Last updated: August 3, 2021
Regardless of which CI/CD platform you use, you have two options for integrating vulnerability scans. You can either configure a site-driven scan or use the legacy "Burp scan" option. You select your preferred option when adding the associated build steps to your pipeline. Which one you choose affects the rest of the process, so it is important to understand the differences and decide which approach is right for you.
Site-driven scans are the recommended approach for most use cases. A site-driven scan enables your CI/CD system to access your site tree and other details about your sites from Burp Suite Enterprise Edition, such as the default scan configurations, false positive settings, and included/excluded URLs.
A "Burp scan" is our legacy CI/CD integration type and still works in the same way as in previous versions of the driver and plugins. This option does not allow you to fetch your sites and their details from the Enterprise server, which has several key disadvantages. For this reason, we recommend that most customers use site-driven scans instead wherever possible. We are primarily continuing to offer the "Burp scan" option to avoid breaking any existing integrations that long-term customers have already configured.