- 07 May 2024
- 3 Minutes to read
- Print
- PDF
Postman collections with AST
- Updated on 07 May 2024
- 3 Minutes to read
- Print
- PDF
Postman is an API development and testing tool used by software developers and testers. It allows users to create, test, and manage APIs, as well as automate API tests, and collaborate with team members on API development projects. It supports various request types, including GET, POST, PUT, DELETE, and PATCH, and allows users to add custom headers, parameters, and authentication options to their requests.
In Postman, a collection is a group of related API requests, along with any associated test scripts, variables, and documentation. Collections make it easy to organize and manage API requests for a particular project or workflow. A collection can include requests for various HTTP methods, such as GET, POST, PUT, DELETE, and PATCH, each with its set of parameters and headers. These requests can be organized into folders within the collection, and can \be grouped based on their purpose or functionality. For more information on the Postman collection, see Creating your first collection.
You can use your Postman collections to start a security scan using Traceable's API security testing (AST) tool. For more information on creating and running a scan, see Security Testing. At present, you can use your Postman collection with AST with CLI and your CI/CD pipeline.
Before you begin
Before you use your Postman collection, ensure you have the Traceable Platform agent's URL or IP address handy.
(Optional) Make sure you have the path to your Postman environment file with you.
Information
In Postman, an environment file is a collection of variables that can be used to store and manage variables that are shared across multiple API requests. Environment files allow developers to easily switch between different environments, such as development, staging, and production, without manually modifying their API requests. For more information on Post environments, see Managing environments. Optionally, you can use the variables in a Postman collection file instead of the environment file.
Make sure you have the path to your Postman collection file.
If you are going to run the Postman collection through the CI/CD pipeline, make sure that the repository against which you are the AST scan has the Postman collection in it.
Run the Postman collection
Enter the following command to run the AST scan using Postman collection on CLI or in your CI/CD pipeline. To run through the CI/CD pipeline, configure the command in the pipeline.
traceable ast scan initAndRun --scan-name postman-collection-demo --traffic-env {{traffic environment}} --postman-environment {{Postman environment JSON file}} --postman-collection {{Postman collection JSON file}}
Following are the arguments for the above command:
initAndRun
– Initialize and run the scanscan-name
– The name of the scantraffic-env
– Traffic environment where you want to report your postman trafficpostman-environment
– Path to your postman environment filepostman-collection
– Path to your postman collection file
For example, for a crAPI application, the command would be like the following:
traceable ast scan initAndRun --scan-name crAPI-postman-demo -e crapi -i "crapi.allvapps.*" -x "logout|8025|verify" -pe crAPI.postman_environment.json -pc crAPI.postman_collection.json
The command
traceable ast scan initAndRun
is running a scan using Traceable's Application Security Testing (AST) tool. TheinitAndRun
option specifies that the scan should be initialized and run. The--scan-name crAPI-postman-demo
option sets the name of the scan to “crAPI-postman-demo”.The
-e crapi
option specifies the environment in which the scan should be run, with “crapi” being the name of the environment. The-i "crapi.allvapps.*"
option sets the include filter, which specifies the URL to include in the scan. In this case, it includes all files and directories under crapi.allvapps.The
-x "logout|8025|verify"
option sets the exclude filter, which specifies the URL to exclude from the scan. In this case, it excludes any URLs that contain the strings “logout”, “8025”, or “verify”.The
-pe crAPI.postman_environment.json
option specifies the Postman environment file to use for the scan, with “crAPI.postman_environment.json” being the name of the file. This file likely contains environment variables that will be used in the API requests being tested by the scan.The
-pc
option specifies that the scan should be run in a Postman collection. This means that the scan will use the API requests and associated data defined in the Postman collection to perform security testing.
Once the scan is complete, you can view the results in the AST Dashboard.