Add wiz container scanning to build and push workflow

grahamalama · grahamalama · commit f1d08c6d61f2 · 2025-12-01T14:41:29.000-05:00
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -108,6 +108,20 @@ jobs:
           should_tag_ghcr: ${{ inputs.should_tag_ghcr }}
           should_tag_latest: ${{ inputs.should_tag_latest }}
           gar_location: ${{ inputs.gar_location }}
+      - name: Download Wiz CLI
+        env:
+          # Wiz CLI release notes: https://docs.wiz.io/release-notes/wiz-cli
+          WIZ_CLI_VERSION: 1.17.0
+        run: curl -Lo wizcli "https://downloads.wiz.io/v1/wizcli/$WIZ_CLI_VERSION/wizcli-linux-amd64" && chmod +x wizcli
+      - name: Authenticate to Wiz
+        run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+        env:
+          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+      - name: Run wiz-cli docker image scan
+        env:
+          IMAGE_NAME: ${{ inputs.image_name }}
+        run: ./wizcli docker scan --image "${IMAGE_NAME}"
       - name: Run post-build commands
         shell: bash
         if: ${{ inputs.postbuild_script != '' }}
