Postman collections with AST
  • 09 Mar 2023

Postman is an API development and testing tool used by software developers and testers. It allows users to create, test, and manage APIs, as well as automate API tests, and collaborate with team members on API development projects. It supports a variety of request types, including GET, POST, PUT, DELETE, and PATCH, and allows users to add custom headers, parameters, and authentication options to their requests.

In Postman, a collection is a group of related API requests, along with any associated test scripts, variables, and documentation. Collections make it easy to organize and manage API requests for a particular project or workflow. A collection can include requests for various HTTP methods, such as GET, POST, PUT, DELETE, and PATCH, each with its own set of parameters and headers. These requests can be organized into folders within the collection, grouped by purpose or functionality. For more information on Postman collections, see Creating your first collection.

You can use your Postman collections to start a security scan in Traceable's API security testing (AST) tool. For more information on creating and running a scan, see Security testing. At present, Postman collections are supported with AST from the CLI and from your CI/CD pipeline.

Before you begin

  • Before you proceed with using your Postman collection, make sure that you have the Traceable Platform agent's URL or IP address handy.
  • Make sure you have the path to your Postman environment file.
    In Postman, an environment file is a set of variables used to store and manage data that is shared across multiple API requests, for example the base URL or an access token. Environment files let developers switch between environments, such as development, staging, and production, without modifying their API requests by hand. For more information on Postman environments, see Managing environments.
  • Make sure you have the path to your Postman collection file.
  • If you are going to run the Postman collection through a CI/CD pipeline, make sure that the repository against which you are running the AST scan contains the Postman collection (and the environment file, if you use one).

Run the Postman collection

Enter the following command to run the AST scan using a Postman collection from the CLI or in your CI/CD pipeline. For the pipeline, configure the command as a step of the pipeline. Replace each {{...}} placeholder with your own value.

traceable ast scan initAndRun --scan-name postman-collection-demo --traffic-env {{traffic environment}} --postman-environment {{Postman environment JSON file}} --postman-collection {{Postman collection JSON file}} --proxy --tpa {{TPA URL}}

Following are the arguments for the above command:

  • initAndRun – Initialize and run the scan
  • scan-name – The name of the scan
  • traffic-env – Traffic environment in which the Postman traffic is reported
  • postman-environment – Path to your postman environment file
  • postman-collection – Path to your postman collection file
  • proxy – The proxy to Traceable's Platform agent. This argument does not take any value.
  • tpa – URL or IP address to Traceable's Platform agent.

proxy and tpa are optional. You need them only when the target application is not already instrumented with Traceable's tracing agent; in that case the scan traffic is sent through the Platform agent at the given URL so that AST can observe it.

For example, for a crAPI application, the command looks like the following (short forms of the options are used here):

traceable ast scan initAndRun --scan-name crAPI-postman-demo -e crapi -i "crapi.allvapps.*" -x "logout|8025|verify" -pe crAPI.postman_environment.json -pc crAPI.postman_collection.json --proxy -tpa http://localhost:4317

  • traceable ast scan initAndRun starts a scan with Traceable's API security testing (AST) tool; initAndRun initializes the scan and runs it in one step. --scan-name crAPI-postman-demo names the scan "crAPI-postman-demo".
  • -e crapi is the short form of --traffic-env: the Postman traffic is reported into the traffic environment named "crapi".
  • -i "crapi.allvapps.*" sets the include filter, a pattern matched against the request URLs (host and path) the scan sees. Here every endpoint whose host begins with "crapi.allvapps" is in scope.
  • -x "logout|8025|verify" sets the exclude filter: any request whose URL matches "logout", "8025" or "verify" is skipped. Excluding the logout endpoint matters in practice, because a scanner that calls it invalidates the session that the rest of the collection depends on.
  • -pe crAPI.postman_environment.json is the short form of --postman-environment: the environment file whose variables (base URL, tokens and so on) are substituted into the requests.
  • -pc crAPI.postman_collection.json is the short form of --postman-collection: the requests and associated data defined in this file are what the scan sends to the target.
  • --proxy and -tpa http://localhost:4317 route the scan traffic through the Traceable Platform agent at that URL or IP address. As noted above, these are required when the target is not pre-instrumented with the tracing agent.
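The following is an added example of how a CI/CD job can wrap the command documented above. It is not part of Traceable's CLI or of this article's original content; the helper names (check_postman_inputs, count_filled_secrets, build_scan_command), the traffic environment name "staging" and the two sample Postman JSON files are this example's own constructions. It checks that both files exist and look like Postman exports before the scan is initialized, warns when an environment file committed to the repository carries a filled-in secret-type variable, and appends --proxy/--tpa only when a Platform agent URL is supplied (the un-instrumented-target case described above).

```shell
#!/usr/bin/env bash
# Added example (not Traceable's code): pre-flight checks and command assembly
# for `traceable ast scan initAndRun` with a Postman collection in a CI/CD job.
set -eu

# Constructed sample inputs in the shapes Postman exports: an environment has a
# "values" array of variables, a collection has an "info" block and an "item" array.
WORK="$(mktemp -d)"
cat >"$WORK/demo.postman_environment.json" <<'EOF'
{"name":"demo","values":[
  {"key":"baseUrl","value":"http://localhost:8888","enabled":true,"type":"default"},
  {"key":"token","value":"","enabled":true,"type":"secret"}]}
EOF
cat >"$WORK/demo.postman_collection.json" <<'EOF'
{"info":{"name":"demo","schema":"https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
 "item":[{"name":"login","request":{"method":"POST","url":"{{baseUrl}}/identity/api/auth/login"}}]}
EOF
# A second, deliberately leaky environment: a secret-type variable with a real value.
cat >"$WORK/leaky.postman_environment.json" <<'EOF'
{"name":"leaky","values":[{"key":"token","value":"hunter2","enabled":true,"type":"secret"}]}
EOF

# check_postman_inputs ENV_FILE COLLECTION_FILE
# Returns non-zero when a file is missing or does not look like a Postman export,
# so the pipeline stops before a scan is initialised against bad inputs.
check_postman_inputs() {
  local env_file="$1" coll_file="$2"
  [ -r "$env_file" ]  || { echo "missing environment file: $env_file" >&2; return 1; }
  [ -r "$coll_file" ] || { echo "missing collection file: $coll_file" >&2; return 1; }
  grep -q '"values"' "$env_file"  || { echo "$env_file: no \"values\" array" >&2; return 1; }
  grep -q '"item"'   "$coll_file" || { echo "$coll_file: no \"item\" array" >&2; return 1; }
  return 0
}

# count_filled_secrets ENV_FILE
# Heuristic, line-break tolerant: flattens the file, isolates each innermost
# JSON object (one variable each) and counts those typed "secret" whose value is
# non-empty. A non-zero count in a file committed to the repository is a leak risk.
count_filled_secrets() {
  tr -d '\n' <"$1" \
    | grep -Eo '\{[^{}]*\}' \
    | grep -E '"type" *: *"secret"' \
    | grep -Ec '"value" *: *"[^"]+"' || true
}

# build_scan_command SCAN_NAME TRAFFIC_ENV ENV_FILE COLLECTION_FILE [TPA_URL]
# Prints the command line documented in the article. --proxy and --tpa are added
# only when a Platform agent URL is given, i.e. when the target is not instrumented.
build_scan_command() {
  local scan_name="$1" traffic_env="$2" env_file="$3" coll_file="$4" tpa="${5:-}"
  local cmd="traceable ast scan initAndRun --scan-name $scan_name --traffic-env $traffic_env"
  cmd="$cmd --postman-environment $env_file --postman-collection $coll_file"
  if [ -n "$tpa" ]; then
    cmd="$cmd --proxy --tpa $tpa"
  fi
  printf '%s\n' "$cmd"
}

# Usage, as a pipeline step would run it (the scan itself is only printed here).
check_postman_inputs "$WORK/demo.postman_environment.json" "$WORK/demo.postman_collection.json"
if [ "$(count_filled_secrets "$WORK/demo.postman_environment.json")" != "0" ]; then
  echo "warning: environment file contains a filled-in secret variable" >&2
fi
build_scan_command postman-collection-demo staging \
  "$WORK/demo.postman_environment.json" "$WORK/demo.postman_collection.json" http://localhost:4317
```

In a real job, execute the line that build_scan_command prints (or exec the traceable binary directly with the same arguments) after the checks pass; keep the environment file free of real credentials and inject tokens through the pipeline's secret store instead, since the file is read from the repository being scanned.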

Once the scan is complete, you can view the results in the AST Dashboard.
