Endor Labs partners with Wiz.io

Endor Labs said on May 16 it is partnering with Wiz to combine application security findings with cloud context, extending an existing integration that both companies document on their websites. The companies said the setup lets Endor Labs push software composition analysis and static application security testing findings into Wiz, where they can be correlated with cloud inventory and other signals. Endor Labs described the link on X as a way to combine “reachability-enriched” findings with Wiz context for prioritization. Wiz, which became a Google company on March 11, says its platform connects code, cloud and runtime data. ### What exactly are the two companies connecting? Endor Labs’ documentation says the integration exports findings to Wiz “to enable code-to-cloud correlation in the Wiz Security Graph.” The exporter sends SCA and SAST findings identified during repository scans, and Wiz ingests them into its graph for enrichment and correlation, according to the Endor Labs guide. (docs.endorlabs.com) Wiz’s integrations catalog lists Endor Labs as an application security integration and says the connection enriches Wiz with both SCA and SAST findings from the Endor Labs platform. Wiz’s product pages say the company is positioning its platform around unified context across code, cloud and runtime. ### Where does “reachability” fit into the announcement? (docs.endorlabs.com) Endor Labs says its software composition analysis uses reachability analysis to reduce noise by identifying which vulnerable code paths are actually reachable. On its website, the company says that approach cuts 92% of noise in SCA results. Wiz defines reachability analysis as examining whether vulnerable code or misconfigured resources can be accessed and exploited through available attack paths. (wiz.io) Wiz says modern platforms use a security graph to unify network exposure, permissions and data sensitivity so teams can see exploitability and blast radius together. (endorlabs.com) ### How does the integration work in practice? Endor Labs says findings are pushed to Wiz after every scheduled scan on the default branch. The company’s documentation says the export applies only to the default branch and does not currently support pull request scans or non-default branch scans. Wiz requires customers to have a Wiz Code license and to connect their source code manager so repository branch assets exist in Wiz’s inventory, according to Endor Labs’ setup guide. (wiz.io) Without that repository connection, Endor Labs says Wiz will accept findings but skip them during ingestion because the repository cannot be resolved. (docs.endorlabs.com) ### Why are both companies talking about code-to-cloud correlation now? Wiz said on March 11, when it announced the close of its acquisition by Google, that it was focused on bringing together context across code, cloud and runtime. In a separate product post tied to Wizdom 2025, the company said it was extending its graph across SaaS, workloads, AI infrastructure and external exposures. (docs.endorlabs.com) Endor Labs has also been expanding beyond traditional dependency scanning. Its recent release notes describe AI-powered analysis for SAST findings, while its platform pages emphasize application security for AI-generated and human-written code. ### What can customers verify today? Endor Labs has published a step-by-step exporter guide that includes the API scopes, OAuth credentials and GraphQL endpoint details needed to configure the Wiz connection. (wiz.io) The documentation also says customers create the exporter through `endorctl` and specify Wiz API and authentication endpoints for their tenant region. (docs.endorlabs.com) Wiz lists Endor Labs in its live integrations catalog, which showed 276 integrations when accessed on May 16. The next step for customers is in those product pages: add the integration in Wiz, create the exporter in Endor Labs, and verify that scheduled default-branch scans are sending findings into Wiz’s graph. (wiz.io) (docs.endorlabs.com)