Overview
When testing applications running in a Kubernetes environment, you may want to run HawkScan from within that same environment.
This article details how to do so with a Kubernetes CronJob, although you can also do it as a normal batch Job.
We create the [Cron]Job pod from our StackHawk container image, stackhawk/hawkscan, and use environment variables to tell StackHawk to clone your Git repo, where it can find your StackHawk configuration file.
Procedure
To run HawkScan in Kubernetes, you'll need to configure the following elements:
Environment Variables:
API_KEY - this authenticates the scanner to the StackHawk platform.
HAWK_GIT_URL - this points the scanner to the appropriate GitHub repository.
HAWK_GIT_REV - this points the scanner to the appropriate branch/commit/tag of your repository. You can omit this if you just want the latest revision of your default branch.
Kubernetes Namespace:
Create and define a stackhawk namespace
Configure The Environment
1). Export your StackHawk API key as an environment variable, API_KEY (if necessary, you can create a new API key from API Keys in the StackHawk console):
export API_KEY=<your-stackhawk-api-key>
2). Export your GitHub repository URL as an environment variable, HAWK_GIT_URL. Since it is a private repository, you will need to supply your username <username> and GitHub PAT <github-PAT>. If necessary, you can create a new GitHub PAT following the GitHub guide, Creating a personal access token.
export HAWK_GIT_URL="https://<username>:<github-PAT>@github.com/<organization-name>/<repo-name>.git"
Create And Configure A Namespace
3). Create the Namespace stackhawk to run your CronJob in.
kubectl create namespace stackhawk
4). Create a Kubernetes Secret stackhawk to store your StackHawk API key and GitHub URL.
kubectl create secret --namespace stackhawk generic stackhawk \
  --from-literal=api_key="${API_KEY}" \
  --from-literal=hawk_git_url="${HAWK_GIT_URL}"
5). Create your CronJob using the yaml below, as cronjob.yaml.
kubectl apply -f ./cronjob.yaml
YAML (cronjob.yaml)
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hawkscan-cron
  namespace: stackhawk
spec:
  schedule: "0 * * * *" # See https://crontab.guru/
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: hawkscan
              image: stackhawk/hawkscan:latest
              imagePullPolicy: Always
              securityContext:
                runAsUser: 0
              env:
                - name: API_KEY
                  valueFrom:
                    secretKeyRef:
                      name: stackhawk
                      key: api_key
                - name: HAWK_GIT_REV
                  value: main
                - name: HAWK_GIT_URL # Target repo, e.g. ""
                  valueFrom:
                    secretKeyRef:
                      name: stackhawk
                      key: hawk_git_url
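As an added example (not from the StackHawk article), here is a small POSIX shell script that wraps steps 1 to 5: it builds HAWK_GIT_URL from its parts, redacts the PAT before the URL is logged, and applies the namespace, Secret and cronjob.yaml idempotently so re-running it updates rather than fails. The function names, the RUN_DEPLOY guard and the sample values are this example's own; it assumes kubectl is configured and cronjob.yaml is in the current directory.

```shell
#!/bin/sh
# Example deployment helper for the HawkScan CronJob (added example, assumed names).
set -eu

NAMESPACE="stackhawk"

# Fail fast if a required environment variable is unset or empty.
require_env() {
  eval "val=\${$1:-}"
  if [ -z "$val" ]; then
    echo "missing required environment variable: $1" >&2
    return 1
  fi
}

# Build the clone URL HawkScan uses for a private GitHub repo.
# args: <username> <github-PAT> <organization-name> <repo-name>
build_git_url() {
  printf 'https://%s:%s@github.com/%s/%s.git\n' "$1" "$2" "$3" "$4"
}

# Mask the PAT in a git URL so the URL can be logged without leaking it;
# URLs without embedded credentials (public repos) are returned unchanged.
redact_git_url() {
  printf '%s\n' "$1" | sed -E 's#(https://[^:/@]+:)[^@]+@#\1***@#'
}

ensure_namespace() {
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 \
    || kubectl create namespace "$NAMESPACE"
}

# Render the Secret with a client-side dry run and apply it, so an existing
# Secret is updated in place instead of "create" failing on the second run.
apply_secret() {
  kubectl create secret generic stackhawk --namespace "$NAMESPACE" \
    --from-literal=api_key="$API_KEY" \
    --from-literal=hawk_git_url="$HAWK_GIT_URL" \
    --dry-run=client -o yaml | kubectl apply -f -
}

main() {
  require_env API_KEY
  require_env HAWK_GIT_URL
  echo "deploying HawkScan CronJob for $(redact_git_url "$HAWK_GIT_URL")"
  ensure_namespace
  apply_secret
  kubectl apply -f ./cronjob.yaml
}

# Only touch the cluster when explicitly asked: RUN_DEPLOY=1 sh deploy.sh
if [ "${RUN_DEPLOY:-0}" = "1" ]; then main; fi
```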
Additional Information
While the above example is for a private GitHub repository, it can apply to public repos as well:
Use a public repo URL for HAWK_GIT_URL rather than a private repo URL. No username or PAT section is needed. Simply obtain the HTTPS URL from the Code button dropdown in the public repo on GitHub.com.
For example: