gRPC is an open-source framework developed by Google for building high-performance, scalable, and efficient microservices. It uses Protocol Buffers as its data serialization format, and HTTP/2 as its transport protocol. gRPC applications are becoming increasingly popular due to their performance benefits and ease of use. However, like any other application, gRPC applications are also susceptible to security vulnerabilities. Therefore, it is important to test gRPC applications for security vulnerabilities using a dynamic application security scanner like HawkScan.

Using HawkScan to secure gRPC applications during our Beta requires a gRPC application running in a local or pre-production environment with the following:

Once you've confirmed these requirements, you can move on to setting up HawkScan.

In order to start scanning gRPC applications with HawkScan you'll need to update to the latest build of HawkScan (3.0 or later). You can check the currently installed version as follows:

$ hawk version

v3.0.0

To scan a gRPC application using HawkScan, you need to configure the scanner with the appropriate options. The following yaml configuration can be used to configure HawkScan for scanning a gRPC application:

The above example uses reflection to obtain the schema for the application via the path field. This value is usually the same as the appHost without the prefix. If the target application does not have reflection enabled, a file descriptor set can also be supplied to HawkScan via the filePath field. This file must be generated before the scan takes place. In order to generate this file, generateDescriptorSet must be enabled in the build spec and a path should be supplied that you can point the scanner to. It is worth noting that at this time, not all frameworks/languages support generating the descriptor set for gRPC, and in those cases, reflection will be required. Once the descriptor set file has been generated, it can be supplied to the scanner as such:

Once the scanner is configured with the appropriate options, you can run the scan like any other application type using the following command:

The scanner will connect to the gRPC endpoint specified in the configuration and scan for security vulnerabilities.

You may notice longer than expected scan times for gRPC applications especially those with many services and methods. To reduce scan time we recommend you set the OpenAPI/REST API scan policy to avoid plugins not relevant to gRPC applications. You can do so from the Application settings screen under 'Application Scan Policies'. Update the Applied Policy as follows:

Once the scan is complete you view the results in the terminal and then can navigate to the StackHawk Platform to see more details. Applications with successful gRPC scans will show up as follows in the Applications screen:

Don't have a gRPC application or want to see how this all works before you try it? Watch our guide to scanning gRPC applications with StackHawk here:

Scanning gRPC applications for security vulnerabilities is important to ensure that they are secure and do not pose a threat to the users. HawkScan provides support for scanning gRPC applications and can be configured using yaml configuration files. By using the configuration options provided by HawkScan, you can customize the scanning process and ensure that your gRPC application is secure.