Configuring a site-driven scan in TeamCity

  • Last updated: July 3, 2023

  • Read time: 2 Minutes

To integrate Burp Suite Enterprise Edition with TeamCity, we recommend using the site-driven scan option. In this section, we'll provide step-by-step instructions on the full configuration process.


Whitelist your TeamCity URL

Site-driven scans interact with your Enterprise server via the GraphQL API. In order to support this behavior, you need to whitelist your TeamCity URL so that TeamCity can make the necessary cross-origin requests for retrieving your site tree and creating new scans.

  1. Log in to Burp Suite Enterprise Edition as an administrator.
  2. From the settings menu, select Network.
  3. On the network settings page, scroll down to the Allowed Origins for GraphQL API section.
  4. In the provided field, enter your TeamCity URL, including the protocol and port. For example:

  5. Save your entries.

Create the site-driven scan build step in TeamCity

  1. Log in to TeamCity.
  2. Open the pipeline in which you want to incorporate a vulnerability scan. Alternatively, create a new dummy project if you just want to test the integration process.
  3. Make sure your pipeline deploys the application that you want to scan to the same URL as the corresponding site in Burp Suite Enterprise Edition.
  4. Add a new build step and select the runner type Burp site-driven scan.
  5. Enter the URL of your Enterprise server. This is the URL that you normally use to access Burp Suite Enterprise Edition. Make sure you include the appropriate protocol and port. By default, this will be something like:

  6. Enter the API key that you generated when creating the API user earlier. If you've lost this, you need to generate a new API key or create a new API user from the Burp Suite Enterprise Edition web UI.
  7. Once you have entered both of these values, your site tree will automatically be fetched from Burp Suite Enterprise Edition. From the drop-down menu, select the site that you want to scan.
  8. Adjust the various optional settings to fine-tune how the scan and its results will affect your build.
  9. Save your pipeline.

Test your integration

After you finish configuring the build step, it's a good idea to check whether the integration is working correctly and that your scan is able to run successfully.

  1. Kick off a build-on-demand and look at the build log in TeamCity. You should see the scan initialize and start crawling. Throughout the scan, you can check the status by monitoring the build log.
  2. In Burp Suite Enterprise Edition, go to your site and open the Scans tab. You should see the TeamCity-initiated scan in the list.

Was this article helpful?