Skip to main content
All CollectionsRunning HawkScan
How to run HawkScan in Kubernetes
How to run HawkScan in Kubernetes

Running HawkScan using a CronJob kube specification in k8s

Anthony Stinn avatar
Written by Anthony Stinn
Updated over 11 months ago

Overview

When testing applications running in a Kubernetes environment, you may want to run HawkScan from within that same environment.

This article details how to do so with a Kubernetes CronJob, although you can also do it as a normal batch Job.

We create the [Cron]Job pod from our StackHawk container image, stackhawk/hawkscan, and use environment variables to tell StackHawk to clone your Git repo, where it can find your StackHawk configuration file.


Procedure

To run HawkScan in Kubernetes, you'll need to configure the following elements:

  • Environment Variables:

    1. API_KEY - this authenticates the scanner to the StackHawk platform.

    2. HAWK_GIT_URL - this points the scanner to the appropriate GitHub repository.

    3. HAWK_GIT_REV - this points the scanner to the appropriate branch/commit/tag of your repository. You can omit this if you just want the latest revision of your default branch.

  • Kubernetes Namespace:

    1. Create and define a stackhawk namespace

Configure The Environment

1). Export your StackHawk API key as an environment variable, API_KEY (If necessary, you can create a new API key from API Keys in the StackHawk console):

export API_KEY=<your-stackhawk-api-key>

2). Export your GitHub repository URL as an environment variable, HAWK_GIT_URL. Since it is a private repository, you will need to supply your username <username> and GitHub PAT <github-PAT>. If necessary, you can create a new GitHub PAT following the GitHub guide, Creating a personal access token.

export HAWK_GIT_URL="https://<username>:<github-PAT>@github.com/<organization-name>/<repo-name>.git"

Create And Configure A Namespace

3). Create the Namespace stackhawk to run your CronJob in.

kubectl create namespace stackhawk

4). Create a Kubernetes Secret stackhawk to store your StackHawk API key and GitHub URL.
โ€‹

kubectl create secret --namespace stackhawk generic stackhawk \ --from-literal=api_key="${API_KEY}" \ --from-literal=hawk_git_url="${HAWK_GIT_URL}"

5). Create your CronJob using the yaml below, as cronjob.yaml.

kubectl apply -f ./cronjob.yaml

YAML (cronjob.yaml)

apiVersion: batch/v1
kind: CronJob
metadata:
name: hawkscan-cron
namespace: stackhawk
spec:
schedule: "0 * * * *" # See https://crontab.guru/
jobTemplate:
spec:
template:
spec:
restartPolicy: Never
containers:
- name: hawkscan
image: stackhawk/hawkscan:latest
imagePullPolicy: Always
securityContext:
runAsUser: 0
env:
- name: API_KEY
valueFrom:
secretKeyRef:
name: stackhawk
key: api_key
- name: HAWK_GIT_REV
value: main
- name: HAWK_GIT_URL # Target repo, e.g. ""
valueFrom:
secretKeyRef:
name: stackhawk
key: hawk_git_url


Additional Information

While the above example is for a private GitHub repository, it can apply to public repos as well:

  • Use a public repo URL for HAWK_GIT_URL rather than a private repo URL

    • No username or PAT section is needed

  • Simply obtain the HTTPS URL from the Code button dropdown in the public repo on GitHub.com

For example:

Did this answer your question?