Burp Suite User Forum


Burp Suite Enterprise ci-driven scan

Yehor | Last updated: Aug 10, 2023 10:02AM UTC

Hello. You recently added a new feature: CI-driven scan for Jenkins. I would like to know how to scan several endpoints at the same time using external variables when launching the Docker container. In the configuration file burp_config.yml it is clear how to specify several endpoints in the START_URL section, then when starting the container it is a little unclear how to specify URLs in BURP_START_URL.

docker run --rm --pull=always \
  -u $(id -u) -v $(pwd):$(pwd) -w $(pwd) \
  -e BURP_ENTERPRISE_SERVER_URL=https://ent-server.com \
  -e BURP_ENTERPRISE_API_KEY=XXXXxxxxXXXXxxxx \
  -e BURP_START_URL=https://ginandjuice.shop \
  ??

Thomas, PortSwigger Agent | Last updated: Aug 10, 2023 12:49PM UTC

To add a list of Start URLs to Burp Suite in a CI-driven scan, this has to be done using the YAML configuration file and cannot be done using the environment variables, such as BURP_START_URL. I have linked below our documentation on creating a configuration file and how to use it.

https://portswigger.net/burp/documentation/enterprise/integrate-ci-cd-platforms/ci-driven-scans/create-config
https://portswigger.net/burp/documentation/enterprise/integrate-ci-cd-platforms/ci-driven-scans/add-config

Please note that it is best practice not to have multiple web applications scanned within a single site or CI-driven scan. We only recommend adding multiple start URLs if multiple URLs are within the same overarching web application.

Yehor | Last updated: Aug 10, 2023 12:57PM UTC

Thanks for the answer. I will use the config file. I would like to know why it is not recommended to scan several URLs of different web services at once?

Liam, PortSwigger Agent | Last updated: Aug 11, 2023 08:49AM UTC

Adding multiple URLs can result in long scan times. It can also make assessing and refining or debugging scanning issues more challenging.

However, the decision to scan this way is, of course, in your hands, if you are happy with your scanning and this method works for your security posture.

Please let us know if you require any further assistance.
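The two agents' advice above (put the start URLs in the YAML config rather than in BURP_START_URL, and keep each CI-driven scan to one overarching application) can be turned into a small pre-flight step in the pipeline. The following is an added example written for this thread, not PortSwigger code: it groups a mixed list of start URLs by origin (scheme, host, port), treating each origin as one application, and renders one config fragment per group. The section name START_URL follows the wording used in the thread; the exact key names and file layout are an assumption here and must be taken from the create-config documentation linked above. The sample URL list is constructed.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample input: start URLs that a CI job might collect for a release.
# Three different origins are mixed together, which is exactly the situation the
# agents advise against scanning as a single CI-driven scan.
SAMPLE_START_URLS = [
    "https://ginandjuice.shop/",
    "https://ginandjuice.shop/catalog",
    "https://api.example.test/v1/orders",
    "http://legacy.example.test/login",
    "https://ginandjuice.shop/my-account",
    "https://ginandjuice.shop/catalog",  # duplicate, dropped below
]


def application_key(url):
    """Return the origin (scheme://host:port) used to identify one web application.

    Origin is a heuristic for "the same overarching web application": it is the
    unit a browser-based scanner treats as one trust boundary. Anything that is
    not an absolute http(s) URL is rejected rather than silently scanned.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def group_by_application(urls):
    """Group start URLs by origin, keeping first-seen order and removing duplicates."""
    groups = OrderedDict()
    for url in urls:
        bucket = groups.setdefault(application_key(url), [])
        if url not in bucket:
            bucket.append(url)
    return groups


def render_config(start_urls):
    """Render a minimal YAML fragment listing start URLs under a START_URL section.

    Assumption: the section name mirrors the thread's wording; check the real
    schema in the PortSwigger create-config documentation before use.
    """
    lines = ["START_URL:"]
    lines.extend(f"  - {url}" for url in start_urls)
    return "\n".join(lines) + "\n"


def configs_per_application(urls):
    """Return {origin: yaml_text}, one config fragment per application."""
    return {
        origin: render_config(group)
        for origin, group in group_by_application(urls).items()
    }


if __name__ == "__main__":
    # Each fragment would be written to its own burp_config.yml and drive a
    # separate container run, so scan time and triage stay scoped to one app.
    for origin, text in configs_per_application(SAMPLE_START_URLS).items():
        print(f"# scan for {origin}")
        print(text)
```

Running the script on the sample list yields three fragments, one per origin; the shop's three paths stay together in one scan while the API and the legacy host each get their own, which keeps scan duration and any debugging of scan issues scoped to a single application as Liam describes.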
