Automating Burp Suite Scans: Building DAST Pipelines with burpa

Hook

Burp Suite Professional is the gold standard for web security testing, but automating it requires managing two separate REST APIs—one official, one community-maintained—which burpa orchestrates together.

Context

Burp Suite Professional has dominated the web application security testing landscape, but it was built for interactive, manual testing through a GUI. As DevSecOps practices matured and security shifted left into CI/CD pipelines, teams needed Dynamic Application Security Testing (DAST) that could run without human intervention. Burp Suite Professional 2.0 and later includes an official REST API; burpa addresses the remaining automation gaps by combining that API with the burp-rest-api extension from VMware.

This creates a practical solution to a common problem. Organizations that have invested in Burp Suite Professional licenses and built institutional knowledge around its scanner can now integrate it into automated pipelines without writing substantial orchestration code. The burp-rest-api extension provides capabilities that complement the official API. burpa emerged as a wrapper that combines both APIs to expose Burp’s scanner through clean CLI and programmatic interfaces designed specifically for automation.

Technical Insight

System architecture (auto-generated diagram): the CLI interface (python-fire) and the Python library API both drive the Burpa core orchestrator, which reads its configuration from env vars/.env. The orchestrator talks to Burp Suite Professional through two services: the Burp official REST API on :1337 (submit URLs, configure auth, poll status and metrics) and the burp-rest-api extension on :8090 (generate HTML reports). Scan status, issues and report files flow back to burpa, which writes the HTML reports to the output directory.

burpa’s architecture orchestrates two APIs to provide complete automation capabilities. The tool uses Burp’s official REST API for launching scans and handling authentication, then uses the third-party burp-rest-api extension for HTML report generation. This dual-API approach addresses gaps in either API alone.

The scan workflow demonstrates this orchestration. When you run a scan, burpa communicates with the APIs to submit URLs and configure authentication:

# Using burpa as a Python library
from burpa import Burpa

scanner = Burpa(
    api_url="http://localhost",
    api_port=8090,
    new_api_url="http://localhost",
    new_api_port=1337,
    new_api_key="your-api-key"
)

# Launch authenticated scan
scanner.scan(
    urls=["http://myapp.com/dashboard"],
    app_user="testuser",
    app_pass="testpass",
    report_output_dir="./reports"
)

burpa tracks scan progress by monitoring metrics like CRAWL_REQUESTS_MADE, AUDIT_QUEUE_ITEMS_COMPLETED, and ISSUE_EVENTS until the scan reaches “succeeded” status. It then uses the burp-rest-api extension to generate HTML reports.
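The progress-tracking loop described above, as an added example that is not burpa's own code. It assumes a status source returning JSON shaped like the official Burp REST API's scan-task response ("scan_status" plus a "scan_metrics" object); the sample responses below are constructed, not captured from Burp.

```python
import time
from typing import Callable, Dict, List

# States after which polling stops (assumed status vocabulary).
TERMINAL_STATES = {"succeeded", "failed"}
# The three metrics the article says burpa watches, in lower-case API form.
TRACKED_METRICS = ("crawl_requests_made",
                   "audit_queue_items_completed", "issue_events")


def summarize(status: Dict) -> Dict[str, int]:
    """Pull the tracked counters out of one status response."""
    metrics = status.get("scan_metrics", {})
    return {name: int(metrics.get(name, 0)) for name in TRACKED_METRICS}


def wait_for_scan(fetch_status: Callable[[], Dict],
                  interval: float = 0.0, max_polls: int = 100) -> Dict:
    """Poll fetch_status() until the task is terminal or max_polls is hit.

    Returns the final state, how many polls it took and the last metrics,
    so a pipeline can fail the build on 'failed' or on a poll timeout.
    """
    history: List[Dict[str, int]] = []
    for _ in range(max_polls):
        status = fetch_status()
        history.append(summarize(status))
        state = status.get("scan_status", "unknown")
        if state in TERMINAL_STATES:
            return {"scan_status": state, "polls": len(history),
                    "final_metrics": history[-1]}
        time.sleep(interval)
    raise TimeoutError(f"scan not finished after {max_polls} polls")


# Constructed sequence of status responses (hypothetical, not real output).
SAMPLE_RESPONSES = [
    {"scan_status": "crawling", "scan_metrics": {"crawl_requests_made": 12}},
    {"scan_status": "auditing", "scan_metrics": {"crawl_requests_made": 40,
     "audit_queue_items_completed": 17, "issue_events": 2}},
    {"scan_status": "succeeded", "scan_metrics": {"crawl_requests_made": 40,
     "audit_queue_items_completed": 58, "issue_events": 3}},
]


def make_fake_fetcher(responses: List[Dict]) -> Callable[[], Dict]:
    """Replay canned responses; keeps returning the last one when exhausted."""
    it = iter(responses)
    return lambda: next(it, responses[-1])


def demo() -> Dict:
    return wait_for_scan(make_fake_fetcher(SAMPLE_RESPONSES))
```

In a real pipeline fetch_status would be a small function doing the HTTP GET against the official API with the API key; the loop itself stays unchanged.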

The CLI interface, built with python-fire, provides the same functionality:

# Scan with authentication and custom output
burpa scan https://staging.myapp.com/api \
  --app-user=scanner \
  --app-pass='P@ssw0rd' \
  --report-output-dir=./security-reports/

# Reset scanner state by stopping Burp
burpa stop
burpa test --wait 120  # Wait for automatic restart

One useful design choice is scope management. If you pass a URL pointing to a specific file like http://example.com/app/page.html?id=123, burpa automatically adds the parent directory (http://example.com/app/) to the scan scope, helping ensure related resources are crawled.
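The scope rule just described, reconstructed as an added example (not burpa's implementation), extended to a whole target list like the ./target-urls.txt used later: any final path segment without a trailing slash is treated as a file and replaced by its parent directory, query strings and fragments are dropped, and duplicates are collapsed. The sample target list is constructed.

```python
from typing import Iterable, List
from urllib.parse import urlsplit, urlunsplit


def scope_prefix(url: str) -> str:
    """Return the scope entry to add for one target URL.

    "http://example.com/app/page.html?id=123" -> "http://example.com/app/"
    A path already ending in "/" is kept as-is; an empty path becomes "/".
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    path = parts.path or "/"
    if not path.endswith("/"):
        # Drop the file name, keep the directory (rsplit on "/" once).
        path = path.rsplit("/", 1)[0] + "/"
    # Query and fragment never belong in a scope prefix.
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def scope_for_targets(lines: Iterable[str]) -> List[str]:
    """Build an ordered, de-duplicated scope list from target-file lines.

    Blank lines and '#' comments are skipped so a hand-edited list works.
    """
    scope: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix = scope_prefix(line)
        if prefix not in scope:
            scope.append(prefix)
    return scope


# Constructed sample target list (hypothetical hosts and paths).
SAMPLE_TARGETS = """
# staging targets
http://example.com/app/page.html?id=123
http://example.com/app/other.html#top
https://example.com/api/v1/users
https://example.com
""".splitlines()
```

Reviewing the derived list before a scan is a cheap way to confirm an automated run cannot widen scope beyond the directories you meant to test.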

The configuration system uses environment variables as first-class citizens, automatically loading .env files with python-dotenv:

# .env file
BURP_API_URL=http://burp-scanner.internal
BURP_API_PORT=8090
BURP_NEW_API_URL=http://burp-scanner.internal
BURP_NEW_API_PORT=1337
BURP_NEW_API_KEY=abc123

# Now run without flags
burpa scan ./target-urls.txt --report-output-dir=./reports/

The fork maintained by tristanlatr adds modern Python practices: proper package structure with pip install, static type hints for IDE support, and published API documentation. The removal of Slack integration reflects a design decision to keep notifications separate from the security tooling layer.

Gotcha

burpa’s infrastructure requirements are substantial. You need a Burp Suite Professional license, the burp-rest-api extension running alongside the official API (two services to manage), and both must be configured correctly before burpa will work. The README’s setup instructions describe the process: you need to launch Burp in GUI mode initially with the burp-rest-api extension using --headless.mode=false --unpause-spider-and-scanner options, enable the official REST API under User Options > Misc > REST API, export both project-level and user-level configuration files, then pass those configs when launching the headless burp-rest-api extension with --config-file and --user-config-file options.

The most significant limitation is scanner state management. According to the README, which references a GitHub issue on the subject, there appears to be no API method to reset the scanner to a clean state. The only solution is to stop the entire Burp Suite process and restart it, which burpa handles with the burpa stop command. This means you need an external process manager (systemctl on Linux, NSSM on Windows, or supervisord) configured to automatically restart Burp when it exits. In containerized environments, this requires orchestrating a Java GUI application in headless mode while managing two REST APIs and coordinating restarts.

The dual-API dependency also creates version compatibility considerations. Since burpa relies on both the official API and the third-party burp-rest-api extension, updates to Burp Suite Professional could potentially affect compatibility with the VMware extension.

Verdict

Use burpa if you already have Burp Suite Professional licenses and infrastructure, need authenticated scanning capabilities, and want to integrate Burp’s active scanning into CI/CD pipelines without writing orchestration code yourself. It’s particularly valuable for organizations that have security teams already using Burp manually and want to automate their existing workflows. The Python library interface makes it straightforward to build custom security testing harnesses or integrate with existing test frameworks. Skip burpa if you don’t have Burp Professional (the licensing cost makes alternatives worth considering), or want something that doesn’t require managing multiple services and REST API extensions. For teams starting fresh with DAST, OWASP ZAP with automation tools offers similar capabilities with zero licensing costs, or Nuclei provides template-based scanning that may better suit certain use cases.
