",
          "description": "Path to root CA Certificate for transparent outbound proxies.  This can be used without specifying host or credentials.",
          "markdownDescription": "Path to root CA Certificate for transparent outbound proxies.  This can be used without specifying host or credentials."
        }
      },
      "type": "object",
      "description": "Configuration block for a proxy. This enables HawkScan to traffic scanner requests through an outbound network proxy.",
      "markdownDescription": "Configuration block for a proxy. This enables HawkScan to traffic scanner requests through an outbound network proxy.",
      "additionalProperties": false
    },
    "ProxyCredentials": {
      "properties": {
        "username": {
          "type": "string",
          "description": "**Required**. The username for proxy credentials.",
          "markdownDescription": "**Required**. The username for proxy credentials."
        },
        "password": {
          "type": "string",
          "description": "**Required**. The password for proxy credentials.",
          "markdownDescription": "**Required**. The password for proxy credentials."
        },
        "realm": {
          "type": "string",
          "description": "Realm for proxy credentials.",
          "markdownDescription": "Realm for proxy credentials."
        },
        "scheme": {
          "type": "string",
          "description": "Scheme of proxy authentication. Currently `BASIC`, `NTLM` are supported.",
          "markdownDescription": "Scheme of proxy authentication. Currently `BASIC`, `NTLM` are supported."
        }
      },
      "type": "object",
      "description": "Credential details for the outbound proxy behavior.",
      "markdownDescription": "Credential details for the outbound proxy behavior.",
      "additionalProperties": false
    },
    "AppConf": {
      "additionalProperties": false,
      "type": "object",
      "description": "Define key settings for the application to be scanned, including properties like the application's host URL, authentication methods, API type, and custom paths. This section includes essential parameters, such as:\n\n- `applicationId`: **Required**. The unique identifier for the application in the StackHawk platform.\n- `env`: **Required**. The environment name used to organize scan results (e.g., \"Production\" or \"Staging\").\n- `host`: **Required**. The base URL of the application to scan, e.g., `http://localhost:8000`. The scan will not proceed if the URL is unreachable.\n\nAdditionally, specify other optional details such as session tokens, CSRF parameters, API-specific configurations (e.g., GraphQL, OpenAPI, SOAP, gRPC), and any paths to exclude or include in the scan.",
      "markdownDescription": "Define key settings for the application to be scanned, including properties like the application's host URL, authentication methods, API type, and custom paths. This section includes essential parameters, such as:\n\n- `applicationId`: **Required**. The unique identifier for the application in the StackHawk platform.\n- `env`: **Required**. The environment name used to organize scan results (e.g., \"Production\" or \"Staging\").\n- `host`: **Required**. The base URL of the application to scan, e.g., `http://localhost:8000`. The scan will not proceed if the URL is unreachable.\n\nAdditionally, specify other optional details such as session tokens, CSRF parameters, API-specific configurations (e.g., GraphQL, OpenAPI, SOAP, gRPC), and any paths to exclude or include in the scan.",
      "properties": {
        "host": {
          "type": "string",
          "description": "**Required**. The base url of the application to scan ex: `http://localhost:8000`. If the url cannot be reached, the scan will not proceed.",
          "markdownDescription": "**Required**. The base url of the application to scan ex: `http://localhost:8000`. If the url cannot be reached, the scan will not proceed.",
          "pattern": "(?:\\$\\{[^}]+\\}|(?:https?|ftp|file):\\/\\/|www\\.|ftp\\.)(?:\\([-\\w0-9+&@#\\/%=~_|$?!:,.]*\\)|[-\\w0-9+&@#\\/%=~_|$?!:,.])*(?:\\([-\\w0-9+&@#\\/%=~_|$?!:,.]*\\)|[\\w0-9+&@#\\/%=~_|$])"
        },
        "sessionTokens": {
          "type": "array",
          "description": "The names of any session tokens used by your application, provided as an array of strings (Hint: these are the names of session cookies used by your application).",
          "markdownDescription": "The names of any session tokens used by your application, provided as an array of strings (Hint: these are the names of session cookies used by your application).",
          "items": {
            "type": "string"
          }
        },
        "antiCsrfParam": {
          "type": "string",
          "description": "The name of your CSRF security parameter used in any application form inputs. Globally set, HawkScan will parse this parameter value from form responses to use in subsequent requests.",
          "markdownDescription": "The name of your CSRF security parameter used in any application form inputs. Globally set, HawkScan will parse this parameter value from form responses to use in subsequent requests."
        },
        "authentication": {
          "$ref": "#/$defs/Authentication",
          "description": "Define how HawkScan authenticates as a user to your application. Options include `usernamePassword`, `external` tokens, `oauth`, or custom `script`. Configure `loggedInIndicator`/`loggedOutIndicator` regex patterns, `tokenExtraction`, `tokenAuthorization`, and `testPath` to verify authentication. See [Authenticated Scanning Documentation](https://docs.stackhawk.com/hawkscan/authenticated-scanning/).",
          "markdownDescription": "Define how HawkScan authenticates as a user to your application. Options include `usernamePassword`, `external` tokens, `oauth`, or custom `script`. Configure `loggedInIndicator`/`loggedOutIndicator` regex patterns, `tokenExtraction`, `tokenAuthorization`, and `testPath` to verify authentication. See [Authenticated Scanning Documentation](https://docs.stackhawk.com/hawkscan/authenticated-scanning/)."
        },
        "excludePaths": {
          "type": "array",
          "description": "An array of strings, used as regexes to match against routes that should be ignored entirely by HawkScan.\nIf populated, paths that match any supplied regex will be excluded from the scan.\nThis field is useful for prohibiting asset directories or other resources that don't require vulnerability scanning.",
          "markdownDescription": "An array of strings, used as regexes to match against routes that should be ignored entirely by HawkScan.\nIf populated, paths that match any supplied regex will be excluded from the scan.\nThis field is useful for prohibiting asset directories or other resources that don't require vulnerability scanning.",
          "items": {
            "type": "string"
          }
        },
        "applicationId": {
          "type": "string",
          "description": "**Required**. Your StackHawk application UUID. Create an application in the [StackHawk platform](https://app.stackhawk.com) to obtain this identifier.",
          "markdownDescription": "**Required**. Your StackHawk application UUID. Create an application in the [StackHawk platform](https://app.stackhawk.com) to obtain this identifier.",
          "pattern": "\\b[0-9a-f]{8}\\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\\b[0-9a-f]{12}\\b"
        },
        "env": {
          "type": "string",
          "description": "**Required**. The `env` environment name to organize Scan Results.",
          "markdownDescription": "**Required**. The `env` environment name to organize Scan Results."
        },
        "graphqlConf": {
          "$ref": "#/$defs/GraphQLConf",
          "description": "GraphQL API scanner parameters.",
          "markdownDescription": "GraphQL API scanner parameters."
        },
        "includePaths": {
          "type": "array",
          "description": "An array of strings, used as regexes to limit which application routes HawkScan will specifically visit. If populated, paths must match at least one supplied regex to be included as part of the scan. This field is useful for constraining the reach of the HawkScan scanner and spider.",
          "markdownDescription": "An array of strings, used as regexes to limit which application routes HawkScan will specifically visit. If populated, paths must match at least one supplied regex to be included as part of the scan. This field is useful for constraining the reach of the HawkScan scanner and spider.",
          "items": {
            "type": "string"
          }
        },
        "autoPolicy": {
          "type": "boolean",
          "description": "Set to `true` to enable an optimized policy when scanning specific APIs like GraphQL and OpenAPI. Defaults to True.",
          "markdownDescription": "Set to `true` to enable an optimized policy when scanning specific APIs like GraphQL and OpenAPI. Defaults to True."
        },
        "autoInputVectors": {
          "type": "boolean",
          "description": "Set to `true` to automatically enable the correct input data types when scanning APIs like GraphQL and OpenAPI. This can increase scan accuracy and reduce false positives. Defaults to True.",
          "markdownDescription": "Set to `true` to automatically enable the correct input data types when scanning APIs like GraphQL and OpenAPI. This can increase scan accuracy and reduce false positives. Defaults to True."
        },
        "openApiConf": {
          "$ref": "#/$defs/OpenApiConf",
          "description": "OpenAPI scanner parameters.",
          "markdownDescription": "OpenAPI scanner parameters."
        },
        "soapConf": {
          "$ref": "#/$defs/SoapConf",
          "description": "SOAP API scanner parameters.",
          "markdownDescription": "SOAP API scanner parameters."
        },
        "grpcConf": {
          "$ref": "#/$defs/GrpcConf",
          "description": "gRPC scanner parameters.",
          "markdownDescription": "gRPC scanner parameters."
        },
        "inputVectors": {
          "$ref": "#/$defs/InputVectorParams",
          "description": "Fine-grained control of injectable input vectors (`injectableParam`, `enabledRpcParam`). Input vectors are managed automatically and should only be modified for advanced scenarios under guidance from StackHawk Support.",
          "markdownDescription": "Fine-grained control of injectable input vectors (`injectableParam`, `enabledRpcParam`). Input vectors are managed automatically and should only be modified for advanced scenarios under guidance from StackHawk Support."
        },
        "waitForAppTarget": {
          "$ref": "#/$defs/WaitForAppTarget",
          "description": "Optional configuration for waiting for the host to be up and ready for scanning. Configure `path`, `requestMethod`, `waitTimeoutMillis`, and `pollDelay` to control readiness checks.",
          "markdownDescription": "Optional configuration for waiting for the host to be up and ready for scanning. Configure `path`, `requestMethod`, `waitTimeoutMillis`, and `pollDelay` to control readiness checks."
        },
        "redact": {
          "$ref": "#/$defs/AppRedactions",
          "description": "Specification for additional redaction of sensitive data in scan logs. Configure `headers` (header names to redact) and `values` (static strings to redact). HawkScan automatically redacts `app.authentication` credentials.",
          "markdownDescription": "Specification for additional redaction of sensitive data in scan logs. Configure `headers` (header names to redact) and `values` (static strings to redact). HawkScan automatically redacts `app.authentication` credentials."
        },
        "scanPolicy": {
          "$ref": "#/$defs/OrganizationPolicy",
          "description": "Organization scan policy configuration. Specify `name` (required), `excludePluginIds`, and `includePluginIds`. Works with policies created via [Organization Policy Management](https://docs.stackhawk.com/web-app/policy-management/#organization-policy-management).",
          "markdownDescription": "Organization scan policy configuration. Specify `name` (required), `excludePluginIds`, and `includePluginIds`. Works with policies created via [Organization Policy Management](https://docs.stackhawk.com/web-app/policy-management/#organization-policy-management)."
        },
        "jsonRpcConf": {
          "$ref": "#/$defs/JsonRpcConf",
          "description": "JSON-RPC API scanner parameters.",
          "markdownDescription": "JSON-RPC API scanner parameters."
        }
      },
      "required": [
        "host",
        "applicationId",
        "env"
      ],
      "allOf": [
        {
          "oneOf": [
            {
              "required": [
                "authentication"
              ]
            },
            {
              "not": {
                "anyOf": [
                  {
                    "required": [
                      "authentication"
                    ]
                  }
                ]
              }
            }
          ]
        }
      ],
      "unevaluatedProperties": false
    },
    "Authentication": {
      "additionalProperties": false,
      "type": "object",
      "description": "Configuration block for application authentication to enable scanning as the provided user of your application.\nIf provided, HawkScan will first attempt to sign into your web application with the provided login credentials.\nOnly after successfully verifying will scanning occur.\nFor more information, see the Authenticated Scanning section.",
      "markdownDescription": "Configuration block for application authentication to enable scanning as the provided user of your application.\nIf provided, HawkScan will first attempt to sign into your web application with the provided login credentials.\nOnly after successfully verifying will scanning occur.\nFor more information, see the Authenticated Scanning section.",
      "properties": {
        "usernamePassword": {
          "$ref": "#/$defs/UsernamePasswordCredentials",
          "description": "Optional configuration specifying a username and password based authentication configuration. Do not configure if using `external`.",
          "markdownDescription": "Optional configuration specifying a username and password based authentication configuration. Do not configure if using `external`."
        },
        "external": {
          "$ref": "#/$defs/ExternalCredentials",
          "description": "Optional configuration block for specifying an externally supplied authorization token. Do not configure if using `usernamePassword`.",
          "markdownDescription": "Optional configuration block for specifying an externally supplied authorization token. Do not configure if using `usernamePassword`."
        },
        "script": {
          "$ref": "#/$defs/AuthenticationScript",
          "description": "Optional configuration block for using an authentication script.",
          "markdownDescription": "Optional configuration block for using an authentication script."
        },
        "externalCommand": {
          "$ref": "#/$defs/ExternalCommandCredentials",
          "description": "Optional configuration block for running an external command process.",
          "markdownDescription": "Optional configuration block for running an external command process."
        },
        "oauth": {
          "$ref": "#/$defs/OAuth",
          "description": "Optional configuration block for 3rd Party/OAuth.",
          "markdownDescription": "Optional configuration block for 3rd Party/OAuth."
        },
        "tokenExtraction": {
          "$ref": "#/$defs/TokenExtraction",
          "description": "Optional configuration block for extracting the authorization token from the authentication response.",
          "markdownDescription": "Optional configuration block for extracting the authorization token from the authentication response."
        },
        "cookieAuthorization": {
          "$ref": "#/$defs/CookieAuthorization",
          "description": "Optional configuration specifying if authorization is maintained via a cookie session. Do not configure if using `tokenAuthorization`.",
          "markdownDescription": "Optional configuration specifying if authorization is maintained via a cookie session. Do not configure if using `tokenAuthorization`."
        },
        "tokenAuthorization": {
          "$ref": "#/$defs/TokenAuthorization",
          "description": "Optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access. Do not configure if using `cookieAuthorization`.",
          "markdownDescription": "Optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access. Do not configure if using `cookieAuthorization`."
        },
        "sessionScript": {
          "$ref": "#/$defs/SessionScript",
          "description": "Optional configuration for using a session management script.",
          "markdownDescription": "Optional configuration for using a session management script."
        },
        "loggedInIndicator": {
          "type": "string",
          "description": "A regex to match against HTTP responses from pages in the web application to determine if the scanned page's user session is still logged in to the app, provided as a string (ex. `\".*signed in as.*\"`). Required if authorization token is not a JWT.",
          "markdownDescription": "A regex to match against HTTP responses from pages in the web application to determine if the scanned page's user session is still logged in to the app, provided as a string (ex. `\".*signed in as.*\"`). Required if authorization token is not a JWT."
        },
        "loggedOutIndicator": {
          "type": "string",
          "description": "A regex to match against HTTP responses from pages in the web application to determine if the scanned page's user session is logged out of the app, provided as a string. Required if authorization token is not a JWT.",
          "markdownDescription": "A regex to match against HTTP responses from pages in the web application to determine if the scanned page's user session is logged out of the app, provided as a string. Required if authorization token is not a JWT."
        },
        "testPath": {
          "$ref": "#/$defs/AuthTestPath",
          "description": "A configuration block specifying how to verify authentication/authorization is working.",
          "markdownDescription": "A configuration block specifying how to verify authentication/authorization is working."
        },
        "overrideJWTAutoRenew": {
          "type": "boolean",
          "description": "If set to `true`, HawkScan will not try to auto-renew a JWT.",
          "markdownDescription": "If set to `true`, HawkScan will not try to auto-renew a JWT."
        },
        "profiles": {
          "type": "array",
          "description": "Optional extra credentials.",
          "markdownDescription": "Optional extra credentials.",
          "items": {
            "$ref": "#/$defs/UserProfile"
          }
        }
      },
      "required": [
        "testPath"
      ],
      "allOf": [
        {
          "oneOf": [
            {
              "required": [
                "usernamePassword"
              ]
            },
            {
              "required": [
                "external"
              ]
            },
            {
              "required": [
                "script"
              ]
            },
            {
              "required": [
                "externalCommand"
              ]
            },
            {
              "required": [
                "oauth"
              ]
            },
            {
              "not": {
                "anyOf": [
                  {
                    "required": [
                      "usernamePassword"
                    ]
                  },
                  {
                    "required": [
                      "external"
                    ]
                  },
                  {
                    "required": [
                      "script"
                    ]
                  },
                  {
                    "required": [
                      "externalCommand"
                    ]
                  },
                  {
                    "required": [
                      "oauth"
                    ]
                  }
                ]
              }
            }
          ]
        },
        {
          "oneOf": [
            {
              "required": [
                "cookieAuthorization"
              ]
            },
            {
              "required": [
                "tokenAuthorization"
              ]
            },
            {
              "required": [
                "sessionScript"
              ]
            },
            {
              "not": {
                "anyOf": [
                  {
                    "required": [
                      "cookieAuthorization"
                    ]
                  },
                  {
                    "required": [
                      "tokenAuthorization"
                    ]
                  },
                  {
                    "required": [
                      "sessionScript"
                    ]
                  }
                ]
              }
            }
          ]
        }
      ],
      "title": "Authentication Configuration",
      "unevaluatedProperties": false
    },
    "UsernamePasswordCredentials": {
      "title": "Username/Password Authentication",
      "type": "object",
      "description": "Optional configuration specifying a username and password based authentication configuration.\nCurrently POSTing the credentials via `FORM` or `JSON` type is supported. Use in conjunction with `cookieAuthorization` or `tokenAuthorization` to maintain authorized access to your application.",
      "markdownDescription": "Optional configuration specifying a username and password based authentication configuration.\nCurrently POSTing the credentials via `FORM` or `JSON` type is supported. Use in conjunction with `cookieAuthorization` or `tokenAuthorization` to maintain authorized access to your application.",
      "properties": {
        "loginPagePath": {
          "type": "string",
          "description": "The path to your login form, if applicable. This is an optional path but is often required if the `POST` to the `loginPath` requires an anti-CSRF token to be passed as part of the `POST`. The `app.antiCsrfParam` will be extracted from the response body of a GET request to this page.",
          "markdownDescription": "The path to your login form, if applicable. This is an optional path but is often required if the `POST` to the `loginPath` requires an anti-CSRF token to be passed as part of the `POST`. The `app.antiCsrfParam` will be extracted from the response body of a GET request to this page.",
          "pattern": "^(https?://[^\\s]+|\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+)?(\\?[^\\s]*)?)$"
        },
        "loginPath": {
          "type": "string",
          "description": "**Required**. Login route to `POST` credentials for a user in the application (ex. `/login`). An HTTP `POST` request using the type specified will be made to this path.",
          "markdownDescription": "**Required**. Login route to `POST` credentials for a user in the application (ex. `/login`). An HTTP `POST` request using the type specified will be made to this path.",
          "pattern": "^(https?://[^\\s]+|\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+)?(\\?[^\\s]*)?)$"
        },
        "usernameField": {
          "type": "string",
          "description": "**Required**. The username HTML field used in your application form or JSON, provided as a string.",
          "markdownDescription": "**Required**. The username HTML field used in your application form or JSON, provided as a string."
        },
        "passwordField": {
          "type": "string",
          "description": "**Required**. The password HTML field used in your application form or JSON, provided as a string.",
          "markdownDescription": "**Required**. The password HTML field used in your application form or JSON, provided as a string."
        },
        "scanUsername": {
          "type": "string",
          "description": "**Required**. The username credentials provided to authentication when attempting to log in to the web application, provided as a string.\nHawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. \"${SCAN_USERNAME:admin}\" will use the $SCAN_USERNAME environment variable as the scanUsername, or fall back to admin).",
          "markdownDescription": "**Required**. The username credentials provided to authentication when attempting to log in to the web application, provided as a string.\nHawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. \"${SCAN_USERNAME:admin}\" will use the $SCAN_USERNAME environment variable as the scanUsername, or fall back to admin)."
        },
        "scanPassword": {
          "type": "string",
          "description": "**Required**. The password credentials provided to authentication when attempting to log in to the web application, provided as a string.\nHawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. \"${SCAN_PASSWORD}\" will use the $SCAN_PASSWORD environment variable as the scanPassword).",
          "markdownDescription": "**Required**. The password credentials provided to authentication when attempting to log in to the web application, provided as a string.\nHawkScan best practices recommend using [environment variable runtime overrides](https://docs.stackhawk.com/hawkscan/configuration/#environment-variable-runtime-overrides) for this value (ex. \"${SCAN_PASSWORD}\" will use the $SCAN_PASSWORD environment variable as the scanPassword)."
        },
        "type": {
          "type": "string",
          "description": "An enum value describing the type of `POST` data expected by the `loginPath`",
          "markdownDescription": "An enum value describing the type of `POST` data expected by the `loginPath`",
          "enum": [
            "FORM",
            "JSON",
            "HTTP",
            "JSON_RPC",
            "GRPC"
          ]
        },
        "otherParams": {
          "type": "array",
          "description": "Other request parameters required by your login payload, provided as an array of objects with `name` and `value` string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.",
          "markdownDescription": "Other request parameters required by your login payload, provided as an array of objects with `name` and `value` string keys. This setting is helpful if your authentication process requires other parameters included in the form POST besides the username and password parameters. If in doubt, this setting can be safely left unconfigured.",
          "items": {
            "$ref": "#/$defs/NameValParam"
          }
        },
        "realm": {
          "type": "string",
          "description": "Realm for NTLM authentication",
          "markdownDescription": "Realm for NTLM authentication"
        },
        "jsonrpcMethod": {
          "type": "string",
          "description": "The JSON-RPC method name to call for authentication (e.g., \"auth.login\"). Required when type is JSON_RPC.",
          "markdownDescription": "The JSON-RPC method name to call for authentication (e.g., \"auth.login\"). Required when type is JSON_RPC."
        },
        "grpcMethod": {
          "type": "string",
          "description": "The gRPC method path for authentication (e.g., \"/auth.AuthService/Login\"). Required when type is GRPC. Uses grpcConf for descriptor.",
          "markdownDescription": "The gRPC method path for authentication (e.g., \"/auth.AuthService/Login\"). Required when type is GRPC. Uses grpcConf for descriptor."
        }
      },
      "required": [
        "loginPath",
        "usernameField",
        "passwordField",
        "scanUsername",
        "scanPassword"
      ],
      "additionalProperties": false
    },
    "NameValParam": {
      "properties": {
        "name": {
          "type": "string",
          "description": "Param name.",
          "markdownDescription": "Param name."
        },
        "val": {
          "type": "string",
          "description": "Param value.",
          "markdownDescription": "Param value."
        }
      },
      "type": "object",
      "description": "General name / value parameter.",
      "markdownDescription": "General name / value parameter.",
      "additionalProperties": false
    },
    "ExternalCredentials": {
      "title": "External Token/Cookie Credentials",
      "type": "object",
      "description": "Optional configuration block for specifying an externally supplied authorization token. HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the [Authenticated Scanning section](https://docs.stackhawk.com/hawkscan/configuration/authenticated-scanning.html).",
      "markdownDescription": "Optional configuration block for specifying an externally supplied authorization token. HawkScan will attempt to access a protected path in your web application with the supplied token before scanning. For more information, see the [Authenticated Scanning section](https://docs.stackhawk.com/hawkscan/configuration/authenticated-scanning.html).",
      "properties": {
        "type": {
          "type": "string",
          "description": "Specifies the type of token being supplied. If `COOKIE` is specified, the `.external.value` should be in the form of a cookie value `<cookie-name>=<cookie-value>`. Defaults to `TOKEN`.",
          "markdownDescription": "Specifies the type of token being supplied. If `COOKIE` is specified, the `.external.value` should be in the form of a cookie value `<cookie-name>=<cookie-value>`. Defaults to `TOKEN`.",
          "enum": [
            "TOKEN",
            "COOKIE"
          ]
        },
        "values": {
          "type": "array",
          "description": "The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.",
          "markdownDescription": "The value pairs containing the token that will authorize requests. How the token is passed to your application is determined by the assigned `type`.",
          "items": {
            "$ref": "#/$defs/AuthTokens"
          }
        }
      },
      "additionalProperties": false
    },
    "AuthTokens": {
      "properties": {
        "type": {
          "type": "string",
          "description": "Specifies the type of token being supplied, either `TOKEN` or `COOKIE`. Defaults to `TOKEN`.",
          "markdownDescription": "Specifies the type of token being supplied, either `TOKEN` or `COOKIE`. Defaults to `TOKEN`.",
          "enum": [
            "TOKEN",
            "COOKIE"
          ]
        },
        "tokenType": {
          "type": "string",
          "description": "If specified, `tokenType` will be prepended to the header value, e.g. `tokenType: Bearer` -> \"Bearer xxxxxxxxx\".",
          "markdownDescription": "If specified, `tokenType` will be prepended to the header value, e.g. `tokenType: Bearer` -> \"Bearer xxxxxxxxx\"."
        },
        "value": {
          "$ref": "#/$defs/NameValParam",
          "description": "Name and value of token. If token is specified, it will be appended as `Name: Val`.",
          "markdownDescription": "Name and value of token. If token is specified, it will be appended as `Name: Val`."
        }
      },
      "type": "object",
      "description": "Configuration for Token Authentication.",
      "markdownDescription": "Configuration for Token Authentication.",
      "additionalProperties": false
    },
    "AuthenticationScript": {
      "required": [
        "name"
      ],
      "type": "object",
      "description": "Configuration for a custom authentication script.\nHawkScan will run the provided authentication script until a request matches the `loggedInIndicator`, or if the `loggedOutIndicator` is tripped on a request.\nThe authentication script name should also be included in the `hawkAddOn.scripts.name`.",
      "markdownDescription": "Configuration for a custom authentication script.\nHawkScan will run the provided authentication script until a request matches the `loggedInIndicator`, or if the `loggedOutIndicator` is tripped on a request.\nThe authentication script name should also be included in the `hawkAddOn.scripts.name`.",
      "properties": {
        "name": {
          "type": "string",
          "description": "The name of the authentication script, as specified in the `hawkAddOn.scripts.name`.",
          "markdownDescription": "The name of the authentication script, as specified in the `hawkAddOn.scripts.name`."
        },
        "parameters": {
          "$ref": "#/$defs/ParametersEntry",
          "description": "The parameters required for the authentication script.",
          "markdownDescription": "The parameters required for the authentication script."
        },
        "credentials": {
          "$ref": "#/$defs/CredentialsEntry",
          "description": "The credentials required for the authentication script. These values will be redacted.",
          "markdownDescription": "The credentials required for the authentication script. These values will be redacted."
        }
      },
      "additionalProperties": false
    },
    "ParametersEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "ExternalCommandCredentials": {
      "required": [
        "command"
      ],
      "type": "object",
      "description": "Optional configuration block allowing HawkScan to run a specified command line process. HawkScan will attempt to access a protected path in your web application with the supplied headers or cookies before scanning. For more information, see the [Authenticated Scanning section](https://docs.stackhawk.com/hawkscan/configuration/authenticated-scanning.html).",
      "markdownDescription": "Optional configuration block allowing HawkScan to run a specified command line process. HawkScan will attempt to access a protected path in your web application with the supplied headers or cookies before scanning. For more information, see the [Authenticated Scanning section](https://docs.stackhawk.com/hawkscan/configuration/authenticated-scanning.html).",
      "properties": {
        "command": {
          "type": "string",
          "description": "The command to start the process e.g. `bash`, `python`",
          "markdownDescription": "The command to start the process e.g. `bash`, `python`"
        },
        "parameters": {
          "type": "array",
          "description": "Parameters required to run the script e.g. `-c`, `--verbose`",
          "markdownDescription": "Parameters required to run the script e.g. `-c`, `--verbose`",
          "items": {
            "type": "string"
          }
        },
        "timeoutSeconds": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.",
          "markdownDescription": "Maximum time in seconds to wait for the process to complete. Defaults to 60 seconds.",
          "default": 60,
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        }
      },
      "additionalProperties": false
    },
    "OAuth": {
      "properties": {
        "credentials": {
          "$ref": "#/$defs/OAuthCredentials",
          "description": "Credentials needed to authenticate with an OAuth/3rd party provider e.g. password, clientSecret, etc.",
          "markdownDescription": "Credentials needed to authenticate with an OAuth/3rd party provider e.g. password, clientSecret, etc."
        },
        "parameters": {
          "$ref": "#/$defs/OAuthParameters",
          "description": "Non-sensitive parameters to use with an OAuth/3rd party provider e.g. tokenEndpoint, scope, etc.",
          "markdownDescription": "Non-sensitive parameters to use with an OAuth/3rd party provider e.g. tokenEndpoint, scope, etc."
        }
      },
      "type": "object",
      "description": "Optional configuration block allowing HawkScan to authorize requests with a 3rd party [OAuth 2.0](https://oauth.net/2/) auth provider.",
      "markdownDescription": "Optional configuration block allowing HawkScan to authorize requests with a 3rd party [OAuth 2.0](https://oauth.net/2/) auth provider.",
      "additionalProperties": false
    },
    "OAuthCredentials": {
      "properties": {
        "username": {
          "type": "string",
          "description": "Username which will be posted in the request body to the token endpoint with the field name of `username`.",
          "markdownDescription": "Username which will be posted in the request body to the token endpoint with the field name of `username`."
        },
        "password": {
          "type": "string",
          "description": "Password which will be posted in the request body to the token endpoint with the field name of `password`.",
          "markdownDescription": "Password which will be posted in the request body to the token endpoint with the field name of `password`."
        },
        "clientId": {
          "type": "string",
          "description": "The client id of your application registered with your OAuth provider which will be posted in the request body to the token endpoint with the field name of `client_id`.",
          "markdownDescription": "The client id of your application registered with your OAuth provider which will be posted in the request body to the token endpoint with the field name of `client_id`."
        },
        "clientSecret": {
          "type": "string",
          "description": "The client secret of your application registered with your OAuth provider which will be posted in the request body to the token endpoint with the field name of `client_secret`.",
          "markdownDescription": "The client secret of your application registered with your OAuth provider which will be posted in the request body to the token endpoint with the field name of `client_secret`."
        },
        "additionalCreds": {
          "$ref": "#/$defs/AdditionalCredsEntry",
          "description": "A list of name/value pairs of any additional fields or credentials that need to be posted to the OAuth provider token endpoint.",
          "markdownDescription": "A list of name/value pairs of any additional fields or credentials that need to be posted to the OAuth provider token endpoint."
        }
      },
      "type": "object",
      "description": "Credential parameters sent to an OAuth/3rd party provider.",
      "markdownDescription": "Credential parameters sent to an OAuth/3rd party provider."
    },
    "AdditionalCredsEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "OAuthParameters": {
      "properties": {
        "tokenEndpoint": {
          "type": "string",
          "description": "URL of the endpoint to get a token",
          "markdownDescription": "URL of the endpoint to get a token"
        },
        "grantType": {
          "type": "string",
          "description": "Grant type of token request, this will be passed to the request body of the token endpoint as `grant_type`.",
          "markdownDescription": "Grant type of token request, this will be passed to the request body of the token endpoint as `grant_type`."
        },
        "scope": {
          "type": "string",
          "description": "Scope type of token request, this will be passed to the request body of the token endpoint as `scope`.",
          "markdownDescription": "Scope type of token request, this will be passed to the request body of the token endpoint as `scope`."
        },
        "additionalQueryParams": {
          "$ref": "#/$defs/AdditionalQueryParamsEntry",
          "description": "A list of optional additional name/value pairs to be passed to the query string.",
          "markdownDescription": "A list of optional additional name/value pairs to be passed to the query string."
        },
        "additionalBodyParams": {
          "$ref": "#/$defs/AdditionalBodyParamsEntry",
          "description": "A list of optional additional name/value pairs to be included in the request body of the post.\n **NOTE:** These values are not redacted. If you need additional sensitive values, please use `outhCredentials.additionalCreds`.",
          "markdownDescription": "A list of optional additional name/value pairs to be included in the request body of the post.\n **NOTE:** These values are not redacted. If you need additional sensitive values, please use `outhCredentials.additionalCreds`."
        },
        "requestMethod": {
          "type": "string",
          "description": "HTTP method for accessing the token endpoint. The default is POST.",
          "markdownDescription": "HTTP method for accessing the token endpoint. The default is POST.",
          "enum": [
            "POST",
            "PUT",
            "DELETE",
            "GET",
            "OPTIONS",
            "PATCH",
            "HEAD"
          ]
        },
        "requestHeaders": {
          "$ref": "#/$defs/RequestHeadersEntry",
          "description": "Additional headers to be sent along with the request to the token endpoint",
          "markdownDescription": "Additional headers to be sent along with the request to the token endpoint"
        }
      },
      "type": "object",
      "description": "Configuration parameters sent to an OAuth/3rd party provider.",
      "markdownDescription": "Configuration parameters sent to an OAuth/3rd party provider."
    },
    "AdditionalQueryParamsEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "AdditionalBodyParamsEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "RequestHeadersEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "TokenExtraction": {
      "title": "Token Extraction Configuration",
      "type": "object",
      "description": "Token extraction is optional unless you're using the `tokenAuthorization` in combination with `usernamePassword` authentication. This configuration specifies how to extract the authorization token from the authentication response.",
      "markdownDescription": "Token extraction is optional unless you're using the `tokenAuthorization` in combination with `usernamePassword` authentication. This configuration specifies how to extract the authorization token from the authentication response.",
      "properties": {
        "type": {
          "type": "string",
          "description": "Specifying `TOKEN_PATH` tells HawkScan to extract the token from the JSON payload of the response from authentication. `HEADER_NAME` tells HawkScan to extract the token from a header in the response from authentication. Defaults to `TOKEN_PATH`.",
          "markdownDescription": "Specifying `TOKEN_PATH` tells HawkScan to extract the token from the JSON payload of the response from authentication. `HEADER_NAME` tells HawkScan to extract the token from a header in the response from authentication. Defaults to `TOKEN_PATH`.",
          "enum": [
            "TOKEN_PATH",
            "HEADER_NAME"
          ]
        },
        "value": {
          "type": "string",
          "description": "**Required**. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token.\nExample: if the authentication response JSON payload looks like `{\"auth\" : {\"token\": \"<my-auth-token>\"}}` the value would be `auth.token`. If the authentication response has a header named `AuthToken: <my-token>`, then the value should be `AuthToken`.",
          "markdownDescription": "**Required**. String containing the path to the token in the JSON payload authentication response or the name of the response header containing the token.\nExample: if the authentication response JSON payload looks like `{\"auth\" : {\"token\": \"<my-auth-token>\"}}` the value would be `auth.token`. If the authentication response has a header named `AuthToken: <my-token>`, then the value should be `AuthToken`."
        }
      },
      "required": [
        "value"
      ],
      "additionalProperties": false
    },
    "CookieAuthorization": {
      "properties": {
        "cookieNames": {
          "type": "array",
          "description": "A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like `jsessionid` or `PHPSESS`. When used in combination with authentication, HawkScan will use this value to persist authenticated session state with your application.",
          "markdownDescription": "A list of strings that are the names of cookies used for maintaining a session. Typically this is one value like `jsessionid` or `PHPSESS`. When used in combination with authentication, HawkScan will use this value to persist authenticated session state with your application.",
          "items": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "description": "An optional configuration specifying if authorization is maintained via a cookie session.",
      "markdownDescription": "An optional configuration specifying if authorization is maintained via a cookie session.",
      "additionalProperties": false
    },
    "TokenAuthorization": {
      "title": "Token Authorization Configuration",
      "type": "object",
      "description": "An optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access.",
      "markdownDescription": "An optional configuration telling HawkScan how to pass the authorization token to your application on each request to maintain authorized access.",
      "properties": {
        "type": {
          "type": "string",
          "description": "An enum value representing how to pass the authorization token to your application.\n`HEADER` indicates that each request should have the authorization token header added to the requests.\n`QUERY_PARAM` indicates that the token should be passed as a query parameter.",
          "markdownDescription": "An enum value representing how to pass the authorization token to your application.\n`HEADER` indicates that each request should have the authorization token header added to the requests.\n`QUERY_PARAM` indicates that the token should be passed as a query parameter.",
          "enum": [
            "HEADER",
            "QUERY_PARAM"
          ]
        },
        "value": {
          "type": "string",
          "description": "**Required**. The name of the `HEADER` or `QUERY_PARAM` the token should be passed as.",
          "markdownDescription": "**Required**. The name of the `HEADER` or `QUERY_PARAM` the token should be passed as."
        },
        "tokenType": {
          "type": "string",
          "description": "TokenType will be prepended to the header value e.g. tokenType: TOKEN -> \"TOKEN xxxxxxxxx\"",
          "markdownDescription": "TokenType will be prepended to the header value e.g. tokenType: TOKEN -> \"TOKEN xxxxxxxxx\"",
          "default": "Bearer"
        },
        "isJWT": {
          "type": "boolean",
          "description": "If the token is a JWT, mark this field as true",
          "markdownDescription": "If the token is a JWT, mark this field as true",
          "default": false
        },
        "renewMillis": {
          "type": [
            "number",
            "string"
          ],
          "description": "If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.",
          "markdownDescription": "If isJWT is set to true, this field will determine the time in milliseconds before expiration to auto renew the JWT.",
          "exclusiveMinimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9])$"
        }
      },
      "required": [
        "value"
      ],
      "additionalProperties": false
    },
    "SessionScript": {
      "required": [
        "name"
      ],
      "type": "object",
      "description": "Optional configuration block for specifying a custom session management script. To learn more about session scripts, reference the [HawkScan Examples](https://github.com/kaakaww/hawkscan-examples) repository.",
      "markdownDescription": "Optional configuration block for specifying a custom session management script. To learn more about session scripts, reference the [HawkScan Examples](https://github.com/kaakaww/hawkscan-examples) repository.",
      "properties": {
        "name": {
          "type": "string",
          "description": "**Required**. The name of the session script defined in `hawkAddOn.scripts`. The script `type` must be `session`, and match the `hawkAddOn.scripts.name` field.",
          "markdownDescription": "**Required**. The name of the session script defined in `hawkAddOn.scripts`. The script `type` must be `session`, and match the `hawkAddOn.scripts.name` field."
        },
        "parameters": {
          "$ref": "#/$defs/ParametersEntry",
          "description": "A map of key/value pairs that will be passed to your session script, which can be accessed via the `sessionWrapper.getParam()` function.",
          "markdownDescription": "A map of key/value pairs that will be passed to your session script, which can be accessed via the `sessionWrapper.getParam()` function."
        }
      },
      "additionalProperties": false
    },
    "AuthTestPath": {
      "additionalProperties": false,
      "type": "object",
      "description": "A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.\n\nAn example configuration of `app.authentication.testPath`:\n```yaml\n app:\n  authentication:\n    testPath:\n      type: HEADER\n      path: /user/profile\n      success: \".*200.*\"\n      requestMethod: POST\n      requestBody: '{\"feeling\": \"KaaKaww!\"}'\n      requestHeaders:\n        Content-Type: \"application/json\"\n```\n\nThis uses either `success` or `fail` criteria to determine if authorized access is working correctly.",
      "markdownDescription": "A configuration specifying how to verify if Scan authentication and authorization is working before running a scan.\n\nAn example configuration of `app.authentication.testPath`:\n```yaml\n app:\n  authentication:\n    testPath:\n      type: HEADER\n      path: /user/profile\n      success: \".*200.*\"\n      requestMethod: POST\n      requestBody: '{\"feeling\": \"KaaKaww!\"}'\n      requestHeaders:\n        Content-Type: \"application/json\"\n```\n\nThis uses either `success` or `fail` criteria to determine if authorized access is working correctly.",
      "properties": {
        "type": {
          "type": "string",
          "description": "An enum value representing what to match against in the response from issuing a request to the `testPath.path`. The supported values are `HEADER` and `BODY`.",
          "markdownDescription": "An enum value representing what to match against in the response from issuing a request to the `testPath.path`. The supported values are `HEADER` and `BODY`.",
          "enum": [
            "HEADER",
            "BODY"
          ]
        },
        "path": {
          "type": "string",
          "description": "**Required**. The path to a protected route in your application that requires authorization. For example `/mysettings`. A `GET` request will be made to this path using the configured authentication.",
          "markdownDescription": "**Required**. The path to a protected route in your application that requires authorization. For example `/mysettings`. A `GET` request will be made to this path using the configured authentication.",
          "pattern": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "success": {
          "type": "string",
          "description": "A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`.\nA match of the regex supplied will indicate that scanning should proceed with the specified authentication.\n\nHawkScan requires that either `success` OR `fail` be configured (do not configure both).",
          "markdownDescription": "A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`.\nA match of the regex supplied will indicate that scanning should proceed with the specified authentication.\n\nHawkScan requires that either `success` OR `fail` be configured (do not configure both)."
        },
        "fail": {
          "type": "string",
          "description": "A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`.\nA match of the regex supplied will indicate that scanning should halt and enter an error state.\n\nHawkScan requires that either `success` OR `fail` be configured (do not configure both).",
          "markdownDescription": "A regex that will match against the response header or body, specified by `type`, of the GET request to the `path`.\nA match of the regex supplied will indicate that scanning should halt and enter an error state.\n\nHawkScan requires that either `success` OR `fail` be configured (do not configure both)."
        },
        "requestMethod": {
          "type": "string",
          "description": "Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.",
          "markdownDescription": "Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.",
          "enum": [
            "GET",
            "POST",
            "PUT",
            "PATCH"
          ]
        },
        "requestBody": {
          "type": "string",
          "description": "The request content to send along with POST or PUT requests for authentication verification.",
          "markdownDescription": "The request content to send along with POST or PUT requests for authentication verification."
        },
        "requestHeaders": {
          "$ref": "#/$defs/RequestHeadersEntry",
          "description": "List of key/value pairs to be included as headers in the request to the `path`.\nHeaders that match the following pattern are unable to be added or modified `'^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'`.",
          "markdownDescription": "List of key/value pairs to be included as headers in the request to the `path`.\nHeaders that match the following pattern are unable to be added or modified `'^(Host|Origin|Proxy-.*|Sec-.*|Content-Length)'`."
        },
        "grpcTestMethod": {
          "type": "string",
          "description": "The gRPC method path to call for authentication validation (e.g., \"/auth.AuthService/ValidateToken\"). Only used when authentication type is GRPC.",
          "markdownDescription": "The gRPC method path to call for authentication validation (e.g., \"/auth.AuthService/ValidateToken\"). Only used when authentication type is GRPC."
        }
      },
      "required": [
        "path"
      ],
      "allOf": [
        {
          "oneOf": [
            {
              "required": [
                "success"
              ]
            },
            {
              "required": [
                "fail"
              ]
            }
          ]
        }
      ],
      "title": "Authentication Test Path",
      "unevaluatedProperties": false
    },
    "UserProfile": {
      "allOf": [
        {
          "oneOf": [
            {
              "required": [
                "userNamePassword"
              ]
            },
            {
              "required": [
                "external"
              ]
            },
            {
              "required": [
                "authScript"
              ]
            },
            {
              "not": {
                "anyOf": [
                  {
                    "required": [
                      "userNamePassword"
                    ]
                  },
                  {
                    "required": [
                      "external"
                    ]
                  },
                  {
                    "required": [
                      "authScript"
                    ]
                  }
                ]
              }
            }
          ]
        }
      ],
      "type": "object",
      "description": "Configuration for additional user profiles used in multi-user scanning scenarios for testing multi-tenancy isolation and access control.",
      "markdownDescription": "Configuration for additional user profiles used in multi-user scanning scenarios for testing multi-tenancy isolation and access control.",
      "properties": {
        "name": {
          "type": "string",
          "description": "**Required**. A unique identifier name for this user profile to distinguish between different users during multi-user scans.",
          "markdownDescription": "**Required**. A unique identifier name for this user profile to distinguish between different users during multi-user scans."
        },
        "userNamePassword": {
          "$ref": "#/$defs/UserNamePassword",
          "description": "Username and password based authentication for this profile.",
          "markdownDescription": "Username and password based authentication for this profile."
        },
        "external": {
          "$ref": "#/$defs/External",
          "description": "External token based authentication for this profile.",
          "markdownDescription": "External token based authentication for this profile."
        },
        "authScript": {
          "$ref": "#/$defs/ProfileScript",
          "description": "Custom authentication script for this profile.",
          "markdownDescription": "Custom authentication script for this profile."
        },
        "isPrivileged": {
          "type": "boolean",
          "description": "Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users).",
          "markdownDescription": "Indicates whether this user profile has elevated privileges (true for admin/privileged users, false for standard users)."
        },
        "globalParameters": {
          "$ref": "#/$defs/GlobalParametersEntry",
          "description": "Use this for parameters for individual users that can't be discovered by smart crawling.",
          "markdownDescription": "Use this for parameters for individual users that can't be discovered by smart crawling."
        }
      },
      "unevaluatedProperties": false
    },
    "UserNamePassword": {
      "properties": {
        "username": {
          "type": "string",
          "description": "**Required**. The username for this user profile. Use environment variable interpolation (e.g., `${USER2_USERNAME}`).",
          "markdownDescription": "**Required**. The username for this user profile. Use environment variable interpolation (e.g., `${USER2_USERNAME}`)."
        },
        "password": {
          "type": "string",
          "description": "**Required**. The password for this user profile. Use environment variable interpolation (e.g., `${USER2_PASSWORD}`).",
          "markdownDescription": "**Required**. The password for this user profile. Use environment variable interpolation (e.g., `${USER2_PASSWORD}`)."
        }
      },
      "type": "object",
      "description": "Username and password credentials for basic authentication similar to the primary authentication configuration.",
      "markdownDescription": "Username and password credentials for basic authentication similar to the primary authentication configuration."
    },
    "External": {
      "properties": {
        "authTokens": {
          "type": "array",
          "description": "List of authentication tokens to use for this user profile. Can include multiple tokens or cookies.",
          "markdownDescription": "List of authentication tokens to use for this user profile. Can include multiple tokens or cookies.",
          "items": {
            "$ref": "#/$defs/AuthTokens"
          }
        }
      },
      "type": "object",
      "description": "External authentication tokens for this user profile using pre-obtained tokens (e.g., JWT tokens, API keys, or session cookies).",
      "markdownDescription": "External authentication tokens for this user profile using pre-obtained tokens (e.g., JWT tokens, API keys, or session cookies)."
    },
    "ProfileScript": {
      "properties": {
        "name": {
          "type": "string",
          "description": "**Required**. The name of the authentication script defined in `hawkAddOn.scripts` to use for this profile.",
          "markdownDescription": "**Required**. The name of the authentication script defined in `hawkAddOn.scripts` to use for this profile."
        },
        "credentials": {
          "$ref": "#/$defs/CredentialsEntry",
          "description": "Key-value pairs of sensitive credentials required by the authentication script that will be redacted from logs.",
          "markdownDescription": "Key-value pairs of sensitive credentials required by the authentication script that will be redacted from logs."
        }
      },
      "type": "object",
      "description": "Custom authentication script configuration for this user profile requiring custom authentication logic.",
      "markdownDescription": "Custom authentication script configuration for this user profile requiring custom authentication logic."
    },
    "GlobalParametersEntry": {
      "type": "object",
      "additionalProperties": {
        "type": "string"
      }
    },
    "GraphQLConf": {
      "properties": {
        "schemaPath": {
          "type": "string",
          "description": "Path to the GraphQL introspection endpoint, relative to the target URI.",
          "markdownDescription": "Path to the GraphQL introspection endpoint, relative to the target URI.",
          "pattern": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "requestMethod": {
          "type": "string",
          "description": "Request method to use for queries. Will generate GraphQL queries as either `POST` payloads or `GET` uri strings.",
          "markdownDescription": "Request method to use for queries. Will generate GraphQL queries as either `POST` payloads or `GET` uri strings.",
          "enum": [
            "POST",
            "GET"
          ]
        },
        "uriMaxLength": {
          "type": [
            "number",
            "string"
          ],
          "description": "Max length of URIs when generating queries for GET requests.",
          "markdownDescription": "Max length of URIs when generating queries for GET requests.",
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "maxDepth": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum depth for generated query graphs.",
          "markdownDescription": "Maximum depth for generated query graphs.",
          "exclusiveMinimum": 0,
          "maximum": 50,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "enabled": {
          "type": "boolean",
          "description": "Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint.",
          "markdownDescription": "Enable GraphQL scan support. HawkScan will enumerate all possible field types and input values for GraphQL Queries and Mutations. Provide relative path to the API endpoint."
        },
        "operation": {
          "type": "string",
          "description": "GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are `ALL`, `QUERY` and `MUTATION`.",
          "markdownDescription": "GraphQL operation to enumerate and scan. Defaults to find all Query and Mutation operations. Options are `ALL`, `QUERY` and `MUTATION`.",
          "enum": [
            "ALL",
            "QUERY",
            "MUTATION"
          ]
        },
        "filePath": {
          "type": "string",
          "description": "Path to a local GraphQL schema file (SDL format) to use instead of introspection.",
          "markdownDescription": "Path to a local GraphQL schema file (SDL format) to use instead of introspection."
        },
        "excludeOperations": {
          "type": "array",
          "description": "GraphQL operations to exclude from the spider.",
          "markdownDescription": "GraphQL operations to exclude from the spider.",
          "items": {
            "$ref": "#/$defs/GraphQLExcludeOperationParam"
          }
        },
        "fakerEnabled": {
          "type": "boolean",
          "description": "Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables.",
          "markdownDescription": "Enables faker for a GraphQL scan to generate more realistic values when format is provided on the API spec or custom variables."
        },
        "customVariables": {
          "type": "array",
          "description": "Define custom variables and values for use in GraphQL scanning.",
          "markdownDescription": "Define custom variables and values for use in GraphQL scanning.",
          "items": {
            "$ref": "#/$defs/GraphQLCustomVariable"
          }
        }
      },
      "type": "object",
      "description": "Configure how HawkScan interacts with [GraphQL](https://spec.graphql.org/June2018/) APIs.\n\nOne of the following is **Required**:\n- `schemaPath`: Relative path to the introspection endpoint (based on the host address).\n- `filePath`: Relative path to a GraphQL schema file (SDL format).\n\nThe following are **Optional**:\n- `operation`: Adjust the operation requests generated by the spider (`QUERY` or `MUTATION`, defaults to both).\n- `excludeOperations`: Exclude particular GraphQL operations from being scanned.\n\nFor full details, see [GraphQL Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/graphql-configuration.html).",
      "markdownDescription": "Configure how HawkScan interacts with [GraphQL](https://spec.graphql.org/June2018/) APIs.\n\nOne of the following is **Required**:\n- `schemaPath`: Relative path to the introspection endpoint (based on the host address).\n- `filePath`: Relative path to a GraphQL schema file (SDL format).\n\nThe following are **Optional**:\n- `operation`: Adjust the operation requests generated by the spider (`QUERY` or `MUTATION`, defaults to both).\n- `excludeOperations`: Exclude particular GraphQL operations from being scanned.\n\nFor full details, see [GraphQL Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/graphql-configuration.html).",
      "additionalProperties": false
    },
    "GraphQLExcludeOperationParam": {
      "properties": {
        "name": {
          "type": "string",
          "description": "GraphQL operation name.",
          "markdownDescription": "GraphQL operation name."
        },
        "type": {
          "type": "string",
          "description": "GraphQL operation type. Options are `ALL`, `QUERY` and `MUTATION`.",
          "markdownDescription": "GraphQL operation type. Options are `ALL`, `QUERY` and `MUTATION`.",
          "enum": [
            "ALL",
            "QUERY",
            "MUTATION"
          ]
        }
      },
      "type": "object",
      "description": "A GraphQL operation to exclude from the spider by name and type.",
      "markdownDescription": "A GraphQL operation to exclude from the spider by name and type.",
      "additionalProperties": false
    },
    "GraphQLCustomVariable": {
      "properties": {
        "field": {
          "type": "string",
          "description": "The field name of the param to inject values into.",
          "markdownDescription": "The field name of the param to inject values into."
        },
        "values": {
          "type": "array",
          "description": "A list of possible values to be randomly selected for the given field.",
          "markdownDescription": "A list of possible values to be randomly selected for the given field.",
          "items": {
            "type": "string"
          }
        },
        "operationName": {
          "type": "string",
          "description": "An optional operationName that will only inject custom values if the name of the operation on the request matches.",
          "markdownDescription": "An optional operationName that will only inject custom values if the name of the operation on the request matches."
        },
        "operationType": {
          "type": "string",
          "description": "An optional GraphQL operation type (MUTATION or QUERY) that will inject custom values only when the request matches the operation type.",
          "markdownDescription": "An optional GraphQL operation type (MUTATION or QUERY) that will inject custom values only when the request matches the operation type.",
          "enum": [
            "ALL",
            "QUERY",
            "MUTATION"
          ]
        }
      },
      "type": "object",
      "description": "Custom variable data specific to OpenAPI schemas.",
      "markdownDescription": "Custom variable data specific to OpenAPI schemas.",
      "additionalProperties": false
    },
    "OpenApiConf": {
      "properties": {
        "path": {
          "type": "string",
          "description": "A string relative path to an OpenAPI specification file (JSON or YAML) from the scanned host.",
          "markdownDescription": "A string relative path to an OpenAPI specification file (JSON or YAML) from the scanned host.",
          "pattern": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "filePath": {
          "type": "string",
          "description": "Path to a local OpenAPI specification file (JSON or YAML format).",
          "markdownDescription": "Path to a local OpenAPI specification file (JSON or YAML format)."
        },
        "strict": {
          "type": "boolean",
          "description": "Whether to enable strict parsing of the OpenAPI.",
          "markdownDescription": "Whether to enable strict parsing of the OpenAPI."
        },
        "customVariables": {
          "type": "array",
          "description": "Define custom variables and values for use in REST API scanning.",
          "markdownDescription": "Define custom variables and values for use in REST API scanning.",
          "items": {
            "$ref": "#/$defs/OpenApiCustomVariable"
          }
        },
        "includeAllMethods": {
          "type": "boolean",
          "description": "When custom variables are provided, DELETE's are skipped for injection. Set this to true to override this default and include all methods in variable injection.",
          "markdownDescription": "When custom variables are provided, DELETE's are skipped for injection. Set this to true to override this default and include all methods in variable injection."
        },
        "includedMethods": {
          "type": "array",
          "description": "List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.",
          "markdownDescription": "List of methods to include in custom variable injection. Note: if 'includeAllMethods' is set to true, this list is ignored and all methods will be used for custom variable injection.",
          "items": {
            "type": "string",
            "enum": [
              "POST",
              "PUT",
              "DELETE",
              "GET",
              "OPTIONS",
              "PATCH",
              "HEAD"
            ]
          }
        },
        "fakerEnabled": {
          "type": "boolean",
          "description": "Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables.",
          "markdownDescription": "Enables faker for a REST API scan to generate more realistic values when format is provided on the API spec or custom variables."
        },
        "maxAliasesForCollections": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum number of aliases for a collection when parsing YAML.\n Increase this value if you see the  \"Number of aliases for non-scalar nodes exceeds the specified max=100\" error.",
          "markdownDescription": "Maximum number of aliases for a collection when parsing YAML.\n Increase this value if you see the  \"Number of aliases for non-scalar nodes exceeds the specified max=100\" error.",
          "default": 100,
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "forbiddenVariables": {
          "type": "array",
          "description": "Custom variables that the user should not see for tenancy checks.",
          "markdownDescription": "Custom variables that the user should not see for tenancy checks.",
          "items": {
            "$ref": "#/$defs/OpenApiCustomVariable"
          }
        },
        "filePaths": {
          "type": "array",
          "description": "A list of relative path to specification file(s) (JSON or YAML) for the open api generation for specs with multiple open api files.",
          "markdownDescription": "A list of relative path to specification file(s) (JSON or YAML) for the open api generation for specs with multiple open api files.",
          "items": {
            "type": "string"
          }
        },
        "usePlatform": {
          "type": "boolean",
          "description": "Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan.",
          "markdownDescription": "Use the OpenApi Specifications mapped to this application from the StackHawk Platform for this scan."
        },
        "globalParameters": {
          "$ref": "#/$defs/GlobalParametersEntry",
          "description": "Use this for parameters for all users that can't be discovered by smart crawling.",
          "markdownDescription": "Use this for parameters for all users that can't be discovered by smart crawling."
        }
      },
      "type": "object",
      "description": "Define how HawkScan scans [OpenAPI](https://swagger.io/specification/) endpoints.\n\nOne of the following is **Required**:\n- `filePath`: Path to a local OpenAPI specification file (JSON or YAML).\n- `path`: URL path to fetch the OpenAPI spec from the scanned host.\n\nFor full details such as custom variable injection, see [OpenAPI Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/openapi-configuration.html).",
      "markdownDescription": "Define how HawkScan scans [OpenAPI](https://swagger.io/specification/) endpoints.\n\nOne of the following is **Required**:\n- `filePath`: Path to a local OpenAPI specification file (JSON or YAML).\n- `path`: URL path to fetch the OpenAPI spec from the scanned host.\n\nFor full details such as custom variable injection, see [OpenAPI Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/openapi-configuration.html).",
      "additionalProperties": false
    },
    "OpenApiCustomVariable": {
      "properties": {
        "field": {
          "type": "string",
          "description": "The field name of the param to inject values into.",
          "markdownDescription": "The field name of the param to inject values into."
        },
        "values": {
          "type": "array",
          "description": "A list of possible values to be randomly selected for the given field.",
          "markdownDescription": "A list of possible values to be randomly selected for the given field.",
          "items": {
            "type": "string"
          }
        },
        "path": {
          "type": "string",
          "description": "An optional path regex that will only inject custom values if the path of the request matches.",
          "markdownDescription": "An optional path regex that will only inject custom values if the path of the request matches."
        },
        "requestMethods": {
          "type": "array",
          "description": "A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.",
          "markdownDescription": "A list of optional HTTP request methods that will inject custom values only when the request matches one of those methods.",
          "items": {
            "type": "string",
            "enum": [
              "POST",
              "PUT",
              "DELETE",
              "GET",
              "OPTIONS",
              "PATCH",
              "HEAD"
            ]
          }
        }
      },
      "type": "object",
      "description": "Custom variable data specific to OpenAPI schemas.",
      "markdownDescription": "Custom variable data specific to OpenAPI schemas.",
      "additionalProperties": false
    },
    "SoapConf": {
      "properties": {
        "path": {
          "type": "string",
          "description": "Host path to the SOAP WSDL, prefixed with a `/` .",
          "markdownDescription": "Host path to the SOAP WSDL, prefixed with a `/` .",
          "pattern": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "filePath": {
          "type": "string",
          "description": "Relative path to the SOAP WSDL schema definition file.",
          "markdownDescription": "Relative path to the SOAP WSDL schema definition file."
        }
      },
      "type": "object",
      "description": "Set parameters for scanning [SOAP](https://www.w3.org/TR/soap/) APIs.\n\nOne of the following is **Required**:\n- `path`: Relative URL to fetch the SOAP API WSDL from the scanned host.\n- `filePath`: Path to a local SOAP API WSDL specification file.\n\nFor full details, see [SOAP Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/soap-configuration.html).",
      "markdownDescription": "Set parameters for scanning [SOAP](https://www.w3.org/TR/soap/) APIs.\n\nOne of the following is **Required**:\n- `path`: Relative URL to fetch the SOAP API WSDL from the scanned host.\n- `filePath`: Path to a local SOAP API WSDL specification file.\n\nFor full details, see [SOAP Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/soap-configuration.html).",
      "additionalProperties": false
    },
    "GrpcConf": {
      "properties": {
        "path": {
          "type": "string",
          "description": "Host path for the grpc reflection endpoint.",
          "markdownDescription": "Host path for the grpc reflection endpoint."
        },
        "filePath": {
          "type": "string",
          "description": "Path to a local gRPC [protobuf descriptor_set](https://protobuf.com/docs/descriptors) file.",
          "markdownDescription": "Path to a local gRPC [protobuf descriptor_set](https://protobuf.com/docs/descriptors) file."
        },
        "customVariables": {
          "type": "array",
          "description": "Define custom variables and values for use in gRPC scanning.",
          "markdownDescription": "Define custom variables and values for use in gRPC scanning.",
          "items": {
            "$ref": "#/$defs/CustomVariable"
          }
        },
        "maxDepth": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum depth for resolving nested protobuf.",
          "markdownDescription": "Maximum depth for resolving nested protobuf.",
          "default": 10,
          "exclusiveMinimum": 0,
          "maximum": 50,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "filePaths": {
          "type": "array",
          "description": "A list of paths to the grpc [protobuf descriptor_set](https://protobuf.com/docs/descriptors) file.",
          "markdownDescription": "A list of paths to the grpc [protobuf descriptor_set](https://protobuf.com/docs/descriptors) file.",
          "items": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "description": "Configure HawkScan for [gRPC](https://grpc.io/) API scanning.\n\nOne of the following is **Required**:\n- `path`: Reflection endpoint for reading gRPC schema.\n- `filePath`: Relative path to a [protobuf descriptor_set](https://protobuf.com/docs/descriptors) file.\n\nFor full details such as custom variable injection, see [gRPC Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/gRPC-configuration.html).",
      "markdownDescription": "Configure HawkScan for [gRPC](https://grpc.io/) API scanning.\n\nOne of the following is **Required**:\n- `path`: Reflection endpoint for reading gRPC schema.\n- `filePath`: Relative path to a [protobuf descriptor_set](https://protobuf.com/docs/descriptors) file.\n\nFor full details such as custom variable injection, see [gRPC Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/gRPC-configuration.html).",
      "additionalProperties": false
    },
    "CustomVariable": {
      "properties": {
        "field": {
          "type": "string",
          "description": "The field name of the param to inject values into.  Using object notation will resolve nested objects for request bodies e.g. myobject.id",
          "markdownDescription": "The field name of the param to inject values into.  Using object notation will resolve nested objects for request bodies e.g. myobject.id"
        },
        "values": {
          "type": "array",
          "description": "A list of possible values to be randomly selected for the given field.",
          "markdownDescription": "A list of possible values to be randomly selected for the given field.",
          "items": {
            "type": "string"
          }
        },
        "path": {
          "type": "string",
          "description": "Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction",
          "markdownDescription": "Optional path for the endpoint or gRPC service to hit e.g. /myservice/myfunction"
        }
      },
      "type": "object",
      "description": "Generic custom variable for different API types.",
      "markdownDescription": "Generic custom variable for different API types.",
      "additionalProperties": false
    },
    "InputVectorParams": {
      "properties": {
        "injectableParam": {
          "$ref": "#/$defs/InjectableParam",
          "description": "Configuration of where params are injectable in the request.",
          "markdownDescription": "Configuration of where params are injectable in the request."
        },
        "enabledRpcParam": {
          "$ref": "#/$defs/EnabledRPCParam",
          "description": "Configuration of what RPC parts are injectable by configuration.",
          "markdownDescription": "Configuration of what RPC parts are injectable by configuration."
        }
      },
      "type": "object",
      "description": "Fine-grained configuration of HawkScan input vectors. This configuration is how and where testable inputs are applied on http requests.",
      "markdownDescription": "Fine-grained configuration of HawkScan input vectors. This configuration is how and where testable inputs are applied on http requests."
    },
    "InjectableParam": {
      "properties": {
        "urlQueryParam": {
          "type": "boolean",
          "description": "Allow injection of testable inputs url query parameter values.",
          "markdownDescription": "Allow injection of testable inputs url query parameter values."
        },
        "urlQuery": {
          "type": "boolean",
          "description": "Allow injections of testable inputs url query parameter names.",
          "markdownDescription": "Allow injections of testable inputs url query parameter names."
        },
        "postData": {
          "type": "boolean",
          "description": "Allow injection of testable inputs request body inputs on POST requests.",
          "markdownDescription": "Allow injection of testable inputs request body inputs on POST requests."
        },
        "urlPath": {
          "type": "boolean",
          "description": "Allow injection of testable inputs url paths.",
          "markdownDescription": "Allow injection of testable inputs url paths."
        },
        "httpHeaders": {
          "type": "boolean",
          "description": "Allow injection of testable inputs for http headers.",
          "markdownDescription": "Allow injection of testable inputs for http headers."
        },
        "cookieData": {
          "type": "boolean",
          "description": "Allow injection of testable inputs for cookie data.",
          "markdownDescription": "Allow injection of testable inputs for cookie data."
        }
      },
      "type": "object"
    },
    "EnabledRPCParam": {
      "properties": {
        "multipartFormData": {
          "type": "boolean",
          "description": "Support for `multipart/form-data` request bodies.",
          "markdownDescription": "Support for `multipart/form-data` request bodies."
        },
        "xmlTag": {
          "type": "boolean",
          "description": "Support for xml request bodies.",
          "markdownDescription": "Support for xml request bodies."
        },
        "json": {
          "type": "boolean",
          "description": "Support for json request bodies.",
          "markdownDescription": "Support for json request bodies."
        },
        "googleWebToolkit": {
          "type": "boolean",
          "description": "Support for GWT request bodies. Deprecated.",
          "markdownDescription": "Support for GWT request bodies. Deprecated."
        },
        "odataId": {
          "type": "boolean",
          "description": "Support for Odata request bodies. Deprecated.",
          "markdownDescription": "Support for Odata request bodies. Deprecated."
        },
        "directWebRemoting": {
          "type": "boolean",
          "description": "Support for direct web remoting request bodies. Deprecated.",
          "markdownDescription": "Support for direct web remoting request bodies. Deprecated."
        }
      },
      "type": "object"
    },
    "WaitForAppTarget": {
      "required": [
        "waitTimeoutMillis",
        "pollDelay"
      ],
      "type": "object",
      "description": "Configuration specifying how to determine if the web application is up, responsive and ready for scanning.",
      "markdownDescription": "Configuration specifying how to determine if the web application is up, responsive and ready for scanning.",
      "properties": {
        "path": {
          "type": "string",
          "description": "The path to a public reachable route in your application. For example `/index`. A `GET` request will be made to this path to confirm the host is up and ready to receive traffic.",
          "markdownDescription": "The path to a public reachable route in your application. For example `/index`. A `GET` request will be made to this path to confirm the host is up and ready to receive traffic.",
          "default": "/",
          "pattern\"": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "requestMethod": {
          "type": "string",
          "description": "Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.",
          "markdownDescription": "Request method to use for queries. Will generate GraphQL queries as either POST payloads or GET uri strings.",
          "enum": [
            "GET",
            "POST",
            "PUT",
            "PATCH"
          ]
        },
        "requestBody": {
          "type": "string",
          "description": "The request content to send along with POST or PUT requests for target verification.",
          "markdownDescription": "The request content to send along with POST or PUT requests for target verification."
        },
        "waitTimeoutMillis": {
          "type": [
            "number",
            "string"
          ],
          "description": "The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning",
          "markdownDescription": "The maximum amount of time in milliseconds that HawkScan will wait for your app to be available before it starts scanning",
          "minimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "pollDelay": {
          "type": [
            "number",
            "string"
          ],
          "description": "The maximum amount of time in milliseconds in between requests to your application to see if it's running",
          "markdownDescription": "The maximum amount of time in milliseconds in between requests to your application to see if it's running",
          "minimum": 50,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "requestHeaders": {
          "$ref": "#/$defs/RequestHeadersEntry",
          "description": "Key-value map of additional headers to be sent along with the request to the app target host.",
          "markdownDescription": "Key-value map of additional headers to be sent along with the request to the app target host."
        }
      },
      "additionalProperties": false
    },
    "AppRedactions": {
      "required": [],
      "type": "object",
      "description": "Redaction policy of scan logs and stdout when scanning this application.\n\nHawkScan maintains a list of redacted tokens; strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts `app.authentication` credentials, and any provided script / discovery credentials.",
      "markdownDescription": "Redaction policy of scan logs and stdout when scanning this application.\n\nHawkScan maintains a list of redacted tokens; strings that are sensitive and should be scrubbed preemptively from logs and collected messages. By default, HawkScan redacts `app.authentication` credentials, and any provided script / discovery credentials.",
      "properties": {
        "headers": {
          "type": "array",
          "description": "List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.",
          "markdownDescription": "List of string header names: the values of HTTP headers matching these names will be redacted from alerts and logs.",
          "items": {
            "type": "string"
          }
        },
        "values": {
          "type": "array",
          "description": "List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.",
          "markdownDescription": "List of string static values: the values here will be added to the redacted token list. This is best used with ${ENV_VAR:default} interpolation.",
          "items": {
            "type": "string"
          }
        }
      },
      "additionalProperties": false
    },
    "OrganizationPolicy": {
      "required": [
        "name"
      ],
      "type": "object",
      "description": "Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. **Note**: Applies to scan policies created with Organization Policy Management.",
      "markdownDescription": "Configure the policy to be applied for the scan, optionally specifying which plugins to include or exclude. **Note**: Applies to scan policies created with Organization Policy Management.",
      "properties": {
        "name": {
          "type": "string",
          "description": "**Required**. The unique name of the organization scan policy.",
          "markdownDescription": "**Required**. The unique name of the organization scan policy."
        },
        "excludePluginIds": {
          "type": "array",
          "description": "Plugin ids to exclude from the named scan policy.",
          "markdownDescription": "Plugin ids to exclude from the named scan policy.",
          "items": {
            "type": "string"
          }
        },
        "includePluginIds": {
          "type": "array",
          "description": "Plugin ids to include in the scan that are not in the named scan policy.",
          "markdownDescription": "Plugin ids to include in the scan that are not in the named scan policy.",
          "items": {
            "type": "string"
          }
        }
      },
      "additionalProperties": false
    },
    "JsonRpcConf": {
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Enable JSON-RPC scan support.",
          "markdownDescription": "Enable JSON-RPC scan support."
        },
        "endpoint": {
          "type": "string",
          "description": "The JSON-RPC endpoint path relative to the target host (e.g., `/jsonrpc`). Defaults to `/`.",
          "markdownDescription": "The JSON-RPC endpoint path relative to the target host (e.g., `/jsonrpc`). Defaults to `/`.",
          "default": "/",
          "pattern": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "filePath": {
          "type": "string",
          "description": "Path to a local OpenRPC schema file (JSON format) to use instead of network discovery.",
          "markdownDescription": "Path to a local OpenRPC schema file (JSON format) to use instead of network discovery."
        },
        "maxDepth": {
          "type": [
            "number",
            "string"
          ],
          "description": "Maximum depth for generated nested objects. Defaults to 3.",
          "markdownDescription": "Maximum depth for generated nested objects. Defaults to 3.",
          "default": 3,
          "exclusiveMinimum": 0,
          "maximum": 50,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "fakerEnabled": {
          "type": "boolean",
          "description": "Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables.",
          "markdownDescription": "Enables faker for JSON-RPC scanning to generate more realistic values when format is provided on the schema or custom variables."
        },
        "requestTimeout": {
          "type": [
            "number",
            "string"
          ],
          "description": "HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).",
          "markdownDescription": "HTTP request timeout in milliseconds. Defaults to 30000 (30 seconds).",
          "default": 30000,
          "exclusiveMinimum": 0,
          "pattern": "^([0-9][0-9]+|[1-9]|0)$"
        },
        "excludeMethods": {
          "type": "array",
          "description": "Regex patterns for JSON-RPC method names to exclude from scanning.",
          "markdownDescription": "Regex patterns for JSON-RPC method names to exclude from scanning.",
          "items": {
            "type": "string"
          }
        },
        "customVariables": {
          "type": "array",
          "description": "Define custom variables and values for use in JSON-RPC scanning.",
          "markdownDescription": "Define custom variables and values for use in JSON-RPC scanning.",
          "items": {
            "$ref": "#/$defs/JsonRpcCustomVariable"
          }
        },
        "mcp": {
          "$ref": "#/$defs/McpConf",
          "description": "MCP (Model Context Protocol) server configuration. Presence of this field enables MCP scanning mode.",
          "markdownDescription": "MCP (Model Context Protocol) server configuration. Presence of this field enables MCP scanning mode."
        },
        "path": {
          "type": "string",
          "description": "Host path to a hosted OpenRPC specification, relative to the target host (e.g., `/openrpc.json`).",
          "markdownDescription": "Host path to a hosted OpenRPC specification, relative to the target host (e.g., `/openrpc.json`)."
        }
      },
      "type": "object",
      "description": "Configure HawkScan for [JSON-RPC 2.0](https://www.jsonrpc.org/specification) API scanning.\n\nOne of the following is **Required**:\n- `endpoint`: The JSON-RPC endpoint path (e.g., `/jsonrpc` or `/api/rpc`).\n- `path`: Host path to a hosted OpenRPC specification (e.g., `/openrpc.json`).\n- `filePath`: Relative path to a local OpenRPC schema file (JSON format).\n\nFor full details such as custom variable injection, see [JSON-RPC Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/json-rpc-configuration.html).",
      "markdownDescription": "Configure HawkScan for [JSON-RPC 2.0](https://www.jsonrpc.org/specification) API scanning.\n\nOne of the following is **Required**:\n- `endpoint`: The JSON-RPC endpoint path (e.g., `/jsonrpc` or `/api/rpc`).\n- `path`: Host path to a hosted OpenRPC specification (e.g., `/openrpc.json`).\n- `filePath`: Relative path to a local OpenRPC schema file (JSON format).\n\nFor full details such as custom variable injection, see [JSON-RPC Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/json-rpc-configuration.html).",
      "additionalProperties": false
    },
    "JsonRpcCustomVariable": {
      "properties": {
        "field": {
          "type": "string",
          "description": "The field name of the param to inject values into. Using dot notation will resolve nested objects for request bodies (e.g., `user.address.id`).",
          "markdownDescription": "The field name of the param to inject values into. Using dot notation will resolve nested objects for request bodies (e.g., `user.address.id`)."
        },
        "values": {
          "type": "array",
          "description": "A list of possible values to be randomly selected for the given field.",
          "markdownDescription": "A list of possible values to be randomly selected for the given field.",
          "items": {
            "type": "string"
          }
        },
        "path": {
          "type": "string",
          "description": "An optional regex pattern that will only inject custom values if the JSON-RPC method name matches.",
          "markdownDescription": "An optional regex pattern that will only inject custom values if the JSON-RPC method name matches."
        }
      },
      "type": "object",
      "description": "Custom variable data specific to JSON-RPC schemas.",
      "markdownDescription": "Custom variable data specific to JSON-RPC schemas.",
      "additionalProperties": false
    },
    "McpConf": {
      "properties": {
        "endpoint": {
          "type": "string",
          "description": "MCP server endpoint path relative to target host. Defaults to `/mcp`.",
          "markdownDescription": "MCP server endpoint path relative to target host. Defaults to `/mcp`.",
          "default": "/mcp",
          "pattern": "^\\/(([A-z0-9\\-\\%]+\\/)*[A-z0-9\\-\\%]+$)?"
        },
        "excludeTools": {
          "type": "array",
          "description": "MCP tool names to exclude from scanning.",
          "markdownDescription": "MCP tool names to exclude from scanning.",
          "items": {
            "type": "string"
          }
        },
        "customValues": {
          "type": "array",
          "description": "Define custom variables and values for use in MCP tool scanning.",
          "markdownDescription": "Define custom variables and values for use in MCP tool scanning.",
          "items": {
            "$ref": "#/$defs/McpCustomVariable"
          }
        }
      },
      "type": "object",
      "description": "MCP (Model Context Protocol) server configuration for JSON-RPC scanning.",
      "markdownDescription": "MCP (Model Context Protocol) server configuration for JSON-RPC scanning.",
      "additionalProperties": false
    },
    "McpCustomVariable": {
      "properties": {
        "tool": {
          "type": "string",
          "description": "MCP tool name this variable applies to.",
          "markdownDescription": "MCP tool name this variable applies to."
        },
        "param": {
          "type": "string",
          "description": "Parameter name within the tool's inputSchema. Using dot notation resolves nested objects (e.g., `user.address.id`).",
          "markdownDescription": "Parameter name within the tool's inputSchema. Using dot notation resolves nested objects (e.g., `user.address.id`)."
        },
        "values": {
          "type": "array",
          "description": "A list of possible values to be randomly selected for the given parameter.",
          "markdownDescription": "A list of possible values to be randomly selected for the given parameter.",
          "items": {
            "type": "string"
          }
        }
      },
      "type": "object",
      "description": "Custom variable data specific to MCP tool scanning.",
      "markdownDescription": "Custom variable data specific to MCP tool scanning.",
      "additionalProperties": false
    },
    "HawkAddOnConf": {
      "properties": {
        "replacer": {
          "$ref": "#/$defs/Replacer",
          "description": "Configuration for the replacer addOn.",
          "markdownDescription": "Configuration for the replacer addOn."
        },
        "scripts": {
          "type": "array",
          "description": "List of configurations for custom scripts.",
          "markdownDescription": "List of configurations for custom scripts.",
          "items": {
            "$ref": "#/$defs/Script"
          }
        }
      },
      "type": "object",
      "description": "Extend HawkScan functionality with add-ons and custom scripts:\n\n- `replacer`: Modify or replace HTTP request headers using `rules` with properties like `matchString`, `replacement`, `isRegex`, and `replaceOnly`.\n- `scripts`: Configure custom scripts to customize scan behavior with `name`, `type` (e.g., active, authentication), `path`, `language` (KOTLIN, JAVASCRIPT), and `vars`.\n\nFor more detail, see [HawkScan Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/#hawkaddon).",
      "markdownDescription": "Extend HawkScan functionality with add-ons and custom scripts:\n\n- `replacer`: Modify or replace HTTP request headers using `rules` with properties like `matchString`, `replacement`, `isRegex`, and `replaceOnly`.\n- `scripts`: Configure custom scripts to customize scan behavior with `name`, `type` (e.g., active, authentication), `path`, `language` (KOTLIN, JAVASCRIPT), and `vars`.\n\nFor more detail, see [HawkScan Configuration Documentation](https://docs.stackhawk.com/hawkscan/configuration/#hawkaddon).",
      "additionalProperties": false
    },
    "Replacer": {
      "properties": {
        "rules": {
          "type": "array",
          "description": "List of regex match and replace rules for request headers.",
          "markdownDescription": "List of regex match and replace rules for request headers.",
          "items": {
            "$ref": "#/$defs/ReplacerRules"
          }
        }
      },
      "type": "object",
      "description": "Configuration block for header value replacement. These rules support manipulating request headers, useful for modifying requests to web applications running behind a proxy.",
      "markdownDescription": "Configuration block for header value replacement. These rules support manipulating request headers, useful for modifying requests to web applications running behind a proxy.",
      "additionalProperties": false
    },
    "ReplacerRules": {
      "required": [
        "matchString",
        "replacement"
      ],
      "type": "object",
      "description": "A list of configuration blocks for the Replacer add-on rules.\nEach configuration block in the list is made up of the following elements.\nSee [Configuration Examples](https://docs.stackhawk.com/hawkscan/configuration/#replacer-plugin-configuration) for more information.",
      "markdownDescription": "A list of configuration blocks for the Replacer add-on rules.\nEach configuration block in the list is made up of the following elements.\nSee [Configuration Examples](https://docs.stackhawk.com/hawkscan/configuration/#replacer-plugin-configuration) for more information.",
      "properties": {
        "matchString": {
          "type": "string",
          "description": "If `replaceOnly` is false, match only the header name. If `replaceOnly` is true, match the exact string on the header line.",
          "markdownDescription": "If `replaceOnly` is false, match only the header name. If `replaceOnly` is true, match the exact string on the header line."
        },
        "replacement": {
          "type": "string",
          "description": "If `replaceOnly` is false, replace the existing header value or add the missing header using `replacement` as the value. If `replaceOnly` is true, only replace the `matchString` of an existing header line.",
          "markdownDescription": "If `replaceOnly` is false, replace the existing header value or add the missing header using `replacement` as the value. If `replaceOnly` is true, only replace the `matchString` of an existing header line."
        },
        "initiators": {
          "type": "array",
          "description": "Replacer rule initiators.",
          "markdownDescription": "Replacer rule initiators.",
          "items": {
            "type": "string",
            "enum": [
              "PROXY",
              "ACTIVE_SCANNER",
              "SPIDER",
              "FUZZER",
              "AUTHENTICATION",
              "MANUAL_REQUEST",
              "CHECK_FOR_UPDATES",
              "BEAN_SHELL",
              "ACCESS_CONTROL_SCANNER",
              "AJAX_SPIDER",
              "FORCED_BROWSE",
              "TOKEN_GENERATOR",
              "WEB_SOCKET",
              "AUTHENTICATION_HELPER"
            ]
          }
        },
        "replaceOnly": {
          "type": "boolean",
          "description": "If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line.",
          "markdownDescription": "If false, replace existing header value or add the missing header using replacement as the value. If true, only replace the matchString of an existing header line."
        },
        "isRegex": {
          "type": "boolean",
          "description": "Enable regex search for `matchString`. Useful when `replaceOnly` is true (e.g. `Referer:.*` will replace the entire `Referer:` header line).",
          "markdownDescription": "Enable regex search for `matchString`. Useful when `replaceOnly` is true (e.g. `Referer:.*` will replace the entire `Referer:` header line)."
        }
      },
      "additionalProperties": false
    },
    "Script": {
      "properties": {
        "name": {
          "type": "string",
          "description": "The name of this custom script.",
          "markdownDescription": "The name of this custom script."
        },
        "type": {
          "type": "string",
          "description": "The type of this script. One of `active`, `authentication`, `httpsender`, `passive`, `proxy`, `session`.",
          "markdownDescription": "The type of this script. One of `active`, `authentication`, `httpsender`, `passive`, `proxy`, `session`.",
          "enum": [
            "active",
            "authentication",
            "httpsender",
            "passive",
            "proxy",
            "session"
          ]
        },
        "path": {
          "type": "string",
          "description": "Path to the file location for the custom script.",
          "markdownDescription": "Path to the file location for the custom script."
        },
        "vars": {
          "type": "array",
          "description": "Named variables to expose to the script.",
          "markdownDescription": "Named variables to expose to the script.",
          "items": {
            "$ref": "#/$defs/NameValParam"
          }
        },
        "language": {
          "type": "string",
          "description": "**Required**. The language of this script. Either `KOTLIN` or `JAVASCRIPT`.",
          "markdownDescription": "**Required**. The language of this script. Either `KOTLIN` or `JAVASCRIPT`.",
          "enum": [
            "KOTLIN",
            "JAVASCRIPT"
          ]
        },
        "id": {
          "type": [
            "number",
            "string"
          ],
          "description": "Plugin Id for script.",
          "markdownDescription": "Plugin Id for script."
        }
      },
      "type": "object",
      "description": "Configuration block for custom scripts.",
      "markdownDescription": "Configuration block for custom scripts.",
      "additionalProperties": false
    },
    "Tag": {
      "properties": {
        "name": {
          "type": "string",
          "description": "The name of the tag.",
          "markdownDescription": "The name of the tag."
        },
        "value": {
          "type": "string",
          "description": "An arbitrary value to associate with the keyword.",
          "markdownDescription": "An arbitrary value to associate with the keyword.",
          "maxLength": 512,
          "minLength": 1
        },
        "stackHawkId": {
          "type": "string",
          "description": "The StackHawk tag id.",
          "markdownDescription": "The StackHawk tag id."
        }
      },
      "type": "object",
      "description": "Scan tags are name-value pairs that represent metadata of the scan, capturing additional state or context around a scan.\n\nExamples could include adding commit SHAs, branch names, or project management issue titles.\n\nTag names can use any combination of the following characters: `a-zA-Z-_`, and their values can be any string. Tag entries can also be interpolated from the environment.\n\n> ℹ️ **NOTE:** Tag names beginning with `_STACKHAWK` are in a reserved tag namespace.\n\nThe following YAML is an example of how you can configure your `stackhawk.yml` file to include scan tags:\n\n```yaml\napp:\n  applicationId: <application-uuid>\n  env: localhost\n  host: http://localhost:8080\ntags:\n  - name: category\n    value: hawksome\n  - name: Another-Value\n    value: ${SOMETHING_FROM_ENV:default}\n  - name: _GIT_COMMIT_SHA\n    value: ${MY_COMMIT_SHA_ENV:HEAD}\n```",
      "markdownDescription": "Scan tags are name-value pairs that represent metadata of the scan, capturing additional state or context around a scan.\n\nExamples could include adding commit SHAs, branch names, or project management issue titles.\n\nTag names can use any combination of the following characters: `a-zA-Z-_`, and their values can be any string. Tag entries can also be interpolated from the environment.\n\n> ℹ️ **NOTE:** Tag names beginning with `_STACKHAWK` are in a reserved tag namespace.\n\nThe following YAML is an example of how you can configure your `stackhawk.yml` file to include scan tags:\n\n```yaml\napp:\n  applicationId: <application-uuid>\n  env: localhost\n  host: http://localhost:8080\ntags:\n  - name: category\n    value: hawksome\n  - name: Another-Value\n    value: ${SOMETHING_FROM_ENV:default}\n  - name: _GIT_COMMIT_SHA\n    value: ${MY_COMMIT_SHA_ENV:HEAD}\n```",
      "additionalProperties": false
    }
  },
  "additionalProperties": false,
  "$comment": "https://www.stackhawk.com",
  "id": "com.stackhawk.nest.HawkScanMessages$HawkscanConf",
  "required": [
    "app"
  ]
}
