Wiz
Our Wiz integration allows you to import projects, issues, controls, and serviceTickets from your Wiz account into Port, according to your mapping and definitions.
Common use cases
- Map
projects,issues,controls, andserviceTicketsin your Wiz organization environment. - Watch for object changes (create/update/delete) in real-time, and automatically apply the changes to your entities in Port.
Prerequisites
Port Credentials
To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:
Wiz Credentials
You need the following connection details to configure Wiz:
- Wiz API URL (API Endpoint URL)
- Wiz Token URL
- Client ID and Client Secret
There are two possible endpoints depending on your service account's identity provider:
- Amazon Cognito: https://auth.app.wiz.io/oauth/token
- Auth0: https://auth.wiz.io/oauth/token
Learn more here.
- Finding Your Wiz API URL:
- Login to Wiz account.
- Click the User Profile icon available at the top right of the screen and click the User Settings option.
- Click the Tenant option from the left options menu.
- The system displays the API Endpoint URL.
- Copy and save the API URL to use while configuring the Wiz intergration.
For more details, refer to the documentation
- Getting the Client ID and Client Secret
You must create a service account in Wiz to generate the Client ID and Client Secret. Follow the below steps to get the Client ID and Client Secret:
- Login to Wiz with the Project Admin role.
- Click the Settings icon available at the top-right of the page.
- On the Settings page, Click Service Accounts from the left menu.
- Create a Service Account:
- Click Add Service Account.
- Provide a descriptive Service Account Name.
- Type: Select Custom Integration (GraphQL API).
- Project: Choose the relevant project(s).
- API Scopes: Select only the
read:projectsandread:issuespermissions. - Click Add Service Account at the bottom of the page to save.
- Retrieve Credentials: Wiz will display your Client ID and Client Secret.
- Save Credentials: Copy and store them securely for use in Port.
Installation
Choose one of the following installation methods:
- Hosted by Port
- Real Time & Always On
- Scheduled
Using this installation option means that the integration will be hosted by Port, with a customizable resync interval to ingest data into Port.
To install, follow the following steps:
-
Go to the Data sources page of your portal.
-
Click on the
+ Data sourcebutton in the top-right corner. -
Click on the relevant integration in the list.
-
Under
Select your installation method, chooseHosted by Port. -
Configure the
integration settingsandapplication settingsas you wish (see below for details).
Application settings
Every integration hosted by Port has the following customizable application settings:
-
Resync interval: The frequency at which Port will ingest data from the integration. There are various options available, ranging from every 1 hour to once a day. -
Send raw data examples: A boolean toggle (enabledby default). If enabled, raw data examples will be sent from the integration to Port. These examples are used when testing your mapping configuration, they allow you to run yourjqexpressions against real data and see the results.
Integration settings
Every integration has its own tool-specific settings, under the Integration settings section.
Each of these settings has an ⓘ icon next to it, which you can hover over to see a description of the setting.
Port secrets
Some integration settings require sensitive pieces of data, such as tokens.
For these settings, Port secrets will be used, ensuring that your sensitive data is encrypted and secure.
When changing such a setting, you will be prompted to choose an existing secret or create a new one:
Currently, live events are not supported for integrations hosted by Port.
Resyncs will be performed periodically, based on the Resync interval you have configured, or manually triggered by you via Port's UI.
Therefore, real-time events such as GitOps pushes will not be ingested into Port immediately.
Live events are WIP and will be supported in the future.
Using this installation option means that the integration will be able to update Port in real time using webhooks.
This table summarizes the available parameters for the installation. Set them as you wish in the script below, then copy it and run it in your terminal:
| Parameter | Description | Required |
|---|---|---|
port.clientId | Your port client id (Get the credentials) | ✅ |
port.clientSecret | Your port client secret (Get the credentials) | ✅ |
port.baseUrl | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
integration.identifier | Change the identifier to describe your integration | ✅ |
integration.type | The integration type | ✅ |
integration.eventListener.type | The event listener type | ✅ |
integration.secrets.wizClientId | The Wiz Client ID | ✅ |
integration.secrets.wizClientSecret | The Wiz Client Secret | ✅ |
integration.config.wizApiUrl | The Wiz API URL. | ✅ |
integration.config.wizTokenUrl | The Wiz Token Authentication URL | ✅ |
integration.config.appHost | The host of the Port Ocean app. Used to set up the integration endpoint as the target for Webhooks created in Wiz | ❌ |
integration.secret.wizWebhookVerificationToken | This is a password you create, that is used to verify webhook events to Port | ❌ |
scheduledResyncInterval | The number of minutes between each resync | ❌ |
initializePortResources | Default true, When set to true the integration will create default blueprints and the port App config Mapping | ❌ |
sendRawDataExamples | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
- Helm
- ArgoCD
To install the integration using Helm, run the following command:
helm repo add --force-update port-labs https://port-labs.github.io/helm-charts
helm upgrade --install my-wiz-integration port-labs/port-ocean \
--set port.clientId="PORT_CLIENT_ID" \
--set port.clientSecret="PORT_CLIENT_SECRET" \
--set port.baseUrl="https://api.getport.io" \
--set initializePortResources=true \
--set sendRawDataExamples=true \
--set scheduledResyncInterval=120 \
--set integration.identifier="my-wiz-integration" \
--set integration.type="wiz" \
--set integration.eventListener.type="POLLING" \
--set integration.secrets.wizClientId="WIZ_CLIENT_ID" \
--set integration.secrets.wizClientSecret="WIZ_CLIENT_SECRET" \
--set integration.secrets.wizApiUrl="WIZ_API_URL" \
--set integration.config.wizTokenUrl="WIZ_TOKEN_URL"
The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port, available at https://app.getport.io, your Port API URL is
https://api.getport.io - If you use the US region of Port, available at https://app.us.getport.io, your Port API URL is
https://api.us.getport.io
To install the integration using ArgoCD, follow these steps:
- Create a
values.yamlfile inargocd/my-ocean-wiz-integrationin your git repository with the content:
Remember to replace the placeholders for WIZ_CLIENT_ID, WIZ_CLIENT_SECRET, WIZ_API_URL and WIZ_TOKEN_URL.
initializePortResources: true
scheduledResyncInterval: 120
integration:
identifier: my-ocean-wiz-integration
type: wiz
eventListener:
type: POLLING
config:
wizApiUrl: WIZ_API_URL
wizTokenUrl: WIZ_TOKEN_URL
secrets:
wizClientId: WIZ_CLIENT_ID
wizClientSecret: WIZ_CLIENT_SECRET
- Install the
my-ocean-wiz-integrationArgoCD Application by creating the followingmy-ocean-wiz-integration.yamlmanifest:
Remember to replace the placeholders for YOUR_PORT_CLIENT_ID YOUR_PORT_CLIENT_SECRET and YOUR_GIT_REPO_URL.
Multiple sources ArgoCD documentation can be found here.
ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-ocean-wiz-integration
namespace: argocd
spec:
destination:
namespace: my-ocean-wiz-integration
server: https://kubernetes.default.svc
project: default
sources:
- repoURL: 'https://port-labs.github.io/helm-charts/'
chart: port-ocean
targetRevision: 0.1.14
helm:
valueFiles:
- $values/argocd/my-ocean-wiz-integration/values.yaml
parameters:
- name: port.clientId
value: YOUR_PORT_CLIENT_ID
- name: port.clientSecret
value: YOUR_PORT_CLIENT_SECRET
- name: port.baseUrl
value: https://api.getport.io
- repoURL: YOUR_GIT_REPO_URL
targetRevision: main
ref: values
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- Apply your application manifest with
kubectl:
kubectl apply -f my-ocean-wiz-integration.yaml
For advanced configuration such as proxies or self-signed certificates, click here.
- GitHub
- Jenkins
- Azure Devops
- GitLab
This workflow will run the Wiz integration once and then exit, this is useful for scheduled ingestion of data.
If you want the integration to update Port in real time using webhooks you should use the Real Time & Always On installation option
Make sure to configure the following Github Secrets:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID | The Wiz Client ID token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET | The Wiz Client Secret | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_API_URL | The Wiz API URL e.g. https://api.us17.app.wiz.io/graphql | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL | The Wiz Token URL e.g. https://auth.app.wiz.io/oauth/token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_WEBHOOK_VERIFICATION_TOKEN | The token used to verify webhook requests into Port. | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Provide a unique identifier for your integration. If not provided, the default identifier will be used. | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (Get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client secret (Get the credentials) | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for wiz-integration.yml workflow file:
name: Wiz Exporter Workflow
# This workflow responsible for running Wiz exporter.
on:
workflow_dispatch:
jobs:
run-integration:
runs-on: ubuntu-latest
steps:
- uses: port-labs/ocean-sail@v1
with:
type: 'wiz'
port_client_id: ${{ secrets.OCEAN__PORT__CLIENT_ID }}
port_client_secret: ${{ secrets.OCEAN__PORT__CLIENT_SECRET }}
port_base_url: https://api.getport.io
config: |
wiz_client_id: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID }}
wiz_client_secret: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET }}
wiz_api_url: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_API_URL }}
wiz_token_url: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL }}
This pipeline will run the Wiz integration once and then exit, this is useful for scheduled ingestion of data.
Your Jenkins agent should be able to run docker commands.
If you want the integration to update Port in real time using webhooks you should use the Real Time & Always On installation option.
Make sure to configure the following Jenkins Credentials
of Secret Text type:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID | The Wiz Client ID token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET | The Wiz Client Secret | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_API_URL | The Wiz API URL e.g. https://api.us17.app.wiz.io/graphql | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL | The Wiz Token URL e.g. https://auth.app.wiz.io/oauth/token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_WEBHOOK_VERIFICATION_TOKEN | The token used to verify webhook requests into Port. | ��❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Provide a unique identifier for your integration. If not provided, the default identifier will be used. | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (Get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client secret (Get the credentials) | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for Jenkinsfile groovy pipeline file:
pipeline {
agent any
stages {
stage('Run Wiz Integration') {
steps {
script {
withCredentials([
string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID', variable: 'OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID'),
string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET', variable: 'OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET'),
string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__WIZ_API_URL', variable: 'OCEAN__INTEGRATION__CONFIG__WIZ_API_URL'),
string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL', variable: 'OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL'),
string(credentialsId: 'OCEAN__PORT__CLIENT_ID', variable: 'OCEAN__PORT__CLIENT_ID'),
string(credentialsId: 'OCEAN__PORT__CLIENT_SECRET', variable: 'OCEAN__PORT__CLIENT_SECRET'),
]) {
sh('''
#Set Docker image and run the container
integration_type="wiz"
version="latest"
image_name="ghcr.io/port-labs/port-ocean-${integration_type}:${version}"
docker run -i --rm --platform=linux/amd64 \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID=$OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID \
-e OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET=$OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET \
-e OCEAN__INTEGRATION__CONFIG__WIZ_API_URL=$OCEAN__INTEGRATION__CONFIG__WIZ_API_URL \
-e OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL=$OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL \
-e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
-e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$image_name
exit $?
''')
}
}
}
}
}
}
This pipeline will run the Wiz integration once and then exit, this is useful for scheduled ingestion of data.
Your Azure Devops agent should be able to run docker commands. Learn more about agents here.
If you want the integration to update Port in real time using webhooks you should use the Real Time & Always On installation option.
Variable groups store values and secrets you'll use in your pipelines across your project. Learn more
Setting Up Your Credentials
- Create a Variable Group: Name it port-ocean-credentials. Store the required variables from the table.
- Authorize Your Pipeline:
- Go to "Library" -> "Variable groups."
- Find port-ocean-credentials and click on it.
- Select "Pipeline Permissions" and add your pipeline to the authorized list.
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID | The Wiz Client ID token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET | The Wiz Client Secret | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_API_URL | The Wiz API URL e.g. https://api.us17.app.wiz.io/graphql | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL | The Wiz Token URL e.g. https://auth.app.wiz.io/oauth/token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_WEBHOOK_VERIFICATION_TOKEN | The token used to verify webhook requests into Port. | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Provide a unique identifier for your integration. If not provided, the default identifier will be used. | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (Get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client secret (Get the credentials) | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for wiz-integration.yml pipeline file:
trigger:
- main
pool:
vmImage: "ubuntu-latest"
variables:
- group: port-ocean-credentials
steps:
- script: |
# Set Docker image and run the container
integration_type="wiz"
version="latest"
image_name="ghcr.io/port-labs/port-ocean-$integration_type:$version"
docker run -i --rm \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID=$(OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID) \
-e OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET=$(OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET) \
-e OCEAN__INTEGRATION__CONFIG__WIZ_API_URL=$(OCEAN__INTEGRATION__CONFIG__WIZ_API_URL) \
-e OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL=$(OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL) \
-e OCEAN__PORT__CLIENT_ID=$(OCEAN__PORT__CLIENT_ID) \
-e OCEAN__PORT__CLIENT_SECRET=$(OCEAN__PORT__CLIENT_SECRET) \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$image_name
exit $?
displayName: 'Ingest Data into Port'
This pipeline will run the Wiz integration once and then exit, this is useful for scheduled ingestion of data.
If you want the integration to update Port in real time using webhooks you should use the Real Time & Always On installation option.
Make sure to configure the following GitLab variables:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID | The Wiz Client ID token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET | The Wiz Client Secret | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_API_URL | The Wiz API URL e.g. https://api.us17.app.wiz.io/graphql | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL | The Wiz Token URL e.g. https://auth.app.wiz.io/oauth/token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_WEBHOOK_VERIFICATION_TOKEN | The token used to verify webhook requests into Port. | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Provide a unique identifier for your integration. If not provided, the default identifier will be used. | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (Get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client secret (Get the credentials) | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for .gitlab-ci.yml pipeline file:
default:
image: docker:24.0.5
services:
- docker:24.0.5-dind
before_script:
- docker info
variables:
INTEGRATION_TYPE: wiz
VERSION: latest
stages:
- ingest
ingest_data:
stage: ingest
variables:
IMAGE_NAME: ghcr.io/port-labs/port-ocean-$INTEGRATION_TYPE:$VERSION
script:
- |
docker run -i --rm --platform=linux/amd64 \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID=$OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID \
-e OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET=$OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET \
-e OCEAN__INTEGRATION__CONFIG__WIZ_API_URL=$OCEAN__INTEGRATION__CONFIG__WIZ_API_URL \
-e OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL=$OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL \
-e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
-e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$IMAGE_NAME
rules: # Run only when changes are made to the main branch
- if: '$CI_COMMIT_BRANCH == "main"'
The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port, available at https://app.getport.io, your Port API URL is
https://api.getport.io - If you use the US region of Port, available at https://app.us.getport.io, your Port API URL is
https://api.us.getport.io
For advanced configuration such as proxies or self-signed certificates, click here.
Ingesting Wiz objects
The Wiz integration uses a YAML configuration to describe the process of loading data into the developer portal.
Here is an example snippet from the config which demonstrates the process for getting project data from Wiz:
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: project
selector:
query: 'true'
port:
entity:
mappings:
blueprint: '"wizProject"'
identifier: .id
title: .name
properties:
archived: .archived
businessUnit: .businessUnit
description: .description
The integration makes use of the JQ JSON processor to select, modify, concatenate, transform and perform other operations on existing fields and values from Wiz's API events.
Configuration structure
The integration configuration determines which resources will be queried from Wiz, and which entities and properties will be created in Port.
-
The root key of the integration configuration is the
resourceskey:resources:
- kind: project
selector:
... -
The
kindkey is a specifier for a Wiz object:resources:
- kind: project
selector:
... -
The
selectorand thequerykeys allow you to filter which objects of the specifiedkindwill be ingested into your software catalog:resources:
- kind: project
selector:
query: "true" # JQ boolean expression. If evaluated to false - this object will be skipped.
port: -
The
port,entityand themappingskeys are used to map the Wiz object fields to Port entities. To create multiple mappings of the same kind, you can add another item in theresourcesarray;resources:
- kind: project
selector:
query: "true"
port:
entity:
mappings: # Mappings between one Wiz object to a Port entity. Each value is a JQ query.
identifier: .id
title: .attributes.name
blueprint: '"wizProject"'
identifier: .id
title: .name
properties:
archived: .archived
businessUnit: .businessUnit
description: .description
- kind: project # In this instance project is mapped again with a different filter
selector:
query: '.name == "MyProjectName"'
port:
entity:
mappings: ...Blueprint keyNote the value of the
blueprintkey - if you want to use a hardcoded string, you need to encapsulate it in 2 sets of quotes, for example use a pair of single-quotes (') and then another pair of double-quotes (")
Ingest data into Port
To ingest Wiz objects using the integration configuration, you can follow the steps below:
- Go to the DevPortal Builder page.
- Select a blueprint you want to ingest using Wiz.
- Choose the Ingest Data option from the menu.
- Select Wiz under the Code quality & security providers category.
- Modify the configuration according to your needs.
- Click
Resync.
Examples
Examples of blueprints and the relevant integration configurations:
Project
Project blueprint
{
"identifier": "wizProject",
"description": "This blueprint represents a wiz project",
"title": "Wiz Project",
"icon": "Box",
"schema": {
"properties": {
"archived": {
"type": "boolean",
"title": "Archived?",
"description": "Is the project archived?"
},
"businessUnit": {
"type": "string",
"title": "Business Unit",
"description": "the business unit of the project"
},
"description": {
"type": "string",
"title": "Description",
"description": "the project description"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {
"issues": {
"target": "wizIssue",
"title": "Issues",
"description": "The issues affecting this project",
"required": false,
"many": true
}
}
}
Integration configuration
resources:
- kind: project
selector:
query: 'true'
port:
entity:
mappings:
blueprint: '"wizProject"'
identifier: .id
title: .name
properties:
archived: .archived
businessUnit: .businessUnit
description: .description
Control
Control blueprint
{
"identifier": "wizControl",
"description": "This blueprint represents a wiz source rule",
"title": "Wiz Control",
"icon": "Flag",
"schema": {
"properties": {
"controlDescription": {
"type": "string",
"title": "Control Description",
"description": "the control description"
},
"resolutionRecommendation": {
"type": "string",
"title": "Control Recommendation",
"description": "the control recommendation on resolving issues"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: control
selector:
query: 'true'
port:
entity:
mappings:
blueprint: '"wizControl"'
identifier: .id
title: .name
properties:
controlDescription: .controlDescription
resolutionRecommendation: .resolutionRecommendation
Issue
Issue blueprint
{
"identifier": "wizIssue",
"description": "This blueprint represents a wiz issue",
"title": "Wiz Issue",
"icon": "Alert",
"schema": {
"properties": {
"url": {
"type": "string",
"title": "Issue URL",
"format": "url",
"description": "the link to the issue"
},
"status": {
"title": "Status",
"type": "string",
"enum": [
"OPEN",
"IN_PROGRESS",
"RESOLVED",
"REJECTED"
],
"enumColors": {
"OPEN": "blue",
"IN_PROGRESS": "orange",
"RESOLVED": "green",
"REJECTED": "darkGray"
}
},
"severity": {
"title": "Severity",
"type": "string",
"enum": [
"INFORMATIONAL",
"LOW",
"MEDIUM",
"HIGH",
"CRITICAL"
],
"enumColors": {
"INFORMATIONAL": "blue",
"LOW": "yellow",
"MEDIUM": "orange",
"HIGH": "red",
"CRITICAL": "red"
}
},
"vulnerabilityType": {
"title": "Vulnerability Type",
"type": "string"
},
"wizIssueID": {
"title": "Wiz Issue ID",
"type": "string"
},
"cloudResourceType": {
"title": "Cloud Resource Type",
"type": "string"
},
"resourceName": {
"title": "Resource Name",
"type": "string"
},
"cloudPlatform": {
"title": "Cloud Platform",
"type": "string"
},
"linkToResource": {
"title": "Link to Cloud Resource",
"type": "string",
"format": "url"
},
"cloudResourceID": {
"title": "Cloud Resource ID",
"type": "string"
},
"cloudRegion": {
"title": "Cloud Region",
"type": "string"
},
"resourceGroupExternalId": {
"title": "Resource Group External ID",
"type": "string"
},
"subscriptionExternalId": {
"title": "Subscription External ID",
"type": "string"
},
"subscriptionName": {
"title": "Subscription Name",
"type": "string"
},
"subscriptionTags": {
"title": "Subscription Tags",
"type": "object"
},
"resourceTags": {
"title": "Resource Tags",
"type": "object"
},
"vulnerability": {
"title": "Vulnerability",
"type": "object",
"description": "The identified security risk"
},
"notes": {
"title": "Notes",
"type": "array"
},
"createdAt": {
"title": "Created At",
"type": "string",
"format": "date-time"
},
"updatedAt": {
"title": "Updated At",
"type": "string",
"format": "date-time"
},
"dueAt": {
"title": "Due At",
"type": "string",
"format": "date-time"
},
"resolvedAt": {
"title": "Resolved At",
"type": "string",
"format": "date-time"
},
"statusChangedAt": {
"title": "Status ChangedAt",
"type": "string",
"format": "date-time"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {
"projects": {
"target": "wizProject",
"title": "Affected Projects",
"description": "The projects affected by this issue",
"required": false,
"many": true
},
"serviceTickets": {
"target": "wizServiceTicket",
"title": "Service Tickets",
"description": "The service tickets belonging to this issue",
"required": false,
"many": true
},
"control": {
"target": "wizControl",
"title": "Control",
"description": "The control that flagged this issue",
"required": false,
"many": false
}
}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: issue
selector:
query: 'true'
port:
entity:
mappings:
blueprint: '"wizIssue"'
identifier: .id
title: .entitySnapshot.name + " | " + .entitySnapshot.type
properties:
url: .id as $id | "https://app.wiz.io/issues#~(issue~'" + $id + ")"
status: .status
severity: .severity
vulnerabilityType: .type
notes: .notes
wizIssueID: .entitySnapshot.id
cloudResourceType: .entitySnapshot.type
resourceName: .entitySnapshot.name
cloudPlatform: .entitySnapshot.cloudPlatform
linkToResource: if .entitySnapshot.cloudProviderURL == "" then null else .entitySnapshot.cloudProviderURL end
cloudResourceID: .entitySnapshot.providerId
cloudRegion: .entitySnapshot.region
resourceGroupExternalId: .entitySnapshot.resourceGroupExternalId
subscriptionExternalId: .entitySnapshot.subscriptionExternalId
subscriptionName: .entitySnapshot.subscriptionName
subscriptionTags: .entitySnapshot.subscriptionTags
resourceTags: .entitySnapshot.tags
vulnerability: .entitySnapshot
createdAt: .createdAt
updatedAt: .updatedAt
statusChangedAt: .statusChangedAt
resolvedAt: .resolvedAt
relations:
projects: .projects[].id
serviceTickets: .serviceTickets[].externalId
control: .sourceRule.id
Service Ticket
Service Ticket blueprint
{
"identifier": "wizServiceTicket",
"description": "This blueprint represents a wiz service ticket",
"title": "Wiz Service Ticket",
"icon": "Book",
"schema": {
"properties": {
"url": {
"type": "string",
"title": "Ticket URL",
"format": "url",
"description": "the service ticket URL"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: serviceTicket
selector:
query: 'true'
port:
entity:
mappings:
blueprint: '"wizServiceTicket"'
identifier: .externalId
title: .name
properties:
url: .url
Alternative installation via webhook
While the Ocean integration described above is the recommended installation method, you may prefer to use a webhook to ingest data from Wiz. If so, use the following instructions:
Webhook installation (click to expand)
In this example you are going to create a webhook integration between Wiz and Port, which will ingest Wiz issue entities into Port.
Port configuration
Create the following blueprint definition:
Wiz issue blueprint
{
"identifier": "wizIssue",
"description": "This blueprint represents a wiz issue",
"title": "Wiz Issue",
"icon": "Alert",
"schema": {
"properties": {
"status": {
"title": "Status",
"type": "string",
"enum": [
"OPEN",
"IN_PROGRESS",
"RESOLVED",
"REJECTED"
],
"enumColors": {
"OPEN": "blue",
"IN_PROGRESS": "orange",
"RESOLVED": "green",
"REJECTED": "darkGray"
}
},
"severity": {
"title": "Severity",
"type": "string",
"enum": [
"INFORMATIONAL",
"LOW",
"MEDIUM",
"HIGH",
"CRITICAL"
],
"enumColors": {
"INFORMATIONAL": "blue",
"LOW": "yellow",
"MEDIUM": "orange",
"HIGH": "red",
"CRITICAL": "red"
}
},
"control": {
"title": "Control",
"type": "string",
"description": "A security graph query defining a risk"
},
"vulnerability": {
"title": "Vulnerability",
"type": "object",
"description": "The identified security risk"
},
"createdAt": {
"title": "Created At",
"type": "string",
"format": "date-time"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {}
}
Create the following webhook configuration using Port's UI
Wiz issue webhook configuration
-
Basic details tab - fill the following details:
- Title :
Wiz Mapper; - Identifier :
wiz_mapper; - Description :
A webhook configuration to map Wiz issues to Port; - Icon :
Box;
- Title :
-
Integration configuration tab - fill the following JQ mapping:
[
{
"blueprint": "wizIssue",
"entity": {
"identifier": ".body.issue.id",
"title": ".body.resource.name",
"properties": {
"status": ".body.issue.status",
"severity": ".body.issue.severity",
"control": ".body.control.name",
"vulnerability": ".body.resource",
"createdAt": ".body.issue.created"
}
}
}
]
Create a webhook in Wiz
- Send an email to win@wiz.io requesting for access to the developer documentation or reach out to your Wiz account manager.
- Follow this guide in the documentation to create a webhook.
Done! Any issue created in Wiz will trigger a webhook event to the webhook URL provided by Port. Port will parse the events according to the mapping and update the catalog entities accordingly.
Let's Test It
This section includes a sample response data from Wiz. In addition, it includes the entity created from the resync event based on the Ocean configuration provided in the previous section.
Payload
Here is an example of the payload structure from Wiz:
Project response data
{
"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178",
"name": "Project1",
"isFolder": false,
"archived": false,
"businessUnit": "Dev",
"description": "Test project"
}
Control response data
{
"__typename": "Control",
"id": "9d7ef6e4-baed-47ba-99ec-a78a801f1e19",
"name": "Publicly Exposed Assets with DataFindings ",
"controlDescription": "",
"resolutionRecommendation": "",
"securitySubCategories": [
{
"title": "Data Security",
"category": {
"name": "8 Data Security",
"framework": {
"name": "Wiz"
}
}
}
]
}
Issue response data
{
"id": "fffedba9-587f-4251-8c96-d966c183f10c",
"sourceRule": {
"__typename": "Control",
"id": "9d7ef6e4-baed-47ba-99ec-a78a801f1e19",
"name": "Publicly Exposed Assets with DataFindings ",
"controlDescription": "",
"resolutionRecommendation": "",
"securitySubCategories": [
{
"title": "Data Security",
"category": {
"name": "8 Data Security",
"framework": {
"name": "Wiz"
}
}
}
]
},
"createdAt": "2023-08-23T07:56:09.903743Z",
"updatedAt": "2023-09-12T08:33:16.327851Z",
"dueAt": null,
"type": "TOXIC_COMBINATION",
"resolvedAt": "2023-08-30T08:17:54.613564Z",
"statusChangedAt": "2023-08-30T08:17:54.613564Z",
"projects": [
{
"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178",
"name": "Project1",
"slug": "project1",
"businessUnit": "Dev",
"riskProfile": {
"businessImpact": "MBI"
}
}
],
"status": "RESOLVED",
"severity": "HIGH",
"entitySnapshot": {
"id": "3d7dafdc-0087-55e0-81fd-a9e2b152fb47",
"type": "DATA_FINDING",
"nativeType": "",
"name": "GDPR 2415",
"status": null,
"cloudPlatform": null,
"cloudProviderURL": "",
"providerId": "data##wizt-recEIECHXqlRPMZRw##wfke-jpb8-twwk-l7mm",
"region": "",
"resourceGroupExternalId": "",
"subscriptionExternalId": "",
"subscriptionName": "",
"subscriptionTags": null,
"tags": {},
"externalId": "data##wizt-recEIECHXqlRPMZRw##wfke-jpb8-twwk-l7mm"
},
"serviceTickets": [],
"notes": [
{
"createdAt": "2023-09-12T08:33:16.29091Z",
"updatedAt": "2023-09-12T08:33:16.366971Z",
"text": "test",
"user": null,
"serviceAccount": {
"name": "bot-ise"
}
},
{
"createdAt": "2023-09-12T08:22:20.13926Z",
"updatedAt": "2023-09-12T08:33:16.369728Z",
"text": "test",
"user": null,
"serviceAccount": {
"name": "bot-ise"
}
},
{
"createdAt": "2023-09-12T08:21:49.663314Z",
"updatedAt": "2023-09-12T08:33:16.371541Z",
"text": "test",
"user": null,
"serviceAccount": {
"name": "bot-ise"
}
}
]
}
Service Ticket response data
{
"externalId": "data##wizt-customID##ja63-kx0z-f27x-mpvl",
"name": "Security Vulnerability in AWS S3 Bucket",
"url": "https://api.wiz.com/wiz/service-tickets/data##wizt-customID##ja63-kx0z-f27x-mpvl"
}
Mapping Result
The combination of the sample payload and the Ocean configuration generates the following Port entity:
Project entity in Port(Click to expand)
{
"identifier": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178",
"title": "Project1",
"blueprint": "wizProject",
"team": [],
"icon": "NewRelic",
"properties": {
"archived": false,
"businessUnit": "Dev",
"description": "Test project"
},
"createdAt": "2024-2-6T09:30:57.924Z",
"createdBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW",
"updatedAt": "2024-2-6T11:49:20.881Z",
"updatedBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW"
}
Control entity in Port(Click to expand)
{
"identifier": "9d7ef6e4-baed-47ba-99ec-a78a801f1e19",
"title": "Publicly Exposed Assets with DataFindings",
"blueprint": "wizControl",
"icon": "Flag",
"properties": {
"controlDescription": "",
"resolutionRecommendation": ""
},
"createdAt": "2024-2-6T09:30:57.924Z",
"createdBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW",
"updatedAt": "2024-2-6T11:49:20.881Z",
"updatedBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW"
}
Issue entity in Port(Click to expand)
{
"identifier": "fffedba9-587f-4251-8c96-d966c183f10c",
"title": "GDPR 2415 | DATA_FINDING",
"blueprint": "wizIssue",
"icon": "Alert",
"properties": {
"url": "https://app.wiz.io/issues#~(issue~'fffedba9-587f-4251-8c96-d966c183f10c)",
"status": "RESOLVED",
"severity": "HIGH",
"type": "TOXIC_COMBINATION",
"notes": [],
"vulnerability": {
"id": "3d7dafdc-0087-55e0-81fd-a9e2b152fb47",
"type": "DATA_FINDING",
"nativeType": "",
"name": "GDPR 2415",
"status": null,
"cloudPlatform": null,
"cloudProviderURL": "",
"providerId": "data##wizt-recEIECHXqlRPMZRw##wfke-jpb8-twwk-l7mm",
"region": "",
"resourceGroupExternalId": "",
"subscriptionExternalId": "",
"subscriptionName": "",
"subscriptionTags": null,
"tags": {},
"externalId": "data##wizt-recEIECHXqlRPMZRw##wfke-jpb8-twwk-l7mm"
},
"createdAt": "2023-08-23T07:56:09.903743Z",
"updatedAt": "2023-09-12T08:33:16.327851Z",
"resolvedAt": "2023-08-30T08:17:54.613564Z",
"statusChangedAt": "2023-08-30T08:17:54.613564Z",
},
"relations": {
"projects": ["d6ac50bb-aec0-52fc-80ab-bacd7b02f178"],
"serviceTickets": [],
"control": "9d7ef6e4-baed-47ba-99ec-a78a801f1e19"
},
"createdAt": "2023-08-23T07:56:09.903743Z",
"createdBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW",
"updatedAt": "2023-09-12T08:33:16.327851Z",
"updatedBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW"
}
Service Ticket entity in Port(Click to expand)
{
"identifier": "data##wizt-customID##ja63-kx0z-f27x-mpvl",
"title": "Security Vulnerability in AWS S3 Bucket",
"blueprint": "serviceTicket",
"icon": "Book",
"properties": {
"url": "https://api.wiz.com/wiz/service-tickets/data##wizt-customID##ja63-kx0z-f27x-mpvl"
},
"relations": {},
"createdAt": "2023-08-23T07:56:09.903743Z",
"createdBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW",
"updatedAt": "2023-09-12T08:33:16.327851Z",
"updatedBy": "hBx3VFZjqgLPEoQLp7POx5XaoB0cgsxW"
}