Postman · Capability

Postman Secret Scanner Bridge

Bridges Postman's Secret Scanner findings (leaked credentials in public collections, public workspaces, etc.) into Naftiko's webhook-driven workflows so the Naftiko engine can act on them — alert, rotate, escalate, or block the offending capability. Closes the loop between "Postman saw a leaked secret" and "Naftiko can do something about it."

Tags: Naftiko, Postman, Partnership, Secret-Scanner, Security, Incident-Response

What You Can Do

GET /secret-findings: List secret findings
GET /secret-findings/{finding_id}: Get secret finding
POST /secret-findings/{finding_id}: Resolve secret finding
GET /secret-findings/summary: Get secret scanner summary

MCP Tools

list-secret-findings (read-only)

List Postman Secret Scanner findings (optionally filtered by status / since).

get-secret-finding (read-only)

Get a single Postman Secret Scanner finding.

resolve-secret-finding

Mark a Postman Secret Scanner finding as resolved.

get-secret-scanner-summary (read-only)

Get the aggregate Postman Secret Scanner summary (counts by status / severity).

Capability Spec

postman-secret-scanner-bridge.yaml
naftiko: "1.0.0-alpha2"

info:
  title: Postman Secret Scanner Bridge
  description: >-
    Bridges Postman's Secret Scanner findings (leaked credentials in
    public collections, public workspaces, etc.) into Naftiko's
    webhook-driven workflows so the Naftiko engine can act on them — alert,
    rotate, escalate, or block the offending capability. Closes the loop
    between "Postman saw a leaked secret" and "Naftiko can do something
    about it."
  tags:
    - Naftiko
    - Postman
    - Partnership
    - Secret-Scanner
    - Security
    - Incident-Response
  created: '2026-05-15'
  modified: '2026-05-15'

binds:
  - namespace: postman-env
    description: Postman API key.
    keys:
      POSTMAN_API_KEY: POSTMAN_API_KEY

capability:
  consumes:
    - namespace: postman
      type: http
      baseUri: https://api.getpostman.com
      authentication:
        type: bearer
        token: '{{POSTMAN_API_KEY}}'
      resources:
        - name: list-secret-findings
          path: '/secret-scanner/findings'
          operations:
            - name: list-secret-findings
              method: GET
              inputParameters:
                - { name: status, in: query, type: string, required: false }
                - { name: since, in: query, type: string, required: false }
                - { name: cursor, in: query, type: string, required: false }
        - name: secret-finding
          path: '/secret-scanner/findings/{{finding_id}}'
          operations:
            - name: get-secret-finding
              method: GET
              inputParameters:
                - { name: finding_id, in: path, required: true }
            - name: resolve-secret-finding
              method: POST
              inputParameters:
                - { name: finding_id, in: path, required: true }
        - name: secret-scanner-summary
          path: '/secret-scanner/summary'
          operations:
            - name: get-secret-scanner-summary
              method: GET

  exposes:
    - type: rest
      address: 0.0.0.0
      port: 8080
      namespace: postman-secret-scanner-bridge-rest
      description: REST surface for managing Postman Secret Scanner findings.
      resources:
        - name: list-secret-findings
          path: '/secret-findings'
          operations:
            - name: list-secret-findings
              method: GET
              inputParameters:
                - { name: status, in: query, type: string, required: false }
                - { name: since, in: query, type: string, required: false }
                - { name: cursor, in: query, type: string, required: false }
              call: postman.list-secret-findings
        - name: secret-finding
          path: '/secret-findings/{finding_id}'
          operations:
            - name: get-secret-finding
              method: GET
              inputParameters:
                - { name: finding_id, in: path, type: string, required: true }
              call: postman.get-secret-finding
            - name: resolve-secret-finding
              method: POST
              inputParameters:
                - { name: finding_id, in: path, type: string, required: true }
              call: postman.resolve-secret-finding
        - name: get-secret-scanner-summary
          path: '/secret-findings/summary'
          operations:
            - name: get-secret-scanner-summary
              method: GET
              call: postman.get-secret-scanner-summary

    - type: mcp
      address: 0.0.0.0
      port: 3010
      namespace: postman-secret-scanner-bridge-mcp
      description: MCP server for security agents to query + resolve Postman Secret Scanner findings.
      tools:
        - name: list-secret-findings
          description: List Postman Secret Scanner findings (optionally filtered by status / since).
          hints: { readOnly: true }
          inputParameters:
            - { name: status, type: string, required: false, description: Filter by status (open / resolved / muted). }
            - { name: since, type: string, required: false, description: ISO 8601 timestamp lower bound. }
            - { name: cursor, type: string, required: false, description: Pagination cursor. }
          call: postman.list-secret-findings
        - name: get-secret-finding
          description: Get a single Postman Secret Scanner finding.
          hints: { readOnly: true }
          inputParameters:
            - { name: finding_id, type: string, required: true, description: Postman Secret Scanner finding ID. }
          call: postman.get-secret-finding
        - name: resolve-secret-finding
          description: Mark a Postman Secret Scanner finding as resolved.
          hints: { destructiveHint: true }
          inputParameters:
            - { name: finding_id, type: string, required: true, description: Postman Secret Scanner finding ID. }
          call: postman.resolve-secret-finding
        - name: get-secret-scanner-summary
          description: Get the aggregate Postman Secret Scanner summary (counts by status / severity).
          hints: { readOnly: true }
          call: postman.get-secret-scanner-summary
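
The spec above binds both exposed surfaces to 0.0.0.0 and forwards `resolve-secret-finding` to an upstream POST made with the bound `POSTMAN_API_KEY`. The following is an added example (not part of the original page or of Naftiko's own code) that audits a parsed spec for state-changing calls reachable on a wildcard bind and for hints that contradict the upstream method. `SPEC` is a trimmed, constructed copy of the page's spec, and treating an `authentication` key on an exposed surface as the marker for access control is an assumption.

```python
# Added example: audit a parsed Naftiko capability spec (e.g. from yaml.safe_load).
# SPEC is a trimmed copy of this page's spec, constructed for the example.
SPEC = {"capability": {
    "consumes": [{"namespace": "postman", "resources": [
        {"operations": [{"name": "list-secret-findings", "method": "GET"}]},
        {"operations": [{"name": "get-secret-finding", "method": "GET"},
                        {"name": "resolve-secret-finding", "method": "POST"}]}]}],
    "exposes": [
        {"type": "rest", "address": "0.0.0.0", "port": 8080, "resources": [
            {"operations": [
                {"name": "resolve-secret-finding", "call": "postman.resolve-secret-finding"}]}]},
        {"type": "mcp", "address": "0.0.0.0", "port": 3010, "tools": [
            {"name": "list-secret-findings", "hints": {"readOnly": True},
             "call": "postman.list-secret-findings"},
            {"name": "resolve-secret-finding", "hints": {"destructiveHint": True},
             "call": "postman.resolve-secret-finding"}]}]}}
SAFE_METHODS, WILDCARD_BINDS = {"GET", "HEAD", "OPTIONS"}, {"0.0.0.0", "::"}

def upstream_methods(spec):
    """Map 'namespace.operation' to the HTTP method of each consumed operation."""
    return {f"{c['namespace']}.{op['name']}": op["method"].upper()
            for c in spec["capability"]["consumes"]
            for r in c.get("resources", []) for op in r.get("operations", [])}

def exposed_entries(surface):
    """Yield (name, call, hints) for REST operations and MCP tools alike."""
    for res in surface.get("resources", []):
        for op in res.get("operations", []):
            yield op["name"], op.get("call"), op.get("hints", {})
    for tool in surface.get("tools", []):
        yield tool["name"], tool.get("call"), tool.get("hints", {})

def audit(spec):
    """Return (surface, entry, issue) tuples for risky exposed entries."""
    methods, findings = upstream_methods(spec), []
    for s in spec["capability"]["exposes"]:
        label = f"{s['type']}:{s['port']}"
        # Assumption: an exposed surface would declare auth under 'authentication'.
        open_bind = s.get("address") in WILDCARD_BINDS and "authentication" not in s
        for name, call, hints in exposed_entries(s):
            method = methods.get(call)
            if method is None:
                findings.append((label, name, "call target not found in consumes"))
            elif method not in SAFE_METHODS:
                if open_bind:
                    findings.append((label, name, f"{method} on wildcard bind, no auth declared"))
                if hints.get("readOnly"):
                    findings.append((label, name, f"marked readOnly but calls {method}"))
    return findings
```

On the constructed copy, `audit(SPEC)` reports `resolve-secret-finding` on both `rest:8080` and `mcp:3010`; rebinding the surfaces to 127.0.0.1 clears both findings.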