Stackhawk Security Consultant
Configures and optimizes StackHawk DAST scanning pipelines to automate API security testing within CI/CD workflows.
When to Use This Agent
Choose this agent when you need to:
- Set up StackHawk dynamic application security testing for a web application or API with proper attack surface analysis
- Generate stackhawk.yml configurations and GitHub Actions workflows tailored to your detected framework and auth patterns
- Triage and remediate StackHawk scan findings with prioritized fix recommendations and false positive management
Consider alternatives when:
- You need static application security testing (SAST) on source code rather than runtime DAST scanning against a live application
- Your application is a library or package without HTTP endpoints, where DAST scanning provides no meaningful attack surface coverage
Quick Start
Configuration
```yaml
name: stackhawk-security-consultant
type: agent
category: security
```
Example Invocation
```shell
claude agent:invoke stackhawk-security-consultant "Set up StackHawk security testing for our Express.js API"
```
Example Output
Attack Surface Assessment: Express.js API
Repository Analysis:
Framework: Express.js (Node.js)
API Routes: 24 endpoints detected
Auth: JWT via passport-jwt middleware
Host: http://localhost:3000 (from package.json start script)
Generated Files:
1. stackhawk.yml
- applicationId: ${HAWK_APP_ID}
- host: http://localhost:3000
- authentication: token (JWT bearer)
- openApiConf: ./openapi.yaml (detected)
2. .github/workflows/stackhawk.yml
- Trigger: pull_request + push to main
- Steps: checkout, npm install, npm start, hawkscan
Required Secrets:
- HAWK_API_KEY (Settings > Secrets > Actions)
- HAWK_APP_ID (from app.stackhawk.com)
TODOs:
- [ ] Add JWT test credentials to workflow env
- [ ] Verify OpenAPI spec path is current
Core Concepts
DAST Scanning Pipeline Overview
| Aspect | Details |
|---|---|
| Attack Surface Analysis | Repository classification (application vs library), endpoint enumeration, auth mechanism detection |
| Configuration Generation | stackhawk.yml with host, app ID, environment, authentication type, and OpenAPI spec references |
| CI/CD Integration | GitHub Actions workflow with dependency install, application startup, and hawkscan-action execution |
| Authentication Handling | Token-based (JWT/Bearer), cookie-based (session), OAuth flows, or external auth provider configuration |
| Finding Management | Severity classification, false positive triaging, remediation guidance, and compliance reporting |
DAST Pipeline Architecture
```text
+-----------------+     +-----------------+     +-----------------+
|  PR / Push      | --> |  CI Runner      | --> |  App Startup    |
|  Trigger        |     |  (ubuntu)       |     |  (localhost)    |
+-----------------+     +-----------------+     +--------+--------+
                                                         |
+-----------------+                             +--------v--------+
|  Results &      | <-------------------------- |  HawkScan       |
|  Findings       |                             |  Execution      |
|                 |                             |                 |
|  StackHawk      |                             |  Crawl Routes   |
|  Dashboard      |                             |  Fuzz Inputs    |
|  PR Comments    |                             |  Test Auth      |
+-----------------+                             +-----------------+
```
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| applicationId | string | "${HAWK_APP_ID}" | StackHawk application identifier from the platform dashboard |
| scanEnvironment | string | "Development" | Target environment label: Development, Staging, or Production |
| hostUri | string | "http://localhost:3000" | Base URL where the application is accessible during CI scan execution |
| authType | string | "none" | Authentication mechanism: none, token, cookie, oauth, or external |
| openApiSpec | string | "" | Path to OpenAPI/Swagger specification file for guided route scanning |
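How the parameters in the table above map onto an actual stackhawk.yml for the Express.js/JWT case from the Example Output. This is an added example, not a file the agent generated: key names follow StackHawk's documented configuration schema, and the secret name HAWK_AUTH_TOKEN is an assumption.

```yaml
# stackhawk.yml (added example; verify key names against current StackHawk docs)
app:
  applicationId: ${HAWK_APP_ID}        # applicationId: injected from the CI secret
  env: Development                     # scanEnvironment
  host: http://localhost:3000          # hostUri: where the app listens inside the CI job
  openApiConf:
    filePath: ./openapi.yaml           # openApiSpec: guided scanning instead of blind crawling
  authentication:
    # How HawkScan tells an authenticated response from a rejected one, so the
    # scan notices when protected routes silently fall back to 401/403
    # (the "zero findings on authenticated endpoints" symptom).
    loggedInIndicator: "\\Q200 OK\\E"
    loggedOutIndicator: "\\Q401 Unauthorized\\E"
    # authType: token. The JWT is obtained outside the scan with a dedicated
    # test account and passed in as "Authorization: Bearer <jwt>".
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    external:
      type: TOKEN
      value: ${HAWK_AUTH_TOKEN}        # assumed secret name; not on the page
```

Because the token comes from an external secret, the workflow that runs the scan is responsible for minting a fresh, unexpired JWT before hawkscan starts.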
Best Practices
- Assess Attack Surface Before Configuring Scans - Not every repository warrants DAST scanning. Libraries, documentation sites, and static assets lack HTTP endpoints to test. Analyze the repository for web server code, API route definitions, and authentication middleware before investing in scan configuration, and clearly document why a repository was included or excluded.
- Use OpenAPI Specifications for Guided Scanning - Crawler-based discovery misses endpoints behind authentication, conditional routing, or dynamic path parameters. Providing an OpenAPI or Swagger specification to StackHawk ensures comprehensive route coverage, reduces scan time by eliminating aimless crawling, and produces more accurate findings by testing documented parameter types.
- Configure Authentication with Dedicated Test Credentials - DAST scans that cannot authenticate only test the unauthenticated attack surface, missing vulnerabilities behind login walls. Create dedicated test accounts with known credentials stored as CI secrets, and configure the authentication section in stackhawk.yml to obtain and use valid tokens during scanning.
- Integrate Scan Results into Pull Request Workflows - Running scans only on scheduled builds delays vulnerability discovery. Triggering StackHawk scans on pull requests surfaces security issues before code merges, provides developers with immediate feedback in the PR context, and prevents vulnerable code from reaching the main branch where remediation costs increase.
- Triage Findings Promptly to Prevent Alert Fatigue - Unreviewed scan results accumulate quickly and developers learn to ignore them. Establish a triage cadence where findings are classified as true positives requiring fixes, false positives to be suppressed, or accepted risks with documented justification. Use StackHawk's finding management features to track disposition decisions.
Common Issues
- Application Not Running When Scan Executes - The most frequent CI failure occurs when hawkscan starts before the application is fully initialized. Add a health check wait step between application startup and scan execution, using a curl loop against the health endpoint with a timeout. Without a responsive target, every scan request fails with connection refused errors.
- Scan Returns Zero Findings on Authenticated Endpoints - When authentication configuration is missing or misconfigured, StackHawk receives 401/403 responses and cannot test protected routes. Verify that the auth section in stackhawk.yml matches your actual auth mechanism, test credentials are valid, and token acquisition succeeds by checking scan logs for authentication step results.
- OpenAPI Spec Out of Sync with Actual Routes - When the specification file diverges from implemented endpoints, scans test routes that no longer exist while missing newly added endpoints. Integrate OpenAPI spec generation into your build pipeline so the specification is always current, or use StackHawk's crawler mode as a fallback for discovering undocumented routes.
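The GitHub Actions workflow sketched in the Example Output, with the health-check wait loop from the first Common Issue and a login step that turns dedicated test credentials into the JWT the scan needs. This is an added example, not the agent's output; the paths /api/health and /api/auth/login, the secret names TEST_USER, TEST_PASSWORD and HAWK_AUTH_TOKEN, and the `.token` field of the login response are assumptions.

```yaml
# .github/workflows/stackhawk.yml (added example)
name: StackHawk DAST
on:
  pull_request:
  push:
    branches: [main]
jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Start the API in the background; the process survives into later steps.
      - name: Start application
        run: npm start &
      # Most common failure: hawkscan starts before the app listens. Poll the
      # (assumed) health endpoint and fail fast after 60 s instead of letting
      # every scan request die with "connection refused".
      - name: Wait for application
        run: |
          for _ in $(seq 1 30); do
            curl -fsS http://localhost:3000/api/health >/dev/null && exit 0
            sleep 2
          done
          echo "application not healthy after 60s" >&2
          exit 1
      # Mint a fresh JWT from a dedicated test account (assumed login route and
      # secret names) so the scan reaches routes behind passport-jwt.
      - name: Obtain test JWT
        run: |
          token=$(curl -fsS -X POST http://localhost:3000/api/auth/login \
            -H 'Content-Type: application/json' \
            -d "{\"username\":\"$TEST_USER\",\"password\":\"$TEST_PASSWORD\"}" \
            | jq -r '.token')
          [ -n "$token" ] && [ "$token" != null ] || { echo "login failed" >&2; exit 1; }
          echo "::add-mask::$token"
          echo "HAWK_AUTH_TOKEN=$token" >> "$GITHUB_ENV"
        env:
          TEST_USER: ${{ secrets.TEST_USER }}
          TEST_PASSWORD: ${{ secrets.TEST_PASSWORD }}
      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          configurationFiles: stackhawk.yml
        env:
          HAWK_APP_ID: ${{ secrets.HAWK_APP_ID }}
```

If the login step fails, the job stops before hawkscan runs, which is preferable to a scan that quietly reports zero findings on every protected route.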