Wiz CLI Azure DevOps Extension helps you automate the detection of misconfigurations, vulnerabilities and secrets in your Azure DevOps Pipelines.
Features
Automates Wiz CLI scan execution through Azure DevOps Pipelines
IaC scanning for misconfigurations and secrets
Docker image vulnerability, secret and sensitive data scanning
Docker image tagging for Image Trust
Directory scanning for secrets, binary/library vulnerabilities and sensitive data
Virtual machine and virtual machine image scanning
Findings from scans are shown in both the console output and a provided Wiz report
Downloads latest version of the Wiz CLI if it doesn't already exist on the runner
Requirements
A Wiz service account with create:security_scans permissions at a minimum.
Add read:scan_policies to allow viewing the relevant CI/CD policies in the portal.
Object                      Requirements
Wiz CLI                     latest version
Wiz Service Account         create:security_scans
Runner Platforms Supported  Linux, Windows
Usage
For the most up-to-date usage instructions, please navigate to the Wiz documentation here.
Release Notes
0.5.14
Bug fix: Respect proxy parameter for wizcli downloads
0.5.13
The V0 task no longer downloads wizcli if it already exists on the runner
0.5.12
V1.0.8: added support for extraArguments in the scan configuration. These are appended to the end of the scan command.
0.5.11
V1.0.7: added a Download WizCli flag, enabled by default. If disabled, the task uses the wizcli already installed on the runner at the path the user provides in the wizCliPath field. This field should be the path of the wizcli executable.
0.5.10
Fixed bug with v1: builds are now blocked when a policy fails.
0.5.9
Fixed bug with v0 when the gz URL is not available
0.5.8
Optimize Wiz CLI download for faster execution
0.5.7
Major new version for the build task! [requires migration to wiz-task@1]
Using wizcli V1
New scanners: SAST, AI review
IaC scanning is now part of directory scan
Improved summary in console output and UI report
0.5.3
Fixed summary: true not suppressing the vulnerability summary table
0.5.2
Fixed file path validation to support Windows 8.3 short filenames (SERVIC~2, NETWOR~1, etc.)
Improved file path validation to allow legitimate characters like parentheses, spaces, and @ symbols
0.5.1
Fixed bug where tmpDir parameter was not consistently used throughout the task, causing failures when /tmp directory was read-only or unavailable
0.5.0
Extended --name parameter support to Directory scans for consistent naming capabilities across IAC and Directory scan types
Added wizDir parameter to allow custom WIZ_DIR configuration, overriding default paths (~/.wiz/ or /tmp/.wiz/ for sudo)
Fixed bug where environment variables (WIZ_ENV, WIZ_DIR, HTTPS_PROXY) were not passed to Wiz CLI in sudo mode by adding -E flag
Added Azure DevOps Service Connection support as an alternative to manual client credentials
Added tmpDir parameter for custom temporary directory paths
0.4.1
Updated task version to match extension version
0.4.0
Reorganized scan findings display into separate tabs for better readability
Added support for proxy
0.3.4
Added support for malware detection in directory and image scans (--file-hashes-scan)
Added support for authentication retries
0.3.3
Removed Status column in console output
0.3.2
Fixed bug with new Status column in console output failing on undefined fields
0.3.1
Fixed bug with Windows runners and the temporary directory
Added Status column in console output for CVEs (FAILED_BY_POLICY, IGNORED, BELOW_THRESHOLD)
0.3.0
Fixed versioning bug
0.2.16
Add support for --name scan identifier in the dir scan command
Add support for node versions: 10, 16, 20
0.2.15
Add support for configuring the wizcli path with wizCliPath
0.2.14
Fix bug in empty IAC scan results when --policy-hits-only=true
Add SBOM support (sbomOutput and sbomFormat)
0.2.13
Add --dockerfile support for container image scans
Add --output support for scan results
0.2.12
Add proper support for non-prod tenants
NOTE: WizCLI path is currently hardcoded to /tmp/wizcli
0.2.11
Add docker tag support when running as SUDO
0.2.10
UI - removed the severity column background color and changed text color instead
0.2.9
Added mountWithLayers output to console and UI
0.2.8
UI - Add Grace Period End column to image/directory vulnerabilities
0.2.7
UI - restrict tab names to 40 characters for Directory and IAC scans.
UI - tab names for images now show just the image:tag
UI - hide vulnerability tables that are empty
0.2.6
Fixed bug with non-mountWithLayers image scans
0.2.5
Added support for the --parameter-files option of the iac scan command.
Added support for --driver on Linux runners.
Two fields are required: driver:mountWithLayers and sudo:true
Currently only the layerID shows up in the scan results; the next release will include the UI updates
Added support for the wizcli docker tag command.
Added support for using a custom DOCKER_HOST.
0.2.4
Added support for the --no-publish option.
0.2.3
Fixed issue with --sensitive-data not working with the image command.
0.2.2
Added --sensitive-data capabilities for Image and Directory scans
0.2.1
Support for manual configuration of CI Metadata
Added --legacy-secret-scanner configuration for IAC scans
Added --no-dotnet-binary-scanning for Image and Directory scans
0.2.0
Support for Windows runners
0.1.11
Added the vmImage and vm scan commands
0.1.10
New summary configuration field that suppresses detailed results in the console output and UI report
0.1.9
Verify WizCLI is executable
0.1.8
Resolved fedramp authentication issues
Add SucceededWithIssues as a possible Task Result
0.1.7
Resolved wizenv issue: failed to get auth url: env type [app] isn't mapped!
0.1.6
Added proper support for gov and fedramp tenants (using the wizenv field)