Wiz CLI Azure DevOps Pipeline Extension
Wiz CLI Azure DevOps Extension helps you automate the detection of misconfigurations, vulnerabilities and secrets in your Azure DevOps Pipelines.
Demo
Features
- Automates Wiz CLI scan execution through Azure DevOps Pipelines
- IaC scanning for misconfigurations and secrets
- Docker image vulnerability, secret and sensitive data scanning
- Docker image tagging for Image Trust
- Directory scanning for secrets, binary/library vulnerabilities and sensitive data
- Virtual machine and virtual machine image scanning
- Findings from scans are shown in both the console output and a provided Wiz report
- Downloads latest version of the Wiz CLI if it doesn't already exist on the runner
Requirements
- A Wiz service account with `create:security_scans` permissions at a minimum.
- Adding `read:scan_policies` allows viewing the relevant CI/CD policies in the portal.
| Object | Requirements |
| --- | --- |
| Wiz CLI | latest version |
| Wiz Service Account | `create:security_scans` |
| Runner Platforms Supported | Linux, Windows |
Usage
For the most up-to-date usage instructions, please refer to the Wiz documentation.
Release Notes
0.3.3
- Removed `Status` column in console output
0.3.2
- Fixed bug with new `Status` column in console output failing on undefined fields
0.3.1
- Fixed bug with Windows runners and the temporary directory
- Added `Status` column in console output for CVEs (FAILED_BY_POLICY, IGNORED, BELOW_THRESHOLD)
0.3.0
0.2.16
- Add support for the `--name` scan identifier in the dir scan command
- Add support for node versions: 10, 16, 20
0.2.15
- Add support for configuring the wizcli path with `wizCliPath`
0.2.14
- Fix bug in empty IAC scan results when `--policy-hits-only=true`
- Add SBOM support (`sbomOutput` and `sbomFormat`)
0.2.13
- Add `--dockerfile` support for container image scans
- Add `--output` support for scan results
0.2.12
- Add proper support for non-prod tenants
- NOTE: WizCLI path is currently hardcoded to `/tmp/wizcli`
0.2.11
- Add `docker tag` support when running as SUDO
0.2.10
- UI - removed the severity column background color and changed text color instead
0.2.9
- Added `mountWithLayers` output to console and UI
0.2.8
- UI - Add `Grace Period End` column to image/directory vulnerabilities
0.2.7
- UI - restrict tab names to 40 characters for Directory and IAC scans
- UI - tab names for images now return just the image:tag
- UI - hide vulnerability tables that are empty
0.2.6
- Fixed bug with non-`mountWithLayers` image scans
0.2.5
- Added support for the iac scan option `--parameter-files`.
- Added support for `--driver` on Linux runners.
- Two fields are required: `driver: mountWithLayers` and `sudo: true`
- Currently, only the layerID will show up in the scan results; the next release will have the UI updates
- Added support for the `wizcli docker tag` command.
- Added support for using a custom `DOCKER_HOST`.
0.2.4
- Added support for the `--no-publish` option.
0.2.3
- Fixed issue with `--sensitive-data` not working with the `image` command.
0.2.2
- Added `--sensitive-data` capabilities for Image and Directory scans
0.2.1
- Support for manual configuration of CI Metadata
- Added `--legacy-secret-scanner` configuration for IAC scans
- Added `--no-dotnet-binary-scanning` for Image and Directory scans
0.2.0
- Support for Windows runners
0.1.11
- Added the `vmImage` and `vm` scan commands
0.1.10
- New `summary` configuration field that suppresses detailed results in the console output and UI report
0.1.9
- Verify WizCLI is executable
0.1.8
- Resolved fedramp authentication issues
- Add `SucceededWithIssues` as a possible Task Result
0.1.7
- Resolved `wizenv` issue: `failed to get auth url: env type [app] isn't mapped!`
0.1.6
- Added proper support for gov and fedramp tenants (using the `wizenv` field)
- wizcli always downloads from the public URL
0.1.5
- Update Marketplace Listing
0.1.3
- Mark extension as public, GA release
0.1.2
- Converted UI to tables
- Fixed minor UI inconsistencies
0.1.1
- Fixed UI bug where policies were on a single line
- Added CI/CD Metadata
0.1.0