Allow (process) env vars to be used as Environment Variables

As discussed earlier, automatic insertion brings with it security concerns. You’d have to use the --global-var option as demonstrated above. The former section in my previous comment was just a working sample.

I understand the concern for users who may inadvertently allow the exfiltration of sensitive environment variables by malicious collections. However, there is another security concern to consider here, too.

On many UNIX-family operating systems, the full command line (including arguments) for each process is visible to all. This means that if I want to pass an API token to a collection and use newman run collection.json --global-var token=$token, the value of $token (expanded by the shell) will be visible to all users on the host where newman is running. This is not ideal, especially on shared hosts like build servers.

I like @gaieges’s suggestion of filtering by a NEWMAN_ prefix.

Alternatively, a list of specific variable names to import could be provided as a command line argument. For example:

newman run collection.json --shell-env-vars token,url

With considerations like the above, shell environment variables could actually be more secure than command line arguments.