From 36b5f3f54a7f8375a9ec059a7009f2fba95740b8 Mon Sep 17 00:00:00 2001
From: Bob Roebling
Date: Fri, 24 Apr 2026 06:20:29 -0500
Subject: [PATCH] feature: update Wiz scan workflow (latest)

---
.github/workflows/wizscan.yml | 80 ++++++++++++++++++++++++++++++---------
1 file changed, 60 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/wizscan.yml b/.github/workflows/wizscan.yml
index 4e69cc7..149e2f0 100644
--- a/.github/workflows/wizscan.yml
+++ b/.github/workflows/wizscan.yml
@@ -8,50 +8,90 @@ jobs: permissions: id-token: write contents: read + env: - SCAN_PATH: '.' # Set the relative path in the repo to scan - POLICY: '1_High_Misconfiguration' # Set the desired Wiz-cli policy to use + SCAN_PATH: '.' + POLICY: '1_High_Misconfiguration' DOCKER_POLICY: 'custom-policy-high-critical-CVE-vulnerabilities' - # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: run: shell: bash steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 - - name: Configure AWS credentials from Test account + uses: actions/checkout@v4 + + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v2 with: role-to-assume: arn:aws:iam::014524682603:role/oidc-for-github aws-region: us-east-1 - - name: Get secrets by name and by ARN + - name: Get secrets from AWS Secrets Manager uses: aws-actions/aws-secretsmanager-get-secrets@v1 with: secret-ids: | - WIZ_CLIENT_ID,WIZ_CLIENT_ID - WIZ_CLIENT_SECRET,WIZ_CLIENT_SECRET + WIZ_CLIENT_ID_V1,WIZ_CLIENT_ID_V1 + WIZ_CLIENT_SECRET_V1,WIZ_CLIENT_SECRET_V1 JFROG_CREDENTIALS,jfrog JFROG_NPMRC_FILE,jfrog_npmrc_node18 - - name: Download Wiz-cli - run: curl -o wizcli https://wizcli.app.wiz.io/latest/wizcli && chmod +x wizcli + - name: Debug secrets (safe check) + run: | + echo "Client ID length: ${#WIZ_CLIENT_ID_V1}" + echo "Client Secret length: ${#WIZ_CLIENT_SECRET_V1}" + + - name: Download Wiz CLI + run: | + curl -Lo wizcli.gz https://downloads.wiz.io/v1/wizcli/latest/wizcli-linux-amd64.gz + gunzip wizcli.gz + chmod +x wizcli - - name: Authenticate to Wiz - run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET" - - name: Login to Docker registry - run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin "jfafn.jfrog.io" - + run: echo "$JFROG_CREDENTIALS" | docker login --username "techops.jfa.prod@omf.com" --password-stdin 
"jfafn.jfrog.io" + - name: Download .npmrc file - run: echo "$JFROG_NPMRC_FILE" > .npmrc + run: echo "$JFROG_NPMRC_FILE" > .npmrc - name: Docker Build & Scan - run: if test -f "Dockerfile"; then docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . ; docker images; ./wizcli docker scan --image $GITHUB_REPOSITORY:$GITHUB_SHA --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA -p "$DOCKER_POLICY" --policy-hits-only; fi + run: | + if test -f "Dockerfile"; then + docker build -t $GITHUB_REPOSITORY:$GITHUB_SHA . + docker images + ./wizcli docker scan \ + --image $GITHUB_REPOSITORY:$GITHUB_SHA \ + --tag repo=$GITHUB_REPOSITORY \ + --tag branch=$GITHUB_REF_NAME \ + --tag commit=$GITHUB_SHA \ + -p "$DOCKER_POLICY" \ + --policy-hits-only \ + --client-id "$WIZ_CLIENT_ID_V1" \ + --client-secret "$WIZ_CLIENT_SECRET_V1" + fi + - name: Run wiz-cli IaC scan - run: ./wizcli iac scan --path $SCAN_PATH --policy "$POLICY" --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA --policy-hits-only --timeout 30m + run: | + ./wizcli iac scan \ + --path $SCAN_PATH \ + --policy "$POLICY" \ + --tag repo=$GITHUB_REPOSITORY \ + --tag branch=$GITHUB_REF_NAME \ + --tag commit=$GITHUB_SHA \ + --policy-hits-only \ + --timeout 30m \ + --client-id "$WIZ_CLIENT_ID_V1" \ + --client-secret "$WIZ_CLIENT_SECRET_V1" + - name: Run wiz-cli custom-policy-secrets scan - run: ./wizcli iac scan --path $SCAN_PATH --policy "custom-policy-secrets" --tag repo=$GITHUB_REPOSITORY --tag branch=$GITHUB_REF_NAME --tag commit=$GITHUB_SHA --policy-hits-only --timeout 30m + run: | + ./wizcli iac scan \ + --path $SCAN_PATH \ + --policy "custom-policy-secrets" \ + --tag repo=$GITHUB_REPOSITORY \ + --tag branch=$GITHUB_REF_NAME \ + --tag commit=$GITHUB_SHA \ + --policy-hits-only \ + --timeout 30m \ + --client-id "$WIZ_CLIENT_ID_V1" \ + --client-secret "$WIZ_CLIENT_SECRET_V1" \ No newline at end of file
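Review bot: The new "Download Wiz CLI" step fetches an unpinned `latest` build and executes it with no checksum or signature verification, and because the Secrets Manager step runs first, whatever that binary turns out to be already has the Wiz client secret, the JFrog credentials and the assumed AWS role session in its environment before any scan starts. Pin the CLI to a specific version and verify a SHA-256 recorded in the workflow (the versioned download path and the expected digest must be obtained from Wiz out of band; the URL in the sketch below is a placeholder to confirm), and add `--fail` so a non-200 response aborts instead of leaving a garbage `wizcli.gz` for `gunzip` to choke on. Separately, the IaC and Docker scan steps now pass `--client-id`/`--client-secret` on the command line, which exposes the secret to anything that can read the process table on the runner; if the CLI honours `WIZ_CLIENT_ID`/`WIZ_CLIENT_SECRET` environment variables (worth confirming against the Wiz CLI docs), prefer those over argv. The "Debug secrets (safe check)" step only prints lengths, which GitHub's log masking does not cover, and reads as a debugging leftover that should not ship in the committed workflow; the third-party actions also remain pinned to mutable tags (`@v2`, `@v1`, `@v4`) rather than commit SHAs.

```yaml
      - name: Download Wiz CLI
        env:
          WIZCLI_VERSION: '<pinned release, not latest>'      # bump deliberately, with the digest below
          WIZCLI_SHA256: '<expected sha256 of the .gz>'       # obtained out of band from Wiz
        run: |
          curl -fsSLo wizcli.gz "https://downloads.wiz.io/v1/wizcli/${WIZCLI_VERSION}/wizcli-linux-amd64.gz"
          echo "${WIZCLI_SHA256}  wizcli.gz" | sha256sum -c -
          gunzip wizcli.gz
          chmod +x wizcli
```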