Last updated: August 3, 2021
Read time: 5 Minutes
You can adjust various settings to control how Burp Suite Enterprise Edition handles sites and the data generated by their scans. To access these options, click the settings icon and select "Sites and scan data".
When a scan is triggered via the REST API, for example, by a CI/CD pipeline, integrated using the legacy "Burp scan" integration option, Burp Suite Enterprise Edition attempts to attach the scan data to existing sites in the system. If no matching site is found, a new site is automatically created instead.
By default, sites generated in this way are not displayed in your site tree. However, if you enable this option, the site tree will display them alongside the sites that you create manually using the web UI.
This setting is irrelevant for CI/CD integrations that use the "Burp site-driven scan" option. Site-driven scans are manually linked to a specific site by the user and are integrated via the GraphQL API rather than the REST API.
When a scan is triggered via the REST API using the legacy "Burp scan" integration option, Burp Suite Enterprise Edition uses its built-in site-matching rules to decide whether the scan and its data should be matched with an existing site. These site-matching rules are based on both the name of the site and the list of included and excluded URLs.
If a name was provided for the site when the scan was created:
If no name was provided for the site when the scan was created:
If you enable this setting, you can define a threshold for how long old scans will be kept in the system. By default, this is set to delete all scans that are more than one year old, but you can change this to anything from one day up to five years. Note that the most recent scan for each site is always kept, even if it is older than the defined threshold.
When a scan finds an issue, Burp Suite Enterprise Edition determines whether it is a new issue for the site or an issue that was already discovered by previous scans. This information is used to produce the trend information about new, resolved, and regressed issues that you see in the dashboards. It is also used to identify issues that have previously been flagged as false positives.
In the scan delta settings, you can adjust how Burp Suite Enterprise Edition decides which issues are "new". You have the following options:
You can configure how Burp Suite Enterprise Edition handles issues that are flagged as false positives. To access these options, click the settings icon and select "False positives".
By default, if you flag an issue as being a false positive, this will be remembered in future scans of the same site. If the same issue is reported again, it will automatically be flagged as a false positive. You can change this behavior using the "Remember false positives for future scans" option.
You can also configure how Burp Suite Enterprise Edition matches newly reported issues with past issues that were flagged as false positives. By default, these are matched based on the issue type and URL. However, you can change this so that issues are matched based solely on the issue type. You should use this option with caution. For example, if you enable it, and you flag a SQL injection issue as being a false positive, then all future SQL injection issues reported for the site will automatically be flagged as false positives, even if they arise at different URLs.
If you are using the bundled database, you can control your database backup settings from within Burp Suite Enterprise Edition. Click the settings icon and select "Database backup".
You can control the following settings:
You can also back up your database manually at any time using the "Back up now" button.
Note that if you use an external database, your database administrator manages your backup settings outside of Burp Suite Enterprise Edition.