StackHawk Agent Skills
Your AI coding agent is also your security team.
StackHawk agent skills teach your AI coding agent to find security vulnerabilities as you build, report your security posture across applications, and help you fix what it finds — all without leaving your workflow. No context switching, no tickets to another team. Your agent scans, reports, and remediates.
Works with Claude Code, Codex, Gemini CLI, GitHub Copilot, Cursor, and anywhere the Agent Skills standard is supported.
Two Skills, One Security Workflow
Embeds HawkScan DAST scanning directly into your coding loop. Your agent configures the scanner, runs it against your live app, parses the findings, and generates prioritized fix tasks — then re-scans to confirm the fix worked.
Code changes → Configure HawkScan → Run scan → Parse findings → Fix → Re-scan
Use it when: you're building features, finishing a PR, or setting up security testing for a new project.
api — Report & Analyze
Queries the StackHawk platform API to give you a picture of your security posture across all your applications. Your agent authenticates, pulls findings data, and presents actionable summaries.
Question → Authenticate → Query API → Present Results → Suggest Next Actions
Use it when: you want to know what needs attention, what changed since the last scan, or which apps are falling behind.
Quick Start
1. Get your API key
Sign up or log in at app.stackhawk.com, go to Settings → API Keys, and create a key.
```shell
export HAWK_API_KEY=hawk.xxxxxxxxxxxx.xxxxxxxxxxxx
```
2. Install for your platform
Claude Code
```
/plugin marketplace add stackhawk/agent-skills
/plugin install hawkscan@stackhawk
/plugin install api@stackhawk
```
Codex
```
/plugin marketplace add stackhawk/agent-skills
/plugin install hawkscan@stackhawk
/plugin install api@stackhawk
```
Gemini CLI
```shell
gemini extensions install https://github.com/stackhawk/agent-skills
```
GitHub Copilot
Skills are auto-discovered. Add to your project:
```shell
# Option A: Clone into .agents/skills/
mkdir -p .agents/skills
cp -r path/to/stackhawk-agent-skills/skills/* .agents/skills/

# Option B: If you have the Claude plugin installed, Copilot reads .claude/skills/ automatically
```
Cursor
Copy the generated Cursor rules into your project:
```shell
cp -r path/to/stackhawk-agent-skills/cursor/.cursor/rules/* .cursor/rules/
```
3. Try it
> "Scan my API for security vulnerabilities"
> "What's my security posture across all apps?"
What You Can Do
Scanning Workflows (hawkscan skill)
| Say this... | Your agent will... |
|---|---|
| "Set up HawkScan for my Express API" | Generate a stackhawk.yml config based on your stack |
| "Scan my app for security issues" | Validate config, run hawk scan, parse findings |
| "Turn these scan findings into fix tasks" | Prioritize by severity, generate actionable fix guidance |
| "I'm finishing up this feature" | Proactively suggest a security scan before you merge |
| "My HawkScan auth is failing" | Debug your authentication configuration |
| "Set up HawkScan in my CI pipeline" | Generate CI-specific config with commit tagging |
Reporting Workflows (api skill)
| Say this... | Your agent will... |
|---|---|
| "What's my security posture?" | Pull untriaged findings across all apps, present as a summary table |
| "Show me findings for payment-api" | Drill down: scan → alerts → findings with severity, CWE, paths |
| "Which apps haven't been scanned recently?" | Flag stale apps with no scan in 30+ days |
| "What changed since the last scan?" | Diff two scans, show new and resolved findings |
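The staleness check, scan-to-scan diff and severity prioritization the two tables describe, as an added worked example that is not part of the StackHawk skills. The data shape (apps holding scans, scans holding `(plugin, path, severity)` findings) and the sample values are constructed for illustration and are not the StackHawk API schema; an agent using the `api` skill would pull the real findings from the platform first.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical shape, not StackHawk's real API schema).
# Each app lists its scans oldest-first; each scan lists (plugin, path, severity).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
APPS = {
    "payment-api": {"scans": [
        {"id": "s1", "ended": NOW - timedelta(days=10),
         "findings": [("xss-reflected", "/login", "High"), ("missing-csp", "/", "Low")]},
        {"id": "s2", "ended": NOW - timedelta(days=1),
         "findings": [("missing-csp", "/", "Low"), ("error-disclosure", "/api/pay", "High")]},
    ]},
    "legacy-web": {"scans": [{"id": "s3", "ended": NOW - timedelta(days=45), "findings": []}]},
    "new-service": {"scans": []},  # never scanned: must also be flagged
}

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def stale_apps(apps, now=NOW, max_age_days=30):
    """Apps whose most recent scan is older than max_age_days, or that have no scan at all."""
    stale = []
    for name, app in apps.items():
        latest = max((s["ended"] for s in app["scans"]), default=None)
        if latest is None or now - latest > timedelta(days=max_age_days):
            stale.append(name)
    return sorted(stale)


def diff_scans(old, new):
    """Return (new_findings, resolved_findings) between two scans of the same app.

    A finding is identified by (plugin, path); it is new if it only appears in
    `new` and resolved if it only appears in `old`. Severity is carried along.
    """
    old_keys = {(p, path): sev for p, path, sev in old["findings"]}
    new_keys = {(p, path): sev for p, path, sev in new["findings"]}
    new_f = sorted((k, new_keys[k]) for k in new_keys.keys() - old_keys.keys())
    resolved = sorted((k, old_keys[k]) for k in old_keys.keys() - new_keys.keys())
    return new_f, resolved


def prioritize(findings):
    """Order findings highest severity first (unknown severities last), then by path."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f[2], 3), f[1]))


if __name__ == "__main__":
    print("stale:", stale_apps(APPS))
    s1, s2 = APPS["payment-api"]["scans"]
    print("diff:", diff_scans(s1, s2))
    print("fix order:", prioritize(s2["findings"]))
```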
Supported Configurations
API & App Types: REST/OpenAPI, GraphQL, gRPC, SOAP, JSON-RPC, standard web apps
Authentication Patterns: Bearer token injection, form login (username/password), cookie sessions, OAuth2/external IdP (Auth0, Okta, Cognito), external command, custom scripts
Scan Runtimes: hawk CLI (recommended for local/agentic use), Docker (stackhawk/hawkscan)
Environments: Local development, CI/CD (GitHub Actions, GitLab CI, Jenkins, etc.)
How It Works
These are Agent Skills — they teach AI coding agents domain-specific knowledge through structured markdown files. No runtime dependencies are installed. No code runs in the background.