This workshop shows you how to scan a GraphQL application with StackHawk, and automate that scan in GitHub Actions.
You can find the slide deck for this workshop here.
Not attending our workshop right now? Watch it on your own schedule.
To get the most out of this workshop, make sure you have the following prerequisites.
- Discord - Find us in #oct11-gql-security-testing under the 🧩 RADV FREE WORKSHOPS category
- Docker - Get the latest version
- HawkScan - `docker pull stackhawk/hawkscan`
Fork the vuln-graphql-api app: https://github.com/kaakaww/vuln-graphql-api

Then clone your fork to your workstation:

```shell
git clone git@github.com:<YOUR-GITHUB-ORG>/vuln-graphql-api
```

Enter your cloned project directory:

```shell
cd vuln-graphql-api
```

Prepare the vuln-graphql-api project directory for the workshop:

```shell
./scripts/workshop-prep.sh
```

Build and run the test app:

```shell
docker compose up --build --detach
```

Browse to the test app:
Sign up for a StackHawk Developer Account. Create an API Key, App ID, Environment, and HawkScan initial configuration file in the Getting Started flow.
Follow the guidance to save your StackHawk API key to ~/.hawk/hawk.rc
Copy the initial HawkScan configuration file, stackhawk.yml, to the base of your project directory:

```yaml
# ./stackhawk.yml
app:
  applicationId: <YOUR-APP-ID>
  env: Development
  host: http://localhost:3000
```

☝️ Replace `<YOUR-APP-ID>` with the App ID you created in the StackHawk platform.
Scan vuln-graphql-api:

```shell
source ~/.hawk/hawk.rc
docker run -e API_KEY=${HAWK_API_KEY} --rm -v $(pwd):/hawk:rw -it --network host stackhawk/hawkscan:latest
```
Update your stackhawk.yml configuration file:

```yaml
# ./stackhawk.yml
app:
  applicationId: <YOUR-APP-ID>
  env: Development
  host: http://localhost:3000
  graphqlConf:
    enabled: true
    autoPolicy: true
    autoInputVectors: true
hawk:
  spider:
    base: false
```

Scan again:

```shell
docker run -t -e API_KEY=${HAWK_API_KEY} -v $(pwd):/hawk --network host stackhawk/hawkscan:latest
```
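The wrapper script below is an added example and is not part of the workshop or the vuln-graphql-api project. It bundles the local scan steps above with the pre-flight checks a practitioner usually wants before kicking off a scan: the API key must have been loaded from ~/.hawk/hawk.rc, stackhawk.yml must no longer contain a `<YOUR-...>` placeholder, and the app must answer on http://localhost:3000 before HawkScan starts. The file name scan-local.sh, the `--scan` flag and the STACKHAWK_CONFIG, APP_URL and HAWK_RC overrides are assumptions made for this example.

```shell
#!/usr/bin/env bash
# scan-local.sh: added example wrapping the workshop's local scan with pre-flight checks.
# Assumed layout (not from the workshop): this script sits at the project root beside stackhawk.yml.
set -eu

CONFIG="${STACKHAWK_CONFIG:-stackhawk.yml}"
APP_URL="${APP_URL:-http://localhost:3000}"   # matches app.host in stackhawk.yml
HAWK_RC="${HAWK_RC:-$HOME/.hawk/hawk.rc}"

# Print every config line that still holds a template placeholder such as <YOUR-APP-ID>.
config_placeholders() {
  grep -nE '<YOUR-[A-Z-]+>' "$1" || true
}

# Succeed only when the config file exists and no placeholder is left in it.
config_is_ready() {
  [ -f "$1" ] || { echo "missing config file: $1" >&2; return 1; }
  count=$(grep -cE '<YOUR-[A-Z-]+>' "$1" || true)
  [ "$count" -eq 0 ]
}

# Succeed only when the API key was exported (normally by sourcing ~/.hawk/hawk.rc).
api_key_is_set() {
  [ -n "${HAWK_API_KEY:-}" ]
}

# Poll the app until it returns any HTTP response, so the scan does not start
# while the container is still booting. A non-2xx status still counts as "up".
wait_for_app() {
  url=$1
  tries=${2:-30}
  i=0
  while [ "$i" -lt "$tries" ]; do
    if curl -sS -o /dev/null "$url" 2>/dev/null; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "app at $url did not respond within $tries seconds" >&2
  return 1
}

main() {
  if [ -f "$HAWK_RC" ]; then . "$HAWK_RC"; fi
  api_key_is_set || { echo "HAWK_API_KEY is not set; run: source $HAWK_RC" >&2; exit 1; }
  if ! config_is_ready "$CONFIG"; then
    echo "replace the placeholders in $CONFIG first:" >&2
    config_placeholders "$CONFIG" >&2
    exit 1
  fi
  wait_for_app "$APP_URL"
  # Same scan as the workshop command. Exporting API_KEY and passing `-e API_KEY` with no
  # value lets Docker copy it from the environment, so the key is not part of the argv.
  export API_KEY="$HAWK_API_KEY"
  docker run -t -e API_KEY -v "$(pwd):/hawk" --network host stackhawk/hawkscan:latest
}

# Only start a scan when invoked as `./scan-local.sh --scan`; without the flag the
# functions are merely defined so the file can be sourced and reused.
if [ "${1:-}" = "--scan" ]; then
  main
fi
```

Run it from the project root as `./scan-local.sh --scan` after `docker compose up --build --detach`. The placeholder check catches the most common first-scan failure (an unedited `<YOUR-APP-ID>`), and the readiness poll avoids a scan that starts before the container is listening.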
Add your StackHawk API key as a GitHub Secret. Go to your repository in GitHub, and under the Settings section, find Secrets in the left-hand pane. Enter your StackHawk API key as a secret named `HAWK_API_KEY`.
Create the workflow, .github/workflows/build-and-scan.yml:

```yaml
# .github/workflows/build-and-scan.yml
name: Build and Scan
on:
  push:
jobs:
  hawkscan:
    name: Build and Scan
    runs-on: ubuntu-20.04
    steps:
      - name: Clone repo
        uses: actions/checkout@v2
      - name: Build and run vuln-graphql-api
        run: docker-compose up --build --detach
      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v1.3.1
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
```

Push your changes to GitHub:

```shell
git add .
git commit -m "add HawkScan to the build workflow"
git push
```
Check your workflow in GitHub Actions, and your scan results on StackHawk.
You just automated DAST GraphQL scanning in a build pipeline!
Here are some additional resources for further tuning StackHawk for your applications.
- HawkDocs - StackHawk Documentation.
- GraphQL Configuration - Details on how to tune your GraphQL scan.
- Authenticated Scanning - Guides for authenticating HawkScan to your application for deeper scans.
- Continuous Integration - Guides for integrating HawkScan with the most popular CI/CD systems.
- StackHawk Blog - Tips, tricks, and strategies to help you continuously test and secure your applications.