How do we set up Wiz Code to connect repos/CI pipelines and drive PR-based fixes for cloud and IaC issues?
Cloud Security Platforms

How do we set up Wiz Code to connect repos/CI pipelines and drive PR-based fixes for cloud and IaC issues?

9 min read

Most teams I work with don’t struggle to “find issues” in cloud and IaC—they struggle to connect those issues back to the right repo, automate checks in CI, and turn findings into clean, reviewable pull requests. Wiz Code is built to close exactly that loop: connect your repos and pipelines, scan before anything hits the cloud, and then drive PR-based fixes with full context from your live environment.

Quick Answer: Wiz Code connects directly to your Git repos and CI/CD pipelines, scans IaC and cloud-facing code with live cloud context, and then uses that same context to open or assist PRs so dev teams can fix cloud and IaC risks where they start—without leaving their normal workflow.

The Quick Overview

  • What It Is: Wiz Code is the code and pipeline security layer of Wiz’s CNAPP. It scans IaC, containers, and application code, then correlates those findings with real cloud exposure using the Wiz Security Graph. From there, it can enforce CI/CD guardrails and drive PR-based fixes directly in your Git workflows.
  • Who It Is For: Cloud security, platform, and DevOps teams that need to move from “cloud misconfigurations and tickets” to “code-level fixes and policy-as-code” across multi-cloud environments and multiple engineering orgs.
  • Core Problem Solved: Traditional tools stop at cloud findings or static code scanning. Wiz Code connects code → pipelines → cloud runtime, so you can see which repos actually create exploitable risk, and then fix them at the source through PRs instead of spreadsheet-driven remediation campaigns.

How It Works

At a high level, you set up Wiz Code in three steps:

  1. Connect repos and pipelines: Integrate GitHub, GitLab, Bitbucket, CircleCI, Jenkins, and other CI tools so Wiz can scan IaC, Dockerfiles, and application code as part of your normal workflows.
  2. Correlate with cloud context: Wiz’s security graph ties code findings to real cloud resources, internet exposure, identity paths, and data. That means you’re not just seeing “a bad security group in Terraform,” you’re seeing “a bad security group on an internet-exposed VM with access to a sensitive database.”
  3. Drive PR-based fixes: Wiz surfaces issues directly in IDEs and pull requests, and supports in-code remediation so developers can apply one-click or guided fixes without leaving their tools. Security defines the guardrails; dev teams merge the PRs.

More concretely, here’s the lifecycle:

  1. Attack surface scanning in code and pipelines:

    • Wiz connects to your Git providers and CI/CD systems.
    • It scans IaC (Terraform, CloudFormation, Kubernetes manifests, etc.), containers, and code for misconfigurations, secrets, and vulnerable packages.
    • It enforces CI/CD guardrails so critical violations can fail builds before misconfigurations or secrets ever reach production.

  2. Deep internal analysis with cloud context:

    • Wiz correlates scan results with your live cloud environment (AWS, Azure, GCP, Kubernetes, SaaS) via the Wiz Security Graph.
    • It models exploitability based on internet exposure, identity and network paths, and blast radius, suppressing issues that are not actually exploitable in the live environment.
    • Findings are mapped back to repo/service ownership so you know exactly who should fix what.

  3. Fix at scale in code with PR workflows:

    • Wiz pushes real-time feedback into IDEs and pull requests, including remediation guidance and, for many issues, one-click in-code remediation.
    • It can open or assist PRs with configuration changes, policy updates, or dependency bumps that neutralize the attack path.
    • Issues flow into developer tools (GitHub, GitLab, Bitbucket, CI pipelines) and ticketing systems so engineering can self-remediate within existing SLAs.

Features & Benefits Breakdown

Core FeatureWhat It DoesPrimary Benefit
Repo & CI/CD integrationConnects to GitHub, GitLab, Bitbucket, CircleCI, Jenkins, and more to scan IaC, containers, and code.Brings Wiz Code into existing dev workflows without new portals or manual exports.
Cloud-contextual code scanningCorrelates code findings with live cloud exposure using the Wiz Security Graph.Prioritizes the issues that are actually exploitable and suppresses noise.
PR-based and in-code remediationSurfaces findings in IDEs/PRs with one-click or guided fixes directly in the dev workflow.Turns findings into concrete code changes; accelerates remediation without slowing engineering.

Ideal Use Cases

  • Best for preventing cloud misconfigurations at source: Because Wiz Code enforces CI/CD guardrails and scans IaC before deployment, misconfigured security groups, public buckets, and risky Kubernetes settings can be caught and fixed in PRs—long before they show up as “critical misconfigurations” in the cloud.
  • Best for closing the loop from cloud findings to code fixes: Because Wiz ties cloud resources back to the repos and pipelines that created them, you can go from “this S3 bucket is exposed” to “this Terraform module in repo X needs this exact change,” and then drive that change via PR.

Limitations & Considerations

  • Needs Git and CI/CD access: You’ll need sufficient permissions to connect Wiz Code to your Git providers and CI platforms. In highly regulated environments, plan for a short onboarding process with your platform/DevOps leads to grant read (and in some cases write) access for PR-based remediation.
  • Policy design still matters: Wiz Code provides powerful guardrails and fix workflows, but you still need to define which policies should fail builds, which issues are advisory, and what your remediation SLAs look like per severity/category.

Pricing & Plans

Wiz is sold as a unified cloud security platform (CNAPP), with Wiz Code as a core capability rather than a standalone toy add-on. Pricing is typically based on cloud footprint and usage, with packaging that scales from teams modernizing a single cloud to enterprises running multi-cloud at Fortune 100 scale.

  • Core Wiz Platform: Best for teams that want unified visibility and risk reduction across code, cloud, identities, and runtime, and need Wiz Code tightly integrated with attack surface management and runtime threat detection.
  • Enterprise Wiz Deployment: Best for large, multi-cloud organizations needing advanced ownership mapping, agentless coverage at scale, and deep integration into existing Git/CI/CD, ITSM, and SIEM ecosystems across many business units.

For detailed pricing, custom volumes, and deployment models, you’ll want to walk through your architecture with Wiz directly.

Frequently Asked Questions

How do we actually connect our repos and CI pipelines to Wiz Code?

Short Answer: You connect Wiz Code to your Git provider (GitHub, GitLab, Bitbucket, etc.) and CI/CD tools (CircleCI, Jenkins, and others) using native integrations, then configure which repos and pipelines to scan and what policies should apply.

Details:
In practice, the setup typically follows this pattern:

  1. Connect Git provider:

    • From the Wiz console, add an integration for GitHub, GitLab, Bitbucket, or your chosen provider.
    • Grant Wiz read access to the repos you want to onboard. If you want PR-based remediation, grant the minimal write permissions required to open or update pull requests.
    • Select which repos or orgs to include initially—most teams start with core infrastructure/IaC repos, high-risk apps, and shared modules.

  2. Connect CI/CD pipelines:

    • Integrate Wiz Code with CI tools such as CircleCI or Jenkins using the documented plugins or API.
    • Add Wiz Code scanning steps to your pipelines—typically as a stage that runs after build but before deployment.
    • Configure CI rules: which findings fail the build, which are logged as warnings, and what severity thresholds apply to different environments (e.g., stricter for production branches).

  3. Tune scanning scope and rules:

    • Enable scanning for IaC templates, containers, and vulnerable packages.
    • Turn on CI/CD guardrails to prevent secrets, critical misconfigurations, or high/critical CVEs from reaching production.
    • Use Wiz’s suppression and context features so non-exploitable issues are de-prioritized, reducing friction with developers.

Once configured, Wiz Code continuously scans code in repos and during pipeline runs, feeding findings into the Security Graph and back into your dev workflows.

How do PR-based fixes work for cloud and IaC issues with Wiz Code?

Short Answer: Wiz Code identifies issues in IaC and cloud-related code, correlates them with real cloud exposure, and then surfaces remediation directly in PRs or IDEs—including one-click in-code fixes for many patterns—so developers can merge the secure version.

Details:
The PR-based remediation flow looks like this:

  1. Issue detected:

    • A developer opens a PR that changes Terraform, Kubernetes manifests, or application configuration.
    • Wiz Code scans the diff (via Git integration or CI) and detects misconfigurations, exposed secrets, or vulnerable packages.

  2. Contextual evaluation:

    • Wiz checks the issue against your live environment via the Security Graph:
      • Is this resource internet-exposed?
      • Does it sit on a path to sensitive data?
      • Are there identity/network routes that make it exploitable?
    • If the issue isn’t exploitable given the real environment, Wiz can suppress or downgrade it, preventing noise.

  3. Remediation surfaced in PR/IDE:

    • Wiz posts inline comments or checks in the PR with:
      • The issue description and risk in plain language.
      • The affected resource or configuration block.
      • Concrete remediation guidance.
    • For many issue types, Wiz offers in-code remediation—one-click fixes directly in the developer’s workflow that adjust the configuration or dependency to a safe pattern.

  4. PR workflow and merge:

    • Developers review the suggested fix, adjust if needed, and commit.
    • The updated PR re-runs the Wiz Code check; once clean, it can be merged.
    • That change propagates through CI/CD and ultimately remediates the cloud risk at its source, instead of patching it ad hoc in the console.

This model gives you a single, consistent path: from cloud exposure to the repo that caused it, to a PR that removes the attack path—and it does it in the tools engineers already live in.

Summary

Connecting Wiz Code to your repos and CI pipelines is how you move from “we found another misconfigured security group in production” to “we fixed the Terraform module that keeps creating them.” You integrate Git and CI, let Wiz Code scan IaC and cloud-related code with full cloud context, and then use PR-based and in-code remediation to fix issues at the source. That combination—security graph context plus developer-native workflows—is what lets teams reduce MTTR, hit remediation SLAs, and consistently keep critical cloud and IaC issues at zero without slowing delivery.

Next Step

Get Started

Back to Cloud Security Platforms

Keep Reading

More from Cloud Security Platforms

Do we qualify for Wiz Go for Startups, and how do we apply if we’re scaling fast on AWS with multiple accounts?

Read more

We’re integrating an acquisition—how do we roll out Wiz across the acquired company’s cloud accounts and unify reporting?

Read more

Wiz PoC plan: what success criteria should we set for exploitable risk prioritization, attack paths, and remediation workflow adoption?

Read more