Enterprise Edition
Creating a configuration file for a CI-driven scan with no dashboard
-
Last updated: July 22, 2024
-
Read time: 4 Minutes
We provide a template configuration file. The file includes comments to help you to understand and edit each of the parameters. After you edit the configuration file, you can rename it to burp_config.yml
, to match the integration examples we give in this section.
You can get the template YAML file here (opens in a new tab):
Mandatory settings
Mandatory settings define what Burp Suite Enterprise Edition should scan. These settings vary depending on whether you're scanning a web app or an API. If you only define mandatory settings when scanning an API definition, Burp Scanner uses the default scan configuration.
Common requirements
For all CI-driven scans, you must specify an Enterprise server URL and API key (enterpriseServer.url
and enterpriseServer.apiKey
). You can find these in your user account.
Web apps
For web app scans, you must provide start URLs (site.startUrls
). These are the URLs that Burp Scanner starts scanning from.
APIs
You can add API definitions by either uploading a file (site.apiDefinition.fromFile
) or providing a URL (site.apiDefinition.fromUrl
). You must provide one of these properties when running a CI-driven scan on an API definition.
For API scans, Burp Suite Enterprise Edition supports API definitions in JSON or YAML format, compatible with OpenAPI 2.0.x or 3.0.x.
Proxy settings
If you need to use a proxy to connect to the PortSwigger licensing server, add the URL and authentication credentials into the following fields. The authentication credentials are optional:
proxyUrl
proxyUsername
proxyPassword
Defining the scope
Burp Scanner only visits URLs that are in scope. Use the YAML file to set the scope of your scan, to make sure Burp Scanner only visits URLs that you have permission to scan. You can also use the scope to focus on particular paths that you're interested in.
To define the scope, enter URLs as values in the site.inScopeUrlPrefixes
or site.outOfScopeUrlPrefixes
parameters.
Note
The start URLs are automatically added to the site.inScopeUrlPrefixes
parameter.
Authentication
You can use Authenticated scanning to scan content that is behind authentication. We support two methods of authentication:
- Login credentials (usernames and passwords)
- Recorded logins, for more complex authentication processes
Login credentials
To define login credentials, enter a list of username
and password
pairs in the logins.loginCredentials
setting.
Recorded logins
You can use our Chrome plugin to record login sequences. For more information, see Recording login sequences:
- Follow the instructions in the link above to install our Chrome plugin, and save the recorded login sequence to the clipboard.
- Save the contents of the clipboard as a JSON file in the same directory as the configuration file.
-
In the
logins.recordedLogins
parameter, enter the path for the JSON file.
Selecting a built-in scan configuration
You can select from the list of built-in scan configurations. These are the same built-in scan configurations used by Burp Suite Enterprise Edition and Burp Suite Professional.
If you don't select a built-in scan configuration, the default configuration is used.
To use a built-in scan configuration, enter the name of the configuration in the scanConfigurations.builtIn
setting. The configuration names are case-sensitive.
Configuring connection settings
The JSON file contains some parameters that enable you to configure the connection settings used when running CI-driven scans:
-
headersCookiesConfig
enables you to add a list of custom headers and cookies to requests made when scanning a site. This enables you to, for example, configure header authentication. For more information on configuring request headers and cookies, see Adding headers and cookies. -
platformAuthentication
enables you to add authentication credentials for HTTP Basic and NTLM authentication. For more information on the settings available, see Configuring platform authentication. -
proxies
enables you to enter a list of upstream proxy servers for the connection to use. For more information on the settings available, see Configuring upstream proxy servers.
Specifying report format
By default, CI-driven scans output reports in JUnit XML format. However, they can also output in Burp XML format if required. Use the reporting.reportFormats
parameter to specify the format to use.
Ignoring specific vulnerabilities
You can ignore specific vulnerabilities, so that they do not cause the build to fail. Burp Scanner still looks for these vulnerabilities, and records them in the results. For a list of vulnerabilities, see Vulnerabilities detected by Burp Scanner.
Enter the name of the vulnerabilities in the reporting.ignoredIssues
parameter. Names are case-sensitive. If you name an issue and don't supply a path, the issue is ignored everywhere.
We support the use of regex for the paths.
Setting the threshold
You can set a threshold that causes Burp Scanner to tell your CI/CD system to fail the pipeline step.
To enable a threshold, set reporting.threshold.enabled
to TRUE
. Then enter a minimum severity and a minimum confidence. If Burp Scanner detects an issue with at least this severity and confidence, it finishes with a non-zero exit code.
You can set the reporting.threshold.enabled
to:
-
TRUE
-
FALSE
You can set the threshold.minimumSeverity
to:
-
INFO
-
LOW
-
MEDIUM
-
HIGH
You can set the threshold.minimumConfidence
to:
-
TENTATIVE
-
FIRM
-
CERTAIN
If you don't input values for these parameters, the default values are TRUE
, LOW
, and
TENTATIVE
.
Configuring output detail level
The verboseScanning
parameter controls the amount of detail provided in scan output:
-
When
verboseScanning
is set toenabled: true
, the scan produces detailed output, making it easier to troubleshoot and gain deeper insights into what the scan is doing. -
When
verboseScanning
is set toenabled: false
, the scan produces minimal output, showing only the most important information. This mode is useful for routine scans where detailed information is not necessary. This is the default option.
Next step - Adding a configuration file