The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Use call_back when a scan has finished

SecTer | Last updated: Mar 29, 2022 03:17PM UTC

We want to use Burp Enterprise in our GitLab CI/CD pipeline. Because a scan can take a long time, we want to use the call_back function to trigger when the scan is finished. However, the call_back uses a PUT request, while we need a POST. And when a scan starts, the call_back reports a few times that a scan is initializing, but does not notify when a scan has finished or failed. How can we achieve this?

Maia, PortSwigger Agent | Last updated: Mar 30, 2022 02:46PM UTC

Hi,

Can you give us a little more detail on the method / API you are using to integrate with your GitLab CI/CD pipeline, please?

If you are using the GraphQL API, then you can query the scan object for the status: https://portswigger.net/burp/extensibility/enterprise/graphql-api/scanstatus.html

If your end goal is to raise issues in GitLab for any vulnerabilities found by your scans, you can now do this from within Burp Suite Enterprise Edition using the built-in integration.

SecTer | Last updated: Mar 30, 2022 05:49PM UTC

In our GitLab CI/CD pipeline we use the REST API to start a scan, with the GraphQL API we check for the status of a scan and, when finished, we use the GraphQL API to get the HTML report. So far so good. Only, when a Burp scan takes very long, let's say 20 hours, the GitLab runner cannot be used for something else. Our idea is to only start a scan from a pipeline. And we would like to use, for example, the call_back to trigger another GitLab pipeline to get the HTML report. Only the call_back does not notify us when the scan has completed.

Another way we tried this was by writing our own plugin (Extender). The idea was to monitor the current scan and, when finished, get the report. Only we could not retrieve the scan_id from the current scan, which we need to match it with the scan_id we got back from the pipeline.

Maia, PortSwigger Agent | Last updated: Mar 31, 2022 07:39PM UTC

Thank you for the details. I'm looking into this for you and will get back to you shortly.

Maia, PortSwigger Agent | Last updated: Apr 01, 2022 03:36PM UTC