
Integrating StackHawk with your CircleCI pipelines for better application security

Find out your applications’ dirty little secrets with dynamic scanning using StackHawk, a dynamic application security testing (DAST) tool.

by karl

Introducing StackHawk

StackHawk is an open-source dynamic application security testing (DAST) tool. It runs penetration tests against your application and workloads on your own hardware and hosts the resulting data on your behalf.

You can then scan as often as you like and automate the process for regular feedback, with the only constraint being the resources used to scan the application.

What StackHawk can do for you

StackHawk provides opportunities to harden your security by bringing information to your attention! A proactive approach to these security issues allows you to strengthen your position before your application becomes exposed or is reported as having security issues requiring attention.

Using StackHawk will also enable you to spend more time developing content and features for your applications and less worrying about security issues.

[Screenshot: the StackHawk user interface, with details redacted]

How can I integrate it with my pipelines?

We've put together an orb for CircleCI users so they can start adding it to their pipelines. Here's what the implementation would look like:

  • Project maintainers generate an Application ID in StackHawk's interface.
  • That information is passed to the orb as parameters.
  • The orb generates the configuration file for the scanner.
  • Finally, the scan starts!

For those wanting additional guidance, we've created an example workflow to add to your CircleCI configuration. Please keep in mind that the configuration values will be slightly different for your needs, and that values which should stay hidden (such as the API key) can be stored in environment variables, a context, or similar.

version: 2.1
orbs:
  stackhawk: skpr/stackhawk@1

workflows:
  dast_weekly:
    jobs:
      - dast:
          context: global-org
    triggers:
      - schedule:
          cron: "0 0 * * 1"
          filters:
            branches:
              only:
                - master

jobs:
  dast:
    machine:
      image: ubuntu-2204:2022.10.2
    steps:
      - checkout
      - stackhawk/configure:
          app_id: "${STACKHAWK_APPID}"
          env: "${STACKHAWK_ENV}"
          host: http://127.0.0.1:8080
      - stackhawk/scan:
          api_key: "${STACKHAWK_API_KEY}"
          timeout: 3h
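The workflow above points the scanner at http://127.0.0.1:8080 on the machine executor, so something has to be listening there before the scan step runs. The following extended version of the dast job is an added illustration, not taken from the orb or its documentation: it starts the application from a placeholder container image (example/app:latest is an assumption, as is the application answering on port 8080), waits until it responds, runs the same configure and scan steps, and keeps the application log as an artifact for triaging findings.

```yaml
version: 2.1
orbs:
  stackhawk: skpr/stackhawk@1

jobs:
  dast:
    machine:
      image: ubuntu-2204:2022.10.2
    steps:
      - checkout
      # Assumption: the application under test is published as a container
      # image. "example/app:latest" is a placeholder, not a real image.
      - run:
          name: Start the application under test
          command: docker run -d --name app -p 8080:8080 example/app:latest
      # The scan targets 127.0.0.1:8080 on this executor, so fail early
      # (rather than producing an empty scan) if the app never comes up.
      - run:
          name: Wait for the application to become reachable
          command: |
            curl --silent --fail --output /dev/null \
                 --retry 30 --retry-delay 2 --retry-connrefused \
                 http://127.0.0.1:8080/
      # Same orb steps as the example workflow; secrets come from the context.
      - stackhawk/configure:
          app_id: "${STACKHAWK_APPID}"
          env: "${STACKHAWK_ENV}"
          host: http://127.0.0.1:8080
      - stackhawk/scan:
          api_key: "${STACKHAWK_API_KEY}"
          timeout: 3h
      # Keep the application's own log even when the scan fails, so a
      # reported finding can be matched against what the app saw.
      - run:
          name: Save the application log
          command: docker logs app > app.log 2>&1
          when: always
      - store_artifacts:
          path: app.log
```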

In conclusion

You can put yourself in the driver’s seat with an up-to-date report on the security of your application by integrating StackHawk with your CircleCI pipelines.

Our orb provides a simple and clean way for everybody to take advantage of DAST. This simplified approach can help you in your quest to become more proactive in improving your security posture.