Burp Suite User Forum


API Integration Options

Zac | Last updated: Oct 14, 2021 03:19PM UTC

Hi, I am currently evaluating the BS Enterprise Edition and have some questions about the various API/integration capabilities. It seems that there are only 3 REST endpoints (GET issue definitions, POST scan which runs a scan, and GET scan progress). After looking at the GraphQL API, it seems very well documented and supported, however, I don't see the ability to run an actual scan through it. The Java CI driver also seems to only support the REST API functions (fetching issue defs, running scans and checking on scan progress). So my questions/concerns: (a) Does the GraphQL API support running scans and checking on their progress? Or is that something I can only do through the REST API and/or CI driver? (b) Does the CI driver provide the same query operations that the GraphQL API offers, or does it only support the same 3 operations that the REST API supports? Thanks for any and all clarification!

Uthman, PortSwigger Agent | Last updated: Oct 15, 2021 08:46AM UTC

Hi Zac,

The GraphQL API does in fact support running scans and checking their progress. I appreciate that it is not immediately obvious so please see below:

  1. You can use the CreateScheduleItem mutation to trigger your scan
  2. Then you can query information on the scan using the Scan object. The scan ID will be your schedule item ID + 1

The new CI driver is built on the GraphQL API and allows you to run a site-driven scan.

Please take a look at the resources and feel free to reach out again if you have any further questions. You can also email us directly at support@portswigger.net.

Zac | Last updated: Oct 15, 2021 09:39AM UTC

Thanks, this is very helpful! How can I use the GraphQL API to kick off a scan on-demand, instead of according to a schedule? The objective here is to allow our CI/CD pipeline to kick off a security scan on demand. Thanks for any further details!

Uthman, PortSwigger Agent | Last updated: Oct 15, 2021 10:31AM UTC

Hi Zac,

No problem at all!

For a CI/CD pipeline, you could use the site-driven scan CI driver. That will ultimately be the best way to achieve what you are trying to do.

In terms of triggering the scan without a schedule, you could use a mutation like below since schedule is not a required field:

mutation CreateScheduleItem {
  create_schedule_item(input: {site_id: "24"}) {
    schedule_item {
      id
    }
  }
}

You will only need to change the site_id as appropriate in the example above. This will match an existing site with that ID in your Enterprise portal and use the associated scan configurations, scope, extensions, etc. that already exist for the site. This is essentially what the new site-driven scan CI driver does.

The required fields are followed by a '!' in the documentation, for future reference.

Let me know if you have any more questions! :)
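Putting the two answers together for the CI/CD case Zac asked about, here is an added example (not PortSwigger's code and not from this thread) that sends the create_schedule_item mutation with no schedule, derives the scan ID as schedule item ID + 1 as stated above, and polls the Scan object until it reaches a terminal status. The endpoint path /graphql/v1, the Authorization header, the ID! variable type and the status values are assumptions to check against your own Enterprise server's GraphQL documentation; the fake transport is a constructed stand-in so the script runs offline.

```python
import json
import time
import urllib.request

# Assumed (check your server's GraphQL docs): endpoint path /graphql/v1, API key in
# the Authorization header, Scan.status values. Scan ID = item ID + 1 is from the thread.
CREATE_SCAN = """mutation CreateScheduleItem($site: ID!) {
  create_schedule_item(input: {site_id: $site}) { schedule_item { id } }
}"""
SCAN_STATUS = "query ScanStatus($id: ID!) { scan(id: $id) { status } }"
TERMINAL = ("succeeded", "failed", "cancelled")

def scan_id_from_schedule_item(schedule_item_id):
    """Per the thread: the scan created for a schedule item has ID = item ID + 1."""
    return str(int(schedule_item_id) + 1)

def graphql_post(base_url, api_key, body):
    # Real transport for CI use: POST the GraphQL body as JSON with the API key.
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql/v1", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def unwrap(resp):
    """Fail the job on GraphQL errors rather than KeyError on a missing 'data'."""
    if resp.get("errors"):
        raise RuntimeError("GraphQL errors: " + json.dumps(resp["errors"]))
    return resp["data"]

def trigger_and_wait(site_id, post, poll_seconds=0, max_polls=60):
    """Create a schedule item (no schedule = run now), then poll the derived scan.
    `post` is callable(body) -> dict, e.g. lambda b: graphql_post(url, key, b)."""
    data = unwrap(post({"query": CREATE_SCAN, "variables": {"site": site_id}}))
    scan_id = scan_id_from_schedule_item(data["create_schedule_item"]["schedule_item"]["id"])
    for _ in range(max_polls):
        status = unwrap(post({"query": SCAN_STATUS, "variables": {"id": scan_id}}))["scan"]["status"]
        if status in TERMINAL:
            return scan_id, status
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} not finished after {max_polls} polls")

def fake_transport(polls_until_done=2):
    """Constructed offline stand-in for the server: site 24 -> item 24 -> scan 25."""
    polls = []
    def post(body):
        if body["query"].startswith("mutation"):
            return {"data": {"create_schedule_item": {"schedule_item": {"id": "24"}}}}
        polls.append(body["variables"]["id"])
        return {"data": {"scan": {"status": "succeeded" if len(polls) > polls_until_done else "running"}}}
    return post
```

In a pipeline, fail the build when the returned status is anything other than "succeeded", and replace fake_transport() with a lambda wrapping graphql_post and a key stored as a CI secret.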
