Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports.

2026-04-29 08:58:11 -07:00 · 2026-04-29 08:58:11 -07:00 · 8d9f5bed40
commit 8d9f5bed40
parent 997480ffc7
4 changed files with 10 additions and 5 deletions
--- a/src/cli/commands/inputs.rs
+++ b/src/cli/commands/inputs.rs
@ -467,6 +467,10 @@ impl InputSpecifierArgs {
            || self.confluence_url.is_some()
            || self.slack_query.is_some()
            || self.teams_query.is_some()
+            || !self.postman_workspaces.is_empty()
+            || !self.postman_collections.is_empty()
+            || !self.postman_environments.is_empty()
+            || self.postman_all
            || self.s3_bucket.is_some()
            || self.gcs_bucket.is_some()
            || !self.docker_image.is_empty()