SUP-4329: Refactor to use WIZ_CLIENT_ID and WIZ_CLIENT_SECRET (#29)

tomowatt · sulewicz-gq · web-flow · commit 75e816285fb0 · 2025-08-15T14:44:50.000+01:00
* feat: produce additional output file for non-human output formats * feat: update parameters and format * docs: update README to reflect parameter changes * feat: reflect paramter changes in hook * test: reflect parameter changes in tests * fix: add set -e to ensure hook doesn't silently fail * chore: remove version, pin images and remove Read Only * feat/fix: add shared lib for handling reading env vars correctly for strings or arrays parameters * Revert "fix: add set -e to ensure hook doesn't silently fail" This reverts commit f0bc975. * fix/test: correct Env Var used to read and add test * fix: make shared.bash executable for shellcheck * fix: update pipeline for shellcheck shared.bash * chore: re-add read-only for volume mounts as read-write not required * feat: add check for duplicate file formats * set a default output that will be used for the Build Annotations so that can be refactored separately * added notes for future changes required for loop to support multiple output files with the same file format per Wiz CLI docs Signed-off-by: Tom Watt <tom@buildkite.com> * tests: add tests for duplicate file output formats Signed-off-by: Tom Watt <tom@buildkite.com> * docs/chore: file-output-format is optional with no default Signed-off-by: Tom Watt <tom@buildkite.com> * refactor: move setupWiz to separate file to run unit-tests * feat: pass env vars to container instead of using flags to remove for job logs * refactor: remove api-secret-env parameter in favour of using WIZ_CLIENT_SECRET Signed-off-by: Tom Watt <tom@buildkite.com> * feat: add check for Wiz Client Credentials Signed-off-by: Tom Watt <tom@buildkite.com> * tests: reflect usage of WIZ_CLIENT_* Credentials * refactor: add teardown to cleanup dirs/files for authentication tests Signed-off-by: Tom Watt <tom@buildkite.com> * docs: Update README to reflect usage of WIZ_CLIENT_* credentials --------- Signed-off-by: Tom Watt <tom@buildkite.com> Co-authored-by: Shimon Ulewicz <sulewicz@groq.com>
diff --git a/README.md b/README.md
@@ -6,6 +6,19 @@ Scans your infrastructure-as-code Cloudformation stacks or docker images for sec
 
 This plugin is forked from [blstrco/wiz-buildkite-plugin](https://github.com/blstrco/wiz-buildkite-plugin).
 
+## Requirements
+
+In order to use this plugin, you will need to have the following installed on your buildkite agent:
+
+- Docker
+
+And the following environment variables exported in the job (e.g. via an Agent hook or Plugin):
+
+- WIZ_CLIENT_ID (Wiz service account's client ID)
+- WIZ_CLIENT_SECRET (Wiz service account's secret)
+
+Check out [Buildkite's documentation](https://buildkite.com/docs/pipelines/security/secrets/managing) for more information on how to manage secrets in Buildkite.
+
 ## Examples
 
 ### Docker Scanning
@@ -15,8 +28,6 @@ Add the following to your `pipeline.yml`, the plugin will pull the image, scan i
 ```yml
 steps:
   - command: ls
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'docker'
@@ -39,8 +50,6 @@ To avoid adding build time overhead, you can add IaC scanning to your `cdk diff`
 ```yml
 steps:
   - command: ls
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - docker-compose#v4.16.0:
         # to get the output of CDK diff, mount the volume in cdk diff stage
@@ -59,8 +68,6 @@ Add the following to your `pipeline.yml`, the plugin will scan a specific CloudF
 steps:
   - label: "Scan CloudFormation template file"
     command: ls
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'iac'
@@ -79,8 +86,6 @@ Add the following to your `pipeline.yml`, the plugin will scan a specific Terraf
 steps:
   - label: "Scan Terraform File"
     command: ls *.tf
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'iac'
@@ -96,8 +101,6 @@ To change the directory, add the following to your `pipeline.yml`, the plugin wi
 steps:
   - label: "Scan Terraform Files in Directory"
     command: ls my-terraform-dir/*.tf
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'iac'
@@ -113,8 +116,6 @@ Add the following to your `pipeline.yml`, the plugin will scan a Terraform Plan.
 steps:
   - label: "Scan Terraform Plan"
     command: terraform plan -out plan.tfplan && terraform show -json plan.tfplan | jq -er . > plan.tfplanjson
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'iac'
@@ -130,8 +131,6 @@ Add the following to your `pipeline.yml`, the plugin will scan a directory.
 steps:
   - label: "Scan Directory"
     command: ls .
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'dir'
@@ -145,8 +144,6 @@ To change the directory, add the following to your `pipeline.yml`, the plugin wi
 steps:
   - label: "Scan Files in different Directory"
     command: ls my-dir
-    env:
-    - WIZ_API_ID: "<your-id-goes-here>"
     plugins:
       - wiz#v1.4.0:
           scan-type: 'dir'
@@ -155,10 +152,6 @@ steps:
 
 ## Configuration
 
-### `api-secret-env` (Optional, string)
-
-The environment variable that the Wiz API Secret is stored in. Defaults to using `WIZ_API_SECRET`. Refer to the [documentation](https://buildkite.com/docs/pipelines/secrets#using-a-secrets-storage-service) for more information about managing secrets on your Buildkite agents.
-
 ### `scan-type` (Required, string) : `dir | docker | iac'
 
 The type of resource to be scanned.
diff --git a/hooks/post-command b/hooks/post-command
@@ -7,6 +7,9 @@ DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)"
 # shellcheck source=lib/shared.bash
 . "$DIR/../lib/shared.bash"
 
+# shellcheck source=lib/plugin.bash
+. "$DIR/../lib/plugin.bash"
+
 WIZ_DIR="$HOME/.wiz"
 SCAN_TYPE="${BUILDKITE_PLUGIN_WIZ_SCAN_TYPE:-}"
 FILE_PATH="${BUILDKITE_PLUGIN_WIZ_PATH:-}"
@@ -25,13 +28,6 @@ if [[ "${SCAN_TYPE}" == "docker" && -z "${BUILDKITE_PLUGIN_WIZ_IMAGE_ADDRESS:-}"
     exit 1
 fi
 
-api_secret_var="${BUILDKITE_PLUGIN_WIZ_API_SECRET_ENV:-WIZ_API_SECRET}"
-
-if [[ -z "${!api_secret_var:-}" ]]; then
-    echo "+++ 🚨 No Wiz API Secret password found in \$${api_secret_var}"
-    exit 1
-fi
-
 ##
 # Wiz CLI Parameters
 ##
@@ -122,24 +118,6 @@ esac
 wiz_cli_container_repository="wiziocli.azurecr.io/wizcli"
 wiz_cli_container="${wiz_cli_container_repository}:${container_image_tag}"
 
-#TODO move this to agent-startup so all agents have wiz setup to save time, possibly directly as cli
-setupWiz() {
-    echo "Setting up and authenticating wiz"
-    mkdir -p "$WIZ_DIR"
-    docker run \
-        --rm -it \
-        --mount type=bind,src="${WIZ_DIR}",dst=/cli \
-        "${wiz_cli_container}" \
-        auth --id="${WIZ_API_ID}" --secret="${!api_secret_var}"
-    # check that wiz-auth work expected, and a file in WIZ_DIR is created
-    if [ -z "$(ls -A "${WIZ_DIR}")" ]; then
-        echo "Wiz authentication failed, please confirm that credentials are set for WIZ_API_ID and WIZ_API_SECRET"
-        exit 1
-    else
-        echo "Authenticated successfully"
-    fi
-}
-
 #$1 type, $2 name, $3 pass/fail, $4 result file
 buildAnnotation() {
     annotation_file=${RANDOM:0:2}-annotation.md
@@ -247,15 +225,15 @@ dirScan() {
 
 case "${SCAN_TYPE}" in
 iac)
-    setupWiz
+    setupWiz "$wiz_cli_container" "$WIZ_DIR"
     iacScan
     ;;
 docker)
-    setupWiz
+    setupWiz "$wiz_cli_container" "$WIZ_DIR"
     dockerImageScan
     ;;
 dir)
-    setupWiz
+    setupWiz "$wiz_cli_container" "$WIZ_DIR"
     dirScan
     ;;
 esac
diff --git a/lib/plugin.bash b/lib/plugin.bash
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+function validateWizClientCredentials() {
+    local missing_vars=()
+    
+    [ -z "${WIZ_CLIENT_ID}" ] && missing_vars+=("WIZ_CLIENT_ID")
+    [ -z "${WIZ_CLIENT_SECRET}" ] && missing_vars+=("WIZ_CLIENT_SECRET")
+    
+    if [ ${#missing_vars[@]} -gt 0 ]; then
+        echo "+++ 🚨 The following required environment variables are not set: ${missing_vars[*]}"
+        exit 1
+    fi
+}
+
+# Use WIZ_CLIENT_ID and WIZ_CLIENT_SECRET environment variables to authenticate to Wiz and get auth file
+# $1 - Wiz CLI Container Image 
+# $2 - Directory to store auth file
+function setupWiz() {
+    local wiz_container_image="${1}"
+    local wiz_dir="${2}"
+
+    echo "Setting up and authenticating wiz"
+    validateWizClientCredentials
+    mkdir -p "$wiz_dir"
+
+    docker run \
+        --rm -it \
+        --mount type=bind,src="${wiz_dir}",dst=/cli \
+        -e WIZ_CLIENT_ID \
+        -e WIZ_CLIENT_SECRET \
+        "${wiz_container_image}" \
+        auth
+
+    # check that wiz-auth work expected, and a file in WIZ_DIR is created
+    if [ -z "$(ls -A "${wiz_dir}")" ]; then
+        echo "Wiz authentication failed, please confirm the credentials are set for WIZ_CLIENT_ID and WIZ_CLIENT_SECRET"
+        exit 1
+    else
+        echo "Authenticated successfully"
+    fi
+}
diff --git a/plugin.yml b/plugin.yml
@@ -6,8 +6,6 @@ requirements:
   - docker
 configuration:
   properties:
-    api-secret-env:
-      type: string
     image-address:
       type: string
     scan-format:
diff --git a/tests/post-command.bats b/tests/post-command.bats
