Five years after Log4Shell, the industry faced another critical RCE, this time in the React and Next.js ecosystems. Nearly 40% of cloud environments were affected by React2Shell, and exploitation was observed in the wild within hours.

Despite years of investment in scanners and “shifting left,” many teams were still unprepared, finding themselves flooded with SCA findings. Knowing a vulnerability exists is no longer enough. Teams need to know whether it is exposed, reachable, and how to fix it at the source. Yet tracing a critical runtime vulnerability back to code still relies on spreadsheets, tribal knowledge, or fragile CMDB mappings.

Wiz closes that loop. We’ve extended the Wiz Security Graph to connect validated runtime vulnerabilities from the Wiz Attack Surface Scanner (ASM) directly back to their source code. This allows teams to fix the most critical risks first, at their root cause.

It’s not about shifting left or shielding right; it’s about connecting the two into a single, unified workflow.

From Theoretical CVE to Validated Attack Path: Exposing Exploitable Risk

Not every vulnerable dependency results in real exposure. The real question is whether that vulnerability made it to production and is reachable from the outside world.

When the Attack Surface Scanner detects an internet-exposed application, it safely probes the endpoint with a crafted payload. When exploitation is confirmed, the Wiz Security Graph immediately correlates the signal with the corresponding finding in the code, raised by Wiz Code’s SCA scanner.

What was once a theoretical CVE becomes a validated attack path, clearly marked as "Validated External Risk" and "Has Code Remediation". Teams now have a risk they can act on immediately.

End the Guesswork: Full Traceability with the Code-to-Cloud Pipeline

Once a risk is validated, Wiz doesn’t just generate another alert. It provides full traceability through the Code-to-Cloud Pipeline, showing the complete lineage of the issue across four stages:

• Source: The repository and exact manifest file

• Build: The CI job and commit hash

• Artifact: The container image and registry

• Runtime: The running workload and external exposure

This lineage is built automatically by the Wiz Security Graph. No manual tagging, no custom CI configuration, and no agents required.

One-Click Remediation: From Validated Finding to Pull Request

Detection only matters if remediation is easy. From a validated runtime finding, users can click Remediate, review the recommended fix, such as upgrading a dependency in package.json, and open a pull request directly against the source repository.

The fix lands exactly where developers already work, with clear context on why the issue matters and where it is running in production.

Teams can also interact with Mika AI, which pulls in the Issues Expert agent to provide deeper guidance. Beyond a simple upgrade, the agent may recommend additional mitigations, such as middleware protections or compensating controls, to further reduce risk. In addition to mitigating the risk, developers learn code security best practices by doing.

Tame the Long Tail of Vulnerabilities: How Wiz Solves Security Debt

Not every risk needs the same response or the same timeline. After addressing an urgent RCE, teams are left with the long tail: hundreds, if not thousands, of lower-severity findings that accumulate over time. While not immediately exploitable, they create important security debt and compliance drag.

Wiz addresses this with Posture Issues. These are equivalent to fix campaigns, designed for medium- and long-term remediation.

Because a single vulnerable package or library can propagate across dozens of services, traditional tools surface this as hundreds of separate findings. Wiz flips that model. By grouping vulnerabilities by their source-mapped code finding, Wiz consolidates every runtime issue that traces back to the same component (unique dependency in a code repository) into a single, actionable problem.

This enables teams to:

• Define clear, achievable remediation goals (for example, “remove this vulnerable dependency everywhere”).

• Align AppSec and development teams around shared objectives.

• Drive lasting posture improvements, not just point-in-time fixes.

Instead of patching workloads one by one, teams fix the root cause in code and collapse an entire class of weaknesses across the environment. The blast radius becomes an advantage; a single fix that delivers broad risk reduction.

Short-term, Wiz helps you respond to critical issues. Long-term, it helps you systematically keep risk down.

Adopt an AppSec Model Aligned with Modern Applications

This capability is available now. If you’re a Wiz customer, start by filtering your risk issues by "Validated External Risk" and "Has Code Remediation". Fix what’s exploitable and stop chasing noise.

Learn more about Wiz Attack Surface Management and Wiz Code SCA in the documentation (login required).