Getting started with CI-driven scans with no dashboard

  • Last updated: September 14, 2023

  • Read time: 2 Minutes

You can integrate a scan with any CI/CD platform that supports Docker containers. This enables you to use Burp Scanner to run web vulnerability scans as a stage in your existing CI/CD pipeline. You don't need to set up an Enterprise server.

If you don't need to use the features of Burp Suite Enterprise Edition's dashboard, you can use this guide to quickly integrate a scan with your CI/CD platform. These instructions enable you to run a default scan from a shell script, against a single URL.


If you want to use more advanced features such as preset scan configurations or application logins, you'll need to use a configuration file.

The following examples show how you can use a configuration file with scans on different platforms:

If you want to get an idea of how Burp Scanner works and how the results are displayed, you may want to scan our deliberately vulnerable website, https://vulnerable-website.com.

Before you start

Before you start:

  1. Log in to your user account.
  2. To set up a scan for the first time, you need to switch your license to an API key:

    • Under Subscriptions > Actions, click Manage Subscription and select Switch to API key.
    • At the prompt, click Proceed.
  3. Under Licenses > Downloads, click View access details.
  4. Copy the URL and API Key.

System requirements

For information on the machine specification required to run a scan, see the System requirements for CI-driven scans with no dashboard.

Running a scan

To run a scan, include the following docker run command in your pipeline script:

docker run --rm --pull=always \ -u $(id -u) -v $(pwd):$(pwd) -w $(pwd) \ -e BURP_ENTERPRISE_SERVER_URL=https://ent-server.com \ -e BURP_ENTERPRISE_API_KEY=XXXXxxxxXXXXxxxx \ -e BURP_START_URL=https://ginandjuice.shop \ -e public.ecr.aws/portswigger/enterprise-scan-container:latest

You need to input the correct values for the environment variables in the command:

  • BURP_ENTERPRISE_SERVER_URL: This is the URL of your Enterprise server.
  • BURP_ENTERPRISE_API_KEY: This is the API key that you copied when you created an API user.
  • BURP_START_URL: This is the URL of the website you want Burp Scanner to scan.

Scan results

The results from Burp Scanner are available as a JUnit XML file when a scan is complete. The file is saved as burp_junit_report.xml in the working directory for your scan.

Remediation advice

The results from Burp Scanner include remediation advice for any security issues they find. This advice includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.


The results from Burp Scanner include evidence for any security issues found. This evidence includes the request sent by Burp Scanner to produce the issue, as well as the response sent by the application.

Was this article helpful?