Configuring a site-driven scan in Jenkins
Last updated: June 21, 2022
Read time: 3 Minutes
- You have Java 11 installed on your machine.
- You are using Jenkins 2.164.1 or higher
- You have created an API user in Burp Suite Enterprise Edition and have access to the corresponding API key
- You have installed the plugin in Jenkins.
- You have finished setting up the site that you want to scan in Burp Suite Enterprise Edition. We recommend running a couple of scans from the web UI to make sure that you're happy with the scan configuration and scanner behavior before starting the CI/CD integration.
Whitelist your Jenkins URL
Site-driven scans interact with your Enterprise server via the GraphQL API. In order to support this behavior, you need to whitelist your Jenkins URL so that Jenkins can make the necessary cross-origin requests for retrieving your site tree and creating new scans.
- Log in to Burp Suite Enterprise Edition as an administrator.
- From the settings menu, select Network.
- On the network settings page, scroll down to the Allowed Origins for GraphQL API section.
In the provided field, enter your Jenkins URL, including the protocol and port. For example:
- Save your entries.
Read moreWhitelisting an application for CORS
Create the site-driven scan build step in Jenkins
- Log in to Jenkins.
- Open the pipeline in which you want to incorporate a vulnerability scan. Alternatively, create a new freestyle project if you just want to test the integration process.
- Make sure your pipeline deploys the application that you want to scan to the same URL as the corresponding site in Burp Suite Enterprise Edition.
- Add a new build step and select the type Burp site-driven scan.
Enter the URL of your Enterprise server. This is the URL that you normally use to access Burp Suite Enterprise Edition. Make sure you include the appropriate protocol and port. By default, this will be something like:
- Enter the API key that you generated when creating the API user earlier. If you've lost this, you need to generate a new API key or create a new API user from the Burp Suite Enterprise Edition web UI.
- Once you have entered both of these values, your site tree will automatically be fetched from Burp Suite Enterprise Edition. From the drop-down menu, select the site that you want to scan.
- Adjust the various optional settings to fine-tune how the scan and its results will affect your build.
- Save your pipeline.
Test your integration
After you finish configuring the build step, it's a good idea to check whether the integration is working correctly and that your scan is able to run successfully.
- Kick off a build-on-demand and look at the console output in Jenkins. You should see the scan initialize and start crawling. Throughout the scan, you can check the status by monitoring the console output for the build.
- In Burp Suite Enterprise Edition, go to your site and open the Scans tab. You should see the Jenkins-initiated scan in the list.