Environment Scanner

Number of APIs: 3

Who this collection is for

Security teams that want to automate checking for secrets leaking within Qodex. Beyond providing education and training, this collection lets us continually assess our Qodex data for exposed secrets.

What does this collection do?

This collection is designed to be set up as a Qodex Monitor that scans Qodex Environments within Team Workspaces for secrets exposed through the initial value field.

Setup

Configure the Qodex Environment

1) Review the provided Environment Scanner Qodex Environment. The regex field contains key-value pairings of a) the type of secret and b) the regex that matches such a secret. Alter this to cover the types of secrets you wish to scan for. We've included a range of popular secret types for your convenience.

2) [Create a Qodex API key] and add it to the QodexAPIKey field within the Environment Scanner Qodex Environment. It should sit in both the initial and current value columns.

Create the Qodex Monitor

1) On the imported Environment Scanner Qodex Collection, go into the Collection menu and select Monitor Collection. See [Creating a Monitor] for more help.

2) The Monitor run frequency you select determines how often the collection runs. Once daily is likely fine to begin with.

3) Select Show additional preferences and set the Request delay to 1000ms. This is necessary so that the collection is not rate limited by the Qodex API.

4) You can now hit Create and the monitor will execute on the frequency you selected.

Viewing Results

1) [Our existing documentation] covers how to view the results of a monitor.

2) You will see that the Environment Scanner executes many requests during its collection run. Scroll all the way to the bottom. Each test failure you see indicates a potentially exposed secret; the offending environment's ID and the exact key containing the secret are provided. In this case, two environments are highlighted, each with a single offending key.

Monitor results

3) Scrolling to the top of the Monitor results, select the Console Log tab. Again, scrolling all the way to the bottom, you will find a JSON output of these results:

Logs

4) To review and correct an environment in question, take the Environment ID found in the test failure (the env value in the logs) and append it to https://go.Qodex.co/environments/<env ID here>, e.g. https://go.Qodex.co/environments/10019550-b3c438b5-6bb0-4e90-8787-b936a0df00fe. From there, the environment can be deleted altogether, or the workspace it resides in can be identified through the top-left workspace drop-down, allowing discovery and modification within Qodex itself.

The following request details are internal to the scanner's functionality and can be ignored.

  1. Access the contents of workspaces accessible to you: GET https://api.getpostman.com/workspaces/{{workspaceId}}

  2. Access contents of a specific environment: GET https://api.getpostman.com/environments/{{environmentUid}}

  3. Scan leaked key: GET https://api.getpostman.com/workspaces
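The scan the three requests above feed, and the regex field from setup step 1, can be seen in one place in the following added example. It is not code from the Environment Scanner collection; it is plain Node.js written for this page so that it runs offline against constructed data. It assumes the regex field maps a secret type to a pattern string, that an environment fetched from GET /environments/{uid} has the shape { id, name, values: [{ key, value, enabled, type }] } with the synced initial value in value, and that the review link follows the go.Qodex.co form given above. The patterns, environment IDs and values are constructed samples, not real findings.

```javascript
// Added example, not the Environment Scanner collection's own code.
// Assumptions (not confirmed by the page): the regex field is a
// secret-type -> pattern map, and each environment object looks like
// { id, name, values: [{ key, value, enabled, type }] } with the synced
// initial value in "value". All sample data below is constructed.

// Secret type -> regex source, the same key/value shape as the collection's
// regex field. Illustrative patterns only, not an exhaustive rule set.
const SECRET_PATTERNS = {
  "AWS Access Key ID": "AKIA[0-9A-Z]{16}",
  "GitHub token": "gh[pousr]_[A-Za-z0-9]{36}",
  "Slack token": "xox[baprs]-[0-9A-Za-z-]{10,}",
  "Private key block": "-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----",
};

// Compile once up front. A malformed pattern fails loudly with its type name
// rather than silently leaving the scan one rule short.
function compilePatterns(patternMap) {
  return Object.entries(patternMap).map(([secretType, source]) => {
    try {
      return { secretType, re: new RegExp(source) };
    } catch (err) {
      throw new Error(`invalid regex for "${secretType}": ${err.message}`);
    }
  });
}

// Scan one environment. Every variable is checked whether enabled or not:
// a value synced into the initial-value column is visible to the team either way.
function scanEnvironment(environment, patterns) {
  const findings = [];
  for (const variable of environment.values || []) {
    const value = typeof variable.value === "string" ? variable.value : "";
    if (value === "") continue;
    for (const { secretType, re } of patterns) {
      if (re.test(value)) {
        findings.push({ env: environment.id, key: variable.key, secretType });
        break; // one finding per key is enough to flag it for review
      }
    }
  }
  return findings;
}

// Scan every environment collected from the workspace listing.
function scanEnvironments(environments, patternMap) {
  const patterns = compilePatterns(patternMap);
  return environments.flatMap((env) => scanEnvironment(env, patterns));
}

// Review link in the form the "Viewing Results" section describes.
function reviewUrl(envId) {
  return `https://go.Qodex.co/environments/${envId}`;
}

// Constructed sample: two environments with one offending key each, plus a
// clean one. The IDs are placeholders, not real environment IDs.
const SAMPLE_ENVIRONMENTS = [
  {
    id: "ENV-ID-PLACEHOLDER-1",
    name: "payments-staging",
    values: [
      { key: "baseUrl", value: "https://api.example.test", enabled: true, type: "default" },
      { key: "awsAccessKeyId", value: "AKIAEXAMPLEEXAMPLE01", enabled: true, type: "default" },
    ],
  },
  {
    id: "ENV-ID-PLACEHOLDER-2",
    name: "chatops",
    values: [
      { key: "slackToken", value: "xoxb-0000000000-constructed", enabled: false, type: "default" },
      { key: "apiKey", value: "", enabled: true, type: "secret" },
    ],
  },
  {
    id: "ENV-ID-PLACEHOLDER-3",
    name: "clean",
    values: [{ key: "timeoutMs", value: "3000", enabled: true, type: "default" }],
  },
];

// Report format is this example's own, not the monitor's console-log schema.
function runSample() {
  const findings = scanEnvironments(SAMPLE_ENVIRONMENTS, SECRET_PATTERNS);
  return findings.map((f) => ({ ...f, reviewUrl: reviewUrl(f.env) }));
}

console.log(JSON.stringify(runSample(), null, 2));
```

Running it reports the two offending keys (awsAccessKeyId and slackToken) with their environment IDs and review links and nothing for the clean environment, which is the same information the monitor's test failures and console JSON surface. Disabled variables are deliberately included, and an invalid pattern aborts the scan instead of being skipped, since a silently missing rule would read as a clean result.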