This application is an intentionally vulnerable Java Spring Boot application with Thymeleaf. It is for training purposes only; do not expose it to untrusted networks.
Run the application
Go to the root folder of the application and run using Maven
mvn spring-boot:run
The application seeds itself with data at startup; wait until you see READY in the console before using it.
You can access the application on http://localhost:8081
By default, two users are configured that you can log in with:

Username   Password   User type
admin      admin      ADMIN
user       user       CUSTOMER
DAST Scan with StackHawk
Run a DAST scan with StackHawk, producing a stackhawk.sarif file as output. This can later be ingested into SonarQube.
export SARIF_ARTIFACT=true
hawk scan
Add the stackhawk.sarif file to the Sonar scan via the -Dsonar.sarifReportPaths=stackhawk.sarif parameter:
# Get the current branch name directly using command substitution
# (requires Git 2.22 or newer for --show-current)
CURRENT_BRANCH=$(git branch --show-current)
# Abort if no branch name was found (for example in detached HEAD state)
if [ -z "$CURRENT_BRANCH" ]; then
echo "Error: Could not determine the current Git branch."
exit 1
fi
mvn clean verify sonar:sonar \
-Dsonar.projectKey=e-corp-demo_sonarqube-stackhawk-dast-demo_31dfab10-94aa-4a9b-a894-77cabdab902a \
-Dsonar.projectName='sonarqube-stackhawk-dast-demo' \
-Dsonar.host.url=https://mathiasconradt.ngrok.io \
-Dsonar.sarifReportPaths=stackhawk.sarif \
-Dsonar.branch.name="$CURRENT_BRANCH"
The DAST findings from StackHawk appear under the issues, tagged with STACKHAWK.
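Before handing the SARIF file to the Sonar scanner it is worth checking that it is actually a SARIF 2.1.0 document with at least one run, and seeing what it will inject into the issue list. The script below is an added example, not code from the demo project, StackHawk or Sonar: it validates the structure, summarises results by severity and rule, and can be used as a pipeline gate on error-level findings. The embedded report is a constructed sample in generic SARIF 2.1.0 shape with made-up rule IDs (SQLI-001, CSP-001), not real StackHawk output; the function and variable names are this example's own.

```python
"""Pre-flight check and summary of a SARIF report before passing it to sonar-scanner."""
import json
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape (assumption: rule IDs and tool name are invented).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ExampleDAST", "rules": [
            {"id": "SQLI-001", "shortDescription": {"text": "SQL Injection"}},
            {"id": "CSP-001", "shortDescription": {"text": "Content Security Policy header not set"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Parameter 'q' is injectable"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "http://localhost:8081/search?q=test"}}}]},
            {"ruleId": "CSP-001", "level": "warning",
             "message": {"text": "No Content-Security-Policy header"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "http://localhost:8081/"}}}]},
            {"ruleId": "CSP-001",  # level omitted on purpose: SARIF defaults it to "warning"
             "message": {"text": "No Content-Security-Policy header"},
             "locations": [{"physicalLocation": {"artifactLocation":
                 {"uri": "http://localhost:8081/login"}}}]},
        ],
    }],
})


def load_sarif(text: str) -> dict:
    """Parse SARIF text and reject documents the Sonar import cannot use."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document contains no runs")
    return doc


def summarize(doc: dict) -> dict:
    """Count results per severity level and per rule across all runs."""
    by_level: Counter = Counter()
    by_rule: Counter = Counter()
    rule_names: dict = {}
    for run in doc["runs"]:
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            rule_names[rule["id"]] = rule.get("shortDescription", {}).get("text", rule["id"])
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF 2.1.0 default when level is absent
            by_level[level] += 1
            by_rule[result.get("ruleId", "<no ruleId>")] += 1
    return {
        "total": sum(by_level.values()),
        "by_level": dict(by_level),
        "by_rule": {rid: {"name": rule_names.get(rid, rid), "count": n}
                    for rid, n in by_rule.items()},
    }


def has_blocking_findings(doc: dict, blocking_levels=("error",)) -> bool:
    """True if any result is at a level you want to fail the pipeline on."""
    return any(result.get("level", "warning") in blocking_levels
               for run in doc["runs"] for result in run.get("results", []))


def main(argv) -> int:
    # Read the report path from the command line, or fall back to the constructed sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    doc = load_sarif(text)
    summary = summarize(doc)
    print(f"{summary['total']} finding(s): {summary['by_level']}")
    for rid, info in summary["by_rule"].items():
        print(f"  {rid:<12} {info['count']:>3}  {info['name']}")
    return 1 if has_blocking_findings(doc) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_sarif.py stackhawk.sarif` before the mvn sonar:sonar step; a non-zero exit means error-level findings are present, which is the natural place to stop a pipeline if you want DAST results to gate the build rather than just appear as issues in Sonar.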
Questions & Contact
Mathias Conradt
Security Solutions Engineer at Sonar
https://www.linkedin.com/in/mathiasconradt/
https://x.com/mathiasconradt