How to Setup Burp Suite Professional with Jenkins.

Hi everyone, in this blog I will help you set up Burp Suite Professional with Jenkins. There are a lot of tools you could use for this, such as Acunetix or Netsparker, but we all know these tools cost a hell of a lot of money. So, in order to save the cost, I came up with using Burp as a DAST tool in the pipeline. I know a lot of you will say: why not move to an open-source DAST tool such as OWASP ZAP? But I feel that it does not have the reliability of Burp Suite Professional's active scan.

What is a DAST Tool?

A dynamic analysis security testing tool, or DAST test, is an application security solution that can help to find certain vulnerabilities in web applications while they are running in production. A DAST test is also known as a black box test because it is performed without a view into the internal source code or application architecture: it essentially uses the same techniques that an attacker would use to find potential weaknesses.

First things first, let's get started with configuring the Burp REST API.

Setting up the API

To configure the API, navigate to

User options -> Misc -> REST API, then select the checkbox to start the service.

By default, the service runs on http://127.0.0.1:1337 and requires you to generate an API key to use it. To generate an API key, select New, give the key a name, copy the key to the clipboard and click OK. Once you have the API key, you can start using the API. The API is self-documenting, so to understand how to use it you can simply browse to it and view the documentation located at http://127.0.0.1:1337/<api_key>/v0.1/

Now configure ngrok to point at the Burp API so that you can reach it from anywhere (for example from a Jenkins server on another host). Keep in mind that this exposes the API on a public ngrok URL where the API key is the only thing protecting it, so keep the key out of your scripts and build logs and store it as a Jenkins credential.

ngrok http 1337

How to configure the Burp API to scan?

In order to scan your website, you have to choose the second option, i.e. /scan.

Scan Section

  • Add your website where it says Add array item. You can add more websites by simply clicking Add array item again.

Application Login Section

  • You can add a login to your application by checking the application_logins box.
  • There are 2 options to set your login: either set your credentials directly, or record your login using Burp's embedded browser.

Scan Configuration section

  • You can configure scans as well in the scan_configurations section. This means you can set Burp to only crawl, or to run audit checks too.
  • These scan configurations are the built-in configurations of Burp. You can see them when you go to Burp → Configuration library.

In the scan_configurations section, you have 2 options: Named Configuration and Custom Configuration. In Custom Configuration you have to import your custom library. For this post, we will be configuring Burp with the named configuration “Crawl strategy — faster”.

Resource Pool section

In this section, you enter the name of a resource pool that you created previously. You can leave this blank as well.

Scan Callback

You can configure a scan callback URL, to which Burp will send information about the scan.

After all the configuration is done you simply have to click on Send request.

Now set up Jenkins to run a build that triggers the Burp API.

In order to move forward with this step, you have to configure your GitHub access token with Jenkins. Here is a link to a blog post you can use.

P.s. I'm running Jenkins on a Linux server. If you are using it on Windows, please change the build step to Execute Windows batch command.

  • Click on New Item (this will start a new job).
  • Choose a name for this job and then choose Freestyle project.
  • Now open the job that you created.
  • Click on the Configure tab.
  • Now choose the project where you push the code. I choose GitHub because I push my code there.
  • Now choose Git as the source code management.
  • In Build Triggers, choose GitHub hook trigger.
  • In the Build section choose Execute shell and paste the curl command that you got from the Burp Suite API. If you face issues with the curl command, try converting your curl command into bash using Reqbin.
  • Now when you push your code to GitHub the build will start.
  • When the build is over, the Burp Active scan is triggered.

This is how you trigger a Burp Active scan using Jenkins.
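The Execute shell step above just fires one curl command and forgets about the scan. As an added example (my own code, not from the post or from PortSwigger), the script below does the same POST to /scan from Python, then polls the task until it finishes and fails the Jenkins build when a high-severity issue is reported. The JSON field names (scan_status, issue_events[].issue.severity) and the Location header holding the task id are assumptions about the Burp REST API, and the BURP_API_KEY environment variable is where a Jenkins credential would be injected.

```python
# Added example (not from the post): submit a Burp REST API scan from a Jenkins
# "Execute shell" step and fail the build on high-severity findings. Field names
# (scan_status, issue_events[].issue.severity, Location header) are assumptions.
import json, os, sys, time, urllib.request

BURP_API = os.environ.get("BURP_API", "http://127.0.0.1:1337")  # or your ngrok URL
API_KEY = os.environ.get("BURP_API_KEY", "REPLACE_ME")  # inject via Jenkins credentials
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

def build_scan_request(urls, config_name="Crawl strategy - faster", login=None):
    """JSON body for POST /{api_key}/v0.1/scan, mirroring the /scan form sections."""
    body = {"urls": list(urls),
            "scan_configurations": [{"type": "NamedConfiguration", "name": config_name}]}
    if login:  # (username, password) fills the application_logins section
        body["application_logins"] = [{"type": "UsernameAndPasswordLogin",
                                       "username": login[0], "password": login[1]}]
    return body

def summarize_issues(task):
    """Count reported issues per severity from a GET /scan/{task_id} response."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for event in task.get("issue_events", []):
        sev = event.get("issue", {}).get("severity", "info").lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def build_should_fail(counts, threshold="high"):
    """The CI gate: True if any issue is at or above the threshold severity."""
    return any(n for sev, n in counts.items()
               if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[threshold])

def api(path, data=None):
    """Call the Burp REST API; returns (Location header, response body)."""
    req = urllib.request.Request(f"{BURP_API}/{API_KEY}/v0.1{path}",
                                 data=json.dumps(data).encode() if data else None,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location", ""), resp.read()

if __name__ == "__main__":  # usage: python burp_scan.py https://app.example.test
    location, _ = api("/scan", build_scan_request(sys.argv[1:]))
    task_id = location.rstrip("/").rsplit("/", 1)[-1]  # assumes Location ends in the id
    while True:
        task = json.loads(api(f"/scan/{task_id}")[1])
        if task.get("scan_status") in ("succeeded", "failed", "paused"):
            break
        time.sleep(30)  # poll while the crawl and audit run
    sys.exit(1 if build_should_fail(summarize_issues(task)) else 0)
```

A non-zero exit code marks the Jenkins build as failed, so the gate runs without any extra plugin.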

Please share your thoughts. And do reach out to me on my Twitter @mafiaguy if you need help.

THE HOW TO BLOG | Siddhanth Dwivedi

Siddhanth Dwivedi | Senior Security Engineer & AWS Community Builder 👨🏾‍💻