BurPy is a Python-based tool that automates web application security scans through Burp Suite Enterprise's GraphQL API. It lets you create a site, start a scan, monitor its progress, and retrieve the results programmatically. This is useful when Burp's CI-driven scanning integration is not an option for you.
- Create a site in Burp Suite with a specified scope.
- Start a scan for the created site.
- Monitor the scan's progress until completion.
- Retrieve and display scan results, grouped by severity.
- Python 3.8 or higher
- Burp Suite Enterprise with GraphQL API enabled
- API key with permissions to create sites and scans
- Clone this repository:

  ```bash
  git clone <repository-url>
  cd graphql-run-scan
  ```

- Create a virtual environment and activate it:

  ```bash
  python3 -m venv venv
  source venv/bin/activate
  ```

- Install the required dependencies:

  ```bash
  pip install -r requirements.txt
  ```

Before running the script, update the following variables in run_scan.py:

- BURP_URL: the URL of your Burp Suite server
- API_KEY: your Burp Suite API key
- SITE_NAME: the name of the site to be created in Burp Suite
- SITE_URL: the URL of the site to scan
- SCAN_CONFIGURATION_IDS: the scan configuration ID(s) to use

Run the script with:

```bash
python run_scan.py
```

The script logs its progress and results to the console. You can adjust the logging level by modifying the logging.basicConfig configuration in run_scan.py.
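As an added example (not BurPy's own code), the three pieces a GraphQL scan driver like this one needs: a request helper that fails loudly on GraphQL errors instead of treating a rejected mutation as success, a polling loop with a hard timeout so a stuck scan cannot hang a pipeline forever, and the severity grouping used for the report. The API key is read from the environment instead of being edited into the script, so it stays out of version control. The endpoint path, the `Authorization` header format, the `scan { status }` query, and the status and severity strings are assumptions to check against your own Burp Suite Enterprise schema; the environment variable names are placeholders.

```python
"""Building blocks for a Burp Suite Enterprise GraphQL scan driver.

Added example, not the BurPy project's own code. Everything network-related
below (endpoint path, header, query text, status/severity strings) is an
assumption to verify against your server's GraphQL schema.
"""
import json
import os
import time
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Read secrets from the environment (placeholder names) rather than
# hard-coding them in the script, so they never land in version control.
API_KEY = os.environ.get("BURP_API_KEY", "")
BURP_URL = os.environ.get("BURP_URL", "https://burp.example.invalid")  # placeholder

# Assumed query text; confirm field names against your schema.
QUERY_SCAN_STATUS = """
query ScanStatus($id: ID!) {
  scan(id: $id) { status }
}
"""

# Display order for the report; strings assumed to match Burp's enum.
SEVERITY_ORDER = ("high", "medium", "low", "info")
# Statuses after which polling should stop (assumed names).
TERMINAL_STATUSES = frozenset({"succeeded", "failed", "cancelled"})


def graphql_request(url: str, api_key: str, query: str,
                    variables: Optional[dict] = None, timeout: float = 30.0) -> dict:
    """POST one GraphQL operation and return its 'data' object.

    Raises RuntimeError when the response carries GraphQL errors, so a
    refused mutation (bad scope, missing permission) is not silently
    reported as a successful scan start.
    """
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(
        url.rstrip("/") + "/graphql/v1",  # assumed endpoint path
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": api_key},  # assumed header format
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(f"GraphQL errors: {payload['errors']}")
    return payload.get("data", {})


def wait_for_scan(fetch_status: Callable[[], str],
                  timeout_s: float = 3600.0, interval_s: float = 30.0,
                  sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> str:
    """Poll fetch_status() until a terminal status or until timeout_s elapses.

    sleep and clock are injectable so the loop can be tested without waiting.
    Raises TimeoutError instead of polling forever.
    """
    deadline = clock() + timeout_s
    while True:
        status = fetch_status()
        if status in TERMINAL_STATUSES:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"scan still '{status}' after {timeout_s}s")
        sleep(interval_s)


def group_issues_by_severity(issues: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group issue dicts by their 'severity' field, highest severity first.

    Severities not in SEVERITY_ORDER are kept under their own key at the
    end rather than dropped, so nothing the scanner reported disappears.
    """
    groups: Dict[str, List[dict]] = {sev: [] for sev in SEVERITY_ORDER}
    for issue in issues:
        sev = str(issue.get("severity", "unknown")).lower()
        groups.setdefault(sev, []).append(issue)
    return {sev: found for sev, found in groups.items() if found}


if __name__ == "__main__":
    # Live usage against a real server; needs BURP_URL, BURP_API_KEY and
    # a scan id in BURP_SCAN_ID (all placeholder variable names).
    scan_id = os.environ.get("BURP_SCAN_ID", "")
    final = wait_for_scan(
        lambda: graphql_request(BURP_URL, API_KEY, QUERY_SCAN_STATUS,
                                {"id": scan_id})["scan"]["status"])
    print("scan finished with status:", final)
```

The polling loop takes its clock and sleep function as parameters, which is what lets a CI job put an upper bound on how long it waits and what lets the loop be unit-tested without real delays.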
- Ensure that the Burp Suite server is accessible from the machine running this script.
- The API key must have the necessary permissions to create sites and scans.