Stats
Actions
Tags
From hawkscan
Use this skill whenever a user or agent needs to configure, run, or interpret results from StackHawk's HawkScan DAST scanner. Triggers include: any mention of "hawkscan", "stackhawk", "stackhawk.yml", "hawk scan", "DAST", "dynamic security testing", "security scan", or "scan my API/app". Also trigger when a feature is being completed — phrases like "feature complete", "finishing up feature", "ready for review", "wrapping up", or "done with implementation" should proactively suggest running a security scan before the work is considered done. Use this skill for the full loop: config generation, scan execution, findings parsing, and producing actionable fix tasks for the agent.
How this skill is triggered — by the user, by Claude, or both
Slash command
/hawkscan:hawkscanThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
This skill enables Claude to act as the security testing orchestrator in an agentic
This skill enables Claude to act as the security testing orchestrator in an agentic coding loop. The core workflow is:
Code changes → Start Application/API → Configure HawkScan → Run scan → Parse findings → Generate fix tasks → Repeat
Before configuring or running a scan, gather:
stackhawk.yml? Check the project root. If missing, go to Step 2.
If present, go to Step 2b (tune).HAWK_API_KEY? Required. If missing, tell the user to generate one
at app.stackhawk.com → Settings → API Keys and set it as an env var.hawk). If neither is installed, see
→ references/installation.mdstackhawk.yml from ScratchAsk (or infer from codebase) the following, then generate the config:
applicationId — from StackHawk platform (required, looks like a UUID)env — environment name (e.g., Development, CI, Staging)host — base URL of the running app (e.g., http://localhost:8080)Minimum viable config:
app:
applicationId: ${APP_ID}
env: ${APP_ENV:Development}
host: ${APP_HOST:http://localhost:8080}
Always use env var interpolation (${VAR} or ${VAR:default}) for sensitive
values and anything that varies across environments. Note: HawkScan does NOT support
string interpolation inside larger strings like "https://${HOST}/api" — the entire
value must be the variable.
For API-type-specific config and auth patterns, see:
→ references/config-patterns.md
stackhawk.ymlReview the existing config against the current app state:
seedPaths. See spider tuning in
references/config-patterns.mdauthentication block; check app.authentication.testPathapp.excludePaths or app.includePaths, tune
hawk.spider.maxDurationMinutes and hawk.scan settingsgraphqlConf, openApiConf, etc.hawkAddOn.replacer for tenant headers, API version
headers, etc.app:
tags:
- name: Commit
value: ${GIT_COMMIT_SHA}
- name: Branch
value: ${GIT_BRANCH}
Always validate config before scanning — it's fast and catches problems without burning a full scan run.
# Validate stackhawk.yml structure and required fields
hawk validate config stackhawk.yml
# Validate OpenAPI specification referenced in stackhawk.yml
hawk validate api stackhawk.yml
# Validate authentication config (requires perch daemon — see below)
hawk perch start
hawk validate auth stackhawk.yml
hawk perch stop
Run hawk validate config stackhawk.yml every time the config changes.
Run hawk validate api stackhawk.yml when adding or modifying OpenAPI spec references.
Run hawk validate auth when the authentication block is new or modified — but note
that validate auth requires perch (daemon mode) to be running first. Start perch,
run the validation, then stop perch when done.
If any validation fails, fix it before proceeding to hawk scan.
The validate commands accept config files as positional arguments only — there is
NO -c or --config flag. Do NOT invent one.
# CORRECT — positional args, just the filename
hawk validate config stackhawk.yml
hawk validate config stackhawk.yml stackhawk-override.yml
hawk validate auth stackhawk.yml
# WRONG — there is no -c flag
hawk validate config -c stackhawk.yml # ← WILL FAIL
hawk validate auth --config stackhawk.yml # ← WILL FAIL
The CLI automatically prepends the working directory to config file paths. This means:
stackhawk.yml) when the file is in the current directory/Users/me/project/stackhawk.yml — the CLI will
prepend projectRepoDir/ to it, producing a broken double-path--repo-dir=<path> to set the
base directory, then pass just the filenameThis applies identically to hawk scan, hawk validate config, hawk validate api,
and hawk validate auth — they all use the same positional argument + path resolution.
The hawk CLI is preferred for local/agentic use. For the full CLI command reference
(scan commands, flags, diagnostics, perch daemon mode), see:
→ references/cli-reference.md
For Docker-based scanning (CI environments or when CLI isn't installed), see:
→ references/docker-usage.md
Quick reference for agentic scanning:
hawk scan # scan using stackhawk.yml in current directory
hawk scan --json-output # output findings as JSON (best for agentic parsing, requires Dev Release v5.3.41+)
hawk rescan # re-run only plugins that threw alerts from previous scan
| Code | Meaning |
|---|---|
0 | Scan complete, no findings at or above failureThreshold |
1 | Scan failed (config error, app unreachable, auth failure) |
42 | Scan complete, findings met or exceeded failureThreshold |
Exit code 1 = fix the config or confirm the app is reachable before re-running.
Exit code 0 = no critical findings, but review the report for any items and consider fixing them anyway.
Exit code 42 = scan worked; findings need remediation.
Use --json-output to get structured scan results for agentic consumption
(requires at least Dev Release v5.3.41):
# CLI — json output to file
hawk scan --json-output > findings.json
# CLI — json output piped directly
hawk scan --json-output
--json-output suppresses all other stdout (progress, banners, etc.), so you do NOT
need --no-color or --verbose when using it. It cannot be combined with --trace.
Parse the JSON output to extract findings, then transform them into fix tasks for the
coding agent. For the full JSON schema, field reference, fix task format, and common
findings guidance, see:
→ references/findings-and-fixes.md
If --json-output is not available (requires at least Dev Release v5.3.41), fall back to capturing
stdout with hawk --no-color scan --verbose and parse the terminal output. Look for lines
containing finding names, severity levels, and affected paths. The platform URL printed
at scan end can be used to fetch the full report via the StackHawk API if needed.
After generating fix tasks, instruct the agent:
hawk validate config stackhawk.yml # catches malformed YAML, missing required fields
hawk validate api stackhawk.yml # validates OpenAPI spec references in config
host in config is correcthawk validate auth (requires hawk perch start first);
see references/config-patterns.mdapplicationId → verify UUID matches an app in the StackHawk platformhawk validate config will show the specific linestackhawk.yml. Always use ${HAWK_API_KEY}.stackhawk.yml. Use env vars and reference them in the authentication block.host: "https://${HOST}/api" will
NOT interpolate. Use host: ${FULL_HOST_URL} instead.npx claudepluginhub stackhawk/agent-skills --plugin hawkscanIntegrates SAST, DAST, and SCA into CI/CD pipelines using Semgrep, Trivy, OWASP ZAP, and Gitleaks for automated security scanning.
Integrates SAST, DAST, and SCA into CI/CD pipelines using Semgrep, Trivy, OWASP ZAP, and Gitleaks for automated security scanning.
Orchestrates security auditing workflow for web apps, APIs, and infrastructure, covering reconnaissance, vulnerability scanning, pentesting, and hardening phases.