Export findings to Wiz

Learn how to export findings from Endor Labs to Wiz to enable code-to-cloud correlation in the Wiz Security Graph.

This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Learn how to export findings from Endor Labs to Wiz to enable code-to-cloud correlation in the Wiz Security Graph.

Endor Labs provides a holistic view of your code and software supply chain security so you can focus on the findings that matter most. Endor Labs pushes findings to Wiz after every scheduled scan on the default branch and maps them to Wiz’s enrichment schemas.

Export findings from Endor Labs to Wiz by establishing a secure connection with Wiz API endpoints. The integration sends SCA and SAST findings identified during repository scans to Wiz, and Wiz ingests them into the Wiz Security Graph.

Branch restrictions

Wiz exports apply only to the default branch. Currently, you cannot export pull request scans and non-default branch scans.

Prerequisites

Ensure that the following prerequisites are complete:

To use the Endor Labs integration, your Wiz tenant must have the Wiz Code License.
Connect your source code manager to Wiz so that Wiz scans repositories and findings become available. Wiz currently supports the following providers:
- GitHub
- GitLab
- Bitbucket
- Azure DevOps
This connection ensures that REPOSITORY_BRANCH assets exist in Wiz’s inventory. Without this connection, Wiz accepts findings but SKIPS them during ingestion because Wiz cannot resolve the repository.
Add the Endor Labs integration from the Wiz Integration Network. When you create the integration, Wiz shows the required API scopes for the service account. Save the following values because you will need them when creating the Wiz exporter in Endor Labs:
- Client ID
- Client Secret
- API Endpoint URL
- Authentication URL
Download and install endorctl. See Install endorctl.

Create a Wiz exporter

Create a Wiz exporter with the Endor Labs API to configure the export destination and data types.

The following table lists the configuration options required to create the exporter.

Parameter	Description
`<namespace>`	Your Endor Labs namespace.
`<exporter-name>`	A descriptive name for the exporter.
`<api-endpoint-url>`	Your Wiz tenant’s region-specific GraphQL endpoint. For example, `https://api.us18.app.wiz.io/graphql`.
`<auth-endpoint-url>`	The Wiz authentication endpoint. For example, `https://auth.app.wiz.io/oauth/token`.
`<client-id>`	The Client ID from your Wiz service account.
`<client-secret>`	The Client Secret from your Wiz service account.

Run the following command to create a Wiz exporter.

endorctl api create \
  --namespace=<namespace> \
  --resource=Exporter \
  --data '{
    "meta": {
      "name": "<exporter-name>"
    },
    "propagate": true,
    "spec": {
      "exporter_type": "EXPORTER_TYPE_WIZ",
      "wiz_config": {
        "api_endpoint_url": "<api-endpoint-url>",
        "oauth_client_credentials": {
          "auth_endpoint_url": "<auth-endpoint-url>",
          "client_id": "<client-id>",
          "client_secret": "<client-secret>"
        }
      },
      "message_type_configs": [
        {
          "message_type": "MESSAGE_TYPE_FINDING",
          "message_export_format": "MESSAGE_EXPORT_FORMAT_JSON"
        }
      ]
    }
  }'

For example, to create a Wiz exporter named wiz-findings-export in the namespace doe.deer that exports findings to Wiz:

endorctl api create \
  --namespace=doe.deer \
  --resource=Exporter \
  --data '{
    "meta": {
      "name": "wiz-findings-export"
    },
    "propagate": true,
    "spec": {
      "exporter_type": "EXPORTER_TYPE_WIZ",
      "wiz_config": {
        "api_endpoint_url": "https://api.us18.app.wiz.io/graphql",
        "oauth_client_credentials": {
          "auth_endpoint_url": "https://auth.app.wiz.io/oauth/token",
          "client_id": "your-wiz-client-id",
          "client_secret": "your-wiz-client-secret"
        }
      },
      "message_type_configs": [
        {
          "message_type": "MESSAGE_TYPE_FINDING",
          "message_export_format": "MESSAGE_EXPORT_FORMAT_JSON"
        }
      ]
    }
  }'

Configure the scan profile to use the Wiz exporter

After creating the exporter, associate it with your scan profile. You can also set the scan profile as the default for your namespace so all projects use it automatically. See Scan profiles for more information.

Configure the scan profile

Select Settings from the left sidebar.
Select Scan Profiles.
Select the scan profile you want to configure and click Edit Scan Profile.
Select your exporter under Exporters and click Save Scan Profile.

Configure the project to use the scan profile

Associate your project with a scan profile to enable automatic export of scan data.

Select Projects from the left sidebar and select the project you want to configure.
Select Settings and select the scan profile you want to use under Scan Profile.

View findings in Wiz

Once Wiz successfully ingests findings, you can view them directly in the Wiz Findings dashboard. Wiz correlates these findings with your cloud assets and repositories in the Wiz Security Graph. You can filter by origin to easily locate findings from Endor Labs.

Finding lifecycle in Wiz

Endor Labs exports findings to Wiz after every scheduled scan on the default branch. Wiz manages finding state based on data sources:

Full state snapshot: Each upload represents the complete current state of findings for a project and branch. Wiz treats it as a full replacement.
Upload limit: Wiz allows up to three uploads per branch per day. Wiz may not process additional uploads for the same branch within 24 hours.
Automatic resolution: If a finding was present in a previous upload but is absent in the current upload for the same scope, Wiz automatically marks it as resolved and closes any associated Wiz Issues.
Staleness: Findings not refreshed within 7 days are automatically removed by Wiz. Wiz recommends uploading at least every 24 hours to align with their scanning cycle.

Ingestion status

When an upload completes, Wiz processes the results asynchronously.

The following table lists the ingestion outcomes.

Status	Meaning
`PENDING`	Upload is queued; processing has not started.
`IN_PROGRESS`	Wiz is still processing the file.
`SUCCESS`	Wiz ingested all findings and linked them to assets.
`SKIPPED`	Wiz parsed findings but could not resolve assets (repository not connected to Wiz).
`FAILURE`	Schema validation failed or an error occurred.

Note

Even when the system activity status is SUCCESS, Wiz ingests the payload at its own pace. We recommend waiting up to 24 hours for findings to appear in Wiz.

FAQs

Why are findings SKIPPED in Wiz?

Wiz links findings only to existing REPOSITORY_BRANCH assets in Wiz. Connect the SCM to Wiz so that repositories exist in Wiz’s inventory. If the repository is not connected to Wiz, the upload succeeds but Wiz skips the ingestion of the upload.

Can Wiz data be pulled back into Endor Labs?

No, this is a one-way integration that only supports pushing findings from Endor Labs to Wiz.

How long do findings stay in Wiz?

Wiz automatically removes findings that are not refreshed within seven days. To keep your findings current, schedule scans to run regularly. Wiz limits uploads to a maximum of three per branch per day.

When do findings appear in Wiz after an upload?

Even when the system activity status is SUCCESS, Wiz ingests the payload at its own pace. We recommend waiting up to 24 hours for findings to reflect in Wiz.

What happens if a repository has multiple branches?

Endor Labs exports findings to Wiz only from the repository’s default branch. Scans on other branches do not export findings to Wiz.