This workshop is designed to help you get started with the HawkScan in GitHub Actions. Participants get hands-on experience with:
- GitHub Enrollment
- GitHub Actions workflows
- StackHawk dynamic application security test (DAST) scanning
You can find the slide deck for this workshop here.
To get the most out of this workshop, make sure you have the following prerequisites before getting started.
- Join us in the StackHawk Discord: https://discord.gg/aQA5GUqJ7A
- A web browser
Go to the GitHub Signup Page and sign up for an account!
Fork the vuln_node_express app:
https://github.com/kaakaww/vuln_node_express
Go to the Code section of your newly forked repository in GitHub. Create a new file using the Add file --> Create new file button. Name the file .github/workflows/build-and-test.yml, and add the following contents:
# .github/workflows/build-and-test.yml
name: Build and Test
on:
push:
branches:
- main
pull_request:
jobs:
build-and-test:
name: Build and test
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Install Node.js 14.x
uses: actions/setup-node@v2
with:
node-version: 14.x
- name: Install dependencies
run: npm clean-installCommit the change.
Go to the Actions section of your repository, and you should see the new workflow running.
Sign up for a StackHawk Developer account. Follow the Get Started flow to create your StackHawk API key and first application.
Stash your StackHawk API key in GitHub Secrets. In your repo, navigate to the Settings section, and find Secrets in the left pane.
Add a secret named HAWK_API_KEY, and add your StackHawk API key as the value.
Download the stackhawk.yml file that you created in the Get Started flow in the StackHawk platform. Copy the contents into a new file at the base of your repo named stackhawk.yml. Commit the file.
Update your Build and Test workflow. Add a step to start the vuln_node_express, and a step to run HawkScan using the StackHawk Action at the end:
# .github/workflows/build-and-test.yml
name: Build and Test
on:
push:
branches:
- main
pull_request:
jobs:
build-and-test:
name: Build and test
runs-on: ubuntu-20.04
steps:
- name: Check Out Code
uses: actions/checkout@v2
- name: Install Node.js 14.x
uses: actions/setup-node@v2
with:
node-version: 14.x
- name: Install Dependencies
run: npm clean-install
- name: Daemonize our Node API service
run: nohup npm run start &
- name: Run HawkScan
uses: stackhawk/hawkscan-action@v1.3.1
with:
apiKey: ${{ secrets.HAWK_API_KEY }}Commit this change.
Go to the Actions section of your repo, and watch your updated Build and Test workflow run. Examine the Run HawkScan step console logs.
Check your scan results on the StackHawk platform.
You just automated StackHawk DAST scanning with GitHub Actions!
Read more about GitHub Actions, and check out the GitHub Actions Marketplace, where you can find other Actions to build out your pipeline.
Finally, here are some additional resources for tuning StackHawk to scan your applications.
- HawkDocs, where you can read all the details on how to configure and run HawkScan in your environment.
- Authenticated Scanning - Guides for authenticating HawkScan to your application for deeper scans.
- Continuous Integration, where you can see our guides for integrating HawkScan with the most popular CI/CD systems.
- StackHawk Blog, with technical tips, tricks, and walkthroughs to help you secure and test your applications.