How the Secret Scanner works

The Secret Scanner scans public workspaces and published documentation to detect exposed secrets on all Postman plans. Secret Scanner is turned on by default for public workspaces with all Postman plans and scans for:

• Exposed supported secrets in all HTTP and multi-protocol collections, including their requests and responses.
• The shared values of environment variables and global variables.
• API specifications in the Postman API Builder.
• Documentation published, regardless of the type of workspace it’s found in.

Postman automatically replaces exposed secrets with placeholders if the Secret Scanner detects exposed supported secrets in your public workspaces. Team Admins and Workspace Admins are notified by email, Slack (if configured), and in-app notification if exposed secrets are automatically replaced.

Postman recommends using a vault secret as a placeholder for a real secret because each user can only access and use their own vault secrets. Vault secrets aren’t synced to the Postman cloud. You can also use a variable as a placeholder if you’d like.

With Postman’s Enterprise plan, you gain access to the Secret Scanner dashboard, where you can view scan results. With the Advanced Security Administration add-on, you get access to scan all workspace types, in addition to greater support for secrets in your Postman elements.

Automatically replace secrets detected in public workspaces

If the Secret Scanner detects exposed supported secrets in your public workspaces, Postman automatically replaces each secret with a placeholder. Postman notifies Team Admins and Workspace Admins by email and in-app notification that the secrets were detected and replaced with placeholders.

Exposed secrets are automatically replaced with placeholders as follows:

• For HTTP collections and requests, secrets are replaced with a reference to a vault secret based on the detected key or token in lowercase, such as {{vault:authorization-secret}}.
• For all other Postman elements, secrets are replaced with the detected key or token in uppercase with angle brackets around the text, such as <AUTHORIZATION_SECRET>.

Secrets exposed in multi-protocol collections aren’t automatically replaced with placeholders. Secrets detected in multi-protocol collections must be removed or manually replaced with placeholders. Note that vault secrets aren’t supported in multi-protocol collections.

It’s important that you also revoke exposed secrets the Secret Scanner detects.

Advanced Security Administration add-on

For Enterprise plans with the Advanced Security Admin add-on, Secret Scanner scans all public workspaces, internal workspaces, and Partner Workspaces and delivers its results to the Secret Scanner dashboard. It also scans for exposed secrets in all HTTP and multi-protocol collections. It also scans API specifications in the Postman API Builder.

For Partner Workspaces, the Secret Scanner also scans the shared values of environment and global variables.

Protect Postman API keys in GitHub

Postman also works with GitHub to ensure that your Postman API keys are secure for free and paid Postman plans. If you commit a valid Postman API key to a public GitHub repository, Postman notifies you by email and in-app notification. You can also set up Postman’s integration for Slack to alert you in Slack if this occurs.

It’s recommended you delete the exposed API key in your API keys dashboard. You can then generate a new API key to continue working with the Postman API.

Protect Postman API keys in GitLab

This feature is available with GitLab Ultimate plans.

Postman works with GitLab to protect your Postman API keys in GitLab public repositories for free and paid Postman plans. If you commit a valid Postman API key to a public GitLab repository, Postman notifies you by email and in-app notification.

It’s recommended you delete the exposed API key in your API keys dashboard. You can then generate a new API key to continue working with the Postman API.