Enterprise Edition: CI integration
2018-08-31 00:41:00 Author: portswigger.net

Burp Suite Enterprise Edition has full support for integration with CI/CD systems.

There is a REST API that can be used to initiate scans and obtain the results:

There is a native Burp CI plugin for Jenkins:

And for TeamCity:

There is also a generic Burp CI driver that provides a command-line interface for use by any CI platform for which a native plugin is not available:

Using the CI integration, you can configure builds in your CI system to drive scans per commit or on a schedule, and fail software builds when certain issues are reported. This involves making your build deploy the application that is to be scanned to a suitable test server. This might be a static server that is used for this purpose, or a more dynamic deployment such as a Docker container. The build should output the URLs to be scanned within its build log, and then invoke the Burp CI integration. Optionally, you can also configure, per build, the minimum severity or confidence at which a discovered issue breaks the build.
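As an added illustration (not code from this post or from PortSwigger), the Python below shows the two pieces the paragraph leaves to the build script: collecting the URLs the build announced in its log, and applying a per-build severity and confidence floor to reported issues to decide whether the build fails. The `SCAN_URL:` log convention and the simplified issue dictionaries are assumptions; the driver's actual invocation and result format are not shown on the page.

```python
import re
from typing import Dict, Iterable, List

# Burp's issue severity and confidence scales, ordered lowest to highest.
SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_RANK = {"Tentative": 0, "Firm": 1, "Certain": 2}

# Assumed convention (not from the page): the build prints one line per
# target, e.g. "SCAN_URL: https://staging.example.test/app", to its log.
SCAN_URL_LINE = re.compile(r"^\s*SCAN_URL:\s*(https?://\S+)\s*$")


def extract_scan_urls(build_log: str) -> List[str]:
    """Collect the target URLs announced in the build log, de-duplicated, in order."""
    seen: Dict[str, None] = {}
    for line in build_log.splitlines():
        m = SCAN_URL_LINE.match(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def blocking_issues(issues: Iterable[dict], min_severity: str, min_confidence: str) -> List[dict]:
    """Return issues at or above BOTH floors. Unknown labels rank as the maximum,
    so a malformed or unexpected result fails closed rather than slipping past the gate."""
    sev_floor = SEVERITY_RANK[min_severity]
    conf_floor = CONFIDENCE_RANK[min_confidence]
    hits = []
    for issue in issues:
        sev = SEVERITY_RANK.get(issue.get("severity"), max(SEVERITY_RANK.values()))
        conf = CONFIDENCE_RANK.get(issue.get("confidence"), max(CONFIDENCE_RANK.values()))
        if sev >= sev_floor and conf >= conf_floor:
            hits.append(issue)
    return hits


def build_passes(issues: Iterable[dict], min_severity: str = "High", min_confidence: str = "Firm") -> bool:
    """Gate decision for one build: True means no issue reached the configured floors."""
    return not blocking_issues(issues, min_severity, min_confidence)


# Constructed sample data: a build-log excerpt and scan results in a simplified
# shape (not the real API's output format).
SAMPLE_LOG = """[build] compiling
SCAN_URL: https://staging.example.test/app
[build] tests passed
SCAN_URL: https://staging.example.test/app
SCAN_URL: https://staging.example.test/admin
"""
SAMPLE_ISSUES = [
    {"name": "Cross-site scripting (reflected)", "severity": "High", "confidence": "Certain"},
    {"name": "Cookie without HttpOnly flag set", "severity": "Low", "confidence": "Certain"},
    {"name": "SQL injection", "severity": "High", "confidence": "Tentative"},
]
```

In a CI job the script would exit non-zero when `build_passes` returns False so the platform marks the build failed.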

Note that Burp Suite Professional does not have a suitable design or architecture for use in CI integration, and is not licensed for this purpose. Users wishing to use Burp Suite to perform scanning within their CI builds should use Burp Suite Enterprise Edition.


Source: https://portswigger.net/blog/enterprise-edition-ci-integration