StackHawk was purpose-built for the shift-left security model where security testing runs as part of the development workflow rather than as a separate gate before production. The platform provides a CLI tool that developers run locally or in CI/CD pipelines to test running applications for OWASP Top 10 vulnerabilities. Built on top of the established OWASP ZAP scanning engine, StackHawk adds developer experience improvements including YAML-based configuration, API-aware scanning, and findings presented with one-click reproducers.
The CI/CD integration is StackHawk's defining capability. Pipeline plugins for GitHub Actions, GitLab CI, Jenkins, CircleCI, and other CI providers enable automated security testing on every pull request. Scan results appear as PR comments with severity ratings and direct links to detailed findings, creating a feedback loop where developers fix security issues alongside functional changes. Custom scan configurations per environment enable different testing profiles for development, staging, and production.
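As an added illustration of the pull-request integration described above (example workflow written for this page, not StackHawk's own documentation), the following GitHub Actions job starts the application under test, waits until it answers, and then runs HawkScan against it. Assumptions: the application starts with `npm start` and listens on `http://localhost:3000`, a `stackhawk.yml` with the app's `applicationId`, `env` and `host` sits in the repository root, and the StackHawk API key is stored as the repository secret `HAWK_API_KEY`. The action name `stackhawk/hawkscan-action` and its `apiKey` and `configurationFiles` inputs are taken from the published action; the app commands, port and secret name are placeholders.

```yaml
# Added example workflow (not StackHawk's own): run a DAST scan on every pull request.
# Assumptions: app starts with `npm start` on http://localhost:3000, stackhawk.yml in
# repo root, API key in the HAWK_API_KEY repository secret.
name: StackHawk DAST scan

on:
  pull_request:
  push:
    branches: [main]

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci

      # Start the application in the background so the scanner has a live target.
      - run: npm start &

      # Block until the app answers. Scanning a target that is not up yet
      # produces an empty scan that looks like a clean result.
      - name: Wait for the application
        run: |
          for i in $(seq 1 30); do
            if curl -fsS http://localhost:3000/ >/dev/null; then
              exit 0
            fi
            sleep 2
          done
          echo "application did not start in time" >&2
          exit 1

      # Run HawkScan with the repository's stackhawk.yml; results are posted
      # to the StackHawk platform and surfaced on the pull request.
      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          configurationFiles: stackhawk.yml
```

The readiness loop is the part teams most often leave out: without it the scanner can start before the server binds its port, and the job passes with nothing tested. Keeping the API key in a secret rather than in `stackhawk.yml` keeps it out of the repository history, and scoping the per-environment configuration through `app.env` (as the page notes, one profile per environment) lets the same workflow run unchanged against a staging host.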
StackHawk scans REST APIs, GraphQL endpoints, gRPC services, and traditional web applications with authentication support that handles OAuth, session tokens, API keys, and custom auth schemes. Each finding includes a curl command that reproduces the vulnerability, making it simple for developers to verify the issue and confirm the fix. The triaging workflow allows teams to mark findings as false positives, accepted risks, or prioritized fixes, maintaining a clean backlog of actionable security work.