View Semgrep findings in Wiz's Security Graph
Semgrep integrates with Wiz by calling Wiz’s GraphQL API endpoints and uploading your static analysis (SAST) vulnerability findings to a dedicated Amazon S3 bucket. Your Semgrep SAST vulnerability findings are mapped to the same correlated repository scanned by Wiz and enriched by any available inventory and runtime-related data, such as clusters, pods, containers, cloud configurations, and more. Semgrep's goal is to give you a holistic view of your code and infrastructure security so that you can focus on what matters most.
Prerequisites and requirements
This integration is available for users with both a Semgrep Code license and a Wiz Code Security license.
To send Semgrep Code findings to Wiz:
- You must have a Wiz service account with sufficient permissions to create integrations and, if needed, another service account. The service account that Semgrep uses must be granted the following scopes: create:external_data_ingestion, read:system_activities, and read:resources. If you don't have a service account:
- Create a Wiz service account. When prompted to select the Type of the service account, select Custom Integration (GraphQL API).
- Copy the Wiz Client ID and Client Secret provided. You must provide this information to Semgrep at a later stage.
- You must add the Semgrep integration from the Wiz Integration Network. During this process, save the following values shown to you:
- API Endpoint URL
- Authentication URL
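Before pasting the service account credentials into Semgrep, it is worth confirming that the account really holds the three scopes listed above, because a missing scope only surfaces later as a failed sync. The script below is an added example (not Semgrep's or Wiz's own code). It assumes that the Authentication URL is a standard OAuth2 client-credentials token endpoint taking form-encoded grant_type, client_id, client_secret and audience (the audience value wiz-api is an assumption to verify against your tenant), and that the returned access token is a JWT whose payload carries a space-separated "scope" claim or an "scp" list, as OAuth2 bearer tokens commonly do. The scope check itself is a pure function, so it can be exercised offline with a constructed, unsigned token.

```python
"""Pre-flight check of the Wiz service account that Semgrep will use.

Added example, not Semgrep's or Wiz's code. Assumptions (verify against
your tenant): the Authentication URL is an OAuth2 client-credentials
token endpoint; audience "wiz-api"; the access token is a JWT whose
payload has a space-separated "scope" claim or an "scp" list.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Scopes the Semgrep integration needs, per the prerequisites above.
REQUIRED_SCOPES = frozenset({
    "create:external_data_ingestion",
    "read:system_activities",
    "read:resources",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_scopes(access_token: str) -> set:
    """Scopes claimed in the JWT payload.

    No signature verification: this is a local sanity check on a token
    the issuer just handed us over TLS, not an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    raw = payload.get("scope") or payload.get("scp") or ""
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def missing_scopes(access_token: str, required=REQUIRED_SCOPES) -> set:
    """Required scopes the token does not grant; an empty set means OK."""
    return set(required) - token_scopes(access_token)


def fetch_token(auth_url: str, client_id: str, client_secret: str,
                audience: str = "wiz-api") -> str:
    """OAuth2 client-credentials exchange against the Authentication URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode()
    req = urllib.request.Request(
        auth_url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none JWT for offline testing of the scope check.

    Constructed test data only; never accept such tokens in real code.
    """
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "{}.{}.".format(enc({"alg": "none", "typ": "JWT"}), enc(claims))


if __name__ == "__main__":
    # Credentials come from the environment so they never land in shell history.
    try:
        tok = fetch_token(os.environ["WIZ_AUTH_URL"],
                          os.environ["WIZ_CLIENT_ID"],
                          os.environ["WIZ_CLIENT_SECRET"])
    except KeyError as e:
        sys.exit("set {} in the environment".format(e.args[0]))
    missing = missing_scopes(tok)
    if missing:
        sys.exit("service account is missing scopes: " + ", ".join(sorted(missing)))
    print("service account grants all scopes Semgrep needs")
```

Run it with WIZ_AUTH_URL, WIZ_CLIENT_ID and WIZ_CLIENT_SECRET exported; a non-zero exit names the scopes to add to the service account before continuing with the Semgrep side of the setup.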
Limitations
Semgrep sends data to Wiz after every successful full scan; Semgrep does not send data from diff-aware scans. Wiz batches and syncs your data once every 24 hours.
By default, the Code findings that Semgrep sends are:
- High severity
- From full scans
- From the default branch of each repository
Semgrep sends findings from all repositories in your organization. Findings that were sent previously but are absent from a later submission are marked as fixed in Wiz.
Add the Semgrep integration from the Wiz Integration Network
To add the Semgrep integration from the Wiz Integration Network:
- Sign in to Wiz.
- Ensure that the account you're using has been assigned the create:integrations access scope.
- Using the navigation bar, go to Settings > Integrations.
- Click Add Integration.
- Find the Semgrep integration card and click Add.
- Follow the on-screen steps provided by Wiz to complete the setup of the Semgrep integration. Ensure that you save the following information when provided by Wiz:
- API Endpoint URL
- Authentication URL
Configure the integration in Semgrep
Once you've added the Semgrep integration from the Wiz Integration Network, you must continue the setup process in Semgrep:
- Sign in to Semgrep.
- In the navigation bar, click Settings.
- Navigate to Integrations, and click + Add > Wiz.
- In the dialog that appears, provide the following information:
- API Endpoint URL
- Authentication URL
- Client ID
- Client Secret
You can obtain the API Endpoint URL and the Authentication URL from Wiz in Tenant Info, while Wiz provides the Client ID and Client Secret when you set up a service account.
- Click Connect.
- If Semgrep successfully creates the connection, a dialog pops up that says, "Wiz credential created successfully." Semgrep also lists Wiz as an integration; you can verify the connection again by clicking Test connection.
Figure. Semgrep displays a success message if you configure the integration correctly.
Edit the integration
To edit the integration:
- Sign in to Semgrep.
- In the navigation bar, click Settings.
- Navigate to Integrations, and find the Wiz integration.
- Click Edit, and update the information required by Wiz as needed.
- Click Save changes.
Delete the integration
To delete the integration:
- Sign in to Semgrep.
- In the navigation bar, click Settings.
- Navigate to Integrations, and find the Wiz integration.
- Click the trash can icon.
- Click Delete to confirm.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.