Skip to main content

'No default configuration file' error when running Docker-based HawkScan

Troubleshooting permissions issues when running HawkScan

AJ avatar
Written by AJ
Updated over 3 years ago

Applies To

Scans initiated in Docker-based HawkScan implementations.

Issue

When running HawkScan, the scan fails immediately with the following error:

General Configuration Error: No default configuration file (stackhawk.yml,stackhawk.yaml) found in /hawk"

Cause

Possible Causes:

1. stackhawk.yml is not present in the directory that the docker run command is being run from

2. Permissions issue with the directory containing stackhawk.yml

In the permissions scenario:

  • stackhawk.yml is present in the directory that the docker command is run from

  • The $(pwd):/hawk:rw portion of the docker command is present (this is what maps the local directory and its contents (such as stackhawk.yml) into the container so that HawkScan can read the configuration)

  • running docker with sudo doesn’t fix the issue

  • launching the container interactively (docker run -v ${pwd}:/hawk:rw -it --entrypoint /bin/bash stackhawk/hawkscan:latest) and running ls /hawk results in: cannot open directory '/hawk': Permission denied

Explanation:

/hawk is a directory within the HawkScan Docker container which inherits the permissions of the pwd directory that the docker command is called from.

zap is the user within the container that HawkScan runs as, and may not have sufficient permissions to access the /hawk directory as mapped from the Docker host if that host directory is too restricted.

  • If that directory has open permissions (for instance, drwxr-xr-x), the zap user can access the directory

  • If that directory does not have sufficient permissions (for instance rwx------), it will be mapped into the container but the zap user that hawk runs as won't be able to access it

Example (RHEL 8 environment):

  • Too restrictive: stackhawk.yml in the top level of the user's home directory:

    • ls -ld /home

      drwx------. 4 1443803177 1443800513 194 Jun 7 15:07 user

  • Sufficient permissions: stackhawk.yml in a subdirectory (/hawk) under the user's home directory:

    • ls -ld /home/user

      drwxr-xr-x. 2 1443803177 1443800513 27 Jun 8 09:26 hawk

3. Wrong directory is mapped into the Docker volume (/hawk)

In this scenario, the wrong directory is named in docker run's -v option.

Typically, the current working directory is specified and the docker run command is run from that directory:

  • linux/MacOS: -v $(pwd):/hawk:rw

  • Windows:

    1. Powershell: -v ${PWD}:/hawk:rw

If a different value is specified (e.g., an absolute path to a directory that doesn't contain stackhawk.yml, or an environment variable that isn't populated correctly), Docker will fail to map the host directory containing stackhawk.yml into the /hawk directory within the container, resulting in the error.

Solution

  1. Place stackhawk.yml in a directory with sufficient permissions for the zap user to access it when docker is run from that directory.

  2. Run docker run from that directory, using the appropriate volume mapping in the docker run command

Notes:

  • Ideally, place stackhawk.yml in the root of the repository for the application in question, and run docker run from there.

  • Alternatively: install the HawkScan CLI, which runs locally without any Docker dependencies.

Additional Information

A similar error can occur when running the HawkScan CLI -- see 'No default configuration file' error when running the HawkScan CLI for details.

Related Articles
'Unable to access http://<host>:<port>' error when running Docker-based HawkScan
HawkScan CLI unexpectedly requests Git password or token when running a scan
'No default configuration file' error when running the HawkScan CLI
How to run the HawkScan CLI on Windows (Powershell)
'hawk.ps1 cannot be loaded' error when running the hawk command with PowerShell
Did this answer your question?