app.host is a required field in stackhawk.yml -- it represents the root URL of the application being scanned.

What do we mean by root URL?

HawkScan allows the following options for URL's in app.host:

  1. an FQDN in a URL (https://app.company.com)

  2. an IP:PORT in a URL (

  3. a domain as a URL (https://domain.com)

    1. this approach is uncommon -- scans should be granular, localized, and non-production in nature

  4. localhost as URL

    1. https://localhost:5000



  • While the above examples use https, http (e.g., http://localhost:5000) is also an option within the URL

  • If not port is specified in the URL, the default http port (80) or https port (443) are assumed

But what about paths?

Specific paths (e.g., API paths such as https://myapp.com/api/v2) can be scanned, but can't serve as the root of the application to be scanned.

If you have applications for which communication with the root application url is not allowed (i.e., only specific paths respond to http messages, but the root does not), reach out to StackHawk Support for assistance.


  1. Set app.host according to the rules above

  2. Configure HawkScan to populate the paths beneath the application root, via:

    1. hawk.spider configuration

      1. standard spider (on by default)

      2. ajax spider (off by default)

    2. API configuration (to seed API paths to be scanned):

      1. OpenAPI (including Postman collections)

      2. GraphQL

  3. Run a scan

Did this answer your question?