
REST API

Burp Suite Enterprise Edition's REST API can be used for integration with other software, including CI/CD systems. The API can be used to initiate scans and obtain the results.

To make use of the REST API, you first need to create a user with the login type "API key" and assign them suitable privileges. Keep a record of the user's API key and handle it sensitively.

You can view the API documentation and interact with the API by browsing to: [Enterprise server URL]/api/[API key].

Burp Suite Enterprise Edition's CI integration uses the REST API to let you drive scans from your CI system and fail software builds when certain issues are reported.

Burp CI plugins

Native plugins are available for popular CI platforms, such as Jenkins and TeamCity.

Plugins can be downloaded here.

To configure the Burp plugin, you will need the URL to the REST API, including the API key. Plugins can also be configured with a minimum severity or confidence for a discovered issue to break the build.

Your build needs to communicate to the Burp CI plugin the URLs that should be scanned. It should do this by outputting lines of the form:

BURP_SCAN_URL = https://example.org/path/

Generic CI driver

A generic CI driver is available that provides a command-line interface for use by any CI platform for which a native plugin is not available.

The generic CI driver can be downloaded here.

The generic CI driver can be executed as a single command accepting standard input (which can come from another program or from an existing build log) containing lines of the form:

BURP_SCAN_URL = https://example.org/path/

It begins the scan once standard input is closed, blocks until the scan completes, and exits with code 0 if no applicable issues were found or 1 if any applicable issues were found.

You can configure the CI driver, including the minimum severity or confidence for a discovered issue to break the build. For more details of configuring the CI driver, execute it with the --help option.

Configuring CI builds

When you have installed a suitable Burp integration in your CI system, you need to configure builds to make use of the integration.

This involves making your build deploy the application that is to be scanned to a suitable test server. This might be a static server that is used for this purpose, or a more dynamic deployment such as a Docker container. The build should output the URLs to be scanned within its build log, and then invoke the Burp CI integration. Optionally, you can also configure per-build the minimum severity or confidence for a discovered issue to break the build.
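The following build step ties the two procedures above together: it collects the `BURP_SCAN_URL = ...` lines a build emits into its log, hands them to the generic CI driver on standard input, and turns the driver's exit code into a build failure. It is an added example, not PortSwigger's code or the driver itself. The driver's command name is not given on this page, so it is taken from a placeholder variable `BURP_CI_DRIVER`; the sample build log is constructed; and the filter's tolerance of missing spaces around `=` is this example's choice, not a documented behaviour of the plugins (it normalises every accepted line to the documented `BURP_SCAN_URL = <url>` form, drops duplicates, and rejects non-http(s) schemes and lines that merely mention the keyword).

```shell
#!/bin/sh
# Added example (not PortSwigger's code): a CI build step that filters the
# BURP_SCAN_URL lines out of a build log, feeds them to the generic CI driver
# on standard input, and fails the build when the driver exits 1.
#
# Assumption: BURP_CI_DRIVER holds the command that runs the generic CI
# driver (a placeholder; the real invocation and its options are shown by the
# driver's --help). The driver's own settings (REST API URL with key,
# minimum severity/confidence) are assumed to be configured via its options
# or environment, so they never appear in the build log.

# Keep only well-formed "BURP_SCAN_URL = <http(s) url>" lines, normalise the
# spacing to the documented form, and drop duplicates so each URL is scanned
# once. Lines with other schemes, trailing text, or the keyword mid-line are
# discarded rather than passed to the scanner.
extract_scan_urls() {
    sed -n 's|^[[:space:]]*BURP_SCAN_URL[[:space:]]*=[[:space:]]*\(https\{0,1\}://[^[:space:]]*\)[[:space:]]*$|BURP_SCAN_URL = \1|p' \
        | awk '!seen[$0]++'
}

# Number of distinct scan targets in a build log read from stdin.
count_scan_urls() {
    extract_scan_urls | wc -l | tr -d ' '
}

# Run the scan for one build log. Propagates the driver's exit code
# (0 = no applicable issues, 1 = applicable issues found, fail the build).
# A log with no scan directives is refused with our own exit code 2, because
# a misconfigured build that emits no URLs would otherwise "pass" unscanned.
run_burp_scan() {
    log_file="$1"
    if [ "$(count_scan_urls < "$log_file")" -eq 0 ]; then
        echo "no BURP_SCAN_URL lines in $log_file; refusing to run an empty scan" >&2
        return 2
    fi
    # Unquoted on purpose: BURP_CI_DRIVER may carry arguments, e.g. "java -jar driver.jar".
    extract_scan_urls < "$log_file" | ${BURP_CI_DRIVER:?set BURP_CI_DRIVER to the generic CI driver command}
}

# Constructed sample build log (not real tool output): deploy and test chatter
# mixed with scan directives, including a duplicate, a non-http(s) scheme, a
# line without spaces around "=", and a line that only mentions the keyword.
SAMPLE_LOG='[deploy] starting application container app-under-test
[deploy] listening on https://staging.example.org/
BURP_SCAN_URL = https://staging.example.org/
BURP_SCAN_URL = https://staging.example.org/api/
BURP_SCAN_URL = https://staging.example.org/
BURP_SCAN_URL = ftp://staging.example.org/
BURP_SCAN_URL=https://staging.example.org/admin/
[build] BURP_SCAN_URL mentioned in passing is not a directive
[tests] 42 passed'

# Stand-alone demo: show exactly which lines the driver would receive.
# The scan itself only runs when BURP_CI_DRIVER points at the real driver.
printf '%s\n' "$SAMPLE_LOG" | extract_scan_urls
if [ -n "${BURP_CI_DRIVER:-}" ]; then
    demo_log=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
    run_burp_scan "$demo_log"
    echo "driver exit code: $?"
    rm -f "$demo_log"
fi
```

In a real pipeline, redirect the deploy step's output to a file, pass that file to `run_burp_scan`, and let a non-zero return fail the job. Because the REST API URL the driver needs embeds the API key, keep it in the CI system's secret store and pass it to the driver directly; never echo it into the build log that this script parses.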