Using FroggerAPI with Tenable Web Application Scanning

Tenable WAS relies heavily on your OpenAPI 3 specifications to understand parameters, request bodies, and expected behavior. If your spec is too loose, you end up with noisy “permissive input validation” findings and partial coverage.

Why Postman → OpenAPI is tricky

Most teams maintain Postman collections, not handcrafted OpenAPI docs. Collections typically lack:

• Clear required vs optional fields
• Length limits (e.g. maxLength) and array bounds (maxItems)
• Patterns for IDs, codes, and other constrained values
• Consistent schema structure across endpoints

Code-first generators or AI can guess at schemas, but they often err on the side of being permissive. Tenable will flag that.

What FroggerAPI does differently

FroggerAPI starts from your Postman collection and produces a strict OpenAPI 3.0 spec tuned for Tenable:

• Resolves collection + environment variables into concrete hostnames, paths, and examples.
• Builds JSON schemas for request bodies and tightens them with:
• type and format
• maxLength and maxItems
• pattern where obvious (IDs, codes, etc.)
• additionalProperties: false where safe
• Skips sensitive headers like Authorization so you can keep using Tenable’s own credential system.
• Produces deterministic output – same input collections always yield the same spec.

End-to-end Tenable WAS workflow

Step 1 – Convert your Postman collection

From the web UI at froggerapi.io/convert, upload a Postman collection and optional environment JSON. Alternatively, use the API directly:

curl -X POST "https://api.froggerapi.io/api/convert" \
  -F "collection=@your_collection.postman_collection.json" \
  -F "environment=@your_environment.json" \
  -o openapi.json

The response (or openapi.json if you use -o) is a strict OpenAPI 3 document.

Step 2 – Import into Tenable WAS

1. In Tenable, go to Scans → New Scan → Web Application.
2. Select the API/OpenAPI scan template.
3. Upload the openapi.json (or YAML) you generated from FroggerAPI.

Step 3 – Configure credentials

Configure your usual credential method in Tenable (bearer token, header auth, etc.). Since FroggerAPI excludes Authorization from the spec, Tenable’s own credential workflow remains the source of truth.

Step 4 – Run the scan

With tighter schemas, Tenable can:

• Exercise endpoints with more realistic inputs.
• Reduce “permissive input validation” findings.
• Provide more consistent coverage across releases.

Integrating into CI/CD

For teams that want an always-fresh spec, you can run FroggerAPI as a build step:

# Example (GitHub Actions)
curl -X POST "https://api.froggerapi.io/api/convert" \
  -F "collection=@collections/my-api.postman_collection.json" \
  -o openapi.json

# Then, publish openapi.json as an artifact
# or feed it into downstream tools.

See the Docs for full CI/CD examples and patterns.

Questions or feedback

If you have a specific Tenable WAS use case and want to see if FroggerAPI fits, email: feedback@froggerapi.io.