This repository is dedicated to the development of a VS Code extension for Wiz CLI.
Features
Automates Wiz CLI scan execution through VS Code commands
IaC scanning for selected file/folder in explorer
IaC scanning for the current or a selected workspace folder
Docker image vulnerability/secret scanning
Directory scanning for secrets and binary/library vulnerabilities
Findings from scans are shown in the "Findings Explorer"
Information for each finding is shown in "Findings Help" when selected
Downloads the latest version of Wiz CLI
Shows the version of the currently installed Wiz CLI
Requirements
The Wiz CLI must be installed on the development machine.
This can be done beforehand, or through the Wiz CLI: Download latest Wiz CLI command.
A Wiz service account with create:security_scans permissions at a minimum.
Adding read:projects allows for interactive project selection.
Adding read:scan_policies allows for interactive policy selection.
| Object | Requirements |
|---|---|
| Wiz CLI | latest version |
| Wiz Service Account | create:security_scans |
| Minimum VS Code Version | ^1.65.0 |
| Platforms Supported | macOS and Windows |
| Terminal Shell Support | cmd.exe, pwsh, powershell, zsh (macOS) |
Configuration
Once the extension is installed, configure it with your Wiz service account credentials:
In VS Code, open the Settings editor (on macOS - command + ,; on Windows/Linux - ctrl + ,).
In the search bar at the top, type "Wiz" to locate the extension settings.
Enter the Client ID of your Wiz service account in the Wiz: Client ID setting.
Run the Wiz CLI: Set the Service Account Secret command from the VS Code command palette and supply the Client Secret of your Wiz service account when prompted. The secret is entered through this command rather than typed into settings, so it does not end up in settings.json.
At this point you should be ready to perform scans with the default scan configuration. If you wish to adjust any scan settings, the full table of configuration options is under Extension Settings below; note that every settings change requires a restart of VS Code.
Extension Commands
| Command | Description |
|---|---|
| Wiz CLI: Download latest Wiz CLI | Downloads the latest version of Wiz CLI |
| Wiz CLI: Set the Service Account Secret | Sets the Client Secret for the Wiz service account used by the extension |
| Wiz CLI: Refresh Scan Results | Refreshes the results in the Findings Explorer section based on the latest scan |
| Wiz CLI: Directory Scan Selection | Scans a specified directory for secrets and vulnerabilities |
| Wiz CLI: IaC Scan Selection | Scans the selected item in the Explorer section |
| Wiz CLI: IaC Scan Workspace Folder | Scans the Workspace folder selected by the user |
| Wiz CLI: Image Scan | Scans a specified container image for vulnerabilities |
| Wiz CLI: Open Settings | Opens the VS Code settings for the extension |
| Wiz CLI: Select Directory Scan Policies | Interactive selection of Directory scan policies |
| Wiz CLI: Select IaC Scan Policies | Interactive selection of IaC scan policies |
| Wiz CLI: Select Image Scan Policies | Interactive selection of Image scan policies |
| Wiz CLI: Show the current version of Wiz CLI | Shows the currently-installed version of Wiz CLI |
| Wiz CLI: Update Project Setting | Updates the Project UUID to which scans should be scoped |
Extension Settings
| Setting | Description |
|---|---|
| wiz.wizcliPath | The full path to the Wiz CLI binary, including the file name (e.g. /some/path/wizcli or c:\wiz\wizcli.exe) |
| wiz.clientId | The Client ID of a Wiz service account with the minimal required permissions for scans (i.e. create:security_scans) |
| wiz.clientSecretFile | The path of the file in which the extension stores the encoded Client Secret of the Wiz service account |
| wiz.directoryPolicy | The Wiz CI/CD Directory policies for scans. Comma separated; multiple values allowed |
| wiz.iacPolicy | The Wiz CI/CD IaC policies for scans. Comma separated; multiple values allowed |
| wiz.imagePolicy | The Wiz CI/CD Image policies for scans. Comma separated; multiple values allowed |
| wiz.policyHitsOnly | Only display results that failed the applied policies |
| wiz.projectId | The UUID of the Wiz project to which scans should be scoped. Defaults to the Wiz service account scope |
| wiz.dir | The directory in which the extension saves the Wiz authorization token |
| wiz.tags | Tags in the format key=value, with all keys lowercase; a tag may omit its value. Separate tags with commas (e.g. owner=FirstName,environment) |
| wiz.env | The Wiz Environment. Leave blank if uncertain |
Note: all settings changes require a restart of VS Code.
Note: wiz.clientSecretFile and wiz.dir hold credential material (the service account secret and the authorization token). Keep both outside the workspace and outside any synced or version-controlled directory, and restrict them to your own user account.
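The formats documented for wiz.tags (comma separated, lowercase keys, optional value), the comma separated wiz.*Policy settings and the UUID in wiz.projectId are easy to get subtly wrong, and a bad value should stop a scan before the CLI is invoked. The following is an added TypeScript example of such validation, not the extension's own implementation: the interface names, the error messages and the assembly of the `--policy` flag are assumptions (only `--policy-hits-only` is confirmed by this page; check `wizcli <scanner> scan --help` for your installed CLI), and the inputs in the comments are constructed.

```typescript
// Added example (not the extension's own code): validators for the value
// formats this README documents for wiz.tags, the wiz.*Policy settings and
// wiz.projectId, plus assembly of the scan flags. Flag names other than
// --policy-hits-only are assumptions; verify them against your wizcli.

interface ParsedTag {
  key: string;
  value?: string; // absent when the tag was given without "=value"
}

interface WizScanSettings {
  tags?: string;            // e.g. "owner=FirstName,environment" (constructed)
  policy?: string;          // comma separated, e.g. "Default IaC policy,Secrets"
  policyHitsOnly?: boolean; // extension default is true (see 0.5.0 notes)
  projectId?: string;       // UUID, or blank for the service account scope
}

// Canonical UUID shape (8-4-4-4-12 hex groups), case-insensitive.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Parse "key=value,key" into tags, enforcing the documented rules:
// comma separated, lowercase keys, value optional. Throws on a bad entry
// so the caller can refuse to run a scan with a malformed setting.
function parseTags(setting: string): ParsedTag[] {
  const tags: ParsedTag[] = [];
  const seen = new Set<string>();
  for (const raw of setting.split(",")) {
    const item = raw.trim();
    if (item === "") continue; // tolerate a trailing comma or blank entry
    const eq = item.indexOf("=");
    const key = eq === -1 ? item : item.slice(0, eq).trim();
    const value = eq === -1 ? undefined : item.slice(eq + 1).trim();
    if (key === "") throw new Error(`wiz.tags: entry "${item}" has no key`);
    if (key !== key.toLowerCase()) throw new Error(`wiz.tags: key "${key}" must be lowercase`);
    if (seen.has(key)) throw new Error(`wiz.tags: key "${key}" given twice`);
    seen.add(key);
    tags.push(value === undefined ? { key } : { key, value });
  }
  return tags;
}

// Split a comma separated multi-value setting, dropping blanks and
// duplicates while keeping the user's order.
function parseMultiValue(setting: string): string[] {
  const values = setting.split(",").map((v) => v.trim()).filter((v) => v !== "");
  return Array.from(new Set(values));
}

// Blank means "scope to the service account"; anything else must be a UUID.
function isValidProjectId(setting: string): boolean {
  const v = setting.trim();
  return v === "" || UUID_RE.test(v);
}

// Collect every configuration problem instead of stopping at the first.
function validateSettings(s: WizScanSettings): string[] {
  const errors: string[] = [];
  try {
    parseTags(s.tags ?? "");
  } catch (e) {
    errors.push((e as Error).message);
  }
  if (!isValidProjectId(s.projectId ?? "")) {
    errors.push(`wiz.projectId: "${s.projectId}" is not a UUID`);
  }
  return errors;
}

// Build the scan flags from validated settings. Values are returned as
// separate argv entries, never joined into a shell string, so a policy
// name containing spaces cannot be split or interpreted by a shell.
function scanFlags(s: WizScanSettings): string[] {
  const errors = validateSettings(s);
  if (errors.length > 0) throw new Error(errors.join("; "));
  const args: string[] = [];
  for (const policy of parseMultiValue(s.policy ?? "")) args.push("--policy", policy); // assumed flag
  if (s.policyHitsOnly ?? true) args.push("--policy-hits-only");
  return args;
}
```

Passing the flags as an argv array (for example to `child_process.spawn`) rather than as one command string is the point of `scanFlags`: policy names chosen interactively can contain spaces and other shell-significant characters, and validating up front gives the user one clear settings error instead of a CLI failure buried in the Output Channel.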
Limitations
Does not support multi-select
Does not support keybindings
Usage
For the most up-to-date usage instructions, see the Wiz documentation.
Release Notes
0.11.2
Improved output for Docker communication errors
0.11.1
Improved sorting in Project selection QuickPick
Updated download links to be architecture specific
0.11.0
Added interactive selection of Directory, IaC, and Image scan policies
Added interactive selection of Project UUID
0.10.0
Added Scan Overview view to the extension drawer
Added additional sanity checks to configuration parameters
0.9.0
Added support for proxy servers using VS Code proxy settings, HTTPS_PROXY or HTTP_PROXY environment variables.
Added support for project-level scoping in Wiz
0.8.0
Added ability to open reports from the Findings Explorer
0.7.0
Added CPE data to Findings Explorer
Added command to run Directory scans
0.6.6
Added right-click IaC scanning for files/folders
Improved workflow to view scan results
0.6.5
Improved authentication flow to only re-auth when needed, saving a few seconds per scan.
Added additional context (expected, found, matched content) to the IaC findings help.
0.6.4
Persist command buttons in the Wiz drawer
Improved workflow to view/manage scan result files
0.6.3
Fixed Docker image enumeration for untagged images
Use the VS Code global storage path when a workspace isn't open
Improved extension configuration validation
0.6.0
Updated the User Experience for the extension to incorporate VS Code UI elements.
Findings now load into the Findings Explorer tree view.
When findings are selected, information is loaded into the Findings Help and the appropriate file is opened where applicable.
Wiz CLI now executes in the background, and utilizes an Output Channel for log messages.
Added Docker image enumeration when selecting to run an image scan.
Refactored the codebase to modularize different components of the extension for easier debugging and workflows.
0.5.0
Updated the Wiz CLI download path to fetch the latest release for the configured environment
Updated Wiz CLI download UX for better notifications and error handling
Added --policy-hits-only parameter and set it as default
Added command for scanning entire VS Code workspace