Production-ready Newman (Postman CLI) skill for automated API testing with gold-standard security practices
A comprehensive OpenClaw skill for running automated API tests using Newman, the command-line Collection Runner for Postman. This skill includes production-ready scripts, security scanning, and CI/CD integration templates.
- Hardcoded secret detection - Prevents API key leaks
- SSL/TLS enforcement - No insecure connections in production
- Environment variable validation - Ensures proper variable usage
- PII exposure scanner - Detects SSN, credit cards, etc.
- Comprehensive security audit - 8 critical security checks
- install-newman.sh - Automated Newman installation (global/local)
- run-tests.sh - Test runner with security checks & multi-reporter support
- security-audit.sh - Collection security scanner with detailed reports
- CLI (console output)
- HTML (beautiful reports via htmlextra)
- JSON (machine-readable)
- JUnit (CI/CD integration)
- Custom (build your own)
Ready-to-use templates for:
- GitHub Actions
- GitLab CI
- Jenkins (Declarative & Scripted)
- CircleCI
- Bitbucket Pipelines
- Docker / Docker Compose
```bash
# Clone this repository
git clone https://github.com/1999AZZAR/newman-skill.git ~/.openclaw/workspace/skills/newman
# Or download and extract
curl -L https://github.com/1999AZZAR/newman-skill/archive/main.tar.gz | tar -xz -C ~/.openclaw/workspace/skills/
```
```bash
# Run the installation script
~/.openclaw/workspace/skills/newman/scripts/install-newman.sh --global
# Or install manually
npm install -g newman newman-reporter-htmlextra
```
Collection:
- Open Postman → Collections
- Click "..." → Export
- Choose "Collection v2.1"
- Save as api-tests.json
Environment:
- Environments → Click "..." → Export
- Save as staging.json
Basic:
```bash
newman run api-tests.json -e staging.json
```
With reports:
```bash
~/.openclaw/workspace/skills/newman/scripts/run-tests.sh \
  api-tests.json \
  staging.json \
  --output ./reports \
  --reporters cli,htmlextra,junit \
  --bail
```
```bash
~/.openclaw/workspace/skills/newman/scripts/security-audit.sh \
  api-tests.json \
  staging.json
```
Example output:
```
Newman Security Audit
=======================
[1/8] Checking for hardcoded secrets...
[OK] No hardcoded secrets found
[2/8] Checking for Basic Auth credentials...
[WARNING] Basic Auth credentials found (ensure they use variables)
[3/8] Checking for insecure HTTP URLs...
[OK] All URLs use HTTPS
...
✅ Security audit passed!
```
- SKILL.md - Main guide (quick start, workflows, best practices)
- INSTALLATION.md - Detailed setup instructions
- CI/CD Examples - Integration templates
- Advanced Patterns - Custom reporters, validation, performance testing
❌ Hardcoded!
```json
{
  "key": "API_KEY",
  "value": "sk_live_abc123xyz",
  "enabled": true
}
```
✅ Environment variable!
```json
{
  "key": "API_KEY",
  "value": "{{$processEnvironment.API_KEY}}",
  "enabled": true
}
```
```bash
export API_KEY="sk_live_abc123xyz"
newman run collection.json -e environment.json
```
- Regression Testing - Automated API tests on every commit
- Load Testing - Performance validation with high iteration counts
- Smoke Tests - Scheduled health checks for production APIs
- CI/CD Integration - Run in GitHub Actions, GitLab CI, Jenkins
- Multi-Environment - Test dev/staging/prod with different configs
- Security Compliance - Validate API security before deployment
```bash
# Global install (recommended)
./scripts/install-newman.sh --global
# Local install (project-specific)
./scripts/install-newman.sh --local
```
```
./scripts/run-tests.sh <collection> <environment> [options]
Options:
  -o, --output DIR       Output directory (default: ./test-results)
  -r, --reporters LIST   Reporters (default: cli,htmlextra)
  -b, --bail             Stop on first failure
  -v, --verbose          Verbose output
  -n, --iterations NUM   Iteration count
  -t, --timeout MS       Request timeout
```
```
./scripts/security-audit.sh <collection.json> [environment.json]
```
Checks:
- Hardcoded secrets/API keys
- Basic Auth credentials
- Insecure HTTP URLs
- SSL verification disabled
- PII exposure
- Variable usage best practices
- Timeout configurations
- Authentication patterns
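The first three checks in this list (hardcoded secrets, Basic Auth credentials, insecure HTTP URLs), sketched in Node.js as an added example. It is not the project's security-audit.sh; the regexes, finding names and sample data are assumptions made for illustration.

```javascript
// Added example: heuristic audit of a Postman Collection v2.1 + environment export.
// The patterns and finding names are assumptions, not taken from security-audit.sh.
const SECRET_NAME = /(api[-_]?key|secret|token|passw(or)?d|authorization)/i;
// A value counts as a variable reference if it is only {{...}}, optionally after a scheme.
const isVariableRef = (v) => /^(\s*(Bearer|Basic)\s+)?\{\{[^{}]+\}\}\s*$/i.test(String(v));

// Collections nest folders: an item with its own "item" array is a folder.
function walkRequests(items, path, visit) {
  for (const it of items || []) {
    const here = path.concat(it.name || '(unnamed)');
    if (Array.isArray(it.item)) walkRequests(it.item, here, visit);
    else if (it.request) visit(it.request, here.join(' / '));
  }
}

function auditPostman(collection, environment) {
  const findings = [];
  const add = (check, where) => findings.push({ check, where });
  // Environment export shape: { values: [{ key, value, enabled }] }
  for (const v of (environment && environment.values) || []) {
    if (SECRET_NAME.test(v.key) && v.value && !isVariableRef(v.value)) {
      add('hardcoded-secret', `environment:${v.key}`);
    }
  }
  walkRequests(collection.item, [], (req, where) => {
    // request.url is either a plain string or an object with a "raw" field
    const raw = typeof req.url === 'string' ? req.url : (req.url && req.url.raw) || '';
    if (/^http:\/\//i.test(raw)) add('insecure-http', where);
    for (const h of req.header || []) {
      if (SECRET_NAME.test(h.key) && h.value && !isVariableRef(h.value)) {
        add('hardcoded-secret', `${where} header:${h.key}`);
      }
    }
    const pw = req.auth && req.auth.type === 'basic' &&
      (req.auth.basic || []).find((p) => p.key === 'password');
    if (pw && pw.value && !isVariableRef(pw.value)) add('basic-auth-literal', where);
  });
  return findings;
}

// Constructed sample input (not from a real project).
const sampleEnv = { values: [
  { key: 'API_KEY', value: 'sk_live_abc123xyz', enabled: true },
  { key: 'BASE_URL', value: 'https://staging.example.test', enabled: true } ] };
const sampleCollection = { item: [{ name: 'Users', item: [
  { name: 'List', request: { url: { raw: 'http://api.example.test/users' },
    header: [{ key: 'Authorization', value: 'Bearer {{API_KEY}}' }] } }] }] };
console.log(auditPostman(sampleCollection, sampleEnv));
```

A CI step can fail the build when the returned array is non-empty, before Newman sends any request.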
```yaml
name: API Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install Newman
        run: npm install -g newman newman-reporter-htmlextra
      - name: Run API Tests
        env:
          API_KEY: ${{ secrets.API_KEY }}
        run: |
          newman run collections/api-tests.json \
            -e environments/staging.json \
            --reporters cli,htmlextra,junit \
            --reporter-htmlextra-export ./reports/newman.html \
            --reporter-junit-export ./reports/newman.xml \
            --bail
      - name: Upload Reports
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: test-reports
          path: reports/
```
```
newman/
├── SKILL.md (7.5KB) - Main guide
├── INSTALLATION.md (4.4KB) - Setup instructions
├── README.md - This file
├── references/
│   ├── ci-cd-examples.md (9.5KB) - CI/CD templates
│   └── advanced-patterns.md (12.9KB) - Advanced usage
└── scripts/
    ├── install-newman.sh (1.4KB) - Auto-installer
    ├── run-tests.sh (5.5KB) - Test runner
    └── security-audit.sh (4.8KB) - Security scanner
```
Total: ~46KB uncompressed
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
MIT License - see LICENSE for details
- Newman Documentation: https://learning.postman.com/docs/running-collections/using-newman-cli/
- Postman Documentation: https://learning.postman.com/
- OpenClaw: https://openclaw.ai
- Issues: https://github.com/1999AZZAR/newman-skill/issues
- Postman Labs for Newman
- OpenClaw for the skill framework
- Community contributors
Version: 1.0.0
Created: 2026-02-10
Maintainer: @1999AZZAR
Status: Production-Ready ✅