Integration types for CI/CD platforms
Last updated: May 17, 2022
Read time: 4 Minutes
Regardless of which CI/CD platform you use, you have two options for integrating vulnerability scans. You can either configure a site-driven scan or use the legacy Burp scan option. You select your preferred option when adding the associated build steps to your pipeline. Which one you choose affects the rest of the process, so it is important to understand the differences and decide which approach is right for you.
Site-driven scans are the recommended approach for most use cases. This enables your CI/CD system to access your site tree and other details about your sites from Burp Suite Enterprise Edition. This includes things like the default scan configurations, false positive settings, included/excluded URLs, and so on.
- You can manually select the exact site with which the scan and its results should be associated rather than relying on automated site-matching rules. This makes it much easier to take advantage of Burp Suite Enterprise Edition's trend analysis features and dashboards. If you want to track the changes to your security posture over time, we recommend that you use this option.
- You perform all of the site setup and configuration in Burp Suite Enterprise Edition's intuitive web UI rather than having to manually enter site details in your CI/CD system.
- You can test your site's scan configuration and settings using the web UI to make sure everything is working as expected before adding the scan to your CI/CD pipeline.
- You can make adjustments to your site settings in the web UI. The new settings will automatically be used by future scans triggered by your CI/CD system. This makes it easier to fine-tune your false positive rules, for example.
- You cannot override the site's default scan configuration or included/excluded URLs from your CI/CD system. Instead, you must make these changes using the Burp Suite Enterprise Edition web UI. If you want to scan the same site using different configurations, you should instead create multiple versions of the same site, each with a different configuration. For example, you might create sites called "My Site - Quick Scan" and "My Site - Full Scan" that are identical except for the scan configuration. This is to preserve the validity of your trend analysis data.
A "Burp scan" is our legacy CI/CD integration type and still works in the same way as in previous versions of the driver and plugins. This option does not allow you to fetch your sites and their details from the Enterprise server, which has several key disadvantages. For this reason, we recommend that most customers use site-driven scans instead wherever possible. We are primarily continuing to offer the "Burp scan" option to avoid breaking any existing integrations that long-term customers have already configured.
- You can create scans without associating their results with an existing site. As a "Burp scan" uses automated site-matching rules to try and match your scan to an existing site, you can intentionally set up a scan that will not be matched with any of your sites.This is useful if you just want to run a one-off scan from your CI/CD system and do not want the results to affect your trend analysis data for an existing site. In this case, a brand new site will be created for the scan. Note that these newly created sites will only be visible in the web UI if you enable the Display sites generated by the REST API option in your site and scan data settings.
- You can manually override the default scan configuration and included/excluded URLs for a site from your CI/CD system. This may be useful in some cases, however, please be aware that this is likely to affect the validity of the site's trend analysis data. For example, information about which issues are new, regressed, or resolved will no longer be accurate if you run scans with different configurations and scopes on the same site.
- Requires significantly more manual configuration on your CI/CD platform. As the site data cannot be fetched automatically, you need to manually enter things like the included/excluded URLs, set up ignore rules for issues that you want to mark as false positives, and so on.
- You cannot explicitly tell the CI/CD system which site you want to scan. Instead, you manually enter details about the site and Burp Suite Enterprise Edition will attempt to match the scan to one of your existing sites according to its site-matching rules. This is prone to user error and could mean that scan results are missing from your site's trend analysis data.
- If you want to use a custom scan configuration, you cannot test this in the web UI first. You need to either test the scan configuration in Burp Suite Professional, or complete the full CI/CD integration and run a build in order to see whether your scan behaves as expected.