Skip to main content

Documentation Index

Fetch the complete documentation index at: https://zeropath.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Overview

ZeroPath’s Wiz integration enables you to upload scanner results directly to your Wiz dashboard and view exposure information in the Explorer and Application tabs. This integration is currently in early access.
Wiz UVM Required: To upload scanner results to Wiz, you must have Wiz Universal Vulnerability Management (UVM) enabled. Wiz code is required for UVM functionality.

Prerequisites

Before setting up the Wiz integration, ensure you have:
  • Wiz UVM enabled in your Wiz account
  • The necessary Wiz API permissions (see Required Permissions)
  • Access to your Wiz dashboard settings

Enabling Wiz UVM

If Wiz UVM is not already enabled on your account:
  1. Navigate to your Wiz dashboard
  2. Go to Settings → Preview & Migration Hub
  3. Enable Universal Vulnerability Management (UVM)

Setup Instructions

1. Create the Integration in Wiz

Create the integration credentials using the dedicated ZeroPath tile in Wiz — do not create credentials through a service account.
  1. Navigate to https://app.wiz.io/settings/deployments/integrations/new/zero-path
  2. Follow the prompts to complete the integration setup and generate your credentials

2. Configure the Integration in ZeroPath

  1. Navigate to https://zeropath.com/app/settings/integrations
  2. Click Add Integration
  3. Select Wiz from the list of available integrations
  4. Fill out the configuration fields: Required Fields:
    • Client ID: Your Wiz service account client ID
    • GraphQL URL: Your Wiz GraphQL API endpoint (e.g., https://api.us17.app.wiz.io/graphql)
    • Client Secret: Your Wiz service account client secret
    Optional Fields:
    • Token URL: OAuth token endpoint (defaults to https://auth.app.wiz.io/oauth/token)
    • Wiz Project IDs: Limit the integration to specific Wiz projects by entering project IDs separated by commas or new lines. Leave blank to include all projects.
    • Enable SAST Enrichment: Toggle to enable uploading scanner results to Wiz (enabled by default)
  5. Click Save to complete the integration setup

3. Required Permissions

Your Wiz API credentials must have the following permissions: 
read:resources
read:projects
read:network_exposure
create:external_data_ingestion
read:system_activities
read:sast_findings
These permissions allow ZeroPath to:
  • Upload scanner results to Wiz
  • Read exposure and configuration data
  • Sync findings between platforms

Features

Scanner Results Upload

Once configured, ZeroPath automatically uploads scanner results to your Wiz Unified Vulnerability Management (UVM) dashboard. Both SAST and SCA findings are uploaded — if a scan produces only SCA findings (for example, when all SAST findings are filtered out), those SCA results are still exported to Wiz. The uploaded results from ZeroPath will be visible in your Wiz UVM interface, allowing you to view and manage findings alongside your other Wiz security data.

Exposure Information in ZeroPath

The integration pulls exposure information from Wiz and displays it in ZeroPath’s Application view. You can see which applications have internet exposure based on Wiz’s network analysis, along with direct links to the Wiz dashboard and exposed URIs.

Dynamic Tagging Based on Exposure

Create tags that automatically apply to repositories when internet exposure is detected by Wiz.

Setting Up Dynamic Tags

  1. Go to Settings > Tags
  2. Click Create Tag
  3. Enter a tag name and optional description
  4. Under Dynamic Tag Triggers, select Internet exposure
  5. Optionally select specific repositories or add custom property filters
  6. Click Create Tag
Repositories with internet exposure detected through Wiz will automatically receive this tag.

AI Assistant & MCP Server Access

When the Wiz integration is configured, the ZeroPath AI security assistant (and the ZeroPath MCP server) can query your Wiz tenant in real time using the following read-only tools:
  • Get Wiz Settings — View your organization’s Wiz integration configuration, including which Wiz project IDs are enrolled and whether SAST enrichment is enabled. The Wiz client secret is never exposed.
  • List Wiz Projects — List all Wiz projects visible to your configured credentials. Useful for verifying project access or discovering projects not yet enrolled in ZeroPath.
  • Search Wiz Assets — Search for cloud resources in Wiz by name fragment (e.g., payments-api, redis-prod). Results are scoped to your enrolled Wiz project IDs. Up to 50 results can be returned per query.
  • Search Wiz Exposures — Find live network exposure findings in Wiz by entity name. Defaults to PUBLIC_INTERNET exposures. This search runs across your entire Wiz tenant because the Wiz API does not support project-scoped filters on network exposures.
These tools are read-only — the AI assistant cannot modify your Wiz integration credentials or settings. You can use them to answer questions like “What cloud assets match this service?” or “Is this host exposed to the internet?” directly from the assistant or any MCP-compatible client.
The Wiz API tools require the same permissions as the main integration. Ensure your credentials have read:resources, read:projects, and read:network_exposure permissions.

Verifying the Integration

After setting up the Wiz integration, you can verify it’s working correctly by checking the following:

Check SAST Results in Wiz

If Enable SAST Enrichment is turned on:
  1. Run a full scan on a repository in ZeroPath
  2. After the scan completes, navigate to your Wiz UVM dashboard
  3. Look for the uploaded findings from ZeroPath in your SAST results
  4. Findings will appear alongside your other Wiz security data
SAST results are uploaded automatically after a full scan completes. Allow a few minutes for results to appear in Wiz.

Check Exposure Data in ZeroPath

If the integration is pulling exposure data correctly:
  1. Navigate to any Application in ZeroPath that is deployed and exposed to the internet
  2. In the Application view, look for:
    • Wiz Dashboard Link: A clickable link labeled “Open Wiz Dashboard” that takes you to your Wiz tenant dashboard
    • Exposed URIs: A list of publicly accessible endpoints detected by Wiz
If you see the Wiz Dashboard link and exposed URIs for your internet-facing applications, the exposure data sync is working.

Check Integration Status

  1. Go to https://zeropath.com/app/settings/integrations
  2. Select the Wiz integration from the sidebar to open its detail panel
  3. Verify your configured Project IDs and settings are displayed correctly

View Wiz Sync Progress

To view detailed information about the current Wiz sync progress:
  1. Navigate to https://zeropath.com/app/scans
  2. Click on the scan time to open the scan logs
  3. The logs will show the status of the Wiz integration, including upload progress and any errors

Troubleshooting

Scanner Results Not Appearing in Wiz

  • Verify SAST Enrichment is enabled: In your integration settings, ensure the “Enable SAST Enrichment” toggle is turned on
  • Verify UVM is enabled: Confirm that Wiz UVM is active in your Wiz dashboard under Settings → Preview & Migration Hub
  • Check API permissions: Ensure your Wiz API credentials have all required permissions, especially create:external_data_ingestion and read:system_activities
  • Run a full scan: SAST results are only uploaded after full scans complete, not PR scans
  • Wait for processing: Allow a few minutes for results to appear in Wiz after the scan completes

Exposure Data Not Appearing in ZeroPath

  • Verify deployment files exist: ZeroPath detects exposures by analyzing deployment configuration files (Kubernetes YAML, Docker Compose, Helm charts) in your repository
  • Check API permissions: Ensure your credentials have read:network_exposure, read:resources, and read:projects permissions
  • Verify resources in Wiz: The resources defined in your deployment files must exist in your Wiz inventory
  • Check Project IDs: If you specified Wiz Project IDs, ensure your resources are in those projects

Dynamic Tags Not Applying

  • Confirm exposure data sync: Verify that exposure information is being synced from Wiz (check the Application view for Wiz exposure data)
  • Check tag configuration: Ensure the Internet exposure trigger is selected in your tag settings at Settings > Tags
  • Check permissions: Ensure your Wiz credentials have read:resources and read:projects permissions