Download the Burp Plugin from the Download Tools page in ThreadFix.
Install ThreadFix Plugin
In Burp, go to the Extender tab > Add, set the extension type to Java, and choose the downloaded threadfix-release-2.jar.
A new ThreadFix tab will be presented with three buttons:
ThreadFix > Main > Import Endpoints From Source
ThreadFix > Main > Import Endpoints From ThreadFix
ThreadFix > Main > Export Scan
Please ensure that the following are set up correctly in ThreadFix before continuing:
A Team with an Application has been created
The Application is linked to its source code (the endpoints the plugin imports are derived from it)
You have created an API key and have it to hand
Choose the ThreadFix tab, then click the desired 'Import Endpoints...' button:
Import Endpoints From Source
Import Endpoints From ThreadFix
From the ThreadFix > Options tab, enter the ThreadFix URL and API key, the ThreadFix application from which you want to get endpoints, and the Target URL (the base URL of the running application that the imported endpoint paths will be requested against).
Append "/rest/latest" to the ThreadFix URL so that Burp connects using the latest version of the API.
If ThreadFix is served over HTTPS with a certificate that Burp's bundled JRE does not already trust (for example one issued by an internal CA), import the server's certificate into the trust store under <burp-install>/jre/lib/security (see Import ThreadFix Server Certificate below).
Then, from the ThreadFix > Main tab, click Import Endpoints From ThreadFix. Burp imports the endpoints ThreadFix has extracted from the application's linked source code.
Begin the spider by choosing Spider from the Target tab.
Burp will then spider and scan the imported endpoints and show its progress.
Once the scan is complete you can export it to ThreadFix.
Select ThreadFix > Main > Export Scan
Confirm the ThreadFix URL (with "/rest/latest") and the API key
Choose the application for which you want to export the scan to ThreadFix
A pop-up should be displayed informing you that the export was successful
Check the application in ThreadFix to verify that the scan was uploaded
Import ThreadFix Server Certificate
Burp comes packaged with its own JRE, which is used when you run the .exe launcher. If you need to import the ThreadFix server's certificate in order to connect to it, import it into <Burp Install>/jre/lib/security/cacerts; the keystore password is the JRE default (changeit) unless it has been changed. If you launch Burp with a different JRE instead of the bundled one, import into that JRE's cacerts instead. Importing the issuing CA certificate rather than the server's leaf certificate avoids repeating this step when the server certificate is renewed.
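The two checks this page leaves to the reader (getting the ThreadFix server's certificate into the bundled JRE's trust store, and confirming that the URL with "/rest/latest" and the API key work before they are typed into the plugin's Options tab) can be scripted. The following is an added example, not part of the plugin or of ThreadFix. It assumes openssl, keytool and curl are on the PATH; the Authorization: APIKEY header form of the key and the /teams resource under /rest/latest are assumptions about the REST API that you should check against your ThreadFix version (older releases took the key as an ?apiKey= query parameter). The sample s_client output embedded in the script is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example for the ThreadFix Burp plugin docs; not part of the plugin
# or of ThreadFix. Scripts the two manual prerequisites: putting the
# ThreadFix server's certificate into Burp's bundled JRE trust store, and
# checking the URL (with /rest/latest) and API key before they go into the
# plugin's Options tab.
#
# Assumptions (not from the docs): the "Authorization: APIKEY" header form
# of the key and the /teams resource; older releases used ?apiKey=.

# Append /rest/latest unless the URL already ends with it (trailing slash tolerated).
threadfix_api_base() {
    _u="${1%/}"
    case "$_u" in
        */rest/latest) printf '%s\n' "$_u" ;;
        *)             printf '%s/rest/latest\n' "$_u" ;;
    esac
}

# openssl s_client prints handshake chatter plus one or more PEM blocks;
# keep only the first (leaf) certificate, which is what keytool expects.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Fetch the leaf certificate from a live server into a PEM file.
fetch_threadfix_cert() {   # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | extract_leaf_cert > "$3"
}

# Print the SHA-256 fingerprint so it can be compared out of band with the
# ThreadFix administrator before the certificate is trusted.
cert_fingerprint() {       # pemfile
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import into the cacerts keystore of Burp's bundled JRE (path taken from
# the docs above). The password is the JRE default unless it was changed.
import_into_burp_truststore() {   # burp_home pemfile alias
    keytool -importcert -noprompt -trustcacerts \
        -alias "$3" -file "$2" \
        -keystore "$1/jre/lib/security/cacerts" -storepass changeit
}

# Call the API with curl pinned to the same certificate, so a failure here
# means the URL or key is wrong rather than the trust store.
threadfix_ping() {         # base_url api_key pemfile
    curl --silent --show-error --fail --cacert "$3" \
        -H "Authorization: APIKEY $2" \
        "$(threadfix_api_base "$1")/teams"
}

# Constructed sample of s_client output (not a real certificate) used to
# exercise extract_leaf_cert offline.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = threadfix.example.internal
---
Certificate chain
 0 s:CN = threadfix.example.internal
-----BEGIN CERTIFICATE-----
MIIBleafCERTIFICATEBODYGOESHERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBissuingCABODYGOESHERE
-----END CERTIFICATE-----
---'

# Usage (needs network access plus openssl, keytool and curl), e.g.:
#   THREADFIX_HOST=threadfix.example.internal \
#   THREADFIX_URL=https://threadfix.example.internal/threadfix \
#   THREADFIX_API_KEY=... BURP_HOME=/opt/burp sh threadfix_preflight.sh
if [ -n "${THREADFIX_HOST:-}" ]; then
    fetch_threadfix_cert "$THREADFIX_HOST" "${THREADFIX_PORT:-443}" threadfix.pem
    cert_fingerprint threadfix.pem
    import_into_burp_truststore "${BURP_HOME:?set BURP_HOME}" threadfix.pem threadfix
    threadfix_ping "${THREADFIX_URL:?set THREADFIX_URL}" \
        "${THREADFIX_API_KEY:?set THREADFIX_API_KEY}" threadfix.pem
fi
```

Compare the printed fingerprint with the ThreadFix administrator before running the import, and prefer importing the issuing CA certificate over the leaf where one is available. Note that passing the API key on the curl command line makes it visible to other local users via the process list; on a shared host, put the header in a curl config file read with --config instead.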