<h1>StackHawk</h1>
<p>I attended a <a href="https://portal.gitnation.org/contents/js-security-testing-in-github-actions-631">workshop</a> on security testing during <a href="https://portal.gitnation.org/events/node-congress-2022">Node Congress 2022</a>.</p>
<p>Here are some key takeaways:</p>
<ul>
<li>Software Composition Analysis (SCA): <a href="https://github.com/dependabot">Dependabot</a>, <a href="https://snyk.io/">Snyk</a></li>
<li>Static Application Security Testing: <a href="https://github.com/github/codeql">CodeQL</a>, Snyk</li>
<li>Dynamic Application Security Testing: <a href="https://www.stackhawk.com/">StackHawk</a>, <a href="https://www.zaproxy.org/">OWASP ZAP</a></li>
</ul>
<h2>Dynamic Application Security Testing</h2>
<p>StackHawk is a DAST tool built upon OWASP ZAP. For example, it can scan a running application and then displays on a dashboard the different scans that classify the potential security risks by severity.</p>
<p>I integrated StackHawk with my <a href="https://github.com/pfongkye/nextjs-blog">Next.js blog</a> using <a href="https://docs.stackhawk.com/continuous-integration/github-actions.html">GitHub actions</a>.
There are two config files that are added before StackHawk can start scanning: the <a href="https://github.com/pfongkye/nextjs-blog/blob/main/.github/workflows/hawkscan.yml">GitHub workflow</a> file and the <a href="https://github.com/pfongkye/nextjs-blog/blob/main/stackhawk.yml">configuration file</a> that contains the endpoint to scan.</p>
<p>What I find particularly interesting with this tool is that for each potential security risk, there is a clear explanation of the problem. And from this explanation, you decide how to act on the issue:
<img src="https://user-images.githubusercontent.com/1062699/170891632-feddaf85-d814-4f67-9ac4-cfca7a0a2c7e.png" alt="image"></p>


Pascal

JS Security Testing in GitHub Actions

StackHawk

Dynamic Application Security Testing