WIZ

Export Vulnerability to WIZ on Vuln Created

The purpose of this example is to export a vulnerability to WIZ when a vulnerability is created.

This example Flow can be downloaded from our Flows GitHub Repository and imported into your AttackForge.

Initial Set Up

Event: Vuln Created
Secrets:
- af_hostname - for example "demo.attackforge.com"
- af_key - your AttackForge user API key
- logging_level - set to "debug" if additional logging is required
- wiz_api_host - for example "api.us17.app.wiz.io"
- wiz_client_id - your WIZ Client Id
- wiz_client_secret - your WIZ Client Secret
- wiz_integration_id - your WIZ Intgration Id

Action 1 - Validate Readiness for Export

Script:

const vuln = data;

if (!vuln?.vulnerability_id) {
  return {
    decision: {
      status: 'abort',
      message: 'No vulnerability found in event data.'
    }
  };
};

// Check 1: Vuln is not deleted
const isDeleted = vuln?.vulnerability_is_deleted === true;
if (isDeleted) {
  return {
    decision: {
      status: 'finish',
      message: 'Vulnerability is deleted. Skipping WIZ export.'
    }
  };
};

// Check 2: Vuln is not pending
const isPending = vuln?.vulnerability_is_visible === false;
if (isPending) {
  return {
    decision: {
      status: 'finish',
      message: 'Vulnerability is pending. Skipping WIZ export.'
    }
  };
};

// Check 3: Vuln is not already exported to WIZ
const customFields = vuln?.vulnerability_custom_fields || [];
let exportedToWiz = false;
for (let i = 0; i < Array.length(customFields); i++) {
  const customField = customFields[i];
  if (customField.key === 'exported_to_wiz' && customField.value === 'Yes') {
    exportedToWiz = true;
  }
}
if (exportedToWiz) {
  return {
    decision: {
      status: 'finish',
      message: 'Vulnerability already exported to WIZ. Skipping.'
    }
  };
};

// Check 4  - Ensure all necessary asset fields exist
let asset_hostname;
let asset_port;
let asset_protocol;
let asset_name;
let asset_id;
let asset;
if (vuln?.vulnerability_affected_assets?[0]?.asset) {
  asset = vuln.vulnerability_affected_assets[0].asset;
}
if (!asset) {
  return {
    decision: {
      status: 'abort',
      message: 'Asset not found on vulnerability.'
    }
  };
}
if (asset.name) {
  asset_name = asset.name;
}
if (asset.id) {
  asset_id = asset.id;
}
if (asset.custom_fields && Array.isArray(asset.custom_fields)) {
  const custom_fields = asset.custom_fields;
  for (let i = 0; i < Array.length(custom_fields); i++) {
    const customField = custom_fields[i];
    if (customField.key === 'af_sys_hostnames' && customField.value?[0]) {
      asset_hostname = customField.value[0];
    }
    else if (customField.key === 'af_sys_ports' && customField.value?[0]) {
      asset_port = Number.parseInt(customField.value[0], 10);
    }
    else if (customField.key === 'protocols' && customField.value?[0]) {
      asset_protocol = customField.value[0];
    }
  }
}
if (!asset_id || !asset_name || !asset_hostname || !asset_port || !asset_protocol) {
  if (secrets.logging_level === 'debug'){
    Logger.debug('asset_id: ', asset_id);
    Logger.debug('asset_name: ', asset_name);
    Logger.debug('asset_hostname: ', asset_hostname);
    Logger.debug('asset_port: ', asset_port);
    Logger.debug('asset_protocol: ', asset_protocol);
  }
  return {
    deicision:{
      status: 'abort',
      message: 'Error: asset_id, asset_name, asset_hostname, asset_port, asset_protocol must all exist.'
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('Vulnerability ready for WIZ export: ', vuln.vulnerability_id);
}

return {
  decision: {
    status: 'continue',
    message: 'Vulnerability is ready for export to WIZ.'
  },
  data: {
    vuln: data,
    asset_id: asset_id,
    asset_name: asset_name,
    asset_hostname: asset_hostname,
    asset_port: asset_port,
    asset_protocol: asset_protocol
  }
};

Action 2 - Build WIZ Payload

Script:

const vuln = data?.vuln;
const vulnId = vuln?.vulnerability_id;
const payload = payloadGenerator(vuln);

if (secrets.logging_level === 'debug'){
  Logger.debug('payload built: ', JSON.stringify(payload));
}
return {
  decision:{
    status: 'continue',
    message: 'Successfully built JSON payload'
  },
  data: {
    vuln: vuln,
    wiz_payload: payload
  }
};

// Users can customise this to be multiple payload generation if needed.
function payloadGenerator(vuln){
  
  // Affected asset
  const endpoint = {
    assetId: data?.asset_id,
    assetName: data?.asset_name,
    host: data?.asset_hostname,
    port: data?.asset_port,
    protocol: data?.asset_protocol
  };

  // Severity mapping: AF → WIZ
  const severityMap = {
    'Critical': 'Critical',
    'High': 'High',
    'Medium': 'Medium',
    'Low': 'Low',
    'Info': 'None'
  };
  const afPriority = vuln?.vulnerability_priority || 'Low';
  const wizSeverity = severityMap[afPriority] || 'None';

  // description
  const description = (vuln?.vulnerability_description || '') + '\n\n' + (vuln?.vulnerability_attack_scenario || '');

  // assessmentDetails
  const affectedAssetsStr = '- ' + data?.asset_name + '\n';
  const notes = vuln?.vulnerability_notes || [];
  let notesStr = '';
  for (let i = 0; i < Array.length(notes); i++) {
    const noteText = notes[i]?.note || '';
    if (noteText) {
      notesStr = notesStr + noteText + '\n';
    }
  }
  const assessmentDetails = 'Affected Asset:\n\n' + (affectedAssetsStr || 'N/A')
    + '\nSteps to Reproduce:\n\n' + (vuln?.vulnerability_steps_to_reproduce || 'N/A')
    + '\n\nNotes:\n\n' + (notesStr || 'N/A');

  // Link to AttackForge vuln
  const projects = vuln?.vulnerability_projects || [];
  const projectId = (Array.length(projects) > 0) ? projects[0].id : '';
  const externalLink = 'https://' + secrets.af_hostname + '/projects/' + projectId + '/vulnerabilities/' + vulnId;

  // Stable datasource ID
  const datasourceId = secrets.wiz_datasource_id || ('attackforge-project-' + projectId);

  // Vulnerability type mapping
  const typeMap = {
    'Misconfiguration': 'Misconfiguration',
    'DAST': 'DAST',
    'SCA': 'SCA',
    'SAST': 'SAST',
    'IaC': 'IaC',
    'SecretDetection': 'SecretDetection',
    'ContainerScan': 'ContainerScan',
    'HostScan': 'HostScan'
  };
  const vulnType = 'DAST';
  const wizType = typeMap[vulnType] || 'DAST';

  const finding = {
    id: vulnId,
    name: vuln?.vulnerability_title || '',
    description: description,
    assessmentDetails: assessmentDetails,
    remediation: vuln?.vulnerability_remediation_recommendation || '',
    severity: wizSeverity,
    type: wizType,
    externalFindingLink: externalLink
  };  

  return {
    integrationId: secrets.wiz_integration_id,
    dataSources: [
      {
        id: datasourceId,
        analysisDate: vuln?.vulnerability_created || Date.datetime('now'),
        assets: [
          {
            details: {
              endpoint: endpoint
            },
            attackSurfaceFindings: [finding]
          }
        ]
      }
    ]
  };
}

Action 3 - Get WIZ Access Token

Method: POST
URL: https://auth.app.wiz.io/oauth/token
Headers:
- Key = Content-Type; Type = Value; Value = application/x-www-form-urlencoded
Request Script:

const req_body = 'grant_type=client_credentials&audience=wiz-api&client_id=' + secrets.wiz_client_id + '&client_secret=' + secrets.wiz_client_secret;

return {
  decision: {
    status: 'continue',
    message: 'Fetching WIZ access token.'
  },
  request: {
    body: 'grant_type=client_credentials&audience=wiz-api&client_id=' + secrets.wiz_client_id + '&client_secret=' + secrets.wiz_client_secret
  },
  data: {
    vuln: data?.vuln,
    wiz_payload: data?.wiz_payload
  }
};

Response Script:

if (response?.statusCode !== 200) {
  if (secrets.logging_level === 'debug') {
    Logger.debug('Error fetching WIZ token: ', JSON.stringify(response));
  }
  return {
    decision: {
      status: 'abort',
      message: 'Failed to get WIZ access token. HTTP status: ' + (response?.statusCode || 'unknown')
    }
  };
}

const token = response?.jsonBody?.access_token;
if (!token) {
  return {
    decision: {
      status: 'abort',
      message: 'WIZ access_token not found in token response.'
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('WIZ access token obtained successfully.');
}

return {
  decision: {
    status: 'continue',
    message: 'WIZ access token obtained.'
  },
  data: {
    vuln: data?.vuln,
    wiz_payload: data?.wiz_payload,
    wiz_token: token
  }
};

Action 4 - Request WIZ Upload URL

Method: POST
URL: https://{{wiz_api_host}}/graphql
Headers:
- Key = Content-Type; Type = Value; Value = application/json
Request Script:

const vuln = data?.vuln;
const currTime = Date.datetime("now", "epoch");
const wiz_upload_filename = 'attackforge-vuln-' + currTime + '.json';

if (secrets.logging_level === 'debug') {
  Logger.debug('WIZ enrichment payload: ', JSON.stringify(payload));
}

return {
  decision: {
    status: 'continue',
    message: 'Requesting WIZ upload URL for vulnerability ' + vuln.vulnerability_id + '.'
  },
  request: {
    url: 'https://' + secrets.wiz_api_host + '/graphql',
    headers: {
      'Authorization': 'Bearer ' + data.wiz_token,
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    },
    body: {
      query: 'query RequestSecurityScanUpload($filename: String!) { requestSecurityScanUpload(filename: $filename) { upload { id url systemActivityId } } }',
      variables: {
        filename: wiz_upload_filename
      }
    }
  },
  data: {
    vuln: data?.vuln,
    wiz_payload: data?.wiz_payload,
    wiz_token: data?.wiz_token
  }
};

Response Script:

if (response?.statusCode !== 200) {
  if (secrets.logging_level === 'debug') {
    Logger.debug('WIZ upload URL request error: ', JSON.stringify(response));
  }
  return {
    decision: {
      status: 'abort',
      message: 'Failed to request WIZ upload URL. HTTP status: ' + (response?.statusCode || 'unknown')
    }
  };
}

const upload = response?.jsonBody?.data?.requestSecurityScanUpload?.upload;
if (!upload?.url) {
  return {
    decision: {
      status: 'abort',
      message: 'WIZ upload URL not found in response.'
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('WIZ upload URL obtained. Upload ID: ' + upload.id + ', Activity ID: ' + upload.systemActivityId);
}

return {
  decision: {
    status: 'continue',
    message: 'WIZ upload URL obtained successfully.'
  },
  data: {
    vuln: data?.vuln,
    wiz_payload: data?.wiz_payload,
    wiz_token: data?.wiz_token,
    wiz_upload_id: upload.id,
    wiz_upload_url: upload.url,
    wiz_system_activity_id: upload.systemActivityId
  }
};

Action 5 - Upload Scan to WIZ S3 Bucket

Method: PUT
URL: https://{{preSignedUrl}}
Headers:
- Key = Content-Type; Type = Value; Value = application/json
Request Script:

const uploadUrl = data?.wiz_upload_url;
if (!uploadUrl) {
  return {
    decision: {
      status: 'abort',
      message: 'WIZ upload URL not found in data. Cannot upload enrichment payload.'
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('Uploading enrichment JSON to S3. Upload ID: ' + data.wiz_upload_id);
}

return {
  decision: {
    status: 'continue',
    message: 'Uploading enrichment JSON to WIZ S3 bucket.'
  },
  request: {
    url: uploadUrl,
    body: data?.wiz_payload
  },
  data: {
    vuln: data?.vuln,
    wiz_token: data?.wiz_token,
    wiz_upload_id: data?.wiz_upload_id,
    wiz_system_activity_id: data?.wiz_system_activity_id
  }
};

Response Script:

// S3 presigned PUT returns 200 on success
if (response?.statusCode !== 200) {
  if (secrets.logging_level === 'debug') {
    Logger.debug('S3 upload error: ', JSON.stringify(response));
  }
  return {
    decision: {
      status: 'abort',
      message: 'Failed to upload enrichment JSON to S3. HTTP status: ' + (response?.statusCode || 'unknown')
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('Enrichment JSON uploaded to S3 successfully. Upload ID: ' + data.wiz_upload_id);
  Logger.debug('response: ', JSON.stringify(response));
}

return {
  decision: {
    status: 'continue',
    message: 'Enrichment JSON uploaded to WIZ S3 bucket successfully.',
    delay: 3000
  },
  data: {
    vuln: data?.vuln,
    wiz_token: data?.wiz_token,
    wiz_system_activity_id: data?.wiz_system_activity_id
  }
};

Action 6 - Check WIZ Upload Status

Method: POST
URL: https://{{wiz_api_host}}/graphql
Headers:
- Key = Content-Type; Type = Value; Value = application/json
- Key = Accept; Type = Value; Value = application/json
Request Script:

const activityId = data?.wiz_system_activity_id;
if (!activityId) {
  return {
    decision: {
      status: 'abort',
      message: 'systemActivityId not found. Cannot check WIZ upload status.'
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('Checking WIZ upload status for systemActivityId: ' + activityId);
}

const query = 'query SystemActivity($id: ID!) { systemActivity(id: $id) { id status statusInfo result { ... on SystemActivityEnrichmentIntegrationResult { dataSources { ... IngestionStatsDetails } findings { ... IngestionStatsDetails } events { ... IngestionStatsDetails } tags { ... IngestionStatsDetails } } } context { ... on SystemActivityEnrichmentIntegrationContext { fileUploadId } } } } fragment IngestionStatsDetails on EnrichmentIntegrationStats { incoming handled }';

return {
  decision: {
    status: 'continue',
    message: 'Checking WIZ upload status for activity ' + activityId + '.'
  },
  request: {
    url: 'https://' + secrets.wiz_api_host + '/graphql',
    headers: {
      'Authorization': 'Bearer ' + data.wiz_token,
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    },
    body: {
      query: query,
      variables: {
        id: activityId
      }
    }
  },
  data: {
    vuln: data?.vuln,
    wiz_token: data?.wiz_token,
    wiz_system_activity_id: data?.wiz_system_activity_id
  }
};

Response Script:

if (response?.statusCode !== 200) {
  if (secrets.logging_level === 'debug') {
    Logger.debug('WIZ status check error: ', JSON.stringify(response));
  }
  return {
    decision: {
      status: 'abort',
      message: 'Failed to check WIZ upload status. HTTP status: ' + (response?.statusCode || 'unknown')
    }
  };
}

const activity = response?.jsonBody?.data?.systemActivity;
if (!activity) {
  return {
    decision: {
      status: 'abort',
      message: 'systemActivity not found in WIZ status response.'
    }
  };
}

const activityStatus = activity?.status || '';
const statusInfo = activity?.statusInfo || '';

if (secrets.logging_level === 'debug') {
  Logger.debug('WIZ activity status: ' + activityStatus + ' — ' + statusInfo);
  Logger.debug('WIZ activity result: ', JSON.stringify(activity?.result));
}

if (activityStatus === 'FAILURE') {
  return {
    decision: {
      status: 'abort',
      message: 'WIZ enrichment ingestion failed. Status: ' + activityStatus + ' — ' + statusInfo
    }
  };
}

// Success
if (activityStatus === 'SKIPPED' || activityStatus === 'SUCCESS'){
  // 
  return {
    decision: {
      status: 'continue',
      message: 'WIZ enrichment upload status: ' + activityStatus + '. Proceeding to mark vulnerability.'
    },
    data: {
      vuln: data?.vuln,
    }
  };
} 
else {
  return {
    decision:{
      status: 'repeat',
      message: 'Current Status: ' + activityStatus + '. Polling Check Upload Status again in 5 seconds...',
      delay: 5000
    },
    data: {
      vuln: data?.vuln,
      wiz_token: data?.wiz_token,
      wiz_system_activity_id: data?.wiz_system_activity_id
    }
  };
}

Action 7 - Update Vuln - Mark Vuln as Exported to WIZ

Method: PUT
URL: https://{{af-tenant}}/api/ss/vulnerability/{id}
Headers:
- Key = Content-Type; Type = Value; Value = application/json
- Key = X-SSAPI-KEY; Type = Secret; Value = af_auth
Request Script:

const vuln = data?.vuln;
const vulnId = vuln?.vulnerability_id;
const projects = vuln?.vulnerability_projects;
// Assume first project as project
const projectId = projects?[0]?.id ;

if (!vulnId || !projectId) {
  if (secrets.logging_level === 'debug'){
    Logger.debug('vuln: ', vuln);
    Logger.debug('project: ', vuln?.vulnerability_projects);
  }
  return {
    decision: {
      status: 'abort',
      message: 'Vulnerability ID or Project ID not found. Cannot mark as exported to WIZ. Please check the log.'
    }
  };
}

return {
  decision: {
    status: 'continue',
    message: 'Updating vulnerability as exported to WIZ.'
  },
  request: {
    url: 'https://' + secrets.af_hostname + '/api/ss/vulnerability/' + vulnId,
    body: {
      project_id: projectId,
      custom_fields: [
        { 
          key: 'exported_to_wiz',
          value: 'Yes' 
        }
      ]
    }
  }
};

Response Script:

if (response?.statusCode !== 200) {
  if (secrets.logging_level === 'debug') {
    Logger.debug('Error marking vulnerability as exported: ', JSON.stringify(response));
  }
  return {
    decision: {
      status: 'abort',
      message: 'Failed to update vulnerability as exported to WIZ. HTTP status: ' + (response?.statusCode || 'unknown')
    }
  };
}

if (secrets.logging_level === 'debug') {
  Logger.debug('Vulnerability marked as exported to WIZ successfully.');
}

return {
  decision: {
    status: 'finish',
    message: 'Vulnerability exported to WIZ and marked as "exported_to_wiz" = "Yes".'
  }
};

Export Vulnerability to WIZ on Vuln Updated

The purpose of this example is to export a vulnerability to WIZ when a vulnerability is updated, if it has not yet been exported to WIZ.