postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

[Feature Request] - Allow syncing to private GHE instance & reading environment variables from local file system #10407

Open cdanielsen opened 2 years ago

cdanielsen commented 2 years ago

Is there an existing request for this feature?

Is your feature request related to a problem?

Problem: I find Postman very valuable, but I find the collaboration features lacking for two key reasons. Like most software developers, I work on a team of several other devs, in an organization made up of several teams. It would be very useful to be able to develop collections of requests to various internal and external APIs just like we do with other code (read: git flow). It looks like you have basically recreated the GitHub PR flow within the app, which is great, as it would probably be difficult to effectively review a PR looking at the raw collection/environment files in something like GitHub. The problem is that you've designed it to only work within the context of your private cloud. This is going to be a dealbreaker for many large enterprises for two reasons:

  1. Creates a vector for leaking internal secrets / credentials. Yes, you have a robust security policy, and yes, you have a mechanism that tries to help prevent people from doing this, but people are error-prone and are going to do it accidentally. Once a secret has been leaked to your cloud, it must be considered compromised and should be rotated.
  2. Creates a vector for leaking internal business logic. Aside from secrets, I'm not sure why you seem to cavalierly suggest that people upload the intricate details of all their internal services to your private cloud. That information is also sensitive / would provide a wealth of information to a malicious actor who gained access to it.

Describe the solution you'd like

Possible Solution to Problem 1: Introduce the ability to read/resolve environment variables from the local file system that are never synced. This would be analogous to using a git-ignored .env file when doing local development. In this way, teams could template their requests and still use the sync feature with at least the confidence that they will not accidentally send secrets to Postman's data center.

Possible Solution to Problem 2: You already provide the ability to back up collections to a private GitHub instance. Why not give people the option to sync their workspaces/collections/environments to that instead of your private cloud? That way you give people the option/peace of mind that their Postman data is under their control.

Describe alternatives you've considered

I would love to champion Postman at my org, but the above issues are going to be non-starters for many enterprise internal security teams. Perhaps some people find the tradeoff acceptable, but I think many will not.

Additional context

Thanks for considering!
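A defender-side check in the spirit of the git-ignored .env analogy above, added here as an illustration and not part of this issue or of Postman's own tooling: a script that scans exported Postman environment and collection JSON before it is committed to a repository or synced, and fails when a secret-typed or secret-named variable carries a literal value, or when a request embeds a literal credential instead of a `{{variable}}` reference. The two sample documents are constructed; the field names follow the Postman collection v2.1 and environment export formats as I know them, which is an assumption, as is the `"type": "secret"` marker on environment variables.

```python
"""Pre-commit / pre-sync check for Postman exports (added example, not Postman's code).

Principle from the thread: collections hold {{templates}}, real secrets stay local.
Anything literal in the exported file is what would leak, so that is what we flag.
"""
import json
import re
import sys
from typing import Iterator

# Variable names that should never carry a literal value in a synced/committed export.
SECRET_NAME_RE = re.compile(r"(?i)(secret|passw(or)?d|token|api[_-]?key|private[_-]?key|credential)")
# Headers whose value must be a template, never a literal credential.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "cookie"}
# Acceptable credential shape: optional scheme prefix plus exactly one {{variable}} reference.
TEMPLATED_CREDENTIAL_RE = re.compile(r"^\s*(?:(?:Bearer|Basic|Token)\s+)?\{\{[^{}]+\}\}\s*$", re.IGNORECASE)

# Constructed sample environment export (assumed field layout: name + values[]).
SAMPLE_ENVIRONMENT = {
    "name": "internal-staging",
    "values": [
        {"key": "base_url", "value": "https://api.staging.example.internal", "type": "default", "enabled": True},
        # Marked secret, but a literal value was filled in: this is the accidental-leak case.
        {"key": "api_key", "value": "sk_CONSTRUCTED_NOT_A_REAL_KEY", "type": "secret", "enabled": True},
        # Intended pattern: value left empty in the shared file, supplied locally by each dev.
        {"key": "db_password", "value": "", "type": "secret", "enabled": True},
    ],
}

# Constructed sample collection export (assumed v2.1 layout: info + item[] with request objects).
SAMPLE_COLLECTION = {
    "info": {"name": "billing-service"},
    "item": [
        {"name": "list invoices", "request": {
            "method": "GET",
            "header": [{"key": "Authorization", "value": "Bearer {{api_key}}"}],
            "url": {"raw": "{{base_url}}/invoices"}}},
        {"name": "create invoice", "request": {
            "method": "POST",
            # A pasted literal token instead of a template reference.
            "header": [{"key": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED.TOKEN"}],
            "url": {"raw": "{{base_url}}/invoices"}}},
    ],
}


def scan_environment(env: dict) -> list[str]:
    """Flag secret-typed or secret-named variables that carry any literal value."""
    findings = []
    for var in env.get("values", []):
        key, value = var.get("key", ""), var.get("value", "")
        if value and (var.get("type") == "secret" or SECRET_NAME_RE.search(key)):
            findings.append(f"environment {env.get('name')!r}: variable {key!r} carries a literal value")
    return findings


def _walk_requests(items: list) -> Iterator[dict]:
    """Yield request items, descending into folders (items that themselves hold 'item')."""
    for item in items:
        if "item" in item:
            yield from _walk_requests(item["item"])
        elif "request" in item:
            yield item


def scan_collection(collection: dict) -> list[str]:
    """Flag sensitive headers and auth parameters that are literals rather than {{templates}}."""
    findings = []
    for item in _walk_requests(collection.get("item", [])):
        request = item["request"]
        if isinstance(request, str):  # v2.1 allows a bare URL string as the request
            continue
        for header in request.get("header", []):
            if header.get("key", "").lower() in SENSITIVE_HEADERS and \
                    not TEMPLATED_CREDENTIAL_RE.match(header.get("value", "")):
                findings.append(f"request {item['name']!r}: header {header['key']!r} contains a literal credential")
        auth = request.get("auth") or {}
        for param in auth.get(auth.get("type", ""), []):  # e.g. auth["bearer"] -> [{key, value}]
            if isinstance(param, dict) and param.get("value") and \
                    not TEMPLATED_CREDENTIAL_RE.match(str(param["value"])):
                findings.append(f"request {item['name']!r}: auth parameter {param.get('key')!r} is a literal")
    return findings


def scan_document(doc: dict) -> list[str]:
    """Dispatch on the export shape: environments have 'values', collections have 'item'."""
    if "values" in doc:
        return scan_environment(doc)
    if "item" in doc:
        return scan_collection(doc)
    return []


if __name__ == "__main__":
    # Usage as a hook: python check_postman_export.py path/to/export.json ...  (exit 1 on findings)
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_document(json.load(open(p, encoding="utf-8")))]
    if not paths:  # no files given: demonstrate on the constructed samples
        results = scan_document(SAMPLE_ENVIRONMENT) + scan_document(SAMPLE_COLLECTION)
    for line in results:
        print("FAIL:", line)
    sys.exit(1 if results else 0)
```

Run without arguments it reports two findings on the constructed samples (the filled-in `api_key` and the pasted bearer token); wired into a pre-commit hook it blocks the commit whenever an export would carry a literal secret, which is the check a team relying on the "template plus local value" workflow from the request above would want in place.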

shashankawasthi88 commented 2 years ago

@cdanielsen thanks for the detailed explanation. We will look into the request.

cdanielsen commented 2 years ago

@giridharvc7 was wondering if you had any thoughts on this / if there's any place for it on the PM roadmap?

shubhbhargav commented 2 years ago

@cdanielsen Thanks for the feedback. Have you tried using the current values within the environment to avoid syncing the data? (ref: https://learning.postman.com/docs/sending-requests/variables/#specifying-variable-detail)

This way, you should be able to:

michahell commented 2 years ago

@cdanielsen honorable feature request, and much requested, also in other issues: "Why not give people the option to sync their workspaces/collections/environments to that instead of your private cloud?" But I think Postman is never going to even consider doing this, as it directly competes with their own teams feature, even when faced with the fact that some organizations won't be okay with their HTTPS security and need self-hosted collections or even not-hosted collections but still require collaboration.

michahell commented 2 years ago

https://github.com/postmanlabs/postman-app-support/issues/9681

cdanielsen commented 2 years ago

> Why not give people the option to sync their workspaces/collections/environments to that instead of your private cloud? But I think Postman is never going to even consider doing this, as it directly competes with their own teams feature, even when faced with the fact that some organizations won't be okay with their HTTPS security and need self-hosted collections or even not-hosted collections but still require collaboration.

Agreed, I suspect the sync feature is embedded too deeply in every aspect of their data model.

cdanielsen commented 2 years ago

@shubhbhargav That feature is better than nothing, but I don't like the "Persist" button that allows a perhaps less experienced user of Postman's very dense UI to accidentally push something like an API key up to the Postman cloud. It's also generally a band-aid on the underlying problem: you should be able to use all of Postman's nice features (Teams, git flow, etc.) to collaborate on private API development without risking that privacy being exposed in a data breach.

shubhbhargav commented 2 years ago

@cdanielsen Thanks for the feedback. We will look into this and see what we can do to ease up the flow of storing / not storing certain types of data.

byrdman commented 1 year ago

Adding to this it would be great if the new Git Integrations included on-prem versions of GitHub, GitLab, and BitBucket. Many enterprises don't "trust" their code off prem.

shashankawasthi88 commented 1 year ago

@byrdman @cdanielsen @michahell with Postman V10, we have introduced git integration where you can directly work out of your repositories (both cloud and on-prem). Read my blog post to know more. We are also working on syncing environments to the repository. We can do a detailed walkthrough of the complete feature and see how it fits into your use cases and if there are any gaps. Feel free to reach out to me or schedule a call using this.

michahell commented 1 year ago

This is great! Thanks for this improvement. I've referred our testers and others to this news 🎉 🎊