Wiz
Our Wiz integration allows you to import projects
, issues
, controls
, and serviceTickets
from your Wiz account into Port, according to your mapping and definitions.
Common use cases
- Map
projects
,issues
,controls
, andserviceTickets
in your Wiz organization environment. - Watch for object changes (create/update/delete) in real-time, and automatically apply the changes to your entities in Port.
Prerequisites
Port Credentials
To get your Port credentials, go to your Port application, click on the ...
button in the top right corner, and select Credentials
. Here you can view and copy your CLIENT_ID
and CLIENT_SECRET
:
![](/img/software-catalog/credentials-modal.png)
Wiz Credentials
You need the following connection details to configure Wiz:
- Wiz API URL (API Endpoint URL)
- Wiz Token URL
- Client ID and Client Secret
There are two possible endpoints depending on your service account's identity provider:
- Amazon Cognito: https://auth.app.wiz.io/oauth/token
- Auth0: https://auth.wiz.io/oauth/token
Learn more here.
- Finding Your Wiz API URL:
- Login to Wiz account.
- Click the User Profile icon available at the top right of the screen and click the User Settings option.
- Click the Tenant option from the left options menu.
- The system displays the API Endpoint URL.
- Copy and save the API URL to use while configuring the Wiz intergration.
![](/img/build-your-software-catalog/sync-data-to-catalog/code-quality-security/wizApiUrl.png)
For more details, refer to the documentation
- Getting the Client ID and Client Secret
You must create a service account in Wiz to generate the Client ID and Client Secret. Follow the below steps to get the Client ID and Client Secret:
- Login to Wiz with the Project Admin role.
- Click the Settings icon available at the top-right of the page.
![](/img/build-your-software-catalog/sync-data-to-catalog/code-quality-security/wizAddSvcAccount.png)
- On the Settings page, Click Service Accounts from the left menu.
- Create a Service Account:
- Click Add Service Account.
- Provide a descriptive Service Account Name.
- Type: Select Custom Integration (GraphQL API).
- Project: Choose the relevant project(s).
- API Scopes: Select only the
read:projects
andread:issues
permissions. - Click Add Service Account at the bottom of the page to save.
![](/img/build-your-software-catalog/sync-data-to-catalog/code-quality-security/wizCreds.png)
- Retrieve Credentials: Wiz will display your Client ID and Client Secret.
- Save Credentials: Copy and store them securely for use in Port.
![](/img/build-your-software-catalog/sync-data-to-catalog/code-quality-security/wizSecrets.png)
Installation
Choose one of the following installation methods:
- Hosted by Port
- Real Time & Always On
- Scheduled
Using this installation option means that the integration will be hosted by Port, with a customizable resync interval to ingest data into Port.
To install, follow the following steps:
-
Go to the Data sources page of your portal.
-
Click on the
+ Data source
button in the top-right corner. -
Click on the relevant integration in the list.
-
Under
Select your installation method
, chooseHosted by Port
. -
Configure the
integration settings
andapplication settings
as you wish (see below for details).
Application settings
Every integration hosted by Port has the following customizable application settings:
-
Resync interval
: The frequency at which Port will ingest data from the integration. There are various options available, ranging from every 1 hour to once a day. -
Send raw data examples
: A boolean toggle (enabled
by default). If enabled, raw data examples will be sent from the integration to Port. These examples are used when testing your mapping configuration, they allow you to run yourjq
expressions against real data and see the results.
Integration settings
Every integration has its own tool-specific settings, under the Integration settings
section.
Each of these settings has an ⓘ icon next to it, which you can hover over to see a description of the setting.
Port secrets
Some integration settings require sensitive pieces of data, such as tokens.
For these settings, Port secrets will be used, ensuring that your sensitive data is encrypted and secure.
When changing such a setting, you will be prompted to choose an existing secret or create a new one:
![](/img/build-your-software-catalog/sync-data-to-catalog/oceanSaasSecretExample.png)
Currently, live events are not supported for integrations hosted by Port.
Resyncs will be performed periodically, based on the Resync interval
you have configured, or manually triggered by you via Port's UI.
Therefore, real-time events such as GitOps pushes will not be ingested into Port immediately.
Live events are WIP and will be supported in the future.
Using this installation option means that the integration will be able to update Port in real time using webhooks.
This table summarizes the available parameters for the installation. Set them as you wish in the script below, then copy it and run it in your terminal:
Parameter | Description | Required |
---|---|---|
port.clientId | Your port client id (Get the credentials) | ✅ |
port.clientSecret | Your port client secret (Get the credentials) | ✅ |
port.baseUrl | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
integration.identifier | Change the identifier to describe your integration | ✅ |
integration.type | The integration type | ✅ |
integration.eventListener.type | The event listener type | ✅ |
integration.secrets.wizClientId | The Wiz Client ID | ✅ |
integration.secrets.wizClientSecret | The Wiz Client Secret | ✅ |
integration.config.wizApiUrl | The Wiz API URL. | ✅ |
integration.config.wizTokenUrl | The Wiz Token Authentication URL | ✅ |
integration.config.appHost | The host of the Port Ocean app. Used to set up the integration endpoint as the target for Webhooks created in Wiz | ❌ |
integration.secret.wizWebhookVerificationToken | This is a password you create, that is used to verify webhook events to Port | ❌ |
scheduledResyncInterval | The number of minutes between each resync | ❌ |
initializePortResources | Default true, When set to true the integration will create default blueprints and the port App config Mapping | ❌ |
sendRawDataExamples | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
- Helm
- ArgoCD
To install the integration using Helm, run the following command:
helm repo add --force-update port-labs https://port-labs.github.io/helm-charts
helm upgrade --install my-wiz-integration port-labs/port-ocean \
--set port.clientId="PORT_CLIENT_ID" \
--set port.clientSecret="PORT_CLIENT_SECRET" \
--set port.baseUrl="https://api.getport.io" \
--set initializePortResources=true \
--set sendRawDataExamples=true \
--set scheduledResyncInterval=120 \
--set integration.identifier="my-wiz-integration" \
--set integration.type="wiz" \
--set integration.eventListener.type="POLLING" \
--set integration.secrets.wizClientId="WIZ_CLIENT_ID" \
--set integration.secrets.wizClientSecret="WIZ_CLIENT_SECRET" \
--set integration.secrets.wizApiUrl="WIZ_API_URL" \
--set integration.config.wizTokenUrl="WIZ_TOKEN_URL"
The baseUrl
, port_region
, port.baseUrl
, portBaseUrl
, port_base_url
and OCEAN__PORT__BASE_URL
parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port, available at https://app.getport.io, your Port API URL is
https://api.getport.io
- If you use the US region of Port, available at https://app.us.getport.io, your Port API URL is
https://api.us.getport.io
To install the integration using ArgoCD, follow these steps:
- Create a
values.yaml
file inargocd/my-ocean-wiz-integration
in your git repository with the content:
Remember to replace the placeholders for WIZ_CLIENT_ID
, WIZ_CLIENT_SECRET
, WIZ_API_URL
and WIZ_TOKEN_URL
.
initializePortResources: true
scheduledResyncInterval: 120
integration:
identifier: my-ocean-wiz-integration
type: wiz
eventListener:
type: POLLING
config:
wizApiUrl: WIZ_API_URL
wizTokenUrl: WIZ_TOKEN_URL
secrets:
wizClientId: WIZ_CLIENT_ID
wizClientSecret: WIZ_CLIENT_SECRET
- Install the
my-ocean-wiz-integration
ArgoCD Application by creating the followingmy-ocean-wiz-integration.yaml
manifest:
Remember to replace the placeholders for YOUR_PORT_CLIENT_ID
YOUR_PORT_CLIENT_SECRET
and YOUR_GIT_REPO_URL
.
Multiple sources ArgoCD documentation can be found here.
ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-ocean-wiz-integration
namespace: argocd
spec:
destination:
namespace: my-ocean-wiz-integration
server: https://kubernetes.default.svc
project: default
sources:
- repoURL: 'https://port-labs.github.io/helm-charts/'
chart: port-ocean
targetRevision: 0.1.14
helm:
valueFiles:
- $values/argocd/my-ocean-wiz-integration/values.yaml
parameters:
- name: port.clientId
value: YOUR_PORT_CLIENT_ID
- name: port.clientSecret
value: YOUR_PORT_CLIENT_SECRET
- name: port.baseUrl
value: https://api.getport.io
- repoURL: YOUR_GIT_REPO_URL
targetRevision: main
ref: values
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- Apply your application manifest with
kubectl
:
kubectl apply -f my-ocean-wiz-integration.yaml
For advanced configuration such as proxies or self-signed certificates, click here.
- GitHub
- Jenkins
- Azure Devops
- GitLab
This workflow will run the Wiz integration once and then exit, this is useful for scheduled ingestion of data.
If you want the integration to update Port in real time using webhooks you should use the Real Time & Always On installation option
Make sure to configure the following Github Secrets:
Parameter | Description | Required |
---|---|---|
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID | The Wiz Client ID token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET | The Wiz Client Secret | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_API_URL | The Wiz API URL e.g. https://api.us17.app.wiz.io/graphql | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL | The Wiz Token URL e.g. https://auth.app.wiz.io/oauth/token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_WEBHOOK_VERIFICATION_TOKEN | The token used to verify webhook requests into Port. | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Provide a unique identifier for your integration. If not provided, the default identifier will be used. | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (Get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client secret (Get the credentials) | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for wiz-integration.yml
workflow file:
name: Wiz Exporter Workflow
# This workflow responsible for running Wiz exporter.
on:
workflow_dispatch:
jobs:
run-integration:
runs-on: ubuntu-latest
steps:
- uses: port-labs/ocean-sail@v1
with:
type: 'wiz'
port_client_id: ${{ secrets.OCEAN__PORT__CLIENT_ID }}
port_client_secret: ${{ secrets.OCEAN__PORT__CLIENT_SECRET }}
port_base_url: https://api.getport.io
config: |
wiz_client_id: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID }}
wiz_client_secret: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET }}
wiz_api_url: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_API_URL }}
wiz_token_url: ${{ secrets.OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL }}
This pipeline will run the Wiz integration once and then exit, this is useful for scheduled ingestion of data.
Your Jenkins agent should be able to run docker commands.
If you want the integration to update Port in real time using webhooks you should use the Real Time & Always On installation option.
Make sure to configure the following Jenkins Credentials
of Secret Text
type:
Parameter | Description | Required |
---|---|---|
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_ID | The Wiz Client ID token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_CLIENT_SECRET | The Wiz Client Secret | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_API_URL | The Wiz API URL e.g. https://api.us17.app.wiz.io/graphql | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_TOKEN_URL | The Wiz Token URL e.g. https://auth.app.wiz.io/oauth/token | ✅ |
OCEAN__INTEGRATION__CONFIG__WIZ_WEBHOOK_VERIFICATION_TOKEN | The token used to verify webhook requests into Port. |