From b84c66c09ddfb847b6c367dcd4ae74aad8490fe5 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Mon, 1 Dec 2025 14:41:29 -0500
Subject: [PATCH 1/4] chore: Add wiz container scanning to build and push workflow
---
.github/workflows/build-and-push.yml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index e62ca48..d001f11 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -108,6 +108,20 @@ jobs:
 should_tag_ghcr: ${{ inputs.should_tag_ghcr }}
 should_tag_latest: ${{ inputs.should_tag_latest }}
 gar_location: ${{ inputs.gar_location }}
+ - name: Download Wiz CLI
+ env:
+ # Wiz CLI release notes: https://docs.wiz.io/release-notes/wiz-cli
+ WIZ_CLI_VERSION: 1.17.0
+ run: curl -Lo wizcli "https://downloads.wiz.io/v1/wizcli/$WIZ_CLI_VERSION/wizcli-linux-amd64" && chmod +x wizcli
+ - name: Authenticate to Wiz
+ run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+ env:
+ WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+ WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+ - name: Run wiz-cli docker image scan
+ env:
+ IMAGE_NAME: ${{ inputs.image_name }}
+ run: ./wizcli docker scan --image "${IMAGE_NAME}"
 - name: Run post-build commands
 shell: bash
 if: ${{ inputs.postbuild_script != '' }}
From eb25507c5b16662905de15e030138914255fe153 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Mon, 1 Dec 2025 14:49:19 -0500
Subject: [PATCH 2/4] chore: Bump Dependabot cooldown days to 7
---
.github/dependabot.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4eaf0cf..3f293ce 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,6 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 cooldown:
- default-days: 5
+ default-days: 7
 schedule:
 interval: weekly
From 3271b04b235cdbd0ea53610cad291da2b9075658 Mon Sep 17 00:00:00 2001
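Review bot: The `run: curl -Lo wizcli ...` line executes whatever the download returns without checking it: there is no `-f`, so an HTTP error body is saved as `wizcli` and only surfaces at the scan step, and there is no checksum or signature comparison, so a modified binary would run on a runner that holds the repository's secrets. Pin the expected digest next to `WIZ_CLI_VERSION` and verify it before `chmod`, e.g. `curl -fsSLo wizcli "https://downloads.wiz.io/v1/wizcli/$WIZ_CLI_VERSION/wizcli-linux-amd64" && echo "<EXPECTED_SHA256>  wizcli" | sha256sum -c -`, taking the value from the vendor's published checksum for that release. A comment such as `# WIZ_CLI_SHA256 must be updated together with WIZ_CLI_VERSION` would keep the two pins from drifting apart. The same download line is carried unchanged as context into the PATCH 3/4 and PATCH 4/4 hunks.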
From: Graham Beckley
Date: Mon, 1 Dec 2025 15:10:17 -0500
Subject: [PATCH 3/4] Pass auth parameters directly as secrets to scan command
---
.github/workflows/build-and-push.yml | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index d001f11..3d30cd5 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -113,15 +113,14 @@ jobs:
 # Wiz CLI release notes: https://docs.wiz.io/release-notes/wiz-cli
 WIZ_CLI_VERSION: 1.17.0
 run: curl -Lo wizcli "https://downloads.wiz.io/v1/wizcli/$WIZ_CLI_VERSION/wizcli-linux-amd64" && chmod +x wizcli
- - name: Authenticate to Wiz
- run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
- env:
- WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
- WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
 - name: Run wiz-cli docker image scan
 env:
 IMAGE_NAME: ${{ inputs.image_name }}
- run: ./wizcli docker scan --image "${IMAGE_NAME}"
+ run: |
+ ./wizcli docker scan \
+ --image "${IMAGE_NAME}" \
+ --client-id "${{ secrets.WIZ_CLIENT_ID }}" \
+ --client-secret "${{ secrets.WIZ_CLIENT_SECRET }}"
 - name: Run post-build commands
 shell: bash
 if: ${{ inputs.postbuild_script != '' }}
From 1b14e73d8aa43fcf01b58b0e797782e038e94b4b Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Tue, 2 Dec 2025 10:23:46 -0500
Subject: [PATCH 4/4] Scan container images to be pushed
---
.github/workflows/build-and-push.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 3d30cd5..9eaf271 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
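Review bot: The new `--client-id "${{ secrets.WIZ_CLIENT_ID }}"` and `--client-secret "${{ secrets.WIZ_CLIENT_SECRET }}"` lines splice the secret values into the script text before the shell parses it, so a value containing a quote or shell metacharacter alters the command rather than arriving as an argument, which is exactly the case the removed step avoided by passing the values through `env:`. Move the two secrets back under the step's `env:` and reference them as `"$WIZ_CLIENT_ID"` / `"$WIZ_CLIENT_SECRET"`; either way the values still appear on the wizcli command line, so if the CLI also accepts them from the environment, dropping the flags entirely would keep them out of the process list as well. The same inline expressions are carried into the loop in the PATCH 4/4 hunk and should be changed there too.
```yaml
        env:
          # … unchanged: IMAGE_NAME …
          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
        run: |
          ./wizcli docker scan \
            --image "${IMAGE_NAME}" \
            --client-id "$WIZ_CLIENT_ID" \
            --client-secret "$WIZ_CLIENT_SECRET"
```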
@@ -115,12 +115,15 @@ jobs:
 run: curl -Lo wizcli "https://downloads.wiz.io/v1/wizcli/$WIZ_CLI_VERSION/wizcli-linux-amd64" && chmod +x wizcli
 - name: Run wiz-cli docker image scan
 env:
- IMAGE_NAME: ${{ inputs.image_name }}
+ IMAGE_TAGS: ${{ steps.build.outputs.image_tags }}
 run: |
- ./wizcli docker scan \
- --image "${IMAGE_NAME}" \
- --client-id "${{ secrets.WIZ_CLIENT_ID }}" \
- --client-secret "${{ secrets.WIZ_CLIENT_SECRET }}"
+ while IFS= read -r image_tag; do
+ echo "Scanning image: ${image_tag}"
+ ./wizcli docker scan \
+ --image "${image_tag}" \
+ --client-id "${{ secrets.WIZ_CLIENT_ID }}" \
+ --client-secret "${{ secrets.WIZ_CLIENT_SECRET }}"
+ done <<< "${IMAGE_TAGS}"
 - name: Run post-build commands
 shell: bash
 if: ${{ inputs.postbuild_script != '' }}
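Review bot: An empty `IMAGE_TAGS` (or a trailing blank line in it) still enters the loop once, because `<<< "${IMAGE_TAGS}"` always supplies at least one line, so `./wizcli docker scan --image ""` runs and the step fails with a confusing error instead of reporting that there was nothing to scan; add `[ -n "${image_tag}" ] || continue` as the first line of the loop body. The step depends on bash for `<<<` and on `-e` to stop on a failed scan but does not declare it, unlike the neighbouring `Run post-build commands` step, so add `shell: bash` for consistency (which also brings `pipefail`). Under `-e` the first failing scan ends the loop and later tags are never scanned; if every image should be reported, set a flag on failure and `exit 1` after `done`. The `steps.build` step that produces `image_tags` is outside this hunk, and if it already pushes the images the scan cannot gate the push as the commit title suggests, so the ordering is worth confirming.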