With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities faster. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of JS application security testing with StackHawk.
Automated Security Testing for JS Apps & Underlying APIs

AI Generated Video Summary
StackHawk is a dynamic application security testing tool that helps find and fix security vulnerabilities. It integrates with your engineering stack and works with popular players in CICD. The DAST scanner crawls your application, tests it, and provides a summary of the findings, including cross-site scripting and SQL injection issues. The output in CICD includes a link to triage the issues.
1. Introduction to StackHawk
StackHawk is a dynamic application security testing tool. It scans your application, runs anywhere, and helps you find and fix security vulnerabilities. The StackHawk platform presents the criticality of an issue, the issue type, the path, and the request-response pair that generated the issue. It integrates with your engineering stack and works with popular players in CICD. Let's jump into a quick demo to see how StackHawk works.
What's up, JSNationLive. Scott Gerlach, co-founder and CSO of StackHawk here. Thanks for taking time to check out what StackHawk has to offer.
Real quick, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications. That's application and API security testing, REST APIs, GraphQL, server-side HTML, and single-page apps.
StackHawk was built for automation in CICD. Makes finding and fixing security vulnerabilities very, very simple.
A little bit of how it works. First of all, it scans your application, and by scans your application we mean it runs anywhere. You can run it on your local host while you're writing code, testing your application, back that up in CICD, test your application there before you push it to prod, and then, again, if you want to, you can run it in prod.
It's built to scan those modern applications, like I mentioned, server-side HTML, single-page apps, REST API, where you have an OpenAPI spec, and GraphQL, where you have GraphQL introspection queries turned on. All of those things help inform the scanner as to how to do a good job testing your application for security vulnerabilities.
Once the test is all done, it does a really good job of showing you where those problems are found and potentially how to fix them. Finding and fixing those security issues is super simple with the StackHawk platform.
The StackHawk platform presents you with the criticality of an issue, the issue type, the path, and the request-response pair that actually generated the issue. The other thing that's really awesome about the StackHawk platform is there's a curl recreation of that finding. So there's a curl command that you can copy and paste and run the same attack that the scanner did against your application, to be able to just put your application in debug mode, step through that code, and quickly find where you may have made a mistake.
All of that is set up for CICD, and you can break your build. You can set up the StackHawk scanner to exit non-zero if it finds an issue of a given severity or higher: medium or higher, high or higher, low or higher. All of those things are totally configurable in the StackHawk platform. It does not do that natively; you can configure that for your own work.
StackHawk integrates with your engineering stack. As you can see, I've got icons from some of the major popular players in CICD. StackHawk works with all of them. Because it's Docker based, if your CICD system can run Docker, it can run StackHawk.
Let's jump into a quick demo to see how StackHawk works. Here you can see I've got my vulnerable Django application. This is just a basic Django application, so server-side HTML, and I'm testing it with my StackHawk scanner. The way that looks is I've got a simple Docker command, docker run stackhawk hawkscan.
2. StackHawk Configuration and Scanning
The DAST scanner crawls your application, tests it, and provides a summary of the findings. It identifies cross-site scripting and SQL injection issues. The output in CICD includes a link to triage the issues.
I've got the configuration file, which we're going to take a look at next. And what happens is the DAST scanner crawls your application, looking for interesting things to test, and then tests it. Once that's done, you get a simple summary of what's happening, what StackHawk found. So here you can see I've got a cross-site scripting issue, a SQL injection issue, and some lower issues. We'll focus on those highs for today. At the very bottom of this, I've got a link back to the StackHawk platform. This is exactly the same output you'd get in CICD, so if you chose to break build in CICD, you'd have a link to be able to go triage these issues.
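The build-breaking behaviour described in section 1 (exit non-zero when a finding is at "medium or higher", "high or higher", and so on) and the pass/fail summary that closes the demo, as an added example. This is not StackHawk's own code or configuration: it assumes a simple "severity|issue|path" line format for findings, a hypothetical HAWK_FAIL_AT variable for the threshold, and runs on constructed sample findings so it works offline.

```shell
#!/bin/sh
# Added example, not StackHawk's own code: a minimal CI gate that turns scan
# findings into a pass/fail exit status at a configurable severity threshold,
# the behaviour the talk describes as "break your build" at medium or higher.
# The findings below are constructed sample data, not real scanner output, and
# the "sev|issue|path" line format is an assumption made for this example.

# Rank severities so a threshold can be compared numerically.
severity_rank() {
  case "$1" in
    low)    echo 1 ;;
    medium) echo 2 ;;
    high)   echo 3 ;;
    *)      echo 0 ;;   # informational / unknown: never breaks the build
  esac
}

# gate THRESHOLD FINDINGS
#   THRESHOLD: low | medium | high (meaning "this severity or higher")
#   FINDINGS : newline-separated "severity|issue|path" lines
# Returns 0 when the build may proceed, 1 when at least one finding meets
# the threshold, 2 when the threshold itself is not a known severity.
gate() {
  threshold_rank=$(severity_rank "$1")
  if [ "$threshold_rank" -eq 0 ]; then
    echo "gate: unknown threshold '$1'" >&2
    return 2
  fi
  hits=0
  while IFS='|' read -r sev issue path; do
    [ -z "$sev" ] && continue             # skip blank lines
    if [ "$(severity_rank "$sev")" -ge "$threshold_rank" ]; then
      echo "build-breaking finding: [$sev] $issue at $path" >&2
      hits=$((hits + 1))
    fi
  done <<EOF
$2
EOF
  if [ "$hits" -gt 0 ]; then
    return 1
  fi
  return 0
}

# Constructed sample summary resembling the demo's findings: one XSS, one
# SQL injection, and a couple of lower-severity items.
SAMPLE_FINDINGS='high|Cross Site Scripting (Reflected)|/search
high|SQL Injection|/login
low|Cookie Without Secure Flag|/
low|X-Content-Type-Options Header Missing|/'

# Constructed sample with nothing above "low".
LOW_ONLY_FINDINGS='low|Cookie Without Secure Flag|/'

# Typical CI usage: run the scanner, then decide whether the job fails. In a
# real pipeline the findings would come from the scan step; here the sample
# data is used so the script runs offline. HAWK_FAIL_AT is hypothetical.
if gate "${HAWK_FAIL_AT:-medium}" "$SAMPLE_FINDINGS"; then
  echo "scan gate passed"
else
  echo "scan gate failed; a CI job would exit non-zero here"
fi
```

Run it with `HAWK_FAIL_AT=high ./gate.sh` to fail only on highs, or `HAWK_FAIL_AT=low` to fail on anything; the decision and the reason are printed so the CI log shows which finding broke the build, mirroring the link-to-triage output the talk shows at the bottom of the scan summary.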