Configuring a site-driven scan using the generic CI/CD driver
- You have created an API user in Burp Suite Enterprise Edition and have access to the corresponding API key
- You have finished setting up the site that you want to scan in Burp Suite Enterprise Edition. We recommend running a couple of scans from the web UI to make sure that you're happy with the scan configuration and crawler behavior.
Add the build steps to your pipeline
- On your preferred CI/CD platform, open the pipeline in which you want to incorporate a vulnerability scan. Alternatively, create a new freestyle project if you just want to test the integration process.
- Make sure your pipeline deploys the application that you want to scan to the same URL as the corresponding site in Burp Suite Enterprise Edition.
- Set up your pipeline so that it has access to the generic CI/CD driver from our website and a suitable JRE for running the JAR. For reference, the driver was built using Java 9.
- Add either an "Execute shell" or "Execute Windows batch command" build step.
Enter a command that will run the driver with the appropriate parameters for the scans that you want to trigger. For a site-driven scan, you must include:
- The URL of your Enterprise server
- --api-key for the API user that you created earlier
- --site-id of the site that you want to scan. You can find this ID in the URL of the site in the web UI.
java -jar path/to/ci-driver.jar https://your-enterprise-server:8080 --api-key=secret --min-severity=high --min-confidence=certain --site-id=7 --report-file=scan-report.html --report-type=summary
In the example above, "secret" and "7" are placeholders for your own API key and site ID. Treat the API key like any other credential: store it in your CI/CD platform's secret store and pass it to the build step as a masked variable rather than writing it into the pipeline script, where it would be visible to anyone who can read the job definition and may be echoed into the build log.
- Save your pipeline.
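The build step described above, written out as an added example "Execute shell" script (this is not PortSwigger's code and not part of the original page). It assumes the pipeline injects the API key and the other settings as environment variables: BURP_ENTERPRISE_URL, BURP_API_KEY (from the CI secret store), BURP_SITE_ID, CI_DRIVER_JAR, and the optional BURP_MIN_SEVERITY, BURP_MIN_CONFIDENCE and BURP_REPORT_FILE; all of these variable names are this example's own choice. The script validates the settings before starting Java, logs the command line with the key masked, and lets the driver's exit status decide whether the step fails. Requiring an https server URL is this example's policy, not a driver requirement.

```shell
#!/bin/sh
# Example "Execute shell" build step for a site-driven scan with the generic
# CI/CD driver. Assumed environment variables (names chosen for this example):
#   BURP_ENTERPRISE_URL  e.g. https://your-enterprise-server:8080
#   BURP_API_KEY         the API user's key, injected from the CI secret store
#   BURP_SITE_ID         numeric site ID taken from the site's URL in the web UI
#   CI_DRIVER_JAR        path to the downloaded ci-driver.jar
#   BURP_MIN_SEVERITY    optional, defaults to high
#   BURP_MIN_CONFIDENCE  optional, defaults to certain
#   BURP_REPORT_FILE     optional, defaults to scan-report.html
set -eu

# A site ID must be a positive integer: the driver expects the numeric ID shown
# in the site's URL, not the site name.
valid_site_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Print the given driver arguments on one line with the API key masked, so the
# command can be written to the build log without leaking the key.
redact() {
    out=''
    for arg in "$@"; do
        case "$arg" in
            --api-key=*) arg='--api-key=***' ;;
        esac
        out="${out:+$out }$arg"
    done
    printf '%s\n' "$out"
}

# Validate every setting before touching Java, so a misconfigured pipeline
# fails with a clear message instead of an opaque driver error. Reports all
# problems at once rather than stopping at the first one.
check_settings() {
    ok=0
    for name in BURP_ENTERPRISE_URL BURP_API_KEY BURP_SITE_ID CI_DRIVER_JAR; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required setting: $name" >&2
            ok=1
        fi
    done
    if ! valid_site_id "${BURP_SITE_ID:-}"; then
        echo "BURP_SITE_ID must be the numeric ID from the site's URL, got '${BURP_SITE_ID:-}'" >&2
        ok=1
    fi
    # Example policy: refuse to send the API key over plain http.
    case "${BURP_ENTERPRISE_URL:-}" in
        https://*) ;;
        *) echo "BURP_ENTERPRISE_URL must start with https://" >&2; ok=1 ;;
    esac
    return $ok
}

run_scan() {
    check_settings || return 1
    command -v java >/dev/null 2>&1 || { echo "java not found on PATH" >&2; return 1; }
    # Build the argument list once, as positional parameters, so the same
    # list is both logged (redacted) and executed.
    set -- "$BURP_ENTERPRISE_URL" \
        "--api-key=$BURP_API_KEY" \
        "--site-id=$BURP_SITE_ID" \
        "--min-severity=${BURP_MIN_SEVERITY:-high}" \
        "--min-confidence=${BURP_MIN_CONFIDENCE:-certain}" \
        "--report-file=${BURP_REPORT_FILE:-scan-report.html}" \
        "--report-type=summary"
    echo "Running: java -jar $CI_DRIVER_JAR $(redact "$@")"
    # Last command in the step: whatever exit status the driver returns is the
    # exit status of the build step.
    java -jar "$CI_DRIVER_JAR" "$@"
}

# Entry point. The build step invokes the script as `sh burp-scan.sh run`;
# sourcing it without the argument only defines the functions above.
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Point the build step at the script with `sh burp-scan.sh run` after the pipeline has exported the variables. Because the key is only ever read from the environment and masked before logging, the job definition and the console output never contain it, which is the main thing that goes wrong when the example command from the page is pasted into a pipeline verbatim.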
For detailed information about the available parameters and which settings they control, please refer to our parameter reference guide or use the
Test your integration
After you finish configuring the build step, it's a good idea to check whether the integration is working correctly and that your scan is able to run successfully.
- Kick off a build on demand and look at the console output. You should see the scan initialize and start crawling. Throughout the scan, you can check the status by monitoring the console output for the build.
- In Burp Suite Enterprise Edition, go to your site and open the "Scans" tab. You should see the build-initiated scan in the list.