StackHawk

Category: DAST
License: Commercial
Suphi Cankurt, AppSec Enthusiast
Updated February 22, 2026
Key Takeaways
  • OWASP ZAP-powered DAST built for CI/CD with YAML-based config (stackhawk.yml) that lives in version control alongside application code.
  • First-class API testing for REST (OpenAPI), GraphQL (introspection), SOAP, and gRPC — plus HawkAI source code analysis to discover undocumented endpoints.
  • Integrates with 12+ CI/CD platforms: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, AWS CodePipeline, Bitbucket, Bamboo, and more.
  • 14-day free trial of enterprise features; includes LLM security risk detection and sensitive data (PII, PCI, PHI) exposure scanning.

StackHawk is a DAST tool built on the OWASP ZAP scanning engine, packaged for CI/CD pipelines. Security tests are configured in a stackhawk.yml file that lives in your repository alongside your code. Scans run in your pipeline, and findings go to developers with remediation guidance.

The tool focuses on APIs and modern application architectures. REST, GraphQL, SOAP, and gRPC are all first-class scan targets, not afterthoughts bolted onto a browser-based scanner.

Engine: OWASP ZAP
Configuration: YAML (stackhawk.yml in repo)
API protocols: REST, GraphQL, SOAP, gRPC
API discovery: HawkAI (source code analysis)
Auth methods: Form, HTTP, OAuth2, cookie, token, external command
CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure, AWS, 6+ more
Trial: 14-day free trial (enterprise features)
LLM testing: LLM security risk detection
Data detection: PII, PCI, PHI sensitive data
Deployment: SaaS (Docker-based scanner)

What is StackHawk?

StackHawk takes the ZAP scanning engine and wraps it in a workflow that fits how developers already work. Configuration lives in version control. Scans trigger in CI/CD. Findings include code examples showing how to fix the issue.

The philosophy: security testing belongs in the development process, not bolted on at the end. If you can configure your tests in YAML, version-control them, and run them in a pipeline, security testing gets treated like any other quality check. The OWASP Testing Guide recommends integrating dynamic analysis into CI/CD workflows to catch vulnerabilities before they reach production.

HawkAI, the API discovery feature, scans your source code to find endpoints that may not appear in your OpenAPI spec. It looks at route definitions in frameworks like Express, Spring, Django, and Rails, and flags undocumented or internal APIs that your spec missed.

ZAP Under the Hood
StackHawk uses OWASP ZAP for vulnerability detection. You get ZAP’s proven scanning capabilities without having to configure ZAP directly. StackHawk adds the developer experience layer: YAML config, CI/CD integrations, and findings written for engineers rather than security specialists.

Key features

YAML Configuration
Security tests are defined in stackhawk.yml in your repo, so they live in version control and get reviewed in PRs like any other config. Specify targets, auth, scan duration, and active scan types.
API-First Testing
REST via OpenAPI specs, GraphQL via introspection, SOAP, and gRPC. StackHawk tests mutations, queries, and endpoints for injection vulnerabilities and authorization flaws.
HawkAI Discovery
Analyzes source code to find API endpoints not in your spec. Supports Express, Spring, Django, Rails, and other frameworks. Catches undocumented endpoints and spec drift.
CI/CD Native
GitHub Actions with code scanning integration, GitLab CI with vulnerability reporting, Jenkins, CircleCI, Azure Pipelines, AWS CodePipeline, Bitbucket, Bamboo, Harness, Buildkite, Travis CI.
LLM Security Testing
Tests LLM-powered application features for prompt injection, data leakage, and other AI-specific security risks. A newer addition to the StackHawk scanning capabilities.
Developer Findings
Vulnerability reports include code-level remediation examples, links to documentation, and severity based on exploitability. Written for developers, not security analysts.

Installation

# macOS with Homebrew
brew tap stackhawk/cli
brew install hawk

# Docker
docker pull stackhawk/hawkscan

# Initialize with your API key
hawk init --api-key=YOUR_API_KEY

# Verify
hawk --version

Configuration

Create stackhawk.yml in your project root:

app:
  applicationId: ${STACKHAWK_APP_ID}
  env: ${STACKHAWK_ENV}
  host: ${STACKHAWK_HOST}

hawk:
  spider:
    maxDurationMinutes: 5
  scan:
    maxDurationMinutes: 10

API scanning

# REST via OpenAPI
app:
  openApiConf:
    filePath: openapi/spec.yaml

# GraphQL via introspection
app:
  graphqlConf:
    schemaPath: /graphql
    operation: ALL

Authentication

# Bearer token via external auth
app:
  authentication:
    external:
      type: TOKEN
      value: ${ACCESS_TOKEN}
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer

# Cookie-based via external auth
app:
  authentication:
    external:
      type: COOKIE
      name: session
      value: ${SESSION_COOKIE}
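The authentication snippets above read the token and cookie values from environment variables, so the committed stackhawk.yml carries no credential. The following pre-commit lint checks exactly that property plus the presence of the app identifiers; it is an added example, not StackHawk tooling, it parses only the nested key/value YAML subset shown on this page (no lists), and the two sample configs are constructed here.

```python
# Added example (not StackHawk tooling): lint a stackhawk.yml before commit.
# Handles only the nested key/value YAML subset shown on this page (no lists).
import re

PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_]+\}$")   # ${ENV_VAR} reference
REQUIRED = ("app.applicationId", "app.env", "app.host")

def parse_simple_yaml(text):
    """Turn 'key: value' lines with 2-space nesting into nested dicts."""
    root = {}
    stack = [(-1, root)]          # (indent, dict) for each open map
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:   # close maps that are done
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lookup(tree, dotted):
    """Fetch a dotted path such as app.host; None if any segment is missing."""
    for part in dotted.split("."):
        if not isinstance(tree, dict) or part not in tree:
            return None
        tree = tree[part]
    return tree

def lint(text):
    """Return findings for a stackhawk.yml; an empty list means it passes."""
    cfg = parse_simple_yaml(text)
    findings = [f"missing required key {k}" for k in REQUIRED if lookup(cfg, k) is None]
    # Credential material must come from the CI secret store, never the repo.
    secret = lookup(cfg, "app.authentication.external.value")
    if isinstance(secret, str) and not PLACEHOLDER.match(secret):
        findings.append("app.authentication.external.value is a literal; use ${VAR}")
    return findings

# Constructed sample configs: GOOD mirrors this page, BAD pastes in a literal.
GOOD = "app:\n  applicationId: ${STACKHAWK_APP_ID}\n  env: ${STACKHAWK_ENV}\n  host: ${STACKHAWK_HOST}\n  authentication:\n    external:\n      type: TOKEN\n      value: ${ACCESS_TOKEN}\n"
BAD = "app:\n  applicationId: ${STACKHAWK_APP_ID}\n  authentication:\n    external:\n      type: TOKEN\n      value: literal-token-pasted-in\n"

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(cfg) or "ok")
```

Wire lint() into a pre-commit hook or a CI step that fails the build when the list is non-empty.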

Source-Based Discovery
Point HawkAI at your source directories to catch API endpoints your OpenAPI spec missed. Add sourceHawk.enabled: true and specify your source paths. It identifies routes in Express, Spring, Django, and Rails automatically.

Integrations

CI/CD Platforms
GitHub Actions
GitLab CI
Jenkins
CircleCI
Azure Pipelines
AWS CodePipeline
Bitbucket
DevOps & Security
Jira
Slack
Semgrep
Snyk
Endor Labs

Getting started

1. Install the CLI — Use Homebrew (brew tap stackhawk/cli && brew install hawk) or Docker. Initialize with hawk init --api-key=YOUR_KEY.
2. Create stackhawk.yml — Define your application ID, host, and scan configuration. Point to your OpenAPI spec or enable GraphQL introspection.
3. Run locally first: hawk scan --host http://localhost:8080 tests your running application. Fix issues before they hit the pipeline.
4. Add to CI/CD — Use the official GitHub Action (stackhawk/hawkscan-action@v2), GitLab image, or Docker in any pipeline. Set codeScanningAlerts: true for GitHub Security tab integration.

GitHub Actions example

name: Security Scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  stackhawk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start application
        run: docker-compose up -d
      - name: Run StackHawk scan
        uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.STACKHAWK_API_KEY }}
          configurationFiles: stackhawk.yml
          codeScanningAlerts: true
          githubToken: ${{ github.token }}

When to use StackHawk

StackHawk is a natural fit for teams that build API-first applications and practice DevSecOps. If you want security config in version control, scans in CI/CD, and findings that developers can act on, StackHawk delivers that workflow.

The YAML-based configuration means security tests work the same way every time and get reviewed in PRs. The ZAP engine handles vulnerability detection; StackHawk handles the developer experience on top.

It is less suited for teams that need to scan without application source access, organizations heavily invested in traditional browser-rendered apps rather than APIs, or teams requiring fully on-premises deployment. StackHawk is SaaS only. For on-premises or standalone DAST, consider Burp Suite or Nuclei. For a comparison of testing approaches, see SAST vs DAST vs IAST.

A 14-day free trial of the enterprise plan is available, making it practical to evaluate before committing to a paid subscription.

Frequently Asked Questions

What is StackHawk?
StackHawk is a DAST tool built on the OWASP ZAP engine, designed for CI/CD pipelines. You configure scans in a stackhawk.yml file that lives in your repo, and it runs against your application as part of your build process. It supports REST, GraphQL, SOAP, and gRPC APIs.
Is StackHawk free?
StackHawk does not offer a permanent free tier. A 14-day free trial of the enterprise plan is available for evaluation. After the trial, paid plans start with the Pro tier based on per-contributor pricing.
How does StackHawk use ZAP?
StackHawk wraps the OWASP ZAP scanning engine in a developer-friendly interface. You get ZAP’s proven vulnerability detection without managing ZAP configuration directly. StackHawk adds YAML config, CI/CD integrations, and developer-focused findings on top of the ZAP core.
What is HawkAI?
HawkAI is StackHawk’s API discovery feature. It analyzes your source code to find API endpoints that may not be documented in OpenAPI specs, including undocumented endpoints, internal APIs, and differences between your spec and actual implementation.
What CI/CD platforms does StackHawk support?
StackHawk integrates with GitHub Actions (including code scanning), GitLab CI (vulnerability reporting), Jenkins, CircleCI, Azure Pipelines, AWS CodePipeline, Bitbucket Pipelines, Bamboo, Harness, Spinnaker, Buildkite, and Travis CI.