It’s 2 AM, and your ERP system is quietly handling critical financial transactions. But a recent software update has introduced a hidden flaw in the payment processing API. Within moments, an attacker finds and exploits this flaw, stealing sensitive data and manipulating transaction records. The result? Immediate financial chaos and a scramble to contain the damage.
Could This Have Been Prevented? Absolutely.
Introducing the HCL AppScan plugin for Postman Collections [1], seamlessly integrated with HCL AppScan Enterprise. This powerful tool helps you detect vulnerabilities early in your API lifecycle, before they result in costly data breaches.
This plugin is part of a potent HCL AppScan ecosystem, designed to safeguard your software at every stage and offering a full suite of testing capabilities, including:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing (IAST)
- Software Composition Analysis (SCA)
Whether you're diving into source code, probing live applications, or dissecting open-source libraries, HCL AppScan empowers you to uncover vulnerabilities before they become threats.
The Game-Changer: CI/CD + API Security Scanning + Postman Collections
In one of the recent updates to the HCL AppScan plugin for Jenkins [2] and the HCL AppScan Azure DevOps plugin [3], a powerful new feature allows automated security testing of Postman collections. This means development teams can now:
- Commit Postman Collections to a Git repo (GitHub, GitLab, Azure Repos, etc.)
- Automatically trigger functional API tests using Postman during build stages
- Run deep security scans on those APIs using HCL AppScan Enterprise—without leaving the CI/CD ecosystem
No more last-minute “Did-we-check-for-that?” worries. Just seamless integration and continuous security.
Real-World Use Cases: From Netflix to Swiggy
Let’s put this in a real-world context:
Netflix
New feature rollouts, like a smarter recommendation engine, depend on robust APIs. A misconfigured endpoint could leak the user's viewing history. Now, with Postman and HCL AppScan Enterprise, every API push undergoes functional and security testing before deployment.
Amazon / Flipkart
APIs manage everything from inventory to payments. A delay or leak due to untested APIs could result in millions of dollars in losses during peak sales hours. This integration ensures every API behaves as expected and is secure—automatically.
Swiggy
API vulnerabilities could expose customer data or delivery location tracking. With this plugin setup, developers can be alerted within the CI/CD process if a security flaw is detected during a scan.
Microsoft / Google / Twitter / YouTube
Whether it’s user authentication, video uploads, or tweets, these platforms rely heavily on secure API communications. This feature can scan for injection flaws, misconfigurations, authentication bypasses, and other vulnerabilities, directly from the pipeline.
How It Works in the CI/CD Pipeline
1. The developer commits a Postman collection to Git.
2. A CI pipeline is triggered (via Jenkins or Azure DevOps).
3. Functional tests run using the Postman CLI (Newman).
4. The HCL AppScan plugin runs once the functional tests have completed.
- Scans the Postman collection using predefined security policies in HCL AppScan Enterprise.
- Automatically fails the build if vulnerabilities are found above a threshold, with a message as shown below.
5. Security results are published directly in Jenkins or Azure DevOps dashboards.
Sample security results are shown below.
This means developers can identify functional bugs and security vulnerabilities early in the DevOps lifecycle, reducing risk and accelerating delivery.
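As an added illustration of the gate in steps 3 and 4 (this is not code from HCL AppScan or Postman), the following Python script reads a Newman JUnit report and a security scan summary and fails the stage when any functional test failed or when findings at or above a severity threshold exceed the allowed count. The JUnit layout follows Newman's junit reporter; the scan summary schema and the sample findings are constructed placeholders, since the plugin's real result format is not shown on this page.

```python
"""CI gate: combine Newman (Postman CLI) functional results with a scan summary.
Added illustration, not HCL AppScan's or Postman's own code. The scan summary
schema below is a constructed placeholder, not AppScan's real export format."""
import json
import xml.etree.ElementTree as ET
# Constructed JUnit report, in the shape Newman writes with
# `newman run collection.json --reporters junit --reporter-junit-export results.xml`.
NEWMAN_JUNIT = """<testsuites name="payments-api" tests="3" failures="1">
  <testsuite name="POST /payments" tests="2" failures="1">
    <testcase name="returns 201"/>
    <testcase name="rejects negative amount">
      <failure message="expected 400 but got 200"/>
    </testcase>
  </testsuite>
  <testsuite name="GET /payments/{id}" tests="1" failures="0">
    <testcase name="returns 200"/>
  </testsuite>
</testsuites>"""

# Constructed scan summary (placeholder schema and sample findings).
SCAN_SUMMARY = json.dumps({"issues": [
    {"severity": "High", "type": "SQL Injection", "path": "/payments"},
    {"severity": "Medium", "type": "Missing rate limiting", "path": "/payments"},
    {"severity": "Low", "type": "Server header disclosure", "path": "/"},
]})

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def functional_failures(junit_xml: str) -> list:
    """Names of Newman test cases that failed or errored."""
    root = ET.fromstring(junit_xml)
    return [tc.get("name") for tc in root.iter("testcase")
            if tc.find("failure") is not None or tc.find("error") is not None]

def security_violations(summary_json: str, min_severity: str = "High") -> list:
    """Issues at or above the policy's minimum severity."""
    floor = SEVERITY_RANK[min_severity]
    return [i for i in json.loads(summary_json)["issues"]
            if SEVERITY_RANK.get(i["severity"], 0) >= floor]

def gate(junit_xml: str, summary_json: str, min_severity: str = "High", max_allowed: int = 0) -> dict:
    """Pass only if no functional test failed and at most `max_allowed` issues sit
    at or above `min_severity`; both checks always run so both sets are reported."""
    failed = functional_failures(junit_xml)
    violations = security_violations(summary_json, min_severity)
    return {"functional_failures": failed, "security_violations": violations,
            "passed": not failed and len(violations) <= max_allowed}

if __name__ == "__main__":  # non-zero exit status fails the CI stage
    raise SystemExit(0 if gate(NEWMAN_JUNIT, SCAN_SUMMARY)["passed"] else 1)
```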
Unlocking Seamless Security and Speed
Many notable companies, including YouTube, Amazon, and Microsoft, already push code multiple times a day. But with speed comes the risk of skipping security validation. This integration reduces friction between developers, testers, and security teams and embeds security directly into your DevOps pipeline without slowing you down.
What this integration delivers:
- AI-powered precision: Leverage HCL AppScan’s Agentic AI to detect and remediate critical vulnerabilities faster. It intelligently reduces false positives, prioritizes risks, and even suggests or generates fixes—saving time and effort.
- Unified workflow: Run Postman tests and security scans side-by-side within the same CI/CD pipeline—no context-switching, no delays.
- Dual validation: Achieve both functional and security assurance in a single test run—boosting confidence in every release.
- Enterprise-ready scalability: Whether you're a small team or a global enterprise, this integration scales effortlessly across your CI/CD infrastructure.
- Tailored security policies: Customize scan rules based on your application’s risk profile to ensure relevant, targeted protection.
Refer to this link [2] for instructions on configuring Postman collection tests using the Jenkins plugin, and to this link [3] for configuring them using Azure DevOps.
Wrapping It Up: Ship Fast, Ship Secure
From ERP systems to Swiggy, APIs are the invisible workhorses of modern applications. But they are also the most targeted. By automating both Postman's functional testing and HCL AppScan's application security scanning within your CI/CD pipeline, you can deliver secure applications faster. Whether you're using Jenkins or Azure DevOps, this integration enables your team to identify and address vulnerabilities early, striking a perfect balance between speed and security.
Whether you're pushing code at Netflix scale or building the next big app in your garage, this integration ensures your APIs stay robust, reliable, and resilient against attacks.
Get more detailed information on all HCL AppScan application security testing solutions here [4].
Learn about comprehensive security testing using HCL AppScan.
HCL AppScan also supports integrations with high-demand tools, including VSCode, JetBrains, Jira, GitHub, GitLab, and more (see the full list here [5]).
Interested in getting started? Contact our team to learn more.