GraphQL Support
StackHawk is pioneering application security testing for GraphQL APIs. The scanner, HawkScan, will perform introspection of a GraphQL app to generate routes based on available operations.
The scanner can be configured to enumerate all available types and input parameters for Query and Mutation together, or for each individual type separately.
GraphQL Scanning Overview
See Scanning GraphQL for the high-level process for scanning a GraphQL application with HawkScan.
Schema File as Alternative to Introspection Endpoint
If your application doesn't host a live introspection endpoint that the scanner can reach (as configured in app.graphqlConf.schemaPath), fear not!
As an alternative, you can ingest a JSON-formatted GraphQL schema file into HawkScan by setting a relative path to that file in app.graphqlConf.filePath.
Note: schemaPath and filePath are either/or; set one, but not both.
But how can you generate a schema file in the first place? Read on...
Generating a Schema File
1. To generate a GraphQL schema, run the following introspection query against the application:
    query IntrospectionQuery {
      __schema {
        queryType { name }
        mutationType { name }
        subscriptionType { name }
        types { ...FullType }
        directives {
          name
          description
          args { ...InputValue }
        }
      }
    }

    fragment FullType on __Type {
      kind
      name
      description
      fields(includeDeprecated: true) {
        name
        description
        args { ...InputValue }
        type { ...TypeRef }
        isDeprecated
        deprecationReason
      }
      inputFields { ...InputValue }
      interfaces { ...TypeRef }
      enumValues(includeDeprecated: true) {
        name
        description
        isDeprecated
        deprecationReason
      }
      possibleTypes { ...TypeRef }
    }

    fragment InputValue on __InputValue {
      name
      description
      type { ...TypeRef }
      defaultValue
    }

    fragment TypeRef on __Type {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
                ofType {
                  kind
                  name
                  ofType {
                    kind
                    name
                  }
                }
              }
            }
          }
        }
      }
    }
2. Strip off the "data" wrapper ("data":{<your_schema_details>}) from the introspection query results and save the file so that it begins with {"__schema".
3. Place the file in the directory (relative to where stackhawk.yml resides) as configured in app.graphqlConf.filePath.
4. Run HawkScan.
5. Repeat after me: "KaaKaww!"
Notes:
- the schema file must be JSON-formatted
- the schema file should begin with {"__schema": ; if it doesn't, the scan will fail with a 500 Internal Error
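Steps 2 and 3 above are easy to get wrong by hand, and a file that does not start with {"__schema": only surfaces as a 500 at scan time. The following script automates the unwrap and refuses to write a file that would fail that check. It is an added example, not StackHawk's tooling; the endpoint URL and output file name are assumptions, and the sample server reply is constructed.

```python
"""Turn a GraphQL introspection response into the {"__schema": ...} file that
HawkScan reads from app.graphqlConf.filePath (steps 2 and 3 above).
Added example, not StackHawk's own tooling; the endpoint URL and output file
name are assumptions, and SAMPLE_RESPONSE is a constructed server reply."""
import json
import urllib.request

# Shortened for the example; use the full IntrospectionQuery from step 1.
INTROSPECTION_QUERY = "query { __schema { queryType { name } types { kind name } } }"

def fetch_introspection(url: str, query: str = INTROSPECTION_QUERY) -> str:
    """POST the query to the GraphQL endpoint and return the raw JSON body."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def unwrap_schema(raw: str) -> dict:
    """Strip the "data" wrapper so the document starts with "__schema".

    Refuses payloads that carry GraphQL errors or lack "__schema", so a bad
    file is never written (HawkScan fails such a scan with a 500 Internal Error).
    """
    doc = json.loads(raw)
    if doc.get("errors"):
        raise ValueError(f"introspection failed: {doc['errors']}")
    inner = doc.get("data", doc)  # an already-unwrapped file passes through
    if not isinstance(inner, dict) or "__schema" not in inner:
        raise ValueError("no '__schema' key: not an introspection result")
    return {"__schema": inner["__schema"]}

def schema_file_text(raw: str) -> str:
    """Serialize the unwrapped schema; the text begins with {"__schema":."""
    return json.dumps(unwrap_schema(raw), separators=(",", ":"))

def write_schema_file(raw: str, path: str) -> None:
    """Write the file HawkScan expects at app.graphqlConf.filePath."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(schema_file_text(raw))

# Constructed sample: a server reply, still wrapped in "data".
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": None,
    "types": [{"kind": "OBJECT", "name": "Query"}]}}})

if __name__ == "__main__":
    # raw = fetch_introspection("http://localhost:3000/graphql")  # assumed URL
    write_schema_file(SAMPLE_RESPONSE, "schema.json")  # assumed output name
```

Point write_schema_file at the directory referenced by app.graphqlConf.filePath, relative to stackhawk.yml, and the resulting file satisfies both Notes above.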