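---
# Arazzo workflow: take the first unresolved finding returned by the secret
# scanner, read its details and locations, then record it as revoked.
#
# Operator notes:
# - No step in this file rotates or revokes the credential at its issuer.
#   resolveSecret only sends a resolution value to the scanner API, so the
#   credential has to be invalidated before this workflow is run. Otherwise
#   the finding leaves the unresolved queue while the credential still works.
# - The workflow acts on whichever finding is first in the list response and
#   has no approval step between listing and resolving.
arazzo: '1.0.1'
info:
  title: Postman Remediate a Detected Secret
  summary: Find unresolved secrets, inspect one, locate it, and mark it revoked.
  description: >-
    A security remediation pattern over the secret scanner. The workflow lists
    unresolved detected secrets, reads the details of the first one, enumerates
    every location where it was found, and resolves it as revoked. Each step
    spells out its request inline so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: '1.0.0'

sourceDescriptions:
  # operationId values in the steps below are resolved against this document.
  - name: secretScannerApi
    url: ../openapi/postman-secret-scanner-api-openapi.yml
    type: openapi

workflows:
  - workflowId: remediate-detected-secret
    summary: Triage and revoke the first unresolved detected secret.
    description: >-
      Lists unresolved secrets, takes the first one, reads its details and
      locations, and resolves it as revoked.
    inputs:
      type: object
      properties:
        # Only element 0 of the list response is consumed by later steps, so
        # this bounds the fetch size, not the number of secrets resolved.
        limit:
          type: integer
          description: Maximum number of unresolved secrets to fetch.
          default: 25
    steps:
      - stepId: listUnresolvedSecrets
        description: >-
          List unresolved detected secrets and take the first one.
        operationId: getDetectedSecrets
        parameters:
          - name: statuses
            in: query
            value: UNRESOLVED
          - name: limit
            in: query
            value: $inputs.limit
        successCriteria:
          - condition: $statusCode == 200
          # Stop here when nothing is unresolved. Without this check an empty
          # list still passes on status 200, and the next three steps would
          # run with a secretId that was never resolved.
          # NOTE(review): confirm your Arazzo runner treats an unresolvable
          # JSON pointer as null or as a failed criterion.
          - condition: $response.body#/data/0/secretId != null
        outputs:
          secretId: $response.body#/data/0/secretId
          secretType: $response.body#/data/0/secretType

      - stepId: getSecretDetail
        description: >-
          Read the details of the selected secret, including its resolution
          history.
        operationId: getDetectedSecret
        parameters:
          - name: secretId
            in: path
            value: $steps.listUnresolvedSecrets.outputs.secretId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          # workspaceId is captured here but not referenced by any later step
          # or by the workflow outputs in this file.
          # NOTE(review): check the OpenAPI description for whether
          # getSecretLocations or resolveDetectedSecret expect it.
          workspaceId: $response.body#/data/workspaceId

      - stepId: getSecretLocations
        description: >-
          Enumerate all locations where the secret was found across Postman
          entities.
        operationId: getSecretLocations
        parameters:
          - name: secretId
            in: path
            value: $steps.listUnresolvedSecrets.outputs.secretId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          # The whole `data` member is exported so the caller can remove the
          # leaked value from each location after rotation.
          # NOTE(review): if this endpoint paginates, this may be only the
          # first page - confirm against the OpenAPI description.
          locations: $response.body#/data

      - stepId: resolveSecret
        description: >-
          Mark the secret as revoked now that it has been triaged and rotated.
        operationId: resolveDetectedSecret
        parameters:
          - name: secretId
            in: path
            value: $steps.listUnresolvedSecrets.outputs.secretId
        # This request records the resolution only. Rotation is assumed by the
        # description above but is not performed or verified by any step here.
        requestBody:
          contentType: application/json
          payload:
            resolution: RESOLVED_REVOKED
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          resolution: $response.body#/data/resolution

    # Values handed back to the caller: which finding was processed, where it
    # was found, and the resolution echoed by the final response.
    outputs:
      secretId: $steps.listUnresolvedSecrets.outputs.secretId
      locations: $steps.getSecretLocations.outputs.locations
      resolution: $steps.resolveSecret.outputs.resolution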