Wiz
Connect your Wiz tenant to StackHawk to bring DAST findings into your cloud security workflow.
Overview
The StackHawk Wiz integration allows you to connect your Wiz tenant to StackHawk. Once connected, StackHawk automatically enriches your Wiz security posture with DAST vulnerability findings from your HawkScan results.
How It Works
StackHawk sends your DAST scan findings to Wiz as a daily enrichment upload. Each day, StackHawk collects the latest scan results across all of your applications and environments, then uploads them to Wiz as a single batched payload.
What gets sent to Wiz
For each application and environment in your organization, the enrichment includes:
- Application name and environment — identifies which asset in Wiz the findings belong to
- Target URL — the scan target hostname
- Vulnerability findings — each finding includes:
  - Vulnerability name and severity (Critical, High, Medium, Low, or Informational)
  - HTTP method and path where the vulnerability was detected
  - CWE weakness identifiers (e.g., CWE-79 for Cross-Site Scripting)
  - A link back to the finding in the StackHawk platform for further details
- Scan timestamp — when the most recent scan completed
Only the latest scan per application/environment is included. If an application has not been scanned, it is not included in the upload.
Enrichment schedule
Enrichment runs automatically once per day. You do not need to trigger it manually — as long as the integration is connected and your scans are running, findings flow to Wiz on the daily schedule.
Requirements
StackHawk
- A StackHawk account with the Wiz integration enabled
Wiz
- An active Wiz service account with:
  - The create:external_data_ingestion and read:system_activities scopes
  - Client ID and Client Secret
  - Tenant Data Center code (e.g., us1, eu1)
  - Environment type (Commercial, Gov FedRAMP, or Gov AWS GovCloud)
Creating a Wiz Service Account
To connect StackHawk to Wiz, you need a Wiz service account with the following scopes:
- create:external_data_ingestion — allows StackHawk to upload DAST findings to your Wiz tenant
- read:system_activities — allows StackHawk to verify that uploads were processed successfully
Create a service account in your Wiz tenant with these scopes, then copy the Client ID and Client Secret.
Store your Client ID and Client Secret securely. The Client Secret cannot be retrieved after creation. If lost, you must rotate the secret.
Finding Your Tenant Data Center
Your tenant data center is a short region code (e.g., us1, us18, eu1). You can find it in your Wiz API endpoint URL:
https://api.us18.app.wiz.io/graphql
            ^^^^
            data center
Copy the code between api. and .app.wiz.io from your Wiz API endpoint URL.
Setup
- Navigate to StackHawk Integrations.
- Click Connect.
- Select your Wiz Environment:
  - Commercial (app.wiz.io)
  - Gov - FedRAMP (app.wiz.us)
  - Gov - AWS GovCloud (gov.wiz.io)
- Enter your Tenant Data Center code.
- Verify the displayed API Endpoint URL and Auth URL match your Wiz tenant.
- Enter your Client ID and Client Secret.
- Click Connect — StackHawk will validate your credentials automatically.
Once connected, the integration page shows your connection status.
Verifying the Integration
After connecting, the integration page displays an Asset Uploads table showing the status of recent enrichment uploads. Each row includes:
- Hostnames — the scan target hostnames included in the upload
- Last Upload — the timestamp of the upload
- Status — the HTTP status code from the upload (a green 200 indicates success)
- Assets — the number of application/environment pairs included
The table shows up to three recent uploads, so you can verify that data is flowing to Wiz on the daily schedule.
The Asset Uploads table appears after the first enrichment upload completes. If you just connected the integration, it may take up to 24 hours for the first upload to appear.
Wiz Environments
StackHawk supports all three Wiz deployment environments:
| Environment | Portal URL | Description |
|---|---|---|
| Commercial | app.wiz.io | Standard Wiz deployment |
| Gov - FedRAMP | app.wiz.us | US government FedRAMP environment |
| Gov - AWS GovCloud | gov.wiz.io | AWS GovCloud environment |
Select the environment that matches your Wiz tenant during setup. The API and authentication endpoints are derived automatically from your environment and data center selection.
Hostname Overrides
Why hostname overrides matter
StackHawk encourages testing as early in the development process as possible. That often means running HawkScan against localhost, internal hostnames, or private IP addresses — targets that don’t exist as assets in your Wiz inventory.
When StackHawk uploads enrichment data to Wiz, each finding is associated with the scan target URL. If that URL is http://localhost:8080 or http://10.0.0.5:3000, Wiz has no matching asset to attach the findings to, and the enrichment won’t map to the right place.
Localhost, loopback, and wildcard bind addresses (such as localhost, 127.0.0.1, ::1, and 0.0.0.0) are automatically filtered from Wiz enrichment uploads. Assets with these addresses will not appear in Wiz. To ensure your findings reach the correct Wiz asset, configure a hostname override below to map your scan targets to the public-facing URL that Wiz recognizes.
Hostname overrides solve this by letting you tell StackHawk which public-facing URL — or Wiz asset identifier — to use when uploading findings for a given application and environment. Instead of sending localhost:8080, StackHawk sends the overridden URL (e.g., https://api.example.com:443) so that findings land on the correct asset in Wiz.
When to use hostname overrides
You should configure a hostname override when:
- Your scan targets use localhost, private IPs, or internal hostnames that don’t match a Wiz asset
- Your scan targets use a different URL in CI/CD than what the application is known by in Wiz
- You want findings from multiple environments (e.g., staging, dev) to map to a specific Wiz asset
If your scan target URLs already match the hostnames that Wiz knows about, you don’t need to configure overrides — enrichment will map automatically.
Configuring hostname overrides
- Navigate to StackHawk Integrations.
- In the Hostname Overrides section, click Add Override.
- Enter the Wiz URL — the public-facing protocol://hostname:port that matches the asset in Wiz (e.g., https://api.example.com:443). A live preview shows the parsed protocol, hostname, and port.
- Select one or more applications to associate with this override.
- For each application, optionally select specific environments. Leave environments empty to apply the override to all environments for that application.
- Click Save.
The override takes effect on the next daily enrichment cycle. From that point on, findings for the matched application and environment will be uploaded to Wiz using the overridden URL instead of the original scan target.
Override rules
- Each application/environment pair can only be assigned to one override. If an application already has some environments claimed by another override, you must select specific remaining environments — you cannot choose “all environments” for that application.
- Once all environments for an application are covered by overrides, that application no longer appears in the picker for new overrides.
- You can edit or remove overrides at any time from the Hostname Overrides table.
Hostname overrides only affect the URL used to identify assets in the Wiz enrichment upload. They do not change how HawkScan runs or what targets it scans.
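The filtering and override behavior described above can be modeled offline to audit a scan inventory before relying on the daily upload. This is an added example, not StackHawk's code: the function names, the tuple layout, and the sample applications are hypothetical, and treating the whole loopback range as filtered is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Names the page lists as filtered from Wiz enrichment uploads.
FILTERED_NAMES = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}

def classify_target(url):
    """'filtered' (dropped from the upload), 'private' (needs an override) or 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in FILTERED_NAMES:
        return "filtered"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "other"  # a DNS name; matching it to Wiz inventory is out of scope here
    if ip.is_loopback or ip.is_unspecified:  # assumption: whole loopback range is filtered
        return "filtered"
    return "private" if ip.is_private else "other"

def find_conflicts(overrides):
    """Override rule: an application/environment pair belongs to at most one override."""
    claimed, conflicts = {}, []
    for wiz_url, app, envs in overrides:
        taken = claimed.setdefault(app, set())
        for env in envs or ["*"]:  # empty list means all environments
            if "*" in taken or env in taken or (env == "*" and taken):
                conflicts.append((app, env, wiz_url))
            else:
                taken.add(env)
    return conflicts

def upload_url(app, env, target, overrides):
    """URL used to identify the asset in the upload, or None when the target is dropped."""
    for wiz_url, o_app, envs in overrides:
        if o_app == app and (not envs or env in envs):
            return wiz_url
    return None if classify_target(target) == "filtered" else target

# Constructed sample data: (wiz_url, application, environments) and (application, environment, target).
OVERRIDES = [
    ("https://api.example.com:443", "payments-api", []),
    ("https://shop.example.com:443", "storefront", ["staging"]),
]
SCANS = [
    ("payments-api", "dev", "http://localhost:8080"),
    ("storefront", "staging", "http://10.0.0.5:3000"),
    ("storefront", "dev", "http://[::1]:3000"),
    ("docs", "prod", "https://docs.example.com"),
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(OVERRIDES))
    for app, env, target in SCANS:
        print(app, env, target, "->", upload_url(app, env, target, OVERRIDES) or "DROPPED")
```

In the sample, the storefront dev scan against ::1 has no override and is dropped, which is the case that produces missing findings in Wiz.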
Disconnect
To disconnect the Wiz integration:
- Navigate to StackHawk Integrations.
- Scroll to the Danger Zone section.
- Click Disconnect and confirm.
Disconnecting the integration stops all future enrichment uploads to Wiz. Existing data already uploaded to Wiz is not affected.
Troubleshooting
No uploads appearing
- Verify the integration status shows Connected on the Wiz integration page.
- Confirm you have at least one completed HawkScan for an application in your organization.
- Wait up to 24 hours for the daily enrichment cycle to run.
Upload shows an error status
- A non-200 status code indicates the upload to Wiz failed. Check that your Wiz service account credentials are still valid and that the service account has not been revoked.
- If the error persists, try disconnecting and reconnecting the integration with fresh credentials.
Findings not appearing in Wiz
- After a successful upload, check the Status column on the Wiz integration page. A status of Submitted means Wiz is still processing the data. If the status shows Errored, click on it for details. Once processing completes, the status updates automatically.
- Ensure the target URLs in your HawkScan configuration match assets that exist in your Wiz inventory. If you’re scanning localhost, private IPs, or internal hostnames, configure a hostname override to map those targets to the correct Wiz asset URL.
Feedback
Have suggestions, feature requests, or feedback? Contact StackHawk Support.