Applies To

Scans initiated in Docker-based HawkScan implementations.

Issue

When running HawkScan, the scan fails immediately with the following error:

General Configuration Error: No default configuration file (stackhawk.yml,stackhawk.yaml) found in /hawk"

Cause

Possible Causes:

1. `stackhawk.yml` is not present in the directory that the `docker run` command is being run from

2. Permissions issue with the directory containing `stackhawk.yml`

In the permissions scenario:

stackhawk.yml is present in the directory that the docker command is run from
The $(pwd):/hawk:rw portion of the docker command is present (this is what maps the local directory and its contents (such as stackhawk.yml) into the container so that HawkScan can read the configuration)
running docker with sudo doesn’t fix the issue
launching the container interactively (docker run -v ${pwd}:/hawk:rw -it --entrypoint /bin/bash stackhawk/hawkscan:latest) and running ls /hawk results in: cannot open directory '/hawk': Permission denied

Explanation:

/hawk is a directory within the HawkScan Docker container which inherits the permissions of the pwd directory that the docker command is called from.

zap is the user within the container that HawkScan runs as, and may not have sufficient permissions to access the /hawk directory as mapped from the Docker host if that host directory is too restricted.

If that directory has open permissions (for instance, drwxr-xr-x), the zap user can access the directory
If that directory does not have sufficient permissions (for instance rwx------), it will be mapped into the container but the zap user that hawk runs as won't be able to access it

Example (RHEL 8 environment):

Too restrictive: stackhawk.yml in the top level of the user's home directory:
- ls -ld /home
  drwx------. 4 1443803177 1443800513 194 Jun 7 15:07 user
Sufficient permissions: stackhawk.yml in a subdirectory (/hawk) under the user's home directory:
- ls -ld /home/user
  drwxr-xr-x. 2 1443803177 1443800513 27 Jun 8 09:26 hawk

3. Wrong directory is mapped into the Docker volume (/hawk)

In this scenario, the wrong directory is named in docker run's -v option.

Typically, the current working directory is specified and the docker run command is run from that directory:

linux/MacOS: -v $(pwd):/hawk:rw
Windows:
1. Powershell: -v ${PWD}:/hawk:rw

If a different value is specified (e.g., an absolute path to a directory that doesn't contain stackhawk.yml, or an environment variable that isn't populated correctly), Docker will fail to map the host directory containing stackhawk.yml into the /hawk directory within the container, resulting in the error.

Solution

Place stackhawk.yml in a directory with sufficient permissions for the zap user to access it when docker is run from that directory.
Run docker run from that directory, using the appropriate volume mapping in the docker run command

Notes:

Ideally, place stackhawk.yml in the root of the repository for the application in question, and run docker run from there.
Alternatively: install the HawkScan CLI, which runs locally without any Docker dependencies.

Additional Information

A similar error can occur when running the HawkScan CLI -- see 'No default configuration file' error when running the HawkScan CLI for details.

'Unable to access http://<host>:<port>' error when running Docker-based HawkScan

HawkScan CLI unexpectedly requests Git password or token when running a scan

'No default configuration file' error when running the HawkScan CLI

How to run the HawkScan CLI on Windows (Powershell)

'hawk.ps1 cannot be loaded' error when running the hawk command with PowerShell