Imagine a control tower that monitors and actively secures your codebase across version control systems (VCS). With Wiz’s latest GitLab and Azure DevOps integrations, you get a unified security solution that protects your code–wherever it lives. In this blog, we’ll dive into how Wiz leverages its Security Graph, ensures comprehensive configuration checks, and advanced code scanning to secure your code and the entire development pipeline.
The Wiz Security Graph: Delivering a Holistic View
The Security Graph is the backbone of the Wiz platform. It helps users visualize code repositories by integrating VCS organization accounts as Cloud Organizations and provides a holistic view of development environments with the details that matter repositories details, branches, teams, and user roles. This allows security teams to query and visualize the technological footprint, ownership, and structure of their codebase, facilitating better security oversight.
Understanding Ownership and Responsibility
Effective risk management requires a clear understanding of ownership within the development environment. The Wiz Security Graph can be queried to surface relationships between VCS instances or organizations and their users. This includes access role bindings to identify admins, members, and collaborators, mirroring VCS team structures in the Security Graph. Clear ownership context is essential for timely and efficient remediation of critical vulnerabilities.
Advanced Code Scanning, Coupled with VCS Configuration Checks
Wiz empowers organizations to secure cloud-native application development by deploying a host of scanners to source code, via native VCS integrations, to look for:
Vulnerabilities: Wiz detects vulnerabilities and license risks in third-party code libraries–helping you mitigate potential threats from direct and transitive dependencies.
IaC Misconfigurations: Wiz deploys over 1,400 rules to detect misconfigurations in Infrastructure as Code (IaC) templates such as Terraform, CloudFormation, Kubernetes, and more. This ensures that your infrastructure is secure from the ground up.
Secrets and Sensitive Data: With over 150 rules, Wiz detects the exposure of secrets like cloud and SaaS API tokens, database credentials, and sensitive data (e.g., PII, PHI, financial information) in code.
Malware: Wiz extends its malicious software and malware detection (hash-based and pattern-based) to code repositories to keep it from spreading to your CI runners and other workloads.
Organizations looking to execute a layered security strategy can also leverage the WizCLI to scan code and container images in CI pipelines. This approach complements code repository scanning (scheduled or when developers create pull requests) and creates an additional line of defense.
The WizCLI can be easily integrated within any CI/CD workflow, including those managed through GitHub Actions, GitLab CI/CD, and Azure Pipelines, by adding just a few lines to the existing configuration files. WizCLI and VCS integrations are powered by the same and one unified security policy engine. In addition, a unified view of both code and CI/CD scan findings is available, streamlining the security review process.
Often overlooked is the security posture of VCS systems, which if not managed correctly, expands the source and build systems’ attack surface. Wiz addresses this by taking a holistic approach to secure both code and build systems that comprise the software pipeline. Wiz monitors the configuration and posture of your build systems. The net result is secure code, delivered through a hardened and trusted software pipeline.
Comprehensive Rules Coverage: Wiz implements over 40 Cloud Configuration Rules targeting VCS settings, ensuring secure configurations for authentication, access controls, workflow permissions, and logging. These rules map to industry standards such as OpenSSF SCM Best Practices, OWASP TOP10 CI/CD risks, GitHub CIS, and GitLab CIS benchmarks.
Contextualized Security Findings: By correlating code vulnerabilities with VCS and CI/CD context, Wiz provides deep insights into potential risks. For instance, it highlights repositories building Docker containers or Kubernetes clusters with high privileges that may bypass critical security measures, such as requiring code reviews or mandatory checks to pass before merging into the default branch. It also highlights hardcoded cloud secrets that enable lateral movement across accounts or access to sensitive data hosted in static storage services.
Prioritized Risk and Attack Paths: The contextual analysis offered by Wiz allows for the prioritization of toxic combinations affecting your business-critical resources first.
The version control repositories page features a comprehensive table listing all repositories within your monitored perimeter. After the initial scan of the default branch for each repository, Wiz populates the health status and categorizes findings by severity across vulnerabilities, misconfigurations, secrets, and more. This data is continuously refreshed and re-evaluated with each new scan or pull request merge, to show the latest state.
Getting Started with Wiz for GitHub, GitLab, and Azure DevOps
Start your journey toward a secure development environment by gaining visibility into risks across your GitHub, GitLab, and Azure DevOps assets. Read the latest docs to integrate Wiz with your version control systems and immediately start addressing vulnerabilities, misconfigurations, secrets, and more.
For a deeper dive, schedule a demo with our team and discover how Wiz can transform your approach to secure cloud-native application development.
