Manage Local Secret Protection policies
The Secret Scanner dashboard is available on Postman Enterprise plans. For more information, see the pricing page.
With the Secret Scanner dashboard, Team Admins can enable Local Secret Protection and control how exposed secrets are handled across their organization. Local Secret Protection detects sensitive information before it can be saved to the Postman cloud, local files, or connected Git repositories.
You can define workspace-level policies that determine how detected secrets are handled. Policies can be configured by workspace type or applied to specific workspaces, giving you flexibility to enforce different levels of protection based on visibility and collaboration needs. Policies can prompt users to choose how to handle a detected secret or automatically move secrets to Postman Local Vault or Postman Shared Vault. Policies can also require users to provide a justification before overriding a detected secret.
Enable Local Secret Protection
To enable Local Secret Protection in Postman, do the following:
- Click Organization > Organization settings in the Postman header, then click Secret Scanner in the left sidebar.
- Select the Local Protection tab.
- Turn on Local secret protection.
Once enabled, Team Admins can configure how Postman stores exposed secrets in your organization’s workspaces. By default, all workspaces use the Prompt option and users can choose how to handle detected secrets, such as storing them in a local vault or shared vault. However, Admins can change the default storage behavior.
Users can’t turn off secret policies, but can submit justifications to Admins to override any detected secrets.
Set default protection policies
You can customize how Local Secret Protection manages exposed secrets in your team’s workspaces. Define a policy for specific types of workspaces, and all new workspaces automatically inherit the policy you choose.
This only applies to workspaces created after you set a policy. To apply the policy to existing workspaces, update their policy.
To set default policies by workspace type, do the following:
- Click Set default policies.
- Select a protection policy for each workspace type.
- Click Save.
To reset the policy for workspaces to their default, do the following:
- Click Set default policies.
- Click Reset workspaces.
- Review the listed changes to each workspace type.
- Click Apply to all to confirm your changes. This resets all workspaces to use the default policy for the displayed workspace types and removes any custom overrides.

Protection policy options
Postman’s automatic secret protection policy offers the following options:
- Move to Local Vault — Automatically move detected secrets to the user’s Postman Local Vault. Secrets stored in the local vault aren’t synced to the Postman cloud and only the user can access them. The detected secret is replaced with a secure collection variable where the value references the vault secret. Users are notified when Postman detects an exposed secret.
- Move to Shared Vault — Automatically move detected secrets to the workspace’s Postman Shared Vault. Secrets stored in the shared vault are synced to the Postman cloud and available to your teammates. The detected secret is replaced with a secure collection variable where the value references the vault secret. Users are notified when Postman detects an exposed secret.
- Prompt — Prompt users to choose which vault type to move detected secrets to. Users are notified when Postman detects an exposed secret, and can click Move to vault in the notification to select which vault to move their secrets to. Users can also click Ignore to dismiss the notification, but they’ll be required to move the detected secrets to a local or shared vault before they can save their secrets.
- No policy — Ignores any secrets detected by Secret Scanner and stores them in the Postman cloud. Secret Scanner performs no automated actions or notifications. If you’re on an Enterprise plan, all workspace types in Cloud View use this policy by default.
Update protection policies
You can update an existing workspace’s protection policy. This is useful if you want to change how secrets are handled in specific workspaces or apply a new policy to existing workspaces after setting default policies. Policies are automatically applied to the selected workspaces.
To update a workspace’s protection policy, you can take the following actions:
- To update the policy of a single workspace, select a policy from the Policy dropdown list next to the workspace.
- To update the policy of multiple workspaces, select the workspaces or select the checkbox next to the Workspace column, then select a policy from the Select policy dropdown list.
By default, only the first 50 workspaces are listed. To select all workspaces or workspaces of the selected type, click Select all workspaces within team.
View workspace scan policies
Use the Search workspaces text box to search for and select workspaces, or use the Created by dropdown list to filter by specific users. You can also use the Type dropdown list to filter workspaces by their visibility:
- Public — Public workspaces are visible to everyone in the Postman community.
- Partner — Only invited team users and partners have access to Partner Workspaces.
- Internal — Internal workspaces are visible to only you or your team.
View secret scan metrics
With the Advanced Security Administration add-on, you can view Local Secret Protection metrics in the Secret Scanner reports dashboard. These reports provide insights into how secrets are handled across your team’s workspaces, including how many detected secrets are moved to Postman Vault and how often users ignore detected secrets.
To learn more, see View Secret Scanner reports.