Postman · Arazzo Workflow

Postman Remediate a Detected Secret

Version 1.0.0

Find unresolved secrets, inspect one, locate it, and mark it revoked.

1 workflow, 1 source API, 1 provider

Provider

postman

Workflows

remediate-detected-secret
Triage and revoke the first unresolved detected secret.
Lists unresolved secrets, takes the first one, reads its details and locations, and resolves it as revoked.
4 steps. Inputs: limit. Outputs: locations, resolution, secretId.

1. listUnresolvedSecrets (operation: getDetectedSecrets)
   List unresolved detected secrets and take the first one.
2. getSecretDetail (operation: getDetectedSecret)
   Read the details of the selected secret, including its resolution history.
3. getSecretLocations (operation: getSecretLocations)
   Enumerate all locations where the secret was found across Postman entities.
4. resolveSecret (operation: resolveDetectedSecret)
   Mark the secret as revoked now that it has been triaged and rotated.

Source API Descriptions

Arazzo Workflow Specification

postman-remediate-detected-secret-workflow.yml
arazzo: 1.0.1
info:
  title: Postman Remediate a Detected Secret
  summary: Find unresolved secrets, inspect one, locate it, and mark it revoked.
  description: >-
    A security remediation pattern over the secret scanner. The workflow lists
    unresolved detected secrets, reads the details of the first one, enumerates
    every location where it was found, and resolves it as revoked. Each step
    spells out its request inline so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: secretScannerApi
  url: ../openapi/postman-secret-scanner-api-openapi.yml
  type: openapi
workflows:
- workflowId: remediate-detected-secret
  summary: Triage and revoke the first unresolved detected secret.
  description: >-
    Lists unresolved secrets, takes the first one, reads its details and
    locations, and resolves it as revoked.
  inputs:
    type: object
    properties:
      limit:
        type: integer
        description: Maximum number of unresolved secrets to fetch.
        default: 25
  steps:
  - stepId: listUnresolvedSecrets
    description: >-
      List unresolved detected secrets and take the first one.
    operationId: getDetectedSecrets
    parameters:
    - name: statuses
      in: query
      value: UNRESOLVED
    - name: limit
      in: query
      value: $inputs.limit
    successCriteria:
    - condition: $statusCode == 200
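    # Both pointers select element 0 of data; when no unresolved secrets are
    # returned they resolve to nothing and later steps have no secretId.
    outputs: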
      secretId: $response.body#/data/0/secretId
      secretType: $response.body#/data/0/secretType
  - stepId: getSecretDetail
    description: >-
      Read the details of the selected secret, including its resolution history.
    operationId: getDetectedSecret
    parameters:
    - name: secretId
      in: path
      value: $steps.listUnresolvedSecrets.outputs.secretId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      workspaceId: $response.body#/data/workspaceId
  - stepId: getSecretLocations
    description: >-
      Enumerate all locations where the secret was found across Postman
      entities.
    operationId: getSecretLocations
    parameters:
    - name: secretId
      in: path
      value: $steps.listUnresolvedSecrets.outputs.secretId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      locations: $response.body#/data
  - stepId: resolveSecret
    description: >-
      Mark the secret as revoked now that it has been triaged and rotated.
    operationId: resolveDetectedSecret
    parameters:
    - name: secretId
      in: path
      value: $steps.listUnresolvedSecrets.outputs.secretId
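    # No step in this workflow rotates the credential; this request only sets
    # the secret's resolution to RESOLVED_REVOKED.
    requestBody: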
      contentType: application/json
      payload:
        resolution: RESOLVED_REVOKED
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      resolution: $response.body#/data/resolution
  outputs:
    secretId: $steps.listUnresolvedSecrets.outputs.secretId
    locations: $steps.getSecretLocations.outputs.locations
    resolution: $steps.resolveSecret.outputs.resolution