diff --git a/rules/S6771/metadata.json b/rules/S6771/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6771/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6771/secrets/metadata.json b/rules/S6771/secrets/metadata.json
new file mode 100644
index 00000000000..531ff3c7fb2
--- /dev/null
+++ b/rules/S6771/secrets/metadata.json
@@ -0,0 +1,59 @@
+{
+    "title": "Postman tokens should not be disclosed",
+    "type": "VULNERABILITY",
+    "code": {
+      "impacts": {
+        "SECURITY": "HIGH"
+      },
+      "attribute": "TRUSTWORTHY"
+    },
+    "status": "ready",
+    "remediation": {
+      "func": "Constant\/Issue",
+      "constantCost": "30min"
+    },
+    "tags": [
+      "cwe",
+      "cert"
+    ],
+    "extra": {
+      "replacementRules": [
+  
+      ]
+    },
+    "defaultSeverity": "Blocker",
+    "ruleSpecification": "RSPEC-6771",
+    "sqKey": "S6771",
+    "scope": "All",
+    "securityStandards": {
+      "CWE": [
+        798,
+        259
+      ],
+      "OWASP": [
+        "A3"
+      ],
+      "CERT": [
+        "MSC03-J."
+      ],
+      "OWASP Top 10 2021": [
+        "A7"
+      ],
+      "PCI DSS 3.2": [
+        "6.5.10"
+      ],
+      "PCI DSS 4.0": [
+        "6.2.4"
+      ],
+      "ASVS 4.0": [
+        "2.10.4",
+        "3.5.2",
+        "6.4.1"
+      ]
+    },
+    "defaultQualityProfiles": [
+      "Sonar way"
+    ],
+    "quickfix": "unknown"
+  }
+  
\ No newline at end of file
diff --git a/rules/S6771/secrets/rule.adoc b/rules/S6771/secrets/rule.adoc
new file mode 100644
index 00000000000..f8039942139
--- /dev/null
+++ b/rules/S6771/secrets/rule.adoc
@@ -0,0 +1,108 @@
+Postman is an API development and testing platform that allows developers to design, build, and test APIs. Postman tokens are used for authentication and authorization purposes when making API requests. 
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a Postman token is leaked or compromised, it can lead to several security issues and risks. Here are some potential consequences:
+
+==== Unauthorized access
+
+An attacker who gains access to a leaked token can use it to impersonate the legitimate user or application associated with the token. This can result in unauthorized access to sensitive data or functionality within the API.
+
+
+==== Data breaches
+
+If the leaked token provides access to sensitive data, an attacker can use it to retrieve or manipulate that data. This can lead to data breaches that compromise the confidentiality and integrity of the information. Depending on the type of data that is compromised, it could lead to privacy violations, identity theft, financial loss, or other
+negative outcomes.
+
+In most cases, a company suffering a sensitive data compromise will face a
+reputational loss when the security issue is publicly disclosed.
+
+==== API abuse
+
+With a leaked token, an attacker can abuse the API by making unauthorized requests, consuming excessive resources, or performing malicious actions. This can disrupt the API's regular operation, impact performance, or even cause denial-of-service (DoS) attacks.
+
+====  Privilege escalation
+
+Depending on the permissions and scope associated with the token, an attacker may be able to escalate their privileges within the API. They can gain access to additional resources or perform actions that they are not authorized to do.
+
+include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
+
+==== Reputation damage
+
+If a token is leaked and used for malicious purposes, it can damage the reputation of the API provider. Users may lose trust in the security of the API, leading to a loss of business and credibility.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,javascript,diff-id=1,diff-type=noncompliant]
+----
+const axios = require('axios');
+
+const apiKey = 'PMAK-6502e63761882f002a69f0cb-6d9bc58cd0cc60ff5547f81cf2ca141bb9'; // Noncompliant
+const options = {
+    method: 'get',
+    url: 'https://api.getpostman.com/me',
+    headers: {
+        'Content-Type': 'application/json',
+        'X-API-Key': apiKey
+    }
+};
+
+(async() => { await axios(options); })();
+----
+
+==== Compliant solution
+
+[source,javascript,diff-id=1,diff-type=compliant]
+----
+const axios = require('axios');
+
+const apiKey = process.env.POSTMAN_API_KEY;
+const options = {
+    method: 'get',
+    url: 'https://api.getpostman.com/me',
+    headers: {
+        'Content-Type': 'application/json',
+        'X-API-Key': apiKey
+    }
+};
+
+(async() => { await axios(options); })();
+
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+https://www.postman.com/postman/workspace/postman-public-workspace/documentation/12959542-c8142d51-e97c-46b6-bd77-52bb66712c9a[Postman API]
+
+=== Articles & blog posts
+
+https://blog.postman.com/how-to-get-started-with-the-postman-api/[How to Get Started with the Postman API]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks