From d8a01f9aa1353843ee92184aa8687673bcdf87b6 Mon Sep 17 00:00:00 2001
From: Bob Roebling
Date: Thu, 23 Apr 2026 00:58:00 -0500
Subject: [PATCH 1/2] feature: update Wiz scan workflow (latest)
---
 .github/workflows/wizscan.yml | 80 ++++++++++++++++++++++++++---------
 1 file changed, 60 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/wizscan.yml b/.github/workflows/wizscan.yml
index 4e69cc7..149e2f0 100644
--- a/.github/workflows/wizscan.yml
+++ b/.github/workflows/wizscan.yml
@@ -8,50 +8,90 @@ jobs: permissions: id-token: write contents: read + env: - SCAN_PATH: '.' # Set the relative path in the repo to scan - POLICY: '1_High_Misconfiguration' # Set the desired Wiz-cli policy to use + SCAN_PATH: '.' + POLICY: '1_High_Misconfiguration' DOCKER_POLICY: 'custom-policy-high-critical-CVE-vulnerabilities' - # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: run: shell: bash steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 - - name: Configure AWS credentials from Test account + uses: actions/checkout@v4 + + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v2 with: role-to-assume: arn:aws:iam::014524682603:role/oidc-for-github aws-region: us-east-1 - - name: Get secrets by name and by ARN + - name: Get secrets from AWS Secrets Manager uses: aws-actions/aws-secretsmanager-get-secrets@v1 with: secret-ids: | - WIZ_CLIENT_ID,WIZ_CLIENT_ID - WIZ_CLIENT_SECRET,WIZ_CLIENT_SECRET + WIZ_CLIENT_ID_V1,WIZ_CLIENT_ID_V1 + WIZ_CLIENT_SECRET_V1,WIZ_CLIENT_SECRET_V1 JFROG_CREDENTIALS,jfrog JFROG_NPMRC_FILE,jfrog_npmrc_node18 - - name: Download Wiz-cli - run: curl -o wizcli https://wizcli.app.wiz.io/latest/wizcli && chmod +x wizcli + - name: Debug secrets (safe check) + run: | + echo "Client ID length: ${#WIZ_CLIENT_ID_V1}" + echo "Client Secret length: ${#WIZ_CLIENT_SECRET_V1}" + + - name: Download Wiz CLI + run: | + curl -Lo wizcli.gz https://downloads.wiz.io/v1/wizcli/latest/wizcli-linux-amd64.gz + gunzip wizcli.gz + chmod +x wizcli - - name: Authenticate to Wiz - run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET" - - name: Login to Docker registry - run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin "jfafn.jfrog.io" - + run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin 
"jfafn.jfrog.io" + - name: Download .npmrc file - run: echo "$JFROG_NPMRC_FILE" > .npmrc + run: echo "$JFROG_NPMRC_FILE" > .npmrc - name: Docker Build & Scan - run: if test -f "Dockerfile"; then docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . ; docker images; ./wizcli docker scan --image $GITHUB_REPOSITORY:$GITHUB_SHA --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA -p "$DOCKER_POLICY" --policy-hits-only; fi + run: | + if test -f "Dockerfile"; then + docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . + docker images + ./wizcli docker scan \ + --image $GITHUB_REPOSITORY:$GITHUB_SHA \ + --tag repo=$GITHUB_REPOSITORY \ + --tag branch=$GITHUB_REF_NAME \ + --tag commit=$GITHUB_SHA \ + -p "$DOCKER_POLICY" \ + --policy-hits-only \ + --client-id "$WIZ_CLIENT_ID_V1" \ + --client-secret "$WIZ_CLIENT_SECRET_V1" + fi + - name: Run wiz-cli IaC scan - run: ./wizcli iac scan --path $SCAN_PATH --policy "$POLICY" --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA --policy-hits-only --timeout 30m + run: | + ./wizcli iac scan \ + --path $SCAN_PATH \ + --policy "$POLICY" \ + --tag repo=$GITHUB_REPOSITORY \ + --tag branch=$GITHUB_REF_NAME \ + --tag commit=$GITHUB_SHA \ + --policy-hits-only \ + --timeout 30m \ + --client-id "$WIZ_CLIENT_ID_V1" \ + --client-secret "$WIZ_CLIENT_SECRET_V1" + - name: Run wiz-cli custom-policy-secrets scan - run: ./wizcli iac scan --path $SCAN_PATH --policy "custom-policy-secrets" --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA --policy-hits-only --timeout 30m + run: | + ./wizcli iac scan \ + --path $SCAN_PATH \ + --policy "custom-policy-secrets" \ + --tag repo=$GITHUB_REPOSITORY \ + --tag branch=$GITHUB_REF_NAME \ + --tag commit=$GITHUB_SHA \ + --policy-hits-only \ + --timeout 30m \ + --client-id "$WIZ_CLIENT_ID_V1" \ + --client-secret "$WIZ_CLIENT_SECRET_V1" \ No newline at end of file 
From aa831cb65dd1f6d5a0b9165738a05b8b54d922d0 Mon Sep 17 00:00:00 2001
From: Bob Roebling
Date: Thu, 23 Apr 2026 07:32:19 -0500
Subject: [PATCH 2/2] feature: update Wiz scan workflow (latest)
---
 .github/workflows/wizscan.yml | 162 +++++++++++++++++-----------------
 1 file changed, 81 insertions(+), 81 deletions(-)
diff --git a/.github/workflows/wizscan.yml b/.github/workflows/wizscan.yml
index 149e2f0..9997a1b 100644
--- a/.github/workflows/wizscan.yml
+++ b/.github/workflows/wizscan.yml
@@ -2,96 +2,96 @@ name: 'wiz-cli' on: [pull_request] jobs: - wiz-cli-iac-scan: - name: 'Wiz-cli IaC Scan' - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read +wiz-cli-iac-scan: +name: 'Wiz-cli IaC Scan' +runs-on: ubuntu-latest +permissions: +id-token: write +contents: read - env: - SCAN_PATH: '.' - POLICY: '1_High_Misconfiguration' - DOCKER_POLICY: 'custom-policy-high-critical-CVE-vulnerabilities' +env: +SCAN_PATH: '.' +POLICY: '1_High_Misconfiguration' +DOCKER_POLICY: 'custom-policy-high-critical-CVE-vulnerabilities' - defaults: - run: - shell: bash +defaults: +run: +shell: bash - steps: - - name: Checkout - uses: actions/checkout@v4 +steps: +- name: Checkout +uses: actions/checkout@v4 - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::014524682603:role/oidc-for-github - aws-region: us-east-1 +- name: Configure AWS credentials +uses: aws-actions/configure-aws-credentials@v2 +with: +role-to-assume: arn:aws:iam::014524682603:role/oidc-for-github +aws-region: us-east-1 - - name: Get secrets from AWS Secrets Manager - uses: aws-actions/aws-secretsmanager-get-secrets@v1 - with: - secret-ids: | - WIZ_CLIENT_ID_V1,WIZ_CLIENT_ID_V1 - WIZ_CLIENT_SECRET_V1,WIZ_CLIENT_SECRET_V1 - JFROG_CREDENTIALS,jfrog - JFROG_NPMRC_FILE,jfrog_npmrc_node18 +- name: Get secrets from AWS Secrets Manager +uses: aws-actions/aws-secretsmanager-get-secrets@v1 +with: +secret-ids: | +WIZ_CLIENT_ID_V1,WIZ_CLIENT_ID_V1 +WIZ_CLIENT_SECRET_V1,WIZ_CLIENT_SECRET_V1 +JFROG_CREDENTIALS,jfrog +JFROG_NPMRC_FILE,jfrog_npmrc_node18 - - name: Debug secrets (safe check) - run: | - echo "Client ID length: ${#WIZ_CLIENT_ID_V1}" - echo "Client Secret length: ${#WIZ_CLIENT_SECRET_V1}" +- name: Debug secrets (safe check) +run: | +echo "Client ID length: ${#WIZ_CLIENT_ID_V1}" +echo "Client Secret length: ${#WIZ_CLIENT_SECRET_V1}" - - name: Download Wiz CLI - run: | - curl -Lo wizcli.gz 
https://downloads.wiz.io/v1/wizcli/latest/wizcli-linux-amd64.gz - gunzip wizcli.gz - chmod +x wizcli +- name: Download Wiz CLI +run: | +curl -Lo wizcli.gz https://downloads.wiz.io/v1/wizcli/latest/wizcli-linux-amd64.gz +gunzip wizcli.gz +chmod +x wizcli - - name: Login to Docker registry - run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin "jfafn.jfrog.io" +- name: Login to Docker registry +run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin "jfafn.jfrog.io" - - name: Download .npmrc file - run: echo "$JFROG_NPMRC_FILE" > .npmrc +- name: Download .npmrc file +run: echo "$JFROG_NPMRC_FILE" > .npmrc - - name: Docker Build & Scan - run: | - if test -f "Dockerfile"; then - docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . - docker images - ./wizcli docker scan \ - --image $GITHUB_REPOSITORY:$GITHUB_SHA \ - --tag repo=$GITHUB_REPOSITORY \ - --tag branch=$GITHUB_REF_NAME \ - --tag commit=$GITHUB_SHA \ - -p "$DOCKER_POLICY" \ - --policy-hits-only \ - --client-id "$WIZ_CLIENT_ID_V1" \ - --client-secret "$WIZ_CLIENT_SECRET_V1" - fi +- name: Docker Build & Scan +run: | +if test -f "Dockerfile"; then +docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . 
+docker images +./wizcli docker scan \ +--image $GITHUB_REPOSITORY:$GITHUB_SHA \ +--tag repo=$GITHUB_REPOSITORY \ +--tag branch=$GITHUB_REF_NAME \ +--tag commit=$GITHUB_SHA \ +-p "$DOCKER_POLICY" \ +--policy-hits-only \ +--client-id "$WIZ_CLIENT_ID_V1" \ +--client-secret "$WIZ_CLIENT_SECRET_V1" +fi - - name: Run wiz-cli IaC scan - run: | - ./wizcli iac scan \ - --path $SCAN_PATH \ - --policy "$POLICY" \ - --tag repo=$GITHUB_REPOSITORY \ - --tag branch=$GITHUB_REF_NAME \ - --tag commit=$GITHUB_SHA \ - --policy-hits-only \ - --timeout 30m \ - --client-id "$WIZ_CLIENT_ID_V1" \ - --client-secret "$WIZ_CLIENT_SECRET_V1" +- name: Run wiz-cli IaC scan +run: | +./wizcli iac scan \ +--path $SCAN_PATH \ +--policy "$POLICY" \ +--tag repo=$GITHUB_REPOSITORY \ +--tag branch=$GITHUB_REF_NAME \ +--tag commit=$GITHUB_SHA \ +--policy-hits-only \ +--timeout 30m \ +--client-id "$WIZ_CLIENT_ID_V1" \ +--client-secret "$WIZ_CLIENT_SECRET_V1" - - name: Run wiz-cli custom-policy-secrets scan - run: | - ./wizcli iac scan \ - --path $SCAN_PATH \ - --policy "custom-policy-secrets" \ - --tag repo=$GITHUB_REPOSITORY \ - --tag branch=$GITHUB_REF_NAME \ - --tag commit=$GITHUB_SHA \ - --policy-hits-only \ - --timeout 30m \ - --client-id "$WIZ_CLIENT_ID_V1" \ - --client-secret "$WIZ_CLIENT_SECRET_V1" \ No newline at end of file +- name: Run wiz-cli custom-policy-secrets scan +run: +./wizcli iac scan \ +--path $SCAN_PATH \ +--policy "custom-policy-secrets" \ +--tag repo=$GITHUB_REPOSITORY \ +--tag branch=$GITHUB_REF_NAME \ +--tag commit=$GITHUB_SHA \ +--policy-hits-only \ +--timeout 30m \ +--client-id "$WIZ_CLIENT_ID_V1" \ +--client-secret "$WIZ_CLIENT_SECRET_V1" \ No newline at end of file
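Review bot: Every added line in this hunk starts at column 0 (`+wiz-cli-iac-scan:`, `+steps:`, `+- name: Checkout`, `+uses: actions/checkout@v4`, ...) while the removed lines retain a leading space, so the new file no longer nests the job under `jobs:` or the steps under the job; the `- name:` entries at column 0 that follow `uses:`/`with:` keys at column 0 will most likely not parse at all, and if they did the workflow would be rejected as having no `jobs`. The last step has also lost its block indicator: `+run:` followed by `+./wizcli iac scan \` on its own line is not a literal block, so `run:` is empty and the command lines are stray text; restore `run: |` as the `Run wiz-cli IaC scan` step above it still has. Unless the indentation was stripped in transport (unlikely, given that the removed side kept it), this patch should be regenerated from an editor using two-space indentation, and the file should end with a newline so the `\ No newline at end of file` marker goes away. With an 81/81 diffstat the hunk is otherwise a pure re-indentation, so once indentation is restored it should become a no-op against PATCH 1/2.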