How to scan using a Postman Collection

If you have a Postman collection of requests to your web API, you can add this collection and use it as the basis for a scan. AppScan runs its own Explore stage using the collection, and displays the resulting data in Dashboard.

You can create and run a scan job using the Postman collection in the following ways:
Note:
  • Adding a Postman collection is not applicable to a content scan job.
  • You cannot create or edit a Postman collection scan job using ADAC.

Using the AppScan Standard scan job in AppScan Enterprise

You can import the Postman collection in a scan job using AppScan Standard and then replicate this job in AppScan Enterprise.

Follow these steps to use the collection in your scan job:
  1. In AppScan Standard, create a scan job using the Import Postman Collection option. For more information, see Scan using a Postman Collection.
  2. On the menu bar, click AppScan Connect > AppScan Connect login. Configure your AppScan Enterprise sign-in information:
    1. To sign in with a User ID and Password:
      1. Select Log in with User ID and Password.
      2. In the URL field, enter the AppScan Enterprise server's service URL.

        Format: https://[AppScan Enterprise Server]:[Server port]/ase

      3. Enter a valid User ID (with the format [domain name]\[username]) and Password.
      4. Click Login.
    2. To sign in using a client-side certificate or smart card:
      1. Select Log in using Client-Side Certificate / Smart Card.
      2. In the URL field, enter the AppScan Enterprise server's service URL.

        Format: https://[AppScan Enterprise Server]:[Server port]/ase

      3. Select the check box for the certificate needed.
      4. Click Login.
        Note: If a Smart Card PIN code is needed to log in, a dialog box opens for you to enter it.

      On successful login, close the AppScan Connect window.

  3. On the menu bar, click AppScan Connect > Create scan in AppScan Enterprise.
  4. Define the Job Name and, optionally, the AppScan Enterprise Folder, Application, and Test Policy.
    Note:
    • If you do not select a folder, the default AppScan Enterprise folder is used.
    • The Select Application dialog box includes a Create a new application on server option if your permissions allow this.
  5. By default, the Continue Full Scan option is selected.
    Note: Irrespective of the option you select, the Full scan option is applied to the job in AppScan Enterprise.
  6. Click Create. When the process is complete, a green success message appears in the dialog box.
  7. Click the AppScan Enterprise jobs link to view and run your job in AppScan Enterprise.

Using the AppScan Enterprise APIs

You can use the AppScan Enterprise REST APIs to create a scan job, add a Postman collection and then run the job.

Follow these steps to use the collection in your scan job:
  1. Create a scan job by using any one of the following APIs:
    1. POST /jobs/{templateId}/dastconfig/createjob
    2. POST /jobs
    3. POST /jobs/createjobBasedOnTemplateFile
      Note: When you create a scan job, it is recommended that you select the "Regular" template to avoid performance issues.
  2. Add the Postman collection to the job by using the API: POST /jobs/{jobId}/dastconfig/postman/create
  3. Run the scan job by using the API: POST /jobs/{jobId}/actions
    Note: After you have created the job using the APIs, you can view and run these scan jobs from the Scans view of AppScan Enterprise.
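The following Python script is an added example (not part of the AppScan documentation or product) that chains the three API calls above in order, feeding the job id returned by the create call into the Postman upload and the run action, and rejecting a file that is not a Postman collection before it is uploaded. Only the endpoint paths come from this page; the request field `name`, the response key `id`, the multipart field name `file`, the action body `{"type": "run"}` and the REST root path are assumptions that must be confirmed against your server's Swagger page.

```python
import json
from typing import Any, Callable, Dict, Optional

# Transport: post(path, json_body, files) -> parsed JSON. Injected so the flow
# can be exercised offline; a requests-based transport is built at the bottom.
PostFn = Callable[[str, Optional[Dict[str, Any]], Optional[Dict[str, Any]]], Dict[str, Any]]

def validate_collection(collection_json: bytes) -> Dict[str, Any]:
    """Fail fast before upload: a Postman v2 collection has 'info' and 'item'."""
    doc = json.loads(collection_json)
    if not isinstance(doc.get("info"), dict) or "item" not in doc:
        raise ValueError("not a Postman v2 collection: missing 'info' or 'item'")
    return doc

def create_job_from_template(post: PostFn, template_id: str, job_name: str) -> str:
    """Step 1: POST /jobs/{templateId}/dastconfig/createjob (path from the page)."""
    # ASSUMPTION: body field 'name' and response key 'id'; confirm on the Swagger page.
    resp = post(f"/jobs/{template_id}/dastconfig/createjob", {"name": job_name}, None)
    job_id = resp.get("id")
    if not job_id:
        raise RuntimeError(f"job creation returned no id: {resp}")
    return str(job_id)

def attach_postman_collection(post: PostFn, job_id: str, collection_json: bytes) -> None:
    """Step 2: POST /jobs/{jobId}/dastconfig/postman/create (path from the page)."""
    validate_collection(collection_json)
    # ASSUMPTION: the collection is sent as a multipart file field named 'file'.
    post(f"/jobs/{job_id}/dastconfig/postman/create", None,
         {"file": ("collection.json", collection_json, "application/json")})

def run_job(post: PostFn, job_id: str) -> Dict[str, Any]:
    """Step 3: POST /jobs/{jobId}/actions (path from the page)."""
    # ASSUMPTION: the run action body is {"type": "run"}; confirm on the Swagger page.
    return post(f"/jobs/{job_id}/actions", {"type": "run"}, None)

def scan_with_postman(post: PostFn, template_id: str, job_name: str, collection_json: bytes) -> str:
    """Chain the three steps in order; the job id from step 1 feeds steps 2 and 3."""
    job_id = create_job_from_template(post, template_id, job_name)
    attach_postman_collection(post, job_id, collection_json)
    run_job(post, job_id)
    return job_id

def requests_poster(base_url: str, session) -> PostFn:
    """Real transport over an already authenticated requests.Session (the login call
    is not covered here). ASSUMPTION: base_url is the REST root under the /ase service URL."""
    def post(path, json_body, files):
        r = session.post(base_url.rstrip("/") + path, json=json_body, files=files, timeout=60)
        r.raise_for_status()  # surfaces 401/403 on an expired session and 4xx on bad bodies
        return r.json() if r.content else {}
    return post
```

In use, `scan_with_postman(requests_poster(base_url, session), template_id, "api scan", open("collection.json", "rb").read())` runs the whole flow, and the job then appears in the Scans view as described above.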

For more information, see the article API scanning using Postman Collection. For additional information about the APIs and the parameters to be used, refer to the Swagger page.