Categories
Infrastructure Scanning
Integrates With
Wiz Img Scanner
Wiz IaC Scanner
Wiz Dir Scanner
File Types
CSV
Wiz
Wiz Integration with DefectDojo
Wiz gives security teams visibility into cloud risk that traditional scanners were never designed to provide — not just individual misconfigurations or CVEs, but the relationships between them: the exposed S3 bucket connected to an over-privileged role connected to a workload running a critical vulnerability. That context is genuinely valuable for prioritization. What Wiz doesn't provide is a vulnerability management workflow: persistent finding records, SLA enforcement, remediation assignment across teams, risk acceptance with audit trails, and longitudinal reporting that survives beyond the current state of your cloud environment. Integrating Wiz with DefectDojo closes that gap, turning Wiz's cloud security signal into a managed, trackable remediation program.
Why Wiz Matters
Wiz has established itself as one of the leading Cloud-Native Application Protection Platforms (CNAPPs) by combining agentless scanning with a graph-based model of cloud resource relationships.
- Wiz's Security Graph maps relationships between cloud resources — compute, identities, data stores, network paths — and uses that graph to identify combinations of issues that represent material risk, not just isolated findings
- Its agentless architecture means coverage across cloud workloads, containers, and serverless functions without deploying agents or modifying running infrastructure — reducing deployment friction significantly in large cloud environments
- Wiz covers the full cloud security stack in a single platform: CSPM (cloud misconfiguration), vulnerability management for workloads and containers, secrets detection, data security posture, identity risk, and Kubernetes security
- Attack path analysis surfaces the subset of findings that are actually exploitable given your specific cloud topology — a misconfiguration that can't be reached from the internet is deprioritized against one that can
- Wiz integrates natively with AWS, Azure, GCP, OCI, and Kubernetes, and can assess multi-cloud environments from a single console
- Findings are exportable via the Wiz API and CLI, producing structured data that DefectDojo can ingest for lifecycle management
Advantages of This Integration
Wiz tells you what your cloud risk looks like right now. DefectDojo tracks what your team did about it — and when, and who decided what.
- Persistent finding records across cloud state changes: Cloud environments are ephemeral. Resources spin up and down, findings appear and resolve without a human ever touching them. DefectDojo's reimport workflow captures that history, tracking when findings first appeared, when they resolved, and whether they re-emerged after remediation — giving you an audit-ready record that Wiz's live console doesn't retain.
- SLA enforcement across cloud finding types: Misconfigurations, workload vulnerabilities, secrets, and identity risks have different remediation owners and timelines. DefectDojo applies configurable SLA policies by severity, tracks breach dates, and surfaces overdue findings in dashboards — turning Wiz's severity ratings into enforceable deadlines.
- Cross-team remediation assignment: Cloud findings typically span multiple owners — a misconfigured S3 bucket is a platform team issue, a vulnerable container image is an app team issue, an overly permissive IAM role is a security team issue. DefectDojo's assignment and notification model lets you route each finding to the right owner without a manual triage meeting.
- Risk acceptance with documented rationale: Not every Wiz finding warrants immediate remediation. Compensating controls, business requirements, or accepted residual risk are all legitimate outcomes. DefectDojo captures the justification, the approver, and the expiration date for every risk acceptance decision — auditable and persistent across re-scans.
- Portfolio-level cloud security reporting: Organizations running multi-account or multi-cloud environments get aggregated metrics across all environments in DefectDojo — open findings by severity, type, age, and SLA status. That aggregate view is what security leadership needs for board reporting and compliance evidence.
- Deduplication across environments and scan cycles: The same misconfiguration type appearing across 15 AWS accounts doesn't create 15 unrelated findings if you structure your DefectDojo products and deduplication rules appropriately. Patterns get addressed at the policy level, not individually.
- Integration with ticketing and change management: Triaged Wiz findings push from DefectDojo to Jira, ServiceNow, or GitHub Issues with full context — resource identifier, finding type, severity, and remediation guidance — giving infrastructure and application teams actionable tickets without requiring Wiz console access.
How This Integration Works
Wiz issues are exported as a CSV file from the Wiz console (or assembled from the Wiz GraphQL API) and imported into DefectDojo with the Wiz Scan parser.
Step 1 — Export findings from Wiz
The Wiz Scan parser reads the CSV export of the Issues view. In the Wiz console, open Issues, apply the filters that define the scope of this DefectDojo test (for example severity CRITICAL and HIGH, or a single project), and export the result as CSV. Reuse the same filter for every export you later reimport into the same test: reimport closes findings that are missing from the new file, so a narrower filter would close findings that are still open in Wiz.
The Wiz CLI (wizcli) is used to run image, IaC and directory scans; it is not an issues export tool. Issue exports come from the console or from the API.
Alternatively, pull issues from the Wiz GraphQL API. The response is JSON, which the Wiz Scan parser does not read directly; flatten the nodes into the CSV columns listed below before importing. The API hostname is region-specific, and first: 500 returns only the first page, so request pageInfo and follow endCursor until hasNextPage is false:
# one page of CRITICAL/HIGH issues; repeat with after: "<endCursor>" while hasNextPage is true
curl -sS -X POST https://api.us1.app.wiz.io/graphql \
  -H "Authorization: Bearer <wiz-api-token>" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ issues(first: 500, filterBy: { severity: [CRITICAL, HIGH] }) { nodes { id title severity status } pageInfo { hasNextPage endCursor } } }"}' \
  > wiz-api-response.json
Step 2 — Import into DefectDojo
Use Wiz Scan as the scan type:
# import-scan takes the target engagement; the product is implied by the engagement
curl -sS -X POST https://<defectdojo-host>/api/v2/import-scan/ \
  -H "Authorization: Token <your-api-token>" \
  -F "scan_type=Wiz Scan" \
  -F "file=@wiz-issues.csv" \
  -F "engagement=<engagement-id>" \
  -F "active=true" \
  -F "verified=false"
Step 3 — Reimport for recurring exports
For environments where Wiz findings are exported on a regular cadence (daily, weekly), use reimport to update existing finding states rather than create duplicate records:
curl -X POST https://<defectdojo-host>/api/v2/reimport-scan/ \
-H "Authorization: Token <your-api-token>" \
-F "scan_type=Wiz Scan" \
-F "file=@wiz-issues.csv" \
-F "test=<test-id>"
Findings from the previous test that are absent from the new export are closed as mitigated in DefectDojo, findings that reappear after being closed are reopened, and findings not seen before are created. Because absence from the file drives closure, every reimport must use the same Wiz filter scope as the first import. Risk acceptances recorded in DefectDojo stay attached to the finding record across reimports.
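The three steps above as one script, added here as an example and not code from DefectDojo or Wiz. It pulls issues from the Wiz GraphQL API with cursor pagination, flattens them into the CSV columns the parser reads, and posts the file to import-scan on the first run and reimport-scan on every later run, with optional tags for cloud context. The endpoint hostname, the GraphQL field names (id, severity, status, createdAt, updatedAt, description, sourceRule.name, entitySnapshot.*) and the CSV column names are assumptions to verify against your tenant's schema and your actual export; the sample node is constructed.

```python
# Assumed: the region endpoint, the GraphQL field names and the CSV column names (see lead-in).
import csv
import io
import json
import urllib.request
import uuid

WIZ_GRAPHQL = "https://api.us1.app.wiz.io/graphql"  # assumed; hostname depends on region

ISSUES_QUERY = """
query Issues($first: Int!, $after: String, $filterBy: IssueFilters) {
  issues(first: $first, after: $after, filterBy: $filterBy) {
    nodes {
      id severity status createdAt updatedAt description
      sourceRule { name }
      entitySnapshot { providerId name type cloudPlatform subscriptionId region }
    }
    pageInfo { hasNextPage endCursor }
  }
}"""

# Column names follow the field table on this page (assumed to match your export).
CSV_COLUMNS = ["Issue Title", "Severity", "Status", "Description", "Resource ID",
               "Resource Name", "Resource Type", "Cloud Platform", "Subscription ID",
               "Region", "Created At", "Updated At", "Control Name"]

def graphql(token, query, variables, endpoint=WIZ_GRAPHQL):
    """One authenticated GraphQL call; GraphQL-level errors are raised, not ignored."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]

def fetch_issues(token, severities=("CRITICAL", "HIGH"), page_size=500, call=graphql):
    """Follow endCursor until hasNextPage is false; stopping after one page silently truncates."""
    after, nodes = None, []
    while True:
        page = call(token, ISSUES_QUERY, {"first": page_size, "after": after,
                                          "filterBy": {"severity": list(severities)}})["issues"]
        nodes.extend(page["nodes"])
        if not page["pageInfo"]["hasNextPage"]:
            return nodes
        after = page["pageInfo"]["endCursor"]

def issue_to_row(node):
    """Flatten one issue node into the column names the parser reads."""
    ent = node.get("entitySnapshot") or {}
    rule_name = (node.get("sourceRule") or {}).get("name", "")
    values = [rule_name, node.get("severity", ""), node.get("status", ""), node.get("description", ""),
              ent.get("providerId", ""), ent.get("name", ""), ent.get("type", ""),
              ent.get("cloudPlatform", ""), ent.get("subscriptionId", ""), ent.get("region", ""),
              node.get("createdAt", ""), node.get("updatedAt", ""), rule_name]
    return dict(zip(CSV_COLUMNS, values))

def to_csv(nodes):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(issue_to_row(n) for n in nodes)
    return buf.getvalue()

def scan_request(engagement=None, test=None, tags=()):
    """First run: import-scan with an engagement id. Later runs: reimport-scan with the test id.
    Returns (path, form fields); tags are repeated form fields, one per tag."""
    if (engagement is None) == (test is None):
        raise ValueError("pass exactly one of engagement= or test=")
    fields = [("scan_type", "Wiz Scan"), ("active", "true"), ("verified", "false")]
    fields += [("tags", t) for t in tags]
    if test is not None:
        return "/api/v2/reimport-scan/", fields + [("test", str(test))]
    return "/api/v2/import-scan/", fields + [("engagement", str(engagement))]

def encode_multipart(fields, filename, content):
    """Minimal multipart/form-data body so no third-party HTTP library is needed."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields:
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += [f"--{boundary}", f'Content-Disposition: form-data; name="file"; filename="{filename}"',
              "Content-Type: text/csv", "", content, f"--{boundary}--", ""]
    return boundary, "\r\n".join(parts).encode()

def submit(dd_base, dd_token, csv_text, **kwargs):
    """POST the CSV to DefectDojo; kwargs go to scan_request() (engagement= or test=, tags=)."""
    path, fields = scan_request(**kwargs)
    boundary, body = encode_multipart(fields, "wiz-issues.csv", csv_text)
    req = urllib.request.Request(dd_base.rstrip("/") + path, data=body, method="POST", headers={
        "Authorization": f"Token {dd_token}", "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)

# Constructed sample node (not real Wiz data) so the conversion runs offline.
SAMPLE_NODE = {"id": "i-1", "severity": "HIGH", "status": "OPEN", "createdAt": "2024-03-01T08:00:00Z",
               "updatedAt": "2024-03-02T08:00:00Z", "description": "Bucket allows public list, read",
               "sourceRule": {"name": "Publicly accessible S3 bucket"},
               "entitySnapshot": {"providerId": "arn:aws:s3:::payments-logs", "name": "payments-logs",
                                  "type": "BUCKET", "cloudPlatform": "AWS",
                                  "subscriptionId": "111111111111", "region": "us-east-1"}}

if __name__ == "__main__":
    print(to_csv([SAMPLE_NODE]))
    # live run: submit("https://<defectdojo-host>", "<token>", to_csv(fetch_issues("<wiz-token>")), engagement=7)
```

Keep the test id returned by the first import-scan call; every later run passes it as test= so findings are updated in place rather than duplicated. Because reimport closes whatever is absent from the file, the severities filter passed to fetch_issues() must not change between runs.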
Data Granularity: What Gets Imported
| Field | Source in Wiz Export | Notes |
|---|---|---|
| Title | Issue Title | Wiz-generated issue name describing the finding type |
| Severity | Severity | CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL |
| Description | Description | Full issue description including context and risk explanation |
| Status | Status | OPEN, RESOLVED, IN_PROGRESS — mapped to DefectDojo active/inactive |
| Resource ID | Resource ID | Cloud resource identifier (ARN, resource path, etc.) |
| Resource Name | Resource Name | Human-readable cloud resource name |
| Resource Type | Resource Type | e.g., Virtual Machine, S3 Bucket, Container Image, IAM Role |
| Cloud Platform | Cloud Platform | AWS, Azure, GCP, OCI, Kubernetes |
| Subscription / Account | Subscription ID | Cloud account or subscription where the resource resides |
| Region | Region | Cloud region of the affected resource |
| CVE ID | CVE | For vulnerability findings; may contain multiple CVEs |
| CVSS Score | CVSS Score | Where Wiz provides CVSS for vulnerability findings |
| First Seen | Created At | When Wiz first detected the issue |
| Last Seen | Updated At | Last time Wiz confirmed the issue was still present |
| Remediation | Remediation | Wiz's step-by-step remediation guidance |
| Control Name | Control Name | The Wiz security control that triggered the finding |
| Attack Path | Has Attack Path | Whether this finding is part of a Wiz-identified attack path |
Use Cases
For multi-account AWS environments: Security teams managing 50+ AWS accounts use Wiz to scan all accounts from a single integration. Daily exports import into DefectDojo, organized by account under a product-per-account or product-per-business-unit structure. Security leadership gets a unified view of Critical and High findings across the entire AWS estate — filterable by account, region, and resource type — without logging into individual accounts or parsing Wiz's live console for each one.
For Kubernetes workload vulnerability management: Wiz scans Kubernetes clusters and surfaces container image vulnerabilities alongside cluster misconfigurations. DefectDojo separates these into distinct engagements — workload vulnerabilities owned by application teams, cluster configuration findings owned by platform engineering — with separate SLA policies and assignment rules for each. Findings that span both (a vulnerable image running in a misconfigured cluster) are cross-referenced in DefectDojo notes during triage.
During an incident or post-mortem review: After a cloud security incident, DefectDojo's finding history shows which Wiz findings were open at the time of the incident, whether they were risk-accepted, and what the documented rationale was. This retrospective capability — knowing what was known and when — is not available from Wiz's live console, which reflects only current state.
For compliance evidence across cloud controls: Regulatory frameworks increasingly require evidence of continuous cloud security monitoring. DefectDojo's engagement history, finding lifecycle records, and risk acceptance audit trail covering Wiz's CSPM, vulnerability, and secrets findings provide structured evidence for SOC 2, ISO 27001, and FedRAMP without additional manual reporting work.
When operationalizing attack path findings: Wiz's attack path analysis identifies chains of issues that represent elevated risk. Security teams export attack-path-flagged findings separately and import them into a priority DefectDojo engagement with Critical severity treatment — ensuring these findings get accelerated SLA timelines and direct assignment to senior engineers regardless of their individual component severities.
Operational Tips
- Structure DefectDojo products to match your cloud account hierarchy: A product-per-AWS-account or product-per-environment (dev/staging/prod) mapping keeps ownership clear and makes SLA tracking meaningful. Avoid dumping all Wiz findings into a single product — it makes assignment and reporting unwieldy at scale.
- Export attack-path findings separately: Use Wiz's CLI filters to produce a dedicated export of findings involved in attack paths and import them into a separate high-priority DefectDojo engagement. This ensures your most critical cloud risk gets differentiated treatment rather than being ranked alongside routine misconfigurations.
- Set export schedules to match your SLA windows: If your Critical SLA is 48 hours, a weekly Wiz export means DefectDojo won't have the data to track SLA compliance accurately. For production environments, daily exports are the minimum for meaningful SLA tracking.
- Use tags to capture cloud context: Tag DefectDojo findings on import with cloud platform, account ID, and resource type. These tags enable filtering and reporting by cloud environment in DefectDojo — useful for identifying whether a finding pattern is account-specific or systemic across your cloud estate.
- Coordinate risk acceptance between Wiz and DefectDojo: Wiz supports its own issue acceptance workflow. When a finding is accepted in DefectDojo, note whether a corresponding acceptance was made in Wiz, and vice versa. Keeping these in sync avoids a situation where a finding is accepted in one platform but re-escalated in another.
- Treat INFORMATIONAL findings as a separate workstream: Wiz Informational findings are often best practice recommendations rather than active vulnerabilities. Import them as inactive in DefectDojo and review them on a separate cadence — quarterly security hardening reviews rather than the standard vulnerability remediation SLA.
- Leverage Wiz's remediation guidance in tickets: Wiz provides detailed, resource-specific remediation steps in its findings. When pushing findings from DefectDojo to Jira or ServiceNow, include Wiz's remediation field in the ticket description — infrastructure engineers can act on it immediately without needing Wiz console access or a handholding session with the security team.
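The account-structure, attack-path, tagging and informational tips above, together with the attack-path use case earlier, all come down to splitting one Wiz export into several files before import, because active= and tags apply to a whole file. The following is an added example (not DefectDojo or Wiz code) that partitions an issues CSV into per-account files, a separate attack-path file and an informational file, and builds the import-scan form fields for each: active=false for the informational file and platform/account tags on all of them. The column names follow the field table above and are assumed to match your export; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real Wiz output); column names follow the field table on
# this page and are assumed to match your export.
SAMPLE_EXPORT = """Issue Title,Severity,Status,Cloud Platform,Subscription ID,Resource Type,Resource ID,Has Attack Path
Publicly accessible S3 bucket,HIGH,OPEN,AWS,111111111111,BUCKET,arn:aws:s3:::payments-logs,true
IAM role assumable by anyone,CRITICAL,OPEN,AWS,111111111111,ROLE,arn:aws:iam::111111111111:role/ci-deploy,true
Unused IAM access key,INFORMATIONAL,OPEN,AWS,111111111111,ACCESS_KEY,AKIA0000EXAMPLE,false
Security group open to 0.0.0.0/0 on port 22,HIGH,OPEN,AWS,111111111111,SECURITY_GROUP,sg-0123,false
VM with critical CVE,CRITICAL,OPEN,AWS,222222222222,VIRTUAL_MACHINE,i-0abc123,false
Storage account allows public blobs,MEDIUM,OPEN,Azure,sub-aaaa,STORAGE_ACCOUNT,/subscriptions/sub-aaaa/x,false
"""

def truthy(value):
    """Wiz exports booleans as text; accept the usual spellings."""
    return str(value).strip().lower() in {"true", "yes", "1"}

def partition(csv_text):
    """Route each row to exactly one file: attack-path rows to the priority engagement,
    INFORMATIONAL rows to the hardening backlog, everything else to its cloud account."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if truthy(row.get("Has Attack Path", "")):
            key = "attack-path"
        elif row["Severity"].upper() == "INFORMATIONAL":
            key = "informational"
        else:
            key = f"account-{row['Subscription ID']}"
        buckets[key].append(row)
    return dict(buckets)

def import_fields(key, rows):
    """import-scan form fields for one file: the informational file is imported inactive,
    and platform/account tags let findings be filtered by cloud context in DefectDojo."""
    fields = [("scan_type", "Wiz Scan"), ("active", "false" if key == "informational" else "true")]
    for platform in sorted({r["Cloud Platform"] for r in rows}):
        fields.append(("tags", f"platform:{platform.lower()}"))
    for account in sorted({r["Subscription ID"] for r in rows}):
        fields.append(("tags", f"account:{account}"))
    if key == "attack-path":
        fields.append(("tags", "attack-path"))
    return fields

def write_bucket(rows):
    """Serialise one bucket back to CSV with the original columns so the parser still reads it."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    for key, rows in partition(SAMPLE_EXPORT).items():
        print(key, len(rows), import_fields(key, rows))
```

Attack-path rows are removed from the per-account files so the same issue is not tracked twice in two products; if you would rather keep them in both places, drop the first branch in partition() and rely on the attack-path tag instead. Each bucket is written with write_bucket() and submitted to the engagement under that account's product, with the reimport cadence discussed above.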