Wiz — ARX Docs

Overview¶

The Wiz connector integrates ARX with the Wiz Cloud-Native Application Protection Platform (CNAPP) via its GraphQL API. It provides programmatic access to cloud security posture management, vulnerability findings, and security graph queries. It supports 20 operations across nine API families.

Authentication: OAuth2 client credentials flow against https://auth.app.wiz.io/oauth/token. Tokens are automatically cached and refreshed before expiry.
API model: All operations are GraphQL queries or mutations sent via POST to the /graphql endpoint.
Key capabilities:
Query, update, resolve, and reopen security issues
Retrieve vulnerability findings with severity and status filters
Search and inspect cloud resource inventory and configuration
Execute custom security graph queries and explore entity relationships
Query security frameworks, controls, and compliance findings
Manage projects, reports, users, and connectors

All operations are policy-evaluated and audit-logged through the ARX BaseConnector framework.

Prerequisites¶

Requirement	Details
Wiz Tenant	An active Wiz tenant with API access
Service Account	Create a service account under Settings > Service Accounts in the Wiz portal
Client ID	The OAuth2 `client_id` from the service account
Client Secret	The OAuth2 `client_secret` from the service account
API URL	Your Wiz API endpoint (defaults to `https://api.us1.app.wiz.io/graphql`; varies by datacenter: `us1`, `us2`, `eu1`, `eu2`)
Permissions	Assign the service account a role with appropriate GraphQL scopes: `read:issues`, `update:issues`, `read:vulnerabilities`, `read:resources`, etc.

Store credentials in the ARX vault under the key wiz with fields client_id, client_secret, and api_url.

SDK Usage¶

from arxsec import ARXClient

arx = ARXClient()

# Query open critical issues
issues = await arx.execute(
    connector="wiz",
    operation="issues:read",
    params={
        "query": """query GetIssues($first: Int, $filterBy: IssueFilters) {
          issues(first: $first, filterBy: $filterBy) {
            nodes { id title severity status createdAt }
            pageInfo { hasNextPage endCursor }
            totalCount
          }
        }""",
        "variables": {
            "first": 50,
            "filterBy": {"status": ["OPEN"], "severity": ["CRITICAL"]},
        },
    },
)

# Resolve an issue
await arx.execute(
    connector="wiz",
    operation="issues:resolve",
    params={
        "query": """mutation ResolveIssue($input: ResolveIssueInput!) {
          resolveIssue(input: $input) {
            issue { id title status resolutionReason }
          }
        }""",
        "variables": {
            "input": {
                "id": "issue-uuid-here",
                "resolutionReason": "RESOLVED",
                "note": "Remediated via automated patching",
            },
        },
    },
)

# Search cloud resources by type
resources = await arx.execute(
    connector="wiz",
    operation="resources:read_inventory",
    params={
        "query": """query GetCloudResources($first: Int, $filterBy: CloudResourceFilters) {
          cloudResources(first: $first, filterBy: $filterBy) {
            nodes { id name type cloudPlatform region status }
            totalCount
          }
        }""",
        "variables": {
            "first": 100,
            "filterBy": {"type": ["virtualMachine"], "cloudPlatform": ["AWS"]},
        },
    },
)

Operations¶

Issues (5 operations)¶

Operation ID	Description	Risk	Method
`issues:read`	Query Wiz issues with filters and pagination	LOW	POST
`issues:read_details`	Get full issue details by ID	LOW	POST
`issues:update`	Update issue properties (severity, assignee, note, due date)	MEDIUM	POST
`issues:resolve`	Resolve an issue with resolution reason	MEDIUM	POST
`issues:reopen`	Reopen a previously resolved issue	MEDIUM	POST

Vulnerabilities (2 operations)¶

Operation ID	Description	Risk	Method
`vulnerabilities:read`	Query vulnerability findings with filters	LOW	POST
`vulnerabilities:read_details`	Get full vulnerability finding details by ID	LOW	POST

Cloud Resources (3 operations)¶

Operation ID	Description	Risk	Method
`resources:read`	Graph search for cloud resources	LOW	POST
`resources:read_inventory`	Query cloud resource inventory	LOW	POST
`resources:read_config`	Get resource configuration details	LOW	POST

Security Graph (2 operations)¶

Operation ID	Description	Risk	Method
`graph:query`	Execute custom graph search query	LOW	POST
`graph:relationships`	Query related entities for a resource	LOW	POST

Controls and Policies (2 operations)¶

Operation ID	Description	Risk	Method
`controls:read`	Query security frameworks and controls	LOW	POST
`controls:read_findings`	Query findings for security controls	LOW	POST

Projects (1 operation)¶

Operation ID	Description	Risk	Method
`projects:read`	Query Wiz projects	LOW	POST

Reports (2 operations)¶

Operation ID	Description	Risk	Method
`reports:read`	Query available reports	LOW	POST
`reports:generate`	Generate a new report	MEDIUM	POST

Users (1 operation)¶

Operation ID	Description	Risk	Method
`users:read`	Query Wiz users	LOW	POST

Connectors (2 operations)¶

Operation ID	Description	Risk	Method
`connectors:read`	Query Wiz connectors and their status	LOW	POST
`connectors:test`	Test connector connectivity	MEDIUM	POST

Risk Classifications¶

Level	Criteria	Examples
LOW	All read/query operations including issues, vulnerabilities, resources, graph searches, controls, projects, reports, users, and connectors	`issues:read`, `vulnerabilities:read`, `resources:read_inventory`, `graph:query`, `controls:read_findings`, `projects:read`, `reports:read`, `users:read`, `connectors:read`
MEDIUM	Mutation operations that modify issue state, generate reports, or test connectors	`issues:update`, `issues:resolve`, `issues:reopen`, `reports:generate`, `connectors:test`

Wiz does not have HIGH or CRITICAL risk operations in this connector because the API is read-heavy and does not support destructive infrastructure actions. All mutations are limited to issue management, report generation, and connector testing.

Policy Examples¶

Allow full read access, restrict issue mutations¶

rules:
  - name: "Allow all Wiz read operations"
    connector: wiz
    operations:
      - "issues:read"
      - "issues:read_details"
      - "vulnerabilities:*"
      - "resources:*"
      - "graph:*"
      - "controls:*"
      - "projects:read"
      - "reports:read"
      - "users:read"
      - "connectors:read"
    action: allow

  - name: "Require approval to resolve or reopen issues"
    connector: wiz
    operations:
      - "issues:resolve"
      - "issues:reopen"
    action: require_approval
    approvers:
      - role: security_lead

Restrict report generation to scheduled automations¶

rules:
  - name: "Allow report generation for automation agents"
    connector: wiz
    operations:
      - "reports:generate"
    action: allow
    conditions:
      agent_role: scheduled_automation

  - name: "Deny report generation for all others"
    connector: wiz
    operations:
      - "reports:generate"
    action: deny
    reason: "Report generation is restricted to scheduled automation agents"

Allow cloud resource visibility across all teams¶

rules:
  - name: "Allow resource and graph queries for all agents"
    connector: wiz
    operations:
      - "resources:*"
      - "graph:*"
      - "controls:*"
    action: allow
    audit: verbose