You can easily integrate Burp Suite Enterprise Edition with your existing CI/CD platform. We provide native plugins for both Jenkins and TeamCity, as well as a generic driver for any other platform that you might use. This enables you to incorporate automated vulnerability scans into your existing pipelines and configure rules for failing the build based on the scan’s results. This helps you to catch bugs earlier in your development process by adopting a DevSecOps approach with minimal disruption to your existing workflow.
The integration process essentially involves adding build steps that will automatically trigger a scan, which can optionally be linked to one of your existing sites in Burp Suite Enterprise Edition. This means you can work with the scan results and analyze the generated data in the web UI, just like you can with scans that you create manually. Scans can also be configured to generate HTML reports, which you can use to share the results across your organization, even with people who do not have access to Burp Suite Enterprise Edition themselves.
Regardless of which CI/CD platform you use, you have two options for integrating vulnerability scans. You can either configure a site-driven scan or use the legacy “Burp scan” option. You select your preferred option when adding the associated build steps to your pipeline. Which one you choose affects the rest of the process, so it is important to understand the differences and decide which approach is right for you.
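The build-failure rules mentioned above are, in practice, a threshold over the issues a scan reports. The following is an added illustration (written for this page, not code from the Burp Suite Enterprise Edition plugins or CI driver) of how such a gate evaluates a scan result: it takes a list of issues, each with a severity and a confidence rating, and fails the build only when at least one issue meets both thresholds. The issue list, the `Issue` type and the function name `build_should_fail` are constructed for the example; the severity and confidence levels are assumed to follow the four-level severity and three-level confidence scheme Burp uses.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Rank order for the levels a scan assigns to each issue (assumed scheme).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE_RANK = {"tentative": 0, "firm": 1, "certain": 2}


@dataclass(frozen=True)
class Issue:
    """One issue from a scan report (constructed type for this example)."""
    name: str
    severity: str
    confidence: str


def build_should_fail(
    issues: Iterable[Issue],
    min_severity: str = "high",
    min_confidence: str = "firm",
) -> Tuple[bool, List[Issue]]:
    """Apply a build-failure rule to a scan's issues.

    Returns (fail, offending): fail is True when at least one issue is at or
    above both thresholds; offending lists the issues that triggered it so
    the pipeline log can show why the build was stopped.
    """
    try:
        sev_floor = SEVERITY_RANK[min_severity.lower()]
        conf_floor = CONFIDENCE_RANK[min_confidence.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown threshold level: {exc.args[0]!r}") from None

    offending = []
    for issue in issues:
        # Unknown levels are treated as a configuration error, not silently ignored,
        # so a mislabelled issue can never slip past the gate.
        if issue.severity.lower() not in SEVERITY_RANK:
            raise ValueError(f"unknown severity on issue {issue.name!r}")
        if issue.confidence.lower() not in CONFIDENCE_RANK:
            raise ValueError(f"unknown confidence on issue {issue.name!r}")
        if (
            SEVERITY_RANK[issue.severity.lower()] >= sev_floor
            and CONFIDENCE_RANK[issue.confidence.lower()] >= conf_floor
        ):
            offending.append(issue)
    return bool(offending), offending


# Constructed sample scan output; names are illustrative, not a real report.
SAMPLE_ISSUES = [
    Issue("Cross-site scripting (reflected)", "high", "firm"),
    Issue("Strict transport security not enforced", "low", "certain"),
    Issue("SQL injection", "high", "tentative"),
    Issue("Cleartext submission of password", "medium", "certain"),
]


def main() -> None:
    # Default rule: fail on any high-severity issue reported with at least firm confidence.
    fail, hits = build_should_fail(SAMPLE_ISSUES)
    print("FAIL" if fail else "PASS", [i.name for i in hits])
    # Stricter rule: only certain-confidence findings count, from medium severity up.
    fail, hits = build_should_fail(SAMPLE_ISSUES, min_severity="medium", min_confidence="certain")
    print("FAIL" if fail else "PASS", [i.name for i in hits])


if __name__ == "__main__":
    main()
```

The confidence threshold is what keeps a tentative finding from blocking every merge; the usual compromise is to fail the build on firm or certain high-severity issues and leave tentative ones for a human to triage in the web UI.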
The exact steps required for the integration differ slightly depending on your preferred CI/CD platform. However, all of the different options require you to create an API user in Burp Suite Enterprise Edition first. Please refer to the relevant sections below for detailed instructions on how to perform the integration process: