Skip to main content

Overview

The Wiz exposure integration pulls network exposure and cloud configuration data from Wiz into ZeroPath. This allows you to see which of your applications are internet-exposed and automatically adjust security policies based on exposure status.

How Exposure Detection Works

When Wiz integration is enabled, ZeroPath automatically detects whether your code is deployed to internet-facing infrastructure. Here’s how the process works:
  1. Deployment file detection — ZeroPath searches your repository for deployment configuration files (Kubernetes manifests, Dockerfiles, Helm charts, docker-compose files, etc.) based on common naming conventions and directory patterns (e.g., k8s/, deploy/, helm/, production.yaml).
  2. Resource name extraction — Container names, service names, and deployment names are parsed from those deployment files. For YAML files, it looks at Kubernetes kind: Deployment metadata, container specs, and docker-compose service definitions. For Dockerfiles, it checks LABEL directives and infers names from directory structure.
  3. Wiz resource matching — Those extracted names are matched against your organization’s Wiz inventory to identify deployed resources.
  4. Exposure check — Matched resources are checked for PUBLIC_INTERNET network exposures in Wiz. Only public internet exposures are considered — private network exposures do not affect the result.

What You Get

Exposure Data in ZeroPath

Once configured, ZeroPath displays Wiz exposure information in your Application view. You can see which applications have internet exposure, along with direct links to the Wiz dashboard and a list of exposed URIs.

Severity Score Impact

Internet exposure data is used to help calculate severity scores for findings. Code deployed to internet-facing infrastructure is considered higher risk, which is reflected in the severity scoring.

Dynamic Tagging Based on Exposure

Create tags that automatically apply to repositories when internet exposure is detected.
  1. Go to Settings > Tags
  2. Click Create Tag
  3. Under Dynamic Tag Triggers, select Internet exposure
  4. Click Create Tag
Repositories with internet exposure will automatically receive this tag.

Required Permissions

For exposure information, your Wiz API credentials need: 
read:resources
read:projects
read:network_exposure

Troubleshooting

Exposure Data Not Syncing

  • Check API permissions: Ensure your Wiz API credentials have read:network_exposure, read:resources, and read:projects permissions
  • Review integration status: Check the integration status in ZeroPath settings
  • Verify Wiz data: Confirm that the exposure data exists in your Wiz account

Dynamic Tags Not Applying

  • Confirm exposure data sync: Verify that exposure information is being synced from Wiz
  • Check tag configuration: Ensure the Internet exposure trigger is selected in your tag settings