The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

API Integration Options

Zac | Last updated: Oct 14, 2021 03:19PM UTC

Hi, I am currently evaluating the BS Enterprise Edition and have some questions about the various API/integration capabilities. It seems that there are only 3 REST endpoints (GET issue definitions, POST scan which runs a scan, and GET scan progress). After looking at the GraphQL API, it seems very well documented and supported, however, I don't see the ability to run an actual scan through it. The Java CI driver also seems to only support the REST API functions (fetching issue defs, running scans and checking on scan progress). So my questions/concerns: (a) Does the GraphQL API support running scans and checking on their progress? Or is that something I can only do through the REST API and/or CI driver? (b) Does the CI driver provide the same query operations that the GraphQL API offers, or does it only support the same 3 operations that the REST API supports? Thanks for any and all clarification!

Uthman, PortSwigger Agent | Last updated: Oct 15, 2021 08:46AM UTC

Hi Zac,

The GraphQL API does in fact support running scans and checking their progress. I appreciate that it is not immediately obvious so please see below:

  1. You can use the CreateScheduleItem mutation to trigger your scan
  2. Then you can query information on the scan using the Scan object. The scan ID will be your schedule item ID + 1

The new CI driver is built on the GraphQL API and allows you to run a site-driven scan.

Please take a look at the resources and feel free to reach out again if you have any further questions. You can also email us directly at support@portswigger.net.
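The two-step flow described in the reply above (create a schedule item, then query the Scan object whose ID is the schedule item ID + 1), written up as a small Python client. This is an added example, not code from the post or from PortSwigger; the endpoint path, the Authorization header, the field names create_schedule_item / schedule_item.id / scan.status and the status values are assumptions to check against your instance's GraphQL schema, and the fake transport is a constructed stand-in so the logic runs offline.

```python
"""Added example: start a Burp Suite Enterprise scan over GraphQL and poll it.
Assumed, not from the post: /graphql/v1, the Authorization header, the names
create_schedule_item / schedule_item.id / scan.status, and the status values."""
import json, time, urllib.request
CREATE_SCHEDULE_ITEM = """mutation StartScan($site_id: ID!) {
  create_schedule_item(input: {site_id: $site_id}) { schedule_item { id } } }"""
SCAN_STATUS = """query ScanStatus($id: ID!) { scan(id: $id) { id status } }"""
IN_PROGRESS = {"queued", "running"}  # assumed status values
def http_transport(url, api_key):
    """Build send(query, variables): POST to the GraphQL endpoint with the API key."""
    def send(query, variables):
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Content-Type": "application/json", "Authorization": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def fake_transport(schedule_item_id, statuses):
    """Constructed offline stand-in for the server, returning canned responses."""
    seq = iter(statuses)
    def send(query, variables):
        if query.startswith("mutation"):
            return {"data": {"create_schedule_item":
                             {"schedule_item": {"id": schedule_item_id}}}}
        return {"data": {"scan": {"id": variables["id"], "status": next(seq)}}}
    return send

def unwrap(data):
    """Fail loudly on GraphQL errors rather than reading partial data."""
    if data.get("errors"):
        raise RuntimeError(data["errors"])
    return data["data"]
def scan_id_for(schedule_item_id):
    """Per the reply above, the scan ID is the schedule item ID + 1."""
    return str(int(schedule_item_id) + 1)

def trigger_scan(send, site_id):
    data = unwrap(send(CREATE_SCHEDULE_ITEM, {"site_id": site_id}))
    return data["create_schedule_item"]["schedule_item"]["id"]

def wait_for_scan(send, scan_id, poll_seconds=0, max_polls=50):
    """Poll the Scan object until it leaves the in-progress states."""
    for _ in range(max_polls):
        status = unwrap(send(SCAN_STATUS, {"id": scan_id}))["scan"]["status"]
        if status not in IN_PROGRESS:
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still in progress after {max_polls} polls")
```

For a real run, replace the fake transport with `http_transport("https://<your-enterprise-host>/graphql/v1", api_key)` and keep the API key out of the pipeline log.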

Zac | Last updated: Oct 15, 2021 09:39AM UTC

Thanks, this is very helpful! How can I use the GraphQL API to kick off a scan on-demand, instead of according to a schedule? The objective here is to allow our CI/CD pipeline kick off a security scan on demand. Thanks for any further details!

Uthman, PortSwigger Agent | Last updated: Oct 15, 2021 10:31AM UTC