Applies To
HawkScan CLI scans (local or within CI/CD Automation).
Issue
HawkScan authenticates to the StackHawk platform and the successfully validates the yaml configuration, but the scan errors out with an unexpected Git credentials challenge.
Example error:
+ /var/opt/hawk-2.0.0/hawk scan
Authenticating to platform
Authenticating to platform .
Authenticating to platform ..
Git Username: Git Password or Personal Access Token:
[1;91mUnexpected Error: [0m[0m
Cause
Overview:
The GIT_URL environmental variable is set in the shell that launched the CLI version of HawkScan, causing HawkScan to attempt to pull from the git repo contained in that variable.
By default, HawkScan mounts itself to the current working directory from which it runs; GIT_URL is used to mount it from a repository instead.
Details:
Unlike the docker-based version of HawkScan--in which all environmental variables must be explicitly specified--in the CLI version, environmental variables are inherited from the parent shell from which the hawk command is run.
This shell could be local (e.g., a laptop running MacOS with the CLI installed), within a container (e.g., within a Kubernetes pod) or a host (e.g., Jenkins agent runner host) in a CI/CD workflow.
Environmental variables, if present, can be overridden with command line options or unset (see below).
Solution
Unset the GIT_URL variable that HawkScan is attempting to use, then re-run the scan.
Examples:
MacOS:
Unset GIT_URL prior to running hawkscan:
unset GIT_URL;hawk scan
Jenkins:
Unset GIT_URL within a step in the Jenkinsfile pipeline:
stage ("Run HawkScan Test") {
steps {
sh 'unset GIT_URL; /var/opt/hawk-2.1.1/hawk scan'
}
}
Additional Information
StackHawk CLI:
Running HawkScan in Jenkins:
Mounting HawkScan from a Git repository: