This article describes how you can configure Snyk API & Web to scan API endpoints with a Postman Collection.
The configuration involves the following steps:
Prepare the Postman Collection.
Configure an API target using the Postman Collection.
(Optional) Configure the API target with Postman environment variables.
This guide uses a Postman Collection example with the following requests:
Authenticate and obtain an authentication token - requires a username and password in the request body.
Get a list of users - requires the authentication token in the request header.
Get user details - requires the authentication token in the request header and the user identifier as a parameter.
Step 1: Prepare the Postman Collection
Prepare the Postman Collection to run the sequence of requests from start to end without errors, so it can be exported to configure an API target in Snyk API & Web.
To get started, go to the Variables tab of the collection to create auxiliary variables for the authentication.
For this example, we have the following variables:
username: the hard-coded value of the username to obtain the token
password: the hard-coded value of the password to obtain the token
token: the variable to store the authentication token
To obtain the authentication token, go to the authentication request and, in the Body tab, set the payload with the username and password variables.
To store the returned authentication token in the token variable, go to the Tests tab of the authentication request, and add the following JavaScript:
// Parse the authentication response and store the token for the requests that follow.
var jsonData = pm.response.json();
pm.collectionVariables.set('token', jsonData.access_token);
Once the token is configured, add the token variable to all requests, in the Headers tab.
In this example, the request to obtain user details requires the user identifier as a parameter. While it's possible to pass a hard-coded value, we recommend using the first user from the list returned by the previous request:
In the Variables tab of the Postman collection, add a new variable named user_id.
To set the variable value, go to the request that gets the users list and, in the Tests tab, add the following JavaScript:
var jsonData = pm.response.json();
pm.collectionVariables.set('user_id', jsonData.results[0].id);
Go to the request that gets the user details and pass the user_id variable as a parameter.
With all requests configured, run the collection to test it and, if there are no issues, export the collection.
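Before uploading the exported file, it helps to know which {{variables}} the collection cannot resolve on its own (the case Step 3 covers) and which collection variables, such as the hard-coded username and password, carry a value inside the file. The following Node.js script is an added example, not Snyk or Postman code; it assumes the Postman Collection v2.1 export layout, and the sample collection, its URLs and the base_url variable are constructed for illustration.

```javascript
// Constructed sample mirroring this guide's three requests. The URLs, the
// base_url variable and all values are invented for illustration.
const authHeader = [{ key: 'Authorization', value: 'Bearer {{token}}' }];
const sampleCollection = {
  variable: [
    { key: 'username', value: 'scanner-user' },
    { key: 'password', value: 'example-password' },
    { key: 'token', value: '' },
    { key: 'user_id', value: '' },
  ],
  item: [
    { name: 'Authenticate',
      event: [{ listen: 'test', script: { exec: [
        "pm.collectionVariables.set('token', pm.response.json().access_token);"] } }],
      request: { method: 'POST', url: { raw: '{{base_url}}/auth' },
        body: { mode: 'raw', raw: '{"username":"{{username}}","password":"{{password}}"}' } } },
    { name: 'List users',
      event: [{ listen: 'test', script: { exec: [
        "pm.collectionVariables.set('user_id', pm.response.json().results[0].id);"] } }],
      request: { method: 'GET', header: authHeader, url: { raw: '{{base_url}}/users' } } },
    { name: 'User details',
      request: { method: 'GET', header: authHeader, url: { raw: '{{base_url}}/users/{{user_id}}' } } },
  ],
};

// Assumes the v2.1 export layout. Reports the {{variables}} the file cannot resolve
// itself, the variables whose value is in the file, and those set by test scripts.
function auditCollection(collection) {
  const defined = new Map((collection.variable || []).map((v) => [v.key, v.value]));
  const referenced = new Set(), setByScripts = new Set();
  const walk = (items) => {
    for (const it of items || []) {
      if (it.item) walk(it.item); // folders nest further items
      // {{name}} placeholders; names starting with $ are Postman dynamic variables
      const text = JSON.stringify(it.request || {});
      for (const m of text.matchAll(/\{\{\s*([^${}\s][^{}]*?)\s*\}\}/g)) referenced.add(m[1]);
      const code = (it.event || []).flatMap((e) => (e.script && e.script.exec) || []).join('\n');
      const setCall = /pm\.collectionVariables\.set\(\s*['"]([^'"]+)['"]/g;
      for (const m of code.matchAll(setCall)) setByScripts.add(m[1]);
    }
  };
  walk(collection.item);
  return {
    needsEnvironment: [...referenced].filter((n) => !defined.has(n)).sort(),
    embeddedValues: [...defined].filter(([, v]) => v != null && v !== '').map(([k]) => k).sort(),
    setAtRuntime: [...setByScripts].sort(),
  };
}
console.log(auditCollection(sampleCollection));
```

Names listed under needsEnvironment have to come from outside the collection, typically a Postman environment, so they are the values to supply in Step 3. Only variable names are printed, never their values.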
Step 2: Configure an API target using a Postman Collection
After the Postman Collection is prepared and exported, add an API target (see How to configure and scan an API), and ensure that you:
From the API Type drop-down list, select API and then Postman Collection.
Select the Postman Collection schema upload radio button.
In File, choose the file exported from Postman.
Press Add, and the API target should be added and ready to be scanned.
Step 3: (Optional) Configure the API target with Postman environment variables
If the Postman Collection uses variables defined in a Postman environment, further configuration of the API target is necessary.
You can manually configure the environment variables in the user interface:
Navigate to the target’s Settings.
In the Scanner section, select API Scanning Settings.
Enter the required Postman environment values in the corresponding fields.
Alternatively, you can import the environment variables using an automated script:
Go to Postman and export the Postman environment to a file.
Retrieve the Python script to import the Postman environment variables into Snyk API & Web. This script can be found on the Snyk API & Web GitHub page.
Run the Python script and enter the following values:
Go to the Postman Environment Values section of the API target to see the newly added environment variables. If you are already on the page, refresh it to display the environment variables.







