All Collections
Running HawkScan
How to run HawkScan in Kubernetes
How to run HawkScan in Kubernetes

Running HawkScan using a CronJob kube specification in k8s

Anthony Stinn avatar
Written by Anthony Stinn
Updated over a week ago

Overview

When testing applications running in a Kubernetes environment, you may want to run HawkScan from within that same environment.

This article details how to do so with a Kubernetes CronJob, although you can also do it as a normal batch Job.

We create the [Cron]Job pod from our StackHawk container image, stackhawk/hawkscan, and use environment variables to tell StackHawk to clone your Git repo, where it can find your StackHawk configuration file.

Procedure

To run HawkScan in Kubernetes, you'll need to configure the following elements:

  • Environment Variables:

    1. API_KEY - this authenticates the scanner to the StackHawk platform.

    2. HAWK_GIT_URL - this points the scanner to the appropriate GitHub repository.

    3. HAWK_GIT_REV - this points the scanner to the appropriate branch/commit/tag of your repository. You can omit this if you just want the latest revision of your default branch.

  • Kubernetes Namespace:

    1. Create and define a stackhawk namespace

Configure The Environment

1). Export your StackHawk API key as an environment variable, API_KEY (If necessary, you can create a new API key from API Keys in the StackHawk console):

export API_KEY=<your-stackhawk-api-key>

2). Export your GitHub repository URL as an environment variable, HAWK_GIT_URL. Since it is a private repository, you will need to supply your username <username> and GitHub PAT <github-PAT>. If necessary, you can create a new GitHub PAT following the GitHub guide, Creating a personal access token.

export HAWK_GIT_URL="https://<username>:<github-PAT>@github.com/<organization-name>/<repo-name>.git"

Create And Configure A Namespace

3). Create the Namespace stackhawk to run your CronJob in.

kubectl create namespace stackhawk

4). Create a Kubernetes Secret stackhawk to store your StackHawk API key and GitHub URL.
โ€‹

kubectl create secret --namespace stackhawk generic stackhawk \ --from-literal=api_key="${API_KEY}" \ --from-literal=hawk_git_url="${HAWK_GIT_URL}"

5). Create your CronJob using the yaml below, as cronjob.yaml.

kubectl apply -f ./cronjob.yaml

YAML (cronjob.yaml)

apiVersion: batch/v1
kind: CronJob
metadata:
  name: hawkscan-cron
  namespace: stackhawk
spec:
  schedule: "0 * * * *" # See https://crontab.guru/
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: hawkscan
              image: stackhawk/hawkscan:latest
              imagePullPolicy: Always
              securityContext:
                runAsUser: 0
              env:
                - name: API_KEY
                  valueFrom:
                    secretKeyRef:
                      name: stackhawk
                      key: api_key
                - name: HAWK_GIT_REV
                  value: main
                - name: HAWK_GIT_URL # Target repo, e.g. ""
                  valueFrom:
                    secretKeyRef:
                      name: stackhawk
                      key: hawk_git_url

Tip: Use a YAML linter like this one to double-check your yaml customizations.

Additional Information

While the above example is for a private GitHub repository, it can apply to public repos as well:

  • Use a public repo URL for HAWK_GIT_URL rather than a private repo URL

    • No username or PAT section is needed

  • Simply obtain the HTTPS URL from the Code button dropdown in the public repo on GitHub.com

For example:

Related Articles
HawkScan CLI unexpectedly requests Git password or token when running a scan
'No default configuration file' error when running Docker-based HawkScan
'No default configuration file' error when running the HawkScan CLI
How to run the HawkScan CLI on Windows (Powershell)
'docker pull stackhawk/hawkscan' fails with 'no such host' error in GitLab
Did this answer your question?