[SalesForce] Security Review – False Positive Document

I want to submit my app for security review. Since my app is calling some external API, the security review wizard is prompting me to provide the details below.

  1. Burp Scan report
  2. False positive document

I have generated the report using the Burp tool, but I am not sure what a false positive document is. Can anyone help me understand what a false positive document is and how I can prepare it?

Thanks

Best Answer

Did the Burp Scan report find anything? Either fix it and run the test again, or provide justification in a false positives document explaining why you don't think it is a security risk.

There is a good description of false positives in the Burp Suite Scanner About page.

False Positives

A false positive occurs when a tool flags a bug as legitimate, misinterpreting it as an actual issue. This can occur for multiple reasons, but oftentimes it occurs due to not understanding the full context of an application. Here are two of the common places where you will see false positives in the output from Burp:

  • SQL Injection - SQL Injection consists of insertion of a SQL query via the input data from a user to the application. Burp looks for database error messages in the HTTP response, and may incorrectly classify an error message as being output from the database.
  • XML Injection – XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. Burp looks for exceptions thrown during XML parsing. However, at times a response containing the term “XML” could get flagged as an exception.

I've answered a similar question about scanning external APIs before. In my experience, you also need to run the security scan on any website that might be exposed around the API based on the same data. While the API may be reasonably secure, you also need to verify anything else that can expose the data.
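As a practical starting point for the document itself, here is an added example (not from the answer above, not Salesforce's or PortSwigger's code) that turns a Burp Scanner XML export into a false-positive justification table. It assumes the element layout Burp uses when you export issues as XML (an `<issues>` root with `<issue>` children carrying `<serialNumber>`, `<name>`, `<host>`, `<path>`, `<severity>`, `<confidence>` and `<issueDetail>`); the export embedded below is constructed, and the `JUSTIFICATIONS` mapping is the part you fill in per finding. Anything the table still lists as pending has to be either fixed and rescanned or justified before you submit.

```python
"""Build a false-positive justification document from a Burp Scanner XML export.

Added example, not code from the original post or from Burp/Salesforce.
Assumption: Burp's XML issue export is <issues><issue>...</issue></issues> with
child elements serialNumber, name, host, path, severity, confidence and
issueDetail. No other fields are relied on.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: two findings of the kind the answer above calls out
# as frequent false positives, plus one that should be fixed rather than argued.
SAMPLE_BURP_XML = """<?xml version="1.0"?>
<issues burpVersion="2023.10">
  <issue>
    <serialNumber>1001</serialNumber>
    <name>SQL injection</name>
    <host ip="203.0.113.10">https://api.example.test</host>
    <path>/v1/contacts</path>
    <severity>High</severity>
    <confidence>Tentative</confidence>
    <issueDetail><![CDATA[The response contains the string "syntax error".]]></issueDetail>
  </issue>
  <issue>
    <serialNumber>1002</serialNumber>
    <name>XML injection</name>
    <host ip="203.0.113.10">https://api.example.test</host>
    <path>/v1/import</path>
    <severity>Medium</severity>
    <confidence>Tentative</confidence>
    <issueDetail><![CDATA[The response contains the string "XML".]]></issueDetail>
  </issue>
  <issue>
    <serialNumber>1003</serialNumber>
    <name>Strict transport security not enforced</name>
    <host ip="203.0.113.10">https://api.example.test</host>
    <path>/</path>
    <severity>Low</severity>
    <confidence>Certain</confidence>
    <issueDetail><![CDATA[No Strict-Transport-Security header was observed.]]></issueDetail>
  </issue>
</issues>
"""

# Justifications keyed by Burp serial number. Each one should say what you
# checked, not just "not exploitable". 1003 is deliberately left out: it is
# real and cheap to fix, so it belongs in the remediation list, not here.
JUSTIFICATIONS = {
    "1001": ("The 'syntax error' text is the API's own JSON validation message for a "
             "malformed query parameter; no database is queried with this input. "
             "Replayed the scanner payload and a benign value: identical 400 body "
             "apart from the echoed parameter."),
    "1002": ("The word 'XML' appears in a static help message in the response; the "
             "endpoint only accepts JSON and no XML parser touches this parameter. "
             "Replayed with the scanner payload: no parser exception, 415 returned."),
}

FIELDS = ("serialNumber", "name", "host", "path", "severity", "confidence", "issueDetail")


def parse_burp_issues(xml_text):
    """Return a list of dicts, one per <issue>, with the fields in FIELDS."""
    root = ET.fromstring(xml_text)
    issues = []
    for node in root.iter("issue"):
        issues.append({f: (node.findtext(f) or "").strip() for f in FIELDS})
    return issues


def _cell(text):
    # Keep table cells on one line and protect the column separator.
    return " ".join(text.split()).replace("|", "\\|")


def build_false_positive_doc(issues, justifications):
    """Return (markdown_table, pending_serials).

    pending_serials lists findings with no justification; they must be fixed
    and rescanned or justified before the document is complete.
    """
    lines = [
        "| Serial | Issue | Location | Severity | Confidence | Scanner evidence | Justification |",
        "|---|---|---|---|---|---|---|",
    ]
    pending = []
    for issue in issues:
        serial = issue["serialNumber"]
        reason = justifications.get(serial)
        if reason is None:
            pending.append(serial)
            reason = "PENDING: fix and rescan, or add justification"
        lines.append("| {} | {} | {} | {} | {} | {} | {} |".format(
            serial, _cell(issue["name"]),
            _cell(issue["host"] + issue["path"]),
            issue["severity"], issue["confidence"],
            _cell(issue["issueDetail"]), _cell(reason)))
    return "\n".join(lines), pending


if __name__ == "__main__":
    doc, todo = build_false_positive_doc(parse_burp_issues(SAMPLE_BURP_XML), JUSTIFICATIONS)
    print(doc)
    if todo:
        print("\nStill pending:", ", ".join(todo))
```

Run it against your own export instead of the constructed sample, and treat the pending list as the gate: every Burp serial number either gets a justification that names what you replayed and compared, or gets fixed and disappears from the rescan.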
