Code to cloud noise reduction - Prioritizing code security with Semgrep & Wiz

Protect applications at every stage—Semgrep secures code before deployment, while Wiz ensures cloud infrastructure remains protected post-deployment

Vivek Khimani
Andy Huang
Jaweed Metz
March 3rd, 2025

Introduction

Traditional security operates in silos—Static Application Security Testing (SAST) tools identify issues in code, while Cloud-Native Application Protection Platforms (CNAPP) detect risks across the entire cloud environment, including infrastructure, runtime, and code-to-cloud correlation. However, as modern development accelerates, security teams face a growing challenge: cutting through noise and getting to what matters. How do security teams effectively prioritize vulnerabilities based on real-world exposure rather than just isolated findings?

Without a unified view across code and cloud, teams struggle to determine which vulnerabilities pose the greatest risk in real-world deployments. With the new Semgrep + Wiz integration, teams can prioritize vulnerabilities more effectively by correlating SAST findings with cloud infrastructure, runtime data, and exposure analysis in Wiz’s Security Graph. Connecting source code vulnerabilities to their real-world exposure is now a reality: security teams can see each SAST finding alongside the cloud and runtime context of where that code actually runs, and prioritize and remediate the highest-risk vulnerabilities first.

Figure 1: Detailed Semgrep finding on Wiz

Semgrep & Wiz: A unified approach to application & cloud security

Over the past year, we’ve come across one recurring piece of customer feedback that kept us up at night: security vendors need to better contextualize user findings. At Semgrep, we’ve seen recent success using LLMs to make your rules context-aware, but we were still curious how we could help bridge the gap between code and the cloud environments users actually deploy on.

Enter the Semgrep & Wiz integration: a partnership to help users effectively prioritize vulnerabilities by correlating SAST findings with real-time cloud infrastructure and runtime data. By combining Wiz’s best-in-class cloud security with Semgrep’s best-in-class code security, users can:

  • Correlate vulnerabilities across application code and cloud infrastructure

  • Identify toxic combinations, such as critical code findings exposed in vulnerable cloud environments

  • Prioritize findings based on the contexts you care about most


How the Semgrep & Wiz integration works

The Semgrep & Wiz integration establishes a connection between your Semgrep and Wiz instances, ensuring security teams have complete visibility when assessing vulnerabilities across code and cloud environments. At a high level:

  1. A connection is established between your Semgrep and Wiz instances.

  2. Your codebase is scanned for security vulnerabilities, misconfigurations, and policy violations using powerful, customizable rules.

  3. Findings are pushed to Wiz by calling Wiz’s GraphQL API endpoints and uploading SAST vulnerability findings.

  4. Findings are mapped and enriched within Wiz’s Security Graph, correlating them with cloud inventory and runtime-related data, including clusters, pods, containers, and cloud configurations.

  5. Customized alerts can be set for enriched findings on Wiz, allowing security teams to focus on what matters most.

Developers get clear remediation guidance provided by Semgrep, linking security issues back to the affected repository, file, and line number for efficient resolution.
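The correlation step above, as an added illustration that is not part of Semgrep's or Wiz's own code: a constructed set of findings in the shape of `semgrep --json` output is joined with a constructed, simplified stand-in for the deployment context the Security Graph would supply, findings whose code never runs in a workload are dropped, and findings in internet-facing workloads are boosted. The rule ids, file paths and workload names are made up, and the scoring is a toy model, not Wiz's actual risk logic.

```python
import json

# Constructed sample in the shape of `semgrep --json` output (not real scan data).
SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "example.sqli-string-concat", "path": "api/orders.py",
         "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built from user input"}},
        {"check_id": "example.subprocess-shell-true", "path": "tools/cleanup.py",
         "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "subprocess with shell=True"}},
        {"check_id": "example.debug-enabled", "path": "api/settings.py",
         "start": {"line": 3}, "extra": {"severity": "INFO", "message": "DEBUG enabled"}},
    ]
})

# Constructed stand-in for the cloud context the Security Graph would supply:
# which source files end up in a running workload, and whether it is internet-facing.
DEPLOYMENTS = {
    "api/orders.py":   {"workload": "pod/orders-api", "running": True, "internet_facing": True},
    "api/settings.py": {"workload": "pod/orders-api", "running": True, "internet_facing": True},
    # tools/cleanup.py is intentionally absent: it is never built into a container.
}

SEVERITY_WEIGHT = {"ERROR": 3, "WARNING": 2, "INFO": 1}

def prioritize(semgrep_json: str, deployments: dict) -> list[dict]:
    """Join SAST findings with deployment context and rank them.

    Findings with no running workload are dropped as noise; findings in
    internet-facing workloads are boosted (a 'toxic combination').
    """
    ranked = []
    for r in json.loads(semgrep_json)["results"]:
        ctx = deployments.get(r["path"])
        if not ctx or not ctx["running"]:
            continue  # code is not deployed anywhere, so it is not actionable right now
        score = SEVERITY_WEIGHT[r["extra"]["severity"]]
        if ctx["internet_facing"]:
            score *= 2
        ranked.append({
            "check_id": r["check_id"],
            "location": f'{r["path"]}:{r["start"]["line"]}',  # repo/file/line pointer for developers
            "workload": ctx["workload"],
            "score": score,
        })
    return sorted(ranked, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in prioritize(SEMGREP_JSON, DEPLOYMENTS):
        print(f"[{f['score']}] {f['check_id']} at {f['location']} ({f['workload']})")
```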

Figure 2: Top SAST vulnerabilities via Semgrep shown on Wiz

What’s in it for you?

For security teams:

  • Build better understanding of vulnerability hot spots across the stack

  • Retain trust by only alerting developers on the highest-risk findings

For developers:

  • Reduce unnecessary workload by filtering out less risky findings

  • A better “why” for the urgency behind remediation

Looking ahead: the future of unified security

As organizations continue to scale their applications in cloud environments, security must evolve to keep pace. The Semgrep & Wiz integration marks a significant step toward unified, contextual security—where code security and cloud security work together seamlessly.

With Semgrep’s deep SAST capabilities and Wiz’s powerful cloud security insights, teams can finally prioritize vulnerabilities based on real-world risk, reduce alert fatigue, and enable developers to fix security issues faster.

Schedule a demo to see the Semgrep and Wiz integration live in action, and check out Semgrep’s integration guide and Wiz’s brief on the joint integration for more information.

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.