@@ -207,26 +207,41 @@ jobs:
207207 timeout-minutes : ${{ inputs.scan-timeout-minutes }}
208208 run : |
209209 set +e
210- wiz docker scan \
210+
211+ # Capture both stdout and stderr to detect policy name errors
212+ SCAN_OUTPUT=$(wiz docker scan \
211213 -i scan-target:${{ github.sha }} \
212- -p "Code Blocking - Vulnerabilities" \
213- -p "Code Blocking - Secrets" \
214- -p "Code Blocking - Malware" \
214+ -p "Test - Bala: Code Blocking - Vulnerabilities" \
215+ -p "Test - Bala: Code Blocking - Secrets" \
216+ -p "Test - Bala: Code Blocking - Malware" \
215217 --format json \
216218 --file-hashes-scan \
217- --output wiz-results-raw.json,json
219+ --output wiz-results-raw.json,json 2>&1)
218220
219221 SCAN_EXIT_CODE=$?
220222 echo "scan_exit_code=${SCAN_EXIT_CODE}" >> $GITHUB_OUTPUT
221223
222- # Wiz CLI may append warning messages after the JSON output in the file
223- # Extract only the first line which contains the valid JSON object
224- if [ -f "wiz-results-raw.json" ]; then
224+ # Check for policy not found errors
225+ if echo "$SCAN_OUTPUT" | grep -q "Policies not found"; then
226+ echo "::error::Wiz policies not found. The policy names in the workflow may have changed in Wiz Console."
227+ echo "::error::Expected policies: 'Test - Bala: Code Blocking - Vulnerabilities', 'Test - Bala: Code Blocking - Secrets', 'Test - Bala: Code Blocking - Malware'"
228+ echo "::error::Please verify the exact policy names in Wiz Console and update the workflow accordingly."
229+ echo "::error::Full error: $SCAN_OUTPUT"
230+
231+ # Create empty results file for graceful degradation
232+ echo '{"result":{"analytics":{"vulnerabilities":{},"secrets":{},"malware":{}}}}' > wiz-results.json
233+ echo "policy_error=true" >> $GITHUB_OUTPUT
234+ elif [ -f "wiz-results-raw.json" ]; then
235+ # Wiz CLI may append warning messages after the JSON output in the file
236+ # Extract only the first line which contains the valid JSON object
225237 head -1 wiz-results-raw.json > wiz-results.json
226238 rm wiz-results-raw.json
239+ echo "policy_error=false" >> $GITHUB_OUTPUT
227240 else
228241 echo "::error::Wiz scan did not produce results file"
242+ echo "::error::Scan output: $SCAN_OUTPUT"
229243 echo '{"result":{"analytics":{"vulnerabilities":{},"secrets":{},"malware":{}}}}' > wiz-results.json
244+ echo "policy_error=false" >> $GITHUB_OUTPUT
230245 fi
231246
232247 # Validate JSON
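Review bot: `echo "::error::Full error: $SCAN_OUTPUT"` (new line 229) and `echo "::error::Scan output: $SCAN_OUTPUT"` (new line 242) write the entire captured CLI output into workflow annotations and the job log; since `SCAN_OUTPUT` now holds both stdout and stderr of a `--format json` scan that includes a secrets policy, this can surface finding details in the log if the CLI echoes results to stdout, which is worth confirming and, if so, bounding to the relevant line, e.g. `echo "::error::Full error: $(printf '%s\n' "$SCAN_OUTPUT" | grep -m1 'Policies not found')"`. Detecting the failure by substring (`grep -q "Policies not found"`) is brittle under `set +e`; combining it with `SCAN_EXIT_CODE` would keep a reworded CLI message from silently landing in the `else` branch. The new `Test - Bala:` prefix hard-codes what look like test policies into a reusable workflow; exposing the policy names as a workflow input, as `inputs.scan-timeout-minutes` already is, would avoid editing this file to switch between test and production policies. The `run:` block continues past the end of the hunk.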
@@ -413,7 +428,29 @@ jobs:
413428 echo "### Build BLOCKED: Security Policy Violations" >> $GITHUB_STEP_SUMMARY
414429 echo "" >> $GITHUB_STEP_SUMMARY
415430 echo "**Failed Policies:** ${FAILED_POLICIES}" >> $GITHUB_STEP_SUMMARY
431+
432+
433+ # Add configuration warning if policies not found
434+ POLICY_ERROR="${{ steps.scan.outputs.policy_error }}"
435+ if [ "${POLICY_ERROR}" = "true" ]; then
436+ echo "" >> $GITHUB_STEP_SUMMARY
437+ echo "---" >> $GITHUB_STEP_SUMMARY
438+ echo "" >> $GITHUB_STEP_SUMMARY
439+ echo "### ⚠️ Configuration Error: Wiz Policies Not Found" >> $GITHUB_STEP_SUMMARY
440+ echo "" >> $GITHUB_STEP_SUMMARY
441+ echo "The Wiz security scan failed because the configured policy names do not exist in Wiz Console." >> $GITHUB_STEP_SUMMARY
442+ echo "" >> $GITHUB_STEP_SUMMARY
443+ echo "**Expected Policies:**" >> $GITHUB_STEP_SUMMARY
444+ echo "- \`Test - Bala: Code Blocking - Vulnerabilities\`" >> $GITHUB_STEP_SUMMARY
445+ echo "- \`Test - Bala: Code Blocking - Secrets\`" >> $GITHUB_STEP_SUMMARY
446+ echo "- \`Test - Bala: Code Blocking - Malware\`" >> $GITHUB_STEP_SUMMARY
416447 echo "" >> $GITHUB_STEP_SUMMARY
448+ echo "**Action Required:**" >> $GITHUB_STEP_SUMMARY
449+ echo "1. Verify the exact policy names in Wiz Console" >> $GITHUB_STEP_SUMMARY
450+ echo "2. Update the policy names in the workflow file: \`.github/workflows/wiz-security-scan-reusable.yaml\`" >> $GITHUB_STEP_SUMMARY
451+ echo "3. Re-run the workflow" >> $GITHUB_STEP_SUMMARY
452+ echo "" >> $GITHUB_STEP_SUMMARY
453+ fiecho "" >> $GITHUB_STEP_SUMMARY
417454 echo "**This PR cannot be merged until these issues are resolved.**" >> $GITHUB_STEP_SUMMARY
418455 echo "" >> $GITHUB_STEP_SUMMARY
419456 echo "**Required Actions:**" >> $GITHUB_STEP_SUMMARY
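Review bot: New line 453 renders as `fiecho "" >> $GITHUB_STEP_SUMMARY`; if that is literal in the file, bash treats `fiecho` as a command name, the `if [ "${POLICY_ERROR}" = "true" ]` block is never closed and the step fails with a syntax error, so please confirm the line is `fi` on its own (the rendered view may have joined two lines). Separately, the configuration-error block is appended after the `### Build BLOCKED: Security Policy Violations` header and the `**Failed Policies:** ${FAILED_POLICIES}` line (428–430), so on a policy error the summary first reports policy violations that did not occur; branching on `POLICY_ERROR` before that header, or skipping the `Failed Policies` line when it is `true`, would keep the summary accurate. `POLICY_ERROR="${{ steps.scan.outputs.policy_error }}"` expands a workflow expression directly into shell text; passing it through `env:` is the conventional way to keep expression values out of the script body. The enclosing `run:` block starts before the hunk.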
@@ -503,14 +540,25 @@ jobs:
503540 await github.rest.issues.createComment({
504541 owner: context.repo.owner,
505542 repo: context.repo.repo,
506- issue_number: context.issue.number,
507- body: summary
508- });
509- }
510-
511- - name : Upload scan results
512- if : always()
513- uses : actions/upload-artifact@v4
543+ # Check if this is a policy configuration error vs actual security violations
544+ if [ "${{ steps.scan.outputs.policy_error }}" = "true" ]; then
545+ echo "::error::Wiz scan failed due to policy configuration error"
546+ echo "::error::The configured policy names do not exist in Wiz Console"
547+ echo "::error::Please update the policy names in the workflow and re-run"
548+ echo ""
549+ echo "Expected policies : ' Test - Bala: Code Blocking - Vulnerabilities' , 'Test - Bala: Code Blocking - Secrets', 'Test - Bala: Code Blocking - Malware'"
550+ echo ""
551+ echo "This build is BLOCKED due to configuration error."
552+ else
553+ echo "::error::Security scan failed - Policy violations detected"
554+ echo "::error::Failed policies : ${{ steps.scan.outputs.failed_policies }}"
555+ echo ""
556+ echo "Critical/High vulnerabilities : ${{ steps.scan.outputs.vuln_critical }}/${{ steps.scan.outputs.vuln_high }}"
557+ echo "Secrets detected : ${{ steps.scan.outputs.secrets_total }}"
558+ echo "Malware detected : ${{ steps.scan.outputs.malware_total }}"
559+ echo ""
560+ echo "This build is BLOCKED until security issues are resolved."
561+ fi
514562 with :
515563 name : wiz-scan-results-${{ github.sha }}
516564 path : wiz-results.json
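Review bot: The added shell block (new lines 543–561) replaces the `issue_number: context.issue.number,` / `body: summary` / `});` / `}` lines that close the `github.rest.issues.createComment` call, and also the `- name: Upload scan results` / `if: always()` / `uses: actions/upload-artifact@v4` header, so as committed the `github-script` step ends with an unclosed call and the `with:` block at line 562 has no step to belong to; the workflow will not parse. This looks like a misapplied edit: the removed lines should be restored and the `if [ "${{ steps.scan.outputs.policy_error }}" = "true" ]` block moved into its own `run:` step (presumably the one that fails the build). Within that step, reading `steps.scan.outputs.*` via `env:` rather than expanding `${{ }}` inline keeps expression values out of the shell text. Also, `' Test - Bala: Code Blocking - Vulnerabilities'` on line 549 has a stray leading space inside the quote, so the printed name does not match the policy name used in the scan step.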