🐸 Early access · Built for AppSec & CI pipelines

Turn Postman collections into CI-enforceable OpenAPI specs.

FroggerAPI converts Postman collections into hardened OpenAPI 3.0.1 specifications designed for CI gating and security scanning (including Tenable WAS).

FroggerAPI prepares OpenAPI specifications for predictable security scanning. It does not run scans, manage credentials, or replace your scanner.

  • Use a CI gate to pass/fail specs before security scanning (or run report-only).
  • Convert Postman collections to strict OpenAPI 3.0.1.
  • Harden and lint specs for scan-safe, deterministic behavior.
No consulting · No custom rules · Deterministic output · Self-serve
Workflow: Dev → Frogger → (optional CI gate) → Security → Scanner (Tenable WAS). CI can run in report-only or fail-the-build mode.

Security team workflow

Keep Tenable WAS scan inputs current and validated—without blocking deployments.

Dev → FroggerAPI → Security → Tenable WAS workflow

Developers submit Postman/OpenAPI. Frogger validates and versions. Security imports the latest approved spec into Tenable.


Who is this for?
  • AppSec / product security teams
  • Platform / API teams that own Postman collections
  • Teams feeding Tenable WAS with OpenAPI specs

How FroggerAPI works

Built for security teams that live in Postman but need clean, strict OpenAPI for CI gating and scanning.

1. You upload your Postman collection

Use the web UI or call the public API with a POST. Optionally include a Postman environment file if you rely on variables.

  • Supports Postman v2.1 collections.
  • Optional environment JSON for resolving variables.
  • File size and structure validated up front.

2. FroggerAPI converts to hardened OpenAPI

Under the hood, a dedicated converter walks every request in your collection and builds a strict OpenAPI 3 document.

  • Infers JSON body schemas and tightens them with type + length constraints.
  • Resolves variables into concrete server URLs, paths, and examples.
  • Skips sensitive headers like Authorization so Tenable credentials stay separate.

3. You feed the spec into your scanner (Tenable WAS)

Download JSON or YAML and import into your scanner workflow (including Tenable Web Application Scanning) as an API scan.

  • Use Tenable’s API / OpenAPI templates for API scans.
  • Cleaner specs mean fewer “permissive input validation” findings.
  • Repeatable process — re-generate the spec whenever your APIs change.

API usage (preview)

Use the UI, or call the public endpoint directly from scripts and CI.

Simple cURL example

Send a Postman collection (and optional environment file) as multipart form-data:

curl -X POST "https://froggerapi.io/api/convert" \
  -F "collection=@your_collection.postman_collection.json" \
  -F "environment=@your_environment.json"

The response body is a strict OpenAPI 3 JSON document. See Security workflow for how dev teams submit specs and security teams keep Tenable WAS scan inputs accurate and current.

Pricing

Start free with the public converter. Upgrade to Pro when you want persistence, CI gating, and team workflows.

Free (Preview)
$0
Developer tier for evaluating conversion and CI compatibility.
  • Convert Postman → OpenAPI
  • Deterministic, in-memory processing
  • No persistence or history
  • No governance, audit, or team features
Pro
$50/month
CI-ready workspace for teams enforcing OpenAPI quality before security scans.
  • Persisted, versioned OpenAPI definitions
  • CI gating and validation checks
  • Governance rules to prevent invalid scan inputs
  • Audit trail (who submitted what, and when)
  • Team workspaces, API keys, and automation
Enterprise
Contact
Same product. Different deployment and support model.
  • Private VPC or on-prem deployment
  • SSO and role-based access
  • Network isolation and compliance support
  • SLA-backed support

No custom rules. No bespoke features.

Security & deployment

Built for security-sensitive environments: healthcare, finance, internal APIs, and locked-down VPCs.

How your data is handled

  • No long-term storage of collections or specs on the public demo.
  • Collections are processed in-memory and returned as a single OpenAPI file.
  • No AI model calls; conversion is pure deterministic code.

For customers that can’t send data outside their own environment, FroggerAPI is designed to run as a container inside your VPC or on-prem — the public site reflects the same deterministic engine used in private deployments.

Preview: HTTPS fronted by ALB / API domain
WAF / ALB hardening in progress before GA
Designed for private / on-prem deployment

Feedback

FroggerAPI is intentionally product-led: no calls required. If something doesn’t fit your workflow, send a note and we’ll use it to prioritize documentation and reliability fixes.

Email: feedback@froggerapi.io

Pro features (included in $50/month)

Governance, history, and collaboration for teams feeding scanners on a regular cadence.

Spec history & diffing

Track how your API definition evolves and avoid surprises right before a scan.

  • Keep a versioned history of generated OpenAPI specs.
  • Compare two versions to see exactly what changed.
  • Highlight breaking changes before they hit production.

API security linting & rules

Static checks on the generated spec to keep Tenable scans focused and high-signal.

  • Flag overly-permissive schemas and missing constraints.
  • Enforce patterns, formats, and bounds for critical fields.
  • Use built-in rules aligned to common AppSec baselines.
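
The kind of static check described above can be sketched as follows. This is an added example, not FroggerAPI's own rules or code: the rule set, the function names (lint_schema, lint_spec, gate) and the sample spec are all hypothetical. It assumes inline schemas only ($ref is not resolved).

```python
# Added example; SPEC is a constructed sample, BOUNDS a hypothetical rule set.
SPEC = {"openapi": "3.0.1", "paths": {"/users": {"post": {
    "parameters": [{"name": "Authorization", "in": "header", "schema": {"type": "string"}}],
    "requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {
            "email": {"type": "string", "format": "email", "maxLength": 254},
            "bio": {"type": "string"},
            "tags": {"type": "array", "items": {"type": "string", "maxLength": 32}},
        }}}}}}}}}
BOUNDS = {"string": ("maxLength", "enum", "format", "pattern"), "array": ("maxItems",),
          "integer": ("maximum", "enum"), "number": ("maximum", "enum")}
METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def lint_schema(schema, where, findings):
    """Recursively flag schemas that leave input unbounded."""
    kind = schema.get("type")
    if kind in BOUNDS and not any(k in schema for k in BOUNDS[kind]):
        findings.append(f"{where}: {kind} has no bound ({'/'.join(BOUNDS[kind])})")
    if kind == "object":
        if schema.get("additionalProperties", True) is not False:
            findings.append(f"{where}: object allows additional properties")
        for name, sub in schema.get("properties", {}).items():
            lint_schema(sub, f"{where}.{name}", findings)
    if kind == "array" and isinstance(schema.get("items"), dict):
        lint_schema(schema["items"], f"{where}[]", findings)

def lint_spec(spec):
    """Return findings for every operation's parameters and JSON body."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            where = f"{method.upper()} {path}"
            for p in op.get("parameters", []):
                if p.get("in") == "header" and p.get("name", "").lower() == "authorization":
                    findings.append(f"{where}: Authorization header declared in spec")
                elif "schema" in p:
                    lint_schema(p["schema"], f"{where} param {p.get('name')}", findings)
            body = (op.get("requestBody", {}).get("content", {})
                      .get("application/json", {}).get("schema"))
            if body:
                lint_schema(body, f"{where} body", findings)
    return findings

def gate(spec, report_only=False):
    """Exit code for CI: 0 passes, 1 fails the build unless report-only."""
    findings = lint_spec(spec)
    return (0 if report_only or not findings else 1), findings
```

In a pipeline, pass the first element of gate()'s result to sys.exit() and print the findings, so report-only runs still surface them without failing the build.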

Teams, keys & automation

Make FroggerAPI a shared utility for your security and platform teams.

  • Tenant-aware workspaces with shared history.
  • Per-tenant API keys and higher rate limits.
  • Integrate with CI so every Tenable scan starts from a strict spec.

Future ideas (not commitments)

Ideas we may explore after the initial Pro release. No promises.

Deeper Tenable automation

Closer integration with Tenable WAS to reduce manual steps even further.

  • Trigger scans automatically when specs change.
  • Surface key scan findings alongside spec history.

Policy packs & templates

Pre-built rule bundles tuned for common industries and risk profiles.

  • Healthcare, finance, and internal-only API presets.
  • Shareable policy packs across tenants and teams.

Deeper workspace integrations

Richer collaboration around specs, changes, and scan prep.

  • Slack/webhook notifications on new runs and diffs.
  • Exportable reports for change control and approvals.

If you rely on these, FroggerAPI is not ready for you yet.

Ready to see your Postman collection as a scanner-ready OpenAPI spec?

Upload a collection, get a strict OpenAPI spec back, and import into your scanner workflow (including Tenable WAS). No signup required for the preview.