From 308d4884008638ad01943722e75bb077caa59d4f Mon Sep 17 00:00:00 2001
From: Bob Roebling
Date: Thu, 23 Apr 2026 06:32:54 -0500
Subject: [PATCH] feature: update Wiz scan workflow (latest)
---
 .github/workflows/wizscan.yml | 146 ++++++++++++++++++++++------------
 1 file changed, 93 insertions(+), 53 deletions(-)
diff --git a/.github/workflows/wizscan.yml b/.github/workflows/wizscan.yml
index 4e69cc7..9997a1b 100644
--- a/.github/workflows/wizscan.yml
+++ b/.github/workflows/wizscan.yml
@@ -2,56 +2,96 @@ name: 'wiz-cli'
 on: [pull_request]
 jobs:
- wiz-cli-iac-scan:
- name: 'Wiz-cli IaC Scan'
- runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: read
- env:
- SCAN_PATH: '.' # Set the relative path in the repo to scan
- POLICY: '1_High_Misconfiguration' # Set the desired Wiz-cli policy to use
- DOCKER_POLICY: 'custom-policy-high-critical-CVE-vulnerabilities'
-
- # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
- defaults:
- run:
- shell: bash
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
- - name: Configure AWS credentials from Test account
- uses: aws-actions/configure-aws-credentials@v2
- with:
- role-to-assume: arn:aws:iam::014524682603:role/oidc-for-github
- aws-region: us-east-1
-
- - name: Get secrets by name and by ARN
- uses: aws-actions/aws-secretsmanager-get-secrets@v1
- with:
- secret-ids: |
- WIZ_CLIENT_ID,WIZ_CLIENT_ID
- WIZ_CLIENT_SECRET,WIZ_CLIENT_SECRET
- JFROG_CREDENTIALS,jfrog
- JFROG_NPMRC_FILE,jfrog_npmrc_node18
-
- - name: Download Wiz-cli
- run: curl -o wizcli https://wizcli.app.wiz.io/latest/wizcli && chmod +x wizcli
-
- - name: Authenticate to Wiz
- run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
-
- - name: Login to Docker registry
- run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin "jfafn.jfrog.io"
-
- - name: Download .npmrc file
- run: echo "$JFROG_NPMRC_FILE" > .npmrc
-
- - name: Docker Build & Scan
- run: if test -f "Dockerfile"; then docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . ; docker images; ./wizcli docker scan --image $GITHUB_REPOSITORY:$GITHUB_SHA --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA -p "$DOCKER_POLICY" --policy-hits-only; fi
- - name: Run wiz-cli IaC scan
- run: ./wizcli iac scan --path $SCAN_PATH --policy "$POLICY" --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA --policy-hits-only --timeout 30m
- - name: Run wiz-cli custom-policy-secrets scan
- run: ./wizcli iac scan --path $SCAN_PATH --policy "custom-policy-secrets" --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA --policy-hits-only --timeout 30m
+wiz-cli-iac-scan:
+name: 'Wiz-cli IaC Scan'
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+
+env:
+SCAN_PATH: '.'
+POLICY: '1_High_Misconfiguration'
+DOCKER_POLICY: 'custom-policy-high-critical-CVE-vulnerabilities'
+
+defaults:
+run:
+shell: bash
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@v2
+with:
+role-to-assume: arn:aws:iam::014524682603:role/oidc-for-github
+aws-region: us-east-1
+
+- name: Get secrets from AWS Secrets Manager
+uses: aws-actions/aws-secretsmanager-get-secrets@v1
+with:
+secret-ids: |
+WIZ_CLIENT_ID_V1,WIZ_CLIENT_ID_V1
+WIZ_CLIENT_SECRET_V1,WIZ_CLIENT_SECRET_V1
+JFROG_CREDENTIALS,jfrog
+JFROG_NPMRC_FILE,jfrog_npmrc_node18
+
+- name: Debug secrets (safe check)
+run: |
+echo "Client ID length: ${#WIZ_CLIENT_ID_V1}"
+echo "Client Secret length: ${#WIZ_CLIENT_SECRET_V1}"
+
+- name: Download Wiz CLI
+run: |
+curl -Lo wizcli.gz https://downloads.wiz.io/v1/wizcli/latest/wizcli-linux-amd64.gz
+gunzip wizcli.gz
+chmod +x wizcli
+
+- name: Login to Docker registry
+run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin "jfafn.jfrog.io"
+
+- name: Download .npmrc file
+run: echo "$JFROG_NPMRC_FILE" > .npmrc
+
+- name: Docker Build & Scan
+run: |
+if test -f "Dockerfile"; then
+docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA .
+docker images
+./wizcli docker scan \
+--image $GITHUB_REPOSITORY:$GITHUB_SHA \
+--tag repo=$GITHUB_REPOSITORY \
+--tag branch=$GITHUB_REF_NAME \
+--tag commit=$GITHUB_SHA \
+-p "$DOCKER_POLICY" \
+--policy-hits-only \
+--client-id "$WIZ_CLIENT_ID_V1" \
+--client-secret "$WIZ_CLIENT_SECRET_V1"
+fi
+
+- name: Run wiz-cli IaC scan
+run: |
+./wizcli iac scan \
+--path $SCAN_PATH \
+--policy "$POLICY" \
+--tag repo=$GITHUB_REPOSITORY \
+--tag branch=$GITHUB_REF_NAME \
+--tag commit=$GITHUB_SHA \
+--policy-hits-only \
+--timeout 30m \
+--client-id "$WIZ_CLIENT_ID_V1" \
+--client-secret "$WIZ_CLIENT_SECRET_V1"
+
+- name: Run wiz-cli custom-policy-secrets scan
+run:
+./wizcli iac scan \
+--path $SCAN_PATH \
+--policy "custom-policy-secrets" \
+--tag repo=$GITHUB_REPOSITORY \
+--tag branch=$GITHUB_REF_NAME \
+--tag commit=$GITHUB_SHA \
+--policy-hits-only \
+--timeout 30m \
+--client-id "$WIZ_CLIENT_ID_V1" \
+--client-secret "$WIZ_CLIENT_SECRET_V1"
\ No newline at end of file
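Review bot: The final step, `Run wiz-cli custom-policy-secrets scan`, writes `run:` without the `|` block indicator that the two preceding steps use, so YAML folds its continuation lines into one plain scalar in which every `\` survives literally and bash then receives tokens such as `\ --path` instead of separate arguments, breaking the secrets scan (indentation is not preserved in this rendering, so I am reading the structure from the sibling steps). Change that line to `run: |` to match the `Docker Build & Scan` and `Run wiz-cli IaC scan` steps, and add a trailing newline since the file now ends without one. The `Download Wiz CLI` step fetches an unpinned `latest` binary with `curl` and executes it with the Wiz and JFrog credentials in scope and no integrity check; pinning a release and verifying a checksum or signature, if the vendor publishes one, would close that gap. Passing `--client-id`/`--client-secret` on the command line of every scan exposes the values in the runner's process list for the duration of the scan; if the CLI can read them from the environment, that is preferable to argv. The `Debug secrets (safe check)` step only prints lengths, but it is debug scaffolding on a `pull_request` workflow and should be dropped before merge.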