Export findings to Wiz

Learn how to export findings from Endor Labs to Wiz to enable code-to-cloud correlation in the Wiz Security Graph.

Endor Labs provides a holistic view of your code and software supply chain security so you can focus on the findings that matter most. Findings are pushed to Wiz after every scheduled scan on the default branch and mapped to Wiz’s enrichment schemas.

Export findings from Endor Labs to Wiz by establishing a secure connection with Wiz API endpoints. The integration sends SCA and SAST findings identified during repository scans to Wiz, where they are ingested into the Wiz Security Graph.

Branch restrictions
Wiz exports are restricted to the default branch. Currently, you cannot export pull request scans and non-default branch scans.

Ensure that the following prerequisites are complete:

  • Connect your source code manager to Wiz so that repositories are scanned and findings are available. Wiz currently supports the following providers:

    • GitHub
    • GitLab
    • Bitbucket
    • Azure DevOps

    This connection ensures that REPOSITORY_BRANCH assets exist in Wiz’s inventory. Without this connection, findings are accepted but will be SKIPPED during ingestion because Wiz cannot resolve the repository.

  • Add the Endor Labs integration from the Wiz Integration Network. When you create the integration, Wiz shows the required API scopes for the service account. Save the following values because you will need them when creating the Wiz exporter in Endor Labs:

    • Client ID
    • Client Secret
    • API Endpoint URL
    • Authentication URL
  • Download and install endorctl. See Install endorctl.

Create a Wiz exporter with the Endor Labs API to configure the export destination and data types.

The following table lists the configuration options required to create the exporter.

Parameter            Description
<namespace>          Your Endor Labs namespace.
<exporter-name>      A descriptive name for the exporter.
<api-endpoint-url>   Your Wiz tenant’s region-specific GraphQL endpoint. For example, https://api.us18.app.wiz.io/graphql.
<auth-endpoint-url>  The Wiz authentication endpoint. For example, https://auth.app.wiz.io/oauth/token.
<client-id>          The Client ID from your Wiz service account.
<client-secret>      The Client Secret from your Wiz service account.

Run the following command to create a Wiz exporter.

endorctl api create \
  --namespace=<namespace> \
  --resource=Exporter \
  --data '{
    "meta": {
      "name": "<exporter-name>"
    },
    "propagate": true,
    "spec": {
      "exporter_type": "EXPORTER_TYPE_WIZ",
      "wiz_config": {
        "api_endpoint_url": "<api-endpoint-url>",
        "oauth_client_credentials": {
          "auth_endpoint_url": "<auth-endpoint-url>",
          "client_id": "<client-id>",
          "client_secret": "<client-secret>"
        }
      },
      "message_type_configs": [
        {
          "message_type": "MESSAGE_TYPE_FINDING",
          "message_export_format": "MESSAGE_EXPORT_FORMAT_JSON"
        }
      ]
    }
  }'

For example, to create a Wiz exporter named wiz-findings-export in the namespace doe.deer that exports findings to Wiz:

endorctl api create \
  --namespace=doe.deer \
  --resource=Exporter \
  --data '{
    "meta": {
      "name": "wiz-findings-export"
    },
    "propagate": true,
    "spec": {
      "exporter_type": "EXPORTER_TYPE_WIZ",
      "wiz_config": {
        "api_endpoint_url": "https://api.us18.app.wiz.io/graphql",
        "oauth_client_credentials": {
          "auth_endpoint_url": "https://auth.app.wiz.io/oauth/token",
          "client_id": "your-wiz-client-id",
          "client_secret": "your-wiz-client-secret"
        }
      },
      "message_type_configs": [
        {
          "message_type": "MESSAGE_TYPE_FINDING",
          "message_export_format": "MESSAGE_EXPORT_FORMAT_JSON"
        }
      ]
    }
  }'
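As an added example (not Endor Labs' or Wiz's own code), the following Python builds the same Exporter body and sanity-checks it before it is handed to endorctl. The URL and placeholder checks are assumptions modelled on the example values above, not rules the API is documented to enforce.

```python
import json
from urllib.parse import urlparse

# Placeholder values from the documented templates; they must never reach the API.
PLACEHOLDERS = {"", "<client-id>", "<client-secret>", "your-wiz-client-id", "your-wiz-client-secret"}

def validate_wiz_config(api_endpoint_url, auth_endpoint_url, client_id, client_secret):
    """Return a list of problems; an empty list means the config matches the documented shape."""
    problems = []
    api, auth = urlparse(api_endpoint_url), urlparse(auth_endpoint_url)
    if api.scheme != "https" or not api.netloc:
        problems.append("api_endpoint_url must be an https URL")
    if not api.path.endswith("/graphql"):
        problems.append("api_endpoint_url should be the tenant's GraphQL endpoint (.../graphql)")
    if auth.scheme != "https" or not auth.netloc:
        problems.append("auth_endpoint_url must be an https URL")
    if not auth.path.endswith("/oauth/token"):
        problems.append("auth_endpoint_url should be the OAuth token endpoint (.../oauth/token)")
    if client_id.strip() in PLACEHOLDERS:
        problems.append("client_id is empty or a placeholder")
    if client_secret.strip() in PLACEHOLDERS:
        problems.append("client_secret is empty or a placeholder")
    return problems

def build_exporter(name, api_endpoint_url, auth_endpoint_url, client_id, client_secret):
    """Build the Exporter body shown on this page; raise before a bad config is submitted."""
    problems = validate_wiz_config(api_endpoint_url, auth_endpoint_url, client_id, client_secret)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "meta": {"name": name},
        "propagate": True,
        "spec": {
            "exporter_type": "EXPORTER_TYPE_WIZ",
            "wiz_config": {
                "api_endpoint_url": api_endpoint_url,
                "oauth_client_credentials": {
                    "auth_endpoint_url": auth_endpoint_url,
                    "client_id": client_id,
                    "client_secret": client_secret,
                },
            },
            "message_type_configs": [{"message_type": "MESSAGE_TYPE_FINDING",
                                      "message_export_format": "MESSAGE_EXPORT_FORMAT_JSON"}],
        },
    }

def endorctl_create_args(namespace, body):
    """argv for the documented endorctl command; run with subprocess.run(args), no shell needed."""
    return ["endorctl", "api", "create", f"--namespace={namespace}",
            "--resource=Exporter", "--data", json.dumps(body)]
```

Passing the body as an argv list keeps the client secret out of shell quoting and lets you source it from a secret store rather than a literal on the command line.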

After creating the exporter, associate it with your scan profile. You can also set the scan profile as the default for your namespace so all projects use it automatically. See Scan profiles for more information.

  1. Select Settings from the left sidebar.
  2. Select Scan Profiles.
  3. Select the scan profile you want to configure and click Edit Scan Profile.
  4. Select your exporter under Exporters and click Save Scan Profile.

Associate your project with a scan profile to enable automatic export of scan data.

  1. Select Projects from the left sidebar and select the project you want to configure.
  2. Select Settings and select the scan profile you want to use under Scan Profile.

Once findings are successfully ingested by Wiz, you can view them directly in the Wiz Findings dashboard. These findings are correlated with your cloud assets and repositories in the Wiz Security Graph. You can filter by origin to easily locate findings from Endor Labs.

Findings are exported to Wiz after every scheduled scan on the default branch. Wiz manages finding state based on data sources:

  • Full state snapshot: Each upload represents the complete current state of findings for a project and branch. Wiz treats it as a full replacement.
  • Upload limit: Wiz allows up to three uploads per branch per day. Additional uploads for the same branch within 24 hours may not be processed.
  • Automatic resolution: If a finding was present in a previous upload but is absent in the current upload for the same scope, Wiz automatically marks it as resolved and closes any associated Wiz Issues.
  • Staleness: Findings not refreshed within 7 days are automatically removed by Wiz. Wiz recommends uploading at least every 24 hours to align with their scanning cycle.

When an upload completes, Wiz processes the results asynchronously.

The following table lists the ingestion outcomes.

Status       Meaning
PENDING      Upload is queued; processing has not started.
IN_PROGRESS  Wiz is still processing the file.
SUCCESS      All findings were ingested and linked to assets.
SKIPPED      Findings were parsed but assets could not be resolved (repository not connected to Wiz).
FAILURE      Schema validation failed or an error occurred.

Note: Even when the system activity status is SUCCESS, Wiz ingests the payload at its own pace. We recommend waiting up to 24 hours for findings to appear in Wiz.

Why are findings SKIPPED in Wiz?
Findings are linked only to existing REPOSITORY_BRANCH assets in Wiz. The SCM must be connected to Wiz so that repositories exist in Wiz’s inventory. If the repository is not connected to Wiz, the upload succeeds but Wiz skips the ingestion of the upload.

Can Wiz data be pulled back into Endor Labs?
No, this is a one-way integration that only supports pushing findings from Endor Labs to Wiz.

How long do findings stay in Wiz?
Wiz automatically removes findings that are not refreshed within 7 days. To keep your findings current, schedule scans to run regularly. Note that Wiz limits uploads to a maximum of 3 per branch per day.

When do findings appear in Wiz after an upload?
Even when the system activity status is SUCCESS, Wiz ingests the payload at its own pace. It is recommended to wait up to 24 hours for findings to reflect in Wiz.

What happens if a repository has multiple branches?
Findings are exported to Wiz only from the repository’s default branch. Scans on other branches do not export findings to Wiz.
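An added example (not part of the original page and not Endor Labs' or Wiz's own code) that encodes the upload limit, staleness rule and ingestion statuses above, so a branch's scan schedule can be checked before findings silently go stale or extra uploads are dropped. The epoch in check_offsets and any timestamps fed to it are constructed sample input.

```python
from datetime import datetime, timedelta, timezone

# Wiz ingestion rules as stated on this page.
MAX_UPLOADS_PER_DAY = 3                      # uploads per branch per 24 hours
STALE_AFTER = timedelta(days=7)              # findings not refreshed in 7 days are removed
RECOMMENDED_INTERVAL = timedelta(hours=24)   # Wiz recommends uploading at least daily

# Ingestion status -> operator action (paraphrases the status table on this page).
STATUS_ACTIONS = {
    "PENDING": "queued; wait",
    "IN_PROGRESS": "processing; wait",
    "SUCCESS": "ingested; allow up to 24 hours before expecting findings in Wiz",
    "SKIPPED": "assets unresolved; connect the repository's SCM to Wiz so a "
               "REPOSITORY_BRANCH asset exists, then rescan the default branch",
    "FAILURE": "schema validation failed or an error occurred; review the exporter config",
}

def status_action(status):
    """Map a Wiz ingestion status to the operator action; unknown statuses are flagged."""
    return STATUS_ACTIONS.get(status.upper(), f"unknown status {status!r}; inspect the upload record")

def check_upload_cadence(upload_times, now):
    """Return warnings for one branch's upload history against the Wiz limits."""
    times = sorted(upload_times)
    if not times:
        return ["no uploads recorded for this branch; nothing will appear in Wiz"]
    warnings = []
    # Upload limit: more than three uploads in a rolling 24-hour window may be dropped.
    for start in times:
        in_window = [t for t in times if start <= t < start + timedelta(hours=24)]
        if len(in_window) > MAX_UPLOADS_PER_DAY:
            warnings.append(f"{len(in_window)} uploads within 24h of {start.isoformat()}; "
                            "Wiz may not process the extra ones")
            break
    # Staleness: compare the most recent upload against the 7-day removal rule.
    age = now - times[-1]
    hours = age.total_seconds() / 3600
    if age > STALE_AFTER:
        warnings.append(f"last upload {hours:.0f}h ago; Wiz will have removed these findings")
    elif age > RECOMMENDED_INTERVAL:
        warnings.append(f"last upload {hours:.0f}h ago; exceeds the recommended 24h cadence")
    return warnings

def check_offsets(upload_hours, now_hours):
    """Same check with times given as hour offsets from a fixed, constructed epoch."""
    base = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return check_upload_cadence([base + timedelta(hours=h) for h in upload_hours],
                                base + timedelta(hours=now_hours))
```

For example, check_offsets([0, 2, 4, 6], 240) reports both the fourth upload in one 24-hour window and a ten-day gap that exceeds the 7-day staleness limit.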