This repository is dedicated to the development of a VS Code extension for Wiz CLI.
Automates Wiz CLI scan execution through VS Code commands
IaC scanning for selected file/folder in explorer
IaC scanning for current, or selected, workspace folder
Docker image vulnerability/secret scanning
Directory scanning for secrets and binary/library vulnerabilities
Findings from scans are shown in the "Findings Explorer"
Information for each finding is shown in "Findings Help" when selected
Downloads the latest version of Wiz CLI
Shows the version of the currently installed Wiz CLI
The Wiz CLI must be installed on the development machine.
This can be done beforehand, or through the Wiz CLI: Download latest Wiz CLI command.
A Wiz service account with create:security_scans permissions at a minimum.
Adding read:projects allows for interactive project selection.
Adding read:scan_policies allows for interactive policy selection.
Wiz Service Account
Minimum VS Code Version
MacOS and Windows
Terminal Shell Support
cmd.exe, pwsh, powershell, zsh (macos)
Once the extension is installed, you will need to configure the extension with your Wiz service account credentials.
In VS Code, open the Settings editor (on macOS - command + ,; on Windows/Linux - ctrl + ,).
At the top search bar, type “Wiz” to easily locate the extension settings.
Provide the Client ID of your Wiz service account for the Wiz: Client ID setting.
Run the Wiz CLI: Set the Service Account Secret command in the VS Code command palette and supply the Client Secret of your Wiz service account when prompted. At this point, you should be ready to perform scans with the default scan configuration.
(Optional) Adjust scan settings by using the table below.
At this point you should be ready to perform scans with the default scan configuration. If you wish to adjust any scan settings, you can find a full table of configuration options below.
Wiz CLI: Download latest Wiz CLI
Downloads the latest version of Wiz CLI
Wiz CLI: Set the Service Account Secret
Sets the Client Secret for the Wiz service account used by the extension
Wiz CLI: Refresh Scan Results
Refreshes the results in the Findings Explorer section based on the latest scan
Wiz CLI: Directory Scan Selection
Scans a specified directory for secrets and vulnerabilities
Wiz CLI: IaC Scan Selection
Scans the selected item in the Explorer section
Wiz CLI: IaC Scan Workspace Folder
Scans the Workspace folder selected by the user
Wiz CLI: Image Scan
Scans a specified container image for vulnerabilities
Wiz CLI: Open Settings
Opens the VS Code settings for the extension
Wiz CLI: Select Directory Scan Policies
Interactive selection of Directory scan policies
Wiz CLI: Select IaC Scan Policies
Interactive selection of IaC scan policies
Wiz CLI: Select Image Scan Policies
Interactive selection of Image scan policies
Wiz CLI: Show the current version of Wiz CLI
Shows the currently-installed version of Wiz CLI
Wiz CLI: Update Project Setting
Updates the Project UUID for which scans should be scoped
The full path to the Wiz CLI binary, including the file name (e.g. /some/path/wizcli or c:\wiz\wizcli.exe)
The Client ID of a Wiz service account with the minimal required permissions for scans (i.e. create:security_scans)
The secure file path of the encoded Client Secret of the Wiz service account
The Wiz CI/CD Directory policies for scans. This value can be comma separated multi-value
The Wiz CI/CD IaC policies for scans. This value can be comma separated multi-value
The Wiz CI/CD Image policies for scans. This value can be comma separated multi-value
Only display results that failed the applied policies
The UUID of the Wiz project for which scans should be scoped. Defaults to the Wiz service account scope.
The secure directory location to save the Wiz authorization token
Tags in this format: key=value, whose keys are all lowercase. Tags can have no values. Separate tags by using commas. (e.g. owner=FirstName,environment)
The Wiz Environment. Leave blank if uncertain
* All settings changes require a restart of VS Code.
Does not support multi-select
Does not support keybindings
For the most up-to-date usage instructions, please navigate to the Wiz documentation here.
Improved output for Docker communication errors
Improved sorting in Project selection QuickPick
Updated download links to be architecture specific
Added interactive selection of Directory, IaC, and Image scan policies
Added interactive selection of Project UUID
Added Scan Overview view to the extension drawer
Added additional sanity checks to configuration parameters
Added support for proxy servers using VS Code proxy settings, HTTPS_PROXY or HTTP_PROXY environment variables.
Added support for project-level scoping in Wiz
Added ability to open reports from the Findings Explorer
Added CPE data to Findings Explorer
Added command to run Directory scans
Added right-click IaC scanning for files/folders
Improved workflow to view scan results
Improved authentication flow to only re-auth when needed, saving a few seconds per scan.
Added additional context (expected, found, matched content) to the IaC findings help.
Persist command buttons in the Wiz drawer
Improved workflow to view/manage scan result files
Fixed Docker image enumeration for untagged images
Use the VS Code global storage path when a workspace isn't open
Improved extension configuration validation
Updated the User Experience for the extension to incorporate VS Code UI elements.
Findings now load into the Findings Explorer tree view.
When findings are selected, information is loaded into the Findings Help and the appropriate file is opened where applicable.
Wiz CLI now executes in the background, and utilizes an Output Channel for log messages.
Added Docker image enumeration when selecting to run an image scan.
Refactored the codebase to modularize different components of the extension for easier debugging and workflows.
Updated Wiz CLI download path to use latest, and appropriate environment
Updated Wiz CLI download UX for better notifications and error handling
Added --policy-hits-only parameter and set it as default
Added command for scanning entire VS Code workspace