new #23

Workflow file for this run

.github/workflows/security-scans.yml at b5177ef

	name: Run Wiz CLI Directory and IaC Scan

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main

	permissions:
	contents: read
	pull-requests: write
	security-events: write

	# A workflow run is made up of one or more jobs that can run sequentially or in parallel
	jobs:
	Wiz-Security-Scans:
	runs-on: ubuntu-latest
	env:
	WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
	WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
	WIZ_IAC_POLICY: "otlin Default IaC policy"
	WIZ_SECRETS_POLICY: "otlin Default secrets policy"
	WIZ_VULN_POLICY: "otlin Default vulnerabilities policy"

	steps:
	# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
	- name: Checkout
	uses: actions/checkout@v4

	- name: Download Wiz CLI
	run: curl -o wizcli https://wizcli.app.wiz.io/latest/wizcli && chmod +x wizcli

	- name: Authenticate to Wiz
	run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"

	- name: Run Wiz CLI IaC Scan
	run: ./wizcli iac scan --path "." -p "$WIZ_IAC_POLICY" -p "$WIZ_SECRETS_POLICY" --tag github_action_run_id=${{ github.run_id }} -o iac-scan-results.sarif,sarif,true

	- name: Upload SARIF file IaC
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: iac-scan-results.sarif
	category: wiz-iac

	- name: Run Wiz CLI Directory Scan
	run: ./wizcli dir scan --path "." -p "$WIZ_VULN_POLICY" -p "$WIZ_SECRETS_POLICY" --tag github_action_run_id=${{ github.run_id }} -o dir-scan-results.sarif,sarif,true

	- name: Upload SARIF file Dir
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: dir-scan-results.sarif
	category: wiz-dir

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

new #23

Workflow file

new #23

Jobs

Run details

Workflow file for this run