SonarQube Stackhawk DAST Demo Repo
Source: Dev.to
## Setup and Run the Application

This is an intentionally vulnerable Java Spring Boot application with Thymeleaf, intended for training purposes only.

```shell
# From the root folder of the application
mvn spring-boot:run
```

The application populates data at startup; wait until you see `READY` in the console.

You can then access it at: http://localhost:8081
## Default Users

| Username | Password | User type |
|---|---|---|
| Admin | admin | ADMIN |
| User | user | CUSTOMER |
## Run a DAST Scan with StackHawk

```shell
export SARIF_ARTIFACT=true
hawk scan
```

The scan produces a `stackhawk.sarif` file that can later be ingested into SonarQube.
## Add the SARIF Report to a SonarQube Scan

```shell
# Get the current branch name
CURRENT_BRANCH=$(git branch --show-current)

# Verify the branch name was obtained (detached HEAD yields an empty string)
if [ -z "$CURRENT_BRANCH" ]; then
  echo "Error: Could not determine the current Git branch." >&2
  exit 1
fi

# Run the build and the SonarQube analysis, passing the StackHawk SARIF report
mvn clean verify sonar:sonar \
  -Dsonar.projectKey=e-corp-demo_sonarqube-stackhawk-dast-demo_31dfab10-94aa-4a9b-a894-77cabdab902a \
  -Dsonar.projectName='sonarqube-stackhawk-dast-demo' \
  -Dsonar.host.url=https://mathiasconradt.ngrok.io \
  -Dsonar.sarifReportPaths=stackhawk.sarif \
  -Dsonar.branch.name="$CURRENT_BRANCH"
```

The DAST findings from StackHawk will appear under Issues in SonarQube, tagged with `STACKHAWK`.
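Before handing `stackhawk.sarif` to `sonar.sarifReportPaths`, it is worth checking that the file is a well-formed SARIF 2.1.0 document with at least one run, and seeing how many findings of each level it carries. The pre-flight check below is an added example, not part of the original post or of the StackHawk or SonarQube tooling; the embedded SARIF document and its rule IDs are constructed to mimic the SARIF 2.1.0 shape and are not real scanner output.

```python
"""Pre-flight summary of a SARIF report before SonarQube ingestion (added example)."""
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for stackhawk.sarif (not real output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "StackHawk", "rules": [
            {"id": "EXAMPLE-001", "shortDescription": {"text": "Missing security header"}},
            {"id": "EXAMPLE-002", "shortDescription": {"text": "Reflected input in response"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-001", "level": "warning",
             "message": {"text": "Response lacks a hardening header"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http://localhost:8081/"}}}]},
            {"ruleId": "EXAMPLE-002", "level": "error",
             "message": {"text": "Request parameter echoed unencoded"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http://localhost:8081/search"}}}]},
        ],
    }],
})


def summarize_sarif(text: str) -> dict:
    """Parse SARIF text and count results per level and per rule across all runs."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs") or []
    if not runs:
        # An empty runs array usually means the scan never completed.
        raise ValueError("SARIF document has no runs; check that the scan finished")
    by_level, by_rule, tools = Counter(), Counter(), set()
    for run in runs:
        tools.add(run.get("tool", {}).get("driver", {}).get("name", "unknown"))
        for result in run.get("results", []):
            by_level[result.get("level", "none")] += 1   # SARIF levels: error/warning/note/none
            by_rule[result.get("ruleId", "?")] += 1
    return {"tools": sorted(tools), "total": sum(by_level.values()),
            "by_level": dict(by_level), "by_rule": dict(by_rule)}


def has_blocking_findings(summary: dict, max_errors: int = 0) -> bool:
    """True when the report carries more error-level findings than a CI job should tolerate."""
    return summary["by_level"].get("error", 0) > max_errors


if __name__ == "__main__":
    print(json.dumps(summarize_sarif(SAMPLE_SARIF), indent=2))
```

Point `summarize_sarif` at the real file with `open("stackhawk.sarif").read()`; the findings are still uploaded to SonarQube either way, the summary only tells you up front what to expect under Issues.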