How do we set up Wiz Code to connect repos/CI pipelines and drive PR-based fixes for cloud and IaC issues?

Most teams I work with already have scanners for cloud and code, but they still end up in spreadsheet wars when it’s time to fix IaC and configuration issues. Wiz Code is designed to break that pattern: connect your repos and CI pipelines, map findings to owners, and turn cloud and IaC risks into concrete pull requests developers can merge in minutes.

Quick Answer: You set up Wiz Code by connecting your SCM (GitHub, GitLab, Bitbucket, etc.) and CI pipelines, enabling policy-based scans for IaC and containers, and configuring PR-based remediation so Wiz can propose secure code changes directly in the development workflow for any issue that’s actually exploitable in your cloud.

The Quick Overview

• What It Is: Wiz Code is Wiz’s code-to-cloud engine that scans repos, IaC, containers, and pipelines, correlates them with your live cloud environment, and generates in-code fixes (including PRs) for issues that matter.
• Who It Is For: Security, platform, and DevOps teams that want to stop debating spreadsheets and instead have developers self-remediate cloud and IaC issues via their normal Git and CI workflows.
• Core Problem Solved: Traditional code and cloud scanners flood you with unprioritized findings. Wiz Code connects code to runtime, filters by exploitability, and pushes precise fixes to the right repo and team via PRs.

How It Works

At a high level, you:

1. Connect Wiz to your cloud accounts (if you haven’t already) so the Security Graph understands your runtime reality.
2. Connect your source code repos and CI/CD systems so Wiz can scan IaC, containers, and pipelines as code changes.
3. Configure policies and PR-based remediation so exploitable risks in code automatically surface in IDEs, PRs, and CI checks—with ready-to-apply fixes.

Because everything runs through the Wiz Security Graph, the system doesn’t just flag “bad Terraform”; it tells you, “this misconfiguration would expose a production database on the internet,” and then opens a PR that hardens the resource at the source.

1. Foundation: Connect Wiz to Your Cloud

Even though this article is about code and CI, the “secret sauce” is runtime context.

1. Onboard cloud accounts agentlessly

   • Connect AWS, Azure, GCP, and other environments via Wiz’s cloud-native integrations.
   • Within minutes, Wiz discovers resources, identities, networks, data stores, and their effective internet exposure.

2. Let the Security Graph build context

   • Wiz maps:
     • Cloud resources and configurations
     • Identities and permissions
     • Network paths and security groups
     • Data locations and sensitivity
     • Runtime signals and logs
   • This is what lets Wiz say: “This IaC change introduces a publicly reachable VM with a vulnerable package that has a direct path to sensitive data.”

Without this foundation, you’re just doing static IaC scanning. With it, you can prioritize and fix based on real attack paths.

2. Connect Repositories to Wiz Code

Next, you connect the places where code actually lives so Wiz can inspect IaC, containers, and config as developers work.

1. Choose the SCMs to integrate

   • Supported systems include:
     • GitHub
     • GitLab
     • Bitbucket
     • (Plus CI tools like CircleCI and Jenkins, covered in the next section.)

2. Authorize Wiz access

   • Use OAuth or app-based integrations to grant Wiz:
     • Read access to repos (for scanning IaC, Dockerfiles, configs, etc.)
     • Permission to comment on PRs and, where desired, create PRs for fixes.
   • Scope access to the orgs and repos you actually want to protect.

3. Configure repo discovery and ownership

   • Align repos to cloud environments (e.g., prod vs. non-prod) so Wiz can correlate code with the correct accounts.
   • Use ownership metadata (teams, CODEOWNERS, labels) so Wiz can:
     • Map issues to the right engineering team.
     • Route PRs, Jira/ServiceNow tickets, and notifications without central security triaging everything manually.

4. Enable code scanning for IaC and containers

   • Turn on scans for:
     • Infrastructure as Code (Terraform, CloudFormation, Kubernetes manifests, etc.)
     • Container files (Dockerfiles, base images, build configs)
     • Secrets and credentials in code
   • Configure scan schedules (on push, nightly, or on-demand) based on repo criticality.

At this point, Wiz Code understands both your code and your cloud—so findings can be ranked by exploitability instead of raw count.

3. Integrate Wiz Code into CI Pipelines

Now you plug Wiz into the build and release path so risky changes are caught before they ever hit production.

1. Identify critical pipelines

   • Focus first on:
     • Pipelines that deploy to production
     • Pipelines that build base images or shared modules used everywhere
   • Target CI systems like:
     • GitHub Actions
     • GitLab CI
     • Bitbucket Pipelines
     • CircleCI
     • Jenkins

2. Add Wiz Code scanning to CI jobs

   • Add Wiz steps to:
     • Scan IaC templates and manifests.
     • Scan container images and dependencies.
   • Typical flow:

     # Pseudo-example
     steps:
       - run: wiz-code scan --path . --format ci --fail-on-high
     

   • CI/CD guardrails ensure misconfigurations or secrets never reach production by enforcing policies during builds.

3. Define pass/fail policies

   • Set thresholds per environment:
     • Fail builds on exploitable criticals for prod-bound pipelines.
     • Warn only (don’t fail) for dev/test to avoid slowing early-stage work.
   • Use context-aware rules:
     • “Block if this IaC change makes an internet-facing resource with a known exploitable vulnerability.”
     • “Block if secrets are committed to repo or image.”

4. Feed results back to developers where they are

   • Wiz surfaces findings in:
     • CI logs/status checks
     • GitHub/GitLab PR comments
     • IDE plugins (where configured)
   • Developers see:
     • What failed
     • Why it matters in the real cloud
     • How to fix it (with suggested patches or one-click remediation where available)

This is where you move from “post-deploy cloud scanner” to “security built into the pipeline.”

4. Turn Cloud & IaC Issues Into PR-Based Fixes

With repos and CI wired up, you can now use Wiz Code’s in-code remediation to drive PR-based fixes at scale.

1. Enable in-code remediation / PR generation

   • In Wiz settings, enable:
     • In-code remediation for supported IaC patterns
     • PR creation permissions for your SCMs
   • Configure:
     • Naming conventions for branches (e.g., wiz/fix-<finding-id>).
     • Review rules (who must approve Wiz-created PRs).

2. Set rules for what gets a PR

   • Common patterns:
     • Create PRs for exploitable criticals in production-facing repos.
     • Batch lower-severity fixes into periodic PRs (e.g., weekly hygiene).
   • Use graph context to filter:
     • Issues that are actually reachable from the internet.
     • Misconfigurations that expose sensitive data paths or privileged identities.

3. What a Wiz-generated PR looks like

   • Changes directly in IaC / config / Dockerfiles:
     • Tightening security groups
     • Enforcing encryption
     • Removing hardcoded secrets
     • Bumping vulnerable base images
   • Each PR includes:
     • A clear description of the risk and its runtime impact.
     • The specific change Wiz proposes.
     • Links back to the Wiz issue for full context and justification.

4. Keep developers in their native workflow

   • Developers:
     • Review PRs in GitHub/GitLab/Bitbucket as usual.
     • See impact explained in plain language plus technical detail.
     • Merge or adjust as needed.
   • No new dashboard for engineers to live in, no CSVs to interpret.

This is where the “AI speed” story is real: not because a model invented more alerts, but because the security graph gives enough context to auto-generate safe, targeted code changes.

5. Close the Loop with Runtime Validation

Fixing code isn’t the end; you want proof that the exploit path is actually closed.

1. Deploy with Wiz runtime visibility

   • As PRs merge and pipelines deploy:
     • Wiz continuously scans your live environment.
     • Confirms the misconfigurations or vulnerable images are gone.
   • For runtime workloads, Wiz’s eBPF Runtime Sensor and cloud/SaaS logs:
     • Detect exploitation attempts.
     • Block lateral movement and privilege escalation where configured.

2. Measure MTTR and SLA adherence

   • Track:
     • Time from detection to PR creation.
     • Time from PR creation to merge.
     • Percentage of exploitable criticals in “0 open” state.
   • Many Wiz customers use this model to achieve:
     • Material MTTR reductions (e.g., 36% faster with security agents).
     • 0 criticals in key environments, without hammering developer velocity.

3. Feed learnings back into policies

   • When certain patterns keep reappearing (e.g., a risky S3 template):
     • Harden the shared module once via a PR.
     • Update policies and CI rules so it can’t regress.

Features & Benefits Breakdown

Core Feature	What It Does	Primary Benefit
Repo & CI Integration	Connects GitHub, GitLab, Bitbucket, CircleCI, Jenkins, and more to scan IaC, containers, and pipelines.	Catches cloud and IaC issues before they deploy, in existing flows.
Security Graph Prioritization	Correlates code findings with cloud resources, identities, network exposure, and data paths.	Focuses PR fixes on exploitable issues with real blast radius.
In-Code Remediation & PRs	Generates one-click fixes and opens pull requests directly in repos with full context and guidance.	Turns security queues into ready-to-merge changes engineers trust.

Ideal Use Cases

• Best for large multi-cloud environments: Because it correlates IaC and container changes with actual internet exposure, identity paths, and data in AWS, Azure, GCP, and more—so you’re not drowning in theoretical misconfigs.
• Best for platform teams standardizing security: Because it embeds consistent guardrails into CI and PR workflows across orgs, stacks, and acquired teams, creating a common language and operating model for security and engineering.

Limitations & Considerations

• PR automation scope: Not every finding can or should be auto-fixed. For complex architectural changes, Wiz will surface context and guidance but still rely on humans to define the right refactor.
• Governance and change control: Before enabling auto-PRs across your org, align with engineering and change management teams on branch policies, review rules, and what’s safe to automate.

Pricing & Plans

Wiz is sold as an enterprise-grade cloud security platform (CNAPP) with Wiz Code as part of the broader code-to-cloud-to-runtime offering. Pricing is typically tailored based on:

• Number of cloud accounts, workloads, and environments.
• Scope of code and repo coverage.
• Required integrations and support level.

Examples of how customers approach it:

• Core Cloud & Code Plan: Best for organizations needing unified visibility and prioritization across cloud and code, with repo/CI integration and contextual risk modeling.
• Advanced AI-Driven Remediation Plan: Best for teams that want to fully operationalize PR-based fixes, ownership mapping, and runtime detection/response across large, distributed engineering orgs.

(For an exact quote and feature matrix, the Wiz team typically walks through your environment and requirements.)

Frequently Asked Questions

How do we decide which repos and pipelines to onboard to Wiz Code first?

Short Answer: Start with production-facing repos and pipelines that control internet-exposed services or shared infrastructure modules.

Details: In practice, I recommend a phased rollout:

• Phase 1: Onboard repos that deploy public-facing APIs, web apps, and gateways, plus any shared Terraform/Kubernetes modules used across environments.
• Phase 2: Extend to base images and CI templates (so every downstream service inherits secure defaults).
• Phase 3: Expand to broader repos and non-prod pipelines for hygiene and consistency.
  This sequencing lets you demonstrate fast risk reduction on the highest-impact paths while tuning policies and PR workflows with a limited blast radius.

Can Wiz Code integrate with existing SAST/scan tools we already use?

Short Answer: Yes. Wiz Code can ingest findings from tools like Checkmarx and correlate them with cloud context, and you can pull Wiz’s cloud inventory back into those tools.

Details: Many teams already run SAST or container scanners. Wiz doesn’t force you to rip those out; instead, it:

• Pulls SAST findings (e.g., from Checkmarx) into the Wiz Security Graph.
• Enriches them with cloud exposure, identity paths, and data access chains.
• Lets you push context and asset data back into existing tools for targeted remediation.
  This means you can prioritize which SAST findings actually matter in production and still drive fixes via PRs, Jira, or ServiceNow without duplicating effort.

Summary

To set up Wiz Code to connect repos and CI pipelines and drive PR-based fixes for cloud and IaC issues, you:

1. Connect your cloud accounts so the Security Graph understands real attack paths.
2. Integrate your SCM and CI systems so Wiz can scan IaC, containers, and pipelines where developers already work.
3. Configure policies and in-code remediation so exploitable risks become PRs with concrete code changes, not just alerts.
4. Validate fixes in runtime and use metrics to drive remediation SLAs that engineering can actually meet.

The result is an operating model where “exposure → code fix → runtime validation” runs on context and automation, not spreadsheets and manual correlation.

Next Step

Get Started