regscale-cli 6.23.0.0__py3-none-any.whl → 6.24.0.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/policy_compliance.py

@@ -37,7 +37,6 @@ from regscale.integrations.scanner_integration import (
     ScannerIntegrationType,
     IntegrationAsset,
     IntegrationFinding,
-    issue_due_date,
 )
 from regscale.integrations.variables import ScannerVariables
 from regscale.models import regscale_models
@@ -66,12 +65,18 @@ SAFE_CONTROL_ID_RE = re.compile(  # NOSONAR
 class WizComplianceItem(ComplianceItem):
     """Wiz implementation of ComplianceItem."""
 
-    def __init__(self, raw_data: Dict[str, Any], integration: Optional["WizPolicyComplianceIntegration"] = None):
+    def __init__(
+        self,
+        raw_data: Dict[str, Any],
+        integration: Optional["WizPolicyComplianceIntegration"] = None,
+        specific_control_id: Optional[str] = None,
+    ):
         """
         Initialize WizComplianceItem from raw GraphQL response.
 
         :param Dict[str, Any] raw_data: Raw policy assessment data from Wiz
         :param Optional['WizPolicyComplianceIntegration'] integration: Integration instance for framework mapping
+        :param Optional[str] specific_control_id: Specific control ID to use (for multi-control policies)
         """
         self.id = raw_data.get("id", "")
         self.result = raw_data.get("result", "")
@@ -79,6 +84,7 @@ class WizComplianceItem(ComplianceItem):
         self.resource = raw_data.get("resource", {})
         self.output = raw_data.get("output", {})
         self._integration = integration
+        self._specific_control_id = specific_control_id
 
     def _get_filtered_subcategories(self) -> List[Dict[str, Any]]:
         """
@@ -110,15 +116,24 @@ class WizComplianceItem(ComplianceItem):
         """Human-readable name of the resource."""
         return self.resource.get("name", "")
 
+    @property
+    def provider_unique_id(self) -> str:
+        """Provider unique ID (e.g., ARN for AWS resources) for meaningful asset identification."""
+        return self.resource.get("providerUniqueId", "")
+
     @property
     def control_id(self) -> str:
         """Control identifier (e.g., AC-3, SI-2)."""
+        # If a specific control ID was provided (for multi-control policies), use it
+        if self._specific_control_id:
+            return self._specific_control_id
+
         if not self.policy:
             return ""
 
         subcategories = self._get_filtered_subcategories()
         if subcategories:
-            return subcategories[0].get("externalId", "")
+            return subcategories[0].get("externalId", "").strip()
         return ""
 
     @property
@@ -285,6 +300,10 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             self._map_framework_id_to_name(framework_id),
         )
 
+        # Configure strict control failure threshold for Wiz project-scoped assessments
+        # Since Wiz filters to project resources, use 0% failure tolerance
+        self.control_failure_threshold = 0.0
+
     def fetch_compliance_data(self) -> List[Any]:
         """
         Fetch compliance data from Wiz GraphQL API and filter to framework-specific
@@ -324,7 +343,10 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
 
     def _filter_assessments_to_existing_assets(self, assessments: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
         """
-        Filter assessments to only include items with existing assets and control IDs.
+        Filter assessments to include items with control IDs and existing assets.
+
+        For compliance reporting, PASS controls are always included even without assets
+        to ensure complete compliance documentation.
 
         :param assessments: List of raw assessments from Wiz
         :return: Filtered list of assessments
@@ -343,26 +365,187 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                 skipped_no_control += 1
                 continue
 
-            # Skip if asset doesn't exist in RegScale (use cached lookup)
+            # For PASS controls, allow through even without existing assets for compliance documentation
+            is_pass = temp_item.compliance_result in self.PASS_STATUSES
+
+            # Skip if asset doesn't exist in RegScale UNLESS it's a PASS control
             if temp_item.resource_id not in assets_exist:
-                skipped_no_asset += 1
-                continue
+                if not is_pass:
+                    skipped_no_asset += 1
+                    continue
+                # PASS control without asset - allow through for compliance documentation
 
             filtered_assessments.append(assessment)
         logger.debug(f"Skipped {skipped_no_control} assessments with no control ID for framework.")
-        logger.debug(f"Skipped {skipped_no_asset} assessments with no existing asset in RegScale.")
+        logger.debug(
+            f"Skipped {skipped_no_asset} assessments with no existing asset in RegScale (PASS controls allowed)."
+        )
         return filtered_assessments
 
     def create_compliance_item(self, raw_data: Any) -> ComplianceItem:
         """
         Create a ComplianceItem from raw compliance data.
 
+        Note: This creates a single item for the first control ID only.
+        Use create_all_compliance_items() to get all control mappings.
+
         :param Any raw_data: Raw compliance data from Wiz
         :return: ComplianceItem instance
         :rtype: ComplianceItem
         """
         return WizComplianceItem(raw_data, self)
 
+    def create_all_compliance_items(self, raw_data: Any) -> List[ComplianceItem]:
+        """
+        Create all ComplianceItems from raw compliance data.
+
+        This handles Wiz policies that map to multiple controls by creating
+        a separate ComplianceItem for each control ID.
+
+        :param Any raw_data: Raw compliance data from Wiz
+        :return: List of ComplianceItem instances (one per control)
+        :rtype: List[ComplianceItem]
+        """
+        # First get all control IDs this policy maps to
+        temp_item = WizComplianceItem(raw_data, self)
+        all_control_ids = self._get_all_control_ids_for_compliance_item(temp_item)
+
+        if not all_control_ids:
+            # No control IDs found, return single item with default behavior
+            return [temp_item]
+
+        # Create one compliance item per control ID
+        compliance_items = []
+        for control_id in all_control_ids:
+            compliance_items.append(WizComplianceItem(raw_data, self, specific_control_id=control_id))
+
+        return compliance_items
+
+    def process_compliance_data(self) -> None:
+        """
+        Override base class to handle multi-control Wiz policies.
+
+        Creates separate compliance items for each control ID that a policy maps to.
+        """
+        logger.info("Processing compliance data with multi-control support...")
+
+        # Reset state to avoid double counting on repeated calls
+        self._reset_compliance_state()
+
+        # Build allowed control IDs from plan/catalog controls to restrict scope
+        allowed_controls_normalized = self._build_allowed_controls_set()
+
+        # Fetch and process raw compliance data
+        raw_compliance_data = self.fetch_compliance_data()
+        total_policies_processed, total_compliance_items_created = self._process_raw_compliance_data(
+            raw_compliance_data, allowed_controls_normalized
+        )
+
+        # Perform control-level categorization based on aggregated results
+        self._categorize_controls_by_aggregation()
+
+        self._log_processing_summary(total_policies_processed, total_compliance_items_created)
+
+    def _reset_compliance_state(self) -> None:
+        """Reset state to avoid double counting on repeated calls."""
+        self.all_compliance_items = []
+        self.failed_compliance_items = []
+        self.passing_controls = {}
+        self.failing_controls = {}
+        self.asset_compliance_map.clear()
+
+    def _build_allowed_controls_set(self) -> set[str]:
+        """Build allowed control IDs from plan/catalog controls to restrict scope."""
+        allowed_controls_normalized: set[str] = set()
+        try:
+            controls = self._get_controls()
+            for ctl in controls:
+                cid = (ctl.get("controlId") or "").strip()
+                if not cid:
+                    continue
+                base, sub = self._normalize_control_id(cid)
+                normalized = f"{base}({sub})" if sub else base
+                allowed_controls_normalized.add(normalized)
+        except Exception:
+            # If controls cannot be loaded, proceed without additional filtering
+            allowed_controls_normalized = set()
+        return allowed_controls_normalized
+
+    def _process_raw_compliance_data(
+        self, raw_compliance_data: List[Any], allowed_controls_normalized: set[str]
+    ) -> tuple[int, int]:
+        """Process raw compliance data and return counts."""
+        total_policies_processed = 0
+        total_compliance_items_created = 0
+
+        for raw_item in raw_compliance_data:
+            try:
+                total_policies_processed += 1
+                compliance_items_for_policy = self.create_all_compliance_items(raw_item)
+
+                items_created_for_policy = self._process_compliance_items_for_policy(
+                    compliance_items_for_policy, allowed_controls_normalized
+                )
+                total_compliance_items_created += items_created_for_policy
+
+            except Exception as e:
+                logger.error(f"Error processing compliance item: {e}")
+                continue
+
+        return total_policies_processed, total_compliance_items_created
+
+    def _process_compliance_items_for_policy(
+        self, compliance_items_for_policy: List[Any], allowed_controls_normalized: set[str]
+    ) -> int:
+        """Process compliance items for a single policy and return count of items created."""
+        items_created = 0
+
+        for compliance_item in compliance_items_for_policy:
+            if not self._is_valid_compliance_item(compliance_item):
+                continue
+
+            if not self._is_control_in_allowed_set(compliance_item, allowed_controls_normalized):
+                continue
+
+            self._add_compliance_item_to_collections(compliance_item)
+            items_created += 1
+
+        return items_created
+
+    def _is_valid_compliance_item(self, compliance_item: Any) -> bool:
+        """Check if compliance item has required control_id and resource_id."""
+        return getattr(compliance_item, "control_id", "") and getattr(compliance_item, "resource_id", "")
+
+    def _is_control_in_allowed_set(self, compliance_item: Any, allowed_controls_normalized: set[str]) -> bool:
+        """Check if compliance item's control is in allowed set."""
+        if not allowed_controls_normalized:
+            return True
+
+        base, sub = self._normalize_control_id(getattr(compliance_item, "control_id", ""))
+        norm_item = f"{base}({sub})" if sub else base
+        return norm_item in allowed_controls_normalized
+
+    def _add_compliance_item_to_collections(self, compliance_item: Any) -> None:
+        """Add compliance item to appropriate collections."""
+        self.all_compliance_items.append(compliance_item)
+        self.asset_compliance_map[compliance_item.resource_id].append(compliance_item)
+
+        if compliance_item.compliance_result in self.FAIL_STATUSES:
+            self.failed_compliance_items.append(compliance_item)
+
+    def _log_processing_summary(self, total_policies_processed: int, total_compliance_items_created: int) -> None:
+        """Log processing summary information."""
+        logger.info(
+            f"Processed {total_policies_processed} Wiz policies into {total_compliance_items_created} compliance items"
+        )
+        logger.debug(
+            f"Compliance breakdown: {len(self.all_compliance_items) - len(self.failed_compliance_items)} passing items, "
+            f"{len(self.failed_compliance_items)} failing items"
+        )
+        logger.info(
+            f"Control categorization: {len(self.passing_controls)} passing controls, {len(self.failing_controls)} failing controls"
+        )
+
     def _map_resource_type_to_asset_type(self, compliance_item: ComplianceItem) -> str:
         """
         Map Wiz resource type to RegScale asset type.
@@ -442,7 +625,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         seen = set()
 
         for subcat in subcategories:
-            external_id = subcat.get("externalId", "")
+            external_id = subcat.get("externalId", "").strip()
             if external_id and external_id not in seen:
                 seen.add(external_id)
                 unique_control_ids.append(external_id)
@@ -496,7 +679,6 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         :rtype: Iterator[IntegrationFinding]
         """
         for control_id, resources in control_to_resources.items():
-
             # Use the first compliance item as the base for this control's finding
             base_compliance_item = next(iter(resources.values()))
 
@@ -826,6 +1008,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             last_seen=self.scan_date,
             scan_date=self.scan_date,
             asset_identifier=self._get_regscale_asset_identifier(compliance_item),
+            issue_asset_identifier_value=self._get_provider_unique_id_for_asset_identifier(compliance_item),
             vulnerability_type="Policy Compliance Violation",
             rule_id=compliance_item.control_id,
             baseline=compliance_item.framework,
@@ -1024,36 +1207,33 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         """
         logger.info("Fetching policy assessments from Wiz...")
 
-        # Authenticate if not already done
         if not self.access_token:
             self.authenticate_wiz()
 
-        headers = self._build_wiz_headers()
-        session = self._prepare_wiz_requests_session()
-
-        # Try cache first unless forced refresh
         cached_nodes = self._load_assessments_from_cache()
         if cached_nodes is not None:
             logger.info("Using cached Wiz policy assessments")
             return cached_nodes
 
-        # Only include variables supported by the query (avoid validation errors)
-        page_size = 100
-        base_variables = {"first": page_size}
+        # Try async approach first
+        async_results = self._try_async_assessment_fetch()
+        if async_results is not None:
+            self._write_assessments_cache(async_results)
+            return async_results
 
-        # Try multiple filter key variants to avoid schema differences across tenants
-        filter_variants = [
-            {"project": [self.wiz_project_id]},
-            {"projectId": [self.wiz_project_id]},
-            {"projects": [self.wiz_project_id]},
-            {},  # Empty filterBy
-            None,  # Omit filterBy entirely
-        ]
+        # Fall back to requests-based method
+        filtered_nodes = self._fetch_assessments_with_requests()
+        self._write_assessments_cache(filtered_nodes)
+        return filtered_nodes
 
-        # First, try async client (unit tests patch this path)
+    def _try_async_assessment_fetch(self) -> Optional[List[Dict[str, Any]]]:
+        """Try to fetch assessments using async client."""
         try:
             from regscale.integrations.commercial.wizv2.utils import compliance_job_progress
 
+            page_size = 100
+            headers = self._build_wiz_headers()
+
             with compliance_job_progress:
                 task = compliance_job_progress.add_task(
                     f"[#f68d1f]Fetching Wiz policy assessments (async, page size: {page_size})...",
@@ -1074,24 +1254,36 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                     max_concurrent=1,
                 )
                 compliance_job_progress.update(task, completed=1, advance=1)
+
             if results and len(results) == 1 and not results[0][2]:
                 nodes = results[0][1] or []
-                filtered = self._filter_nodes_to_framework(nodes)
-                self._write_assessments_cache(filtered)
-                return filtered
+                return self._filter_nodes_to_framework(nodes)
         except Exception:
-            # Fall back to requests-based method below
             pass
+        return None
 
-        filtered_nodes = self._fetch_assessments_with_variants(
+    def _fetch_assessments_with_requests(self) -> List[Dict[str, Any]]:
+        """Fetch assessments using requests-based method with filter variants."""
+        headers = self._build_wiz_headers()
+        session = self._prepare_wiz_requests_session()
+        page_size = 100
+        base_variables = {"first": page_size}
+
+        filter_variants = [
+            {"project": [self.wiz_project_id]},
+            {"projectId": [self.wiz_project_id]},
+            {"projects": [self.wiz_project_id]},
+            {},  # Empty filterBy
+            None,  # Omit filterBy entirely
+        ]
+
+        return self._fetch_assessments_with_variants(
             session=session,
             headers=headers,
             base_variables=base_variables,
             page_size=page_size,
             filter_variants=filter_variants,
         )
-        self._write_assessments_cache(filtered_nodes)
-        return filtered_nodes
 
     def _build_wiz_headers(self) -> Dict[str, str]:
         """
@@ -1127,7 +1319,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         )
         adapter = HTTPAdapter(max_retries=retry)
         session.mount("https://", adapter)
-        session.mount("http://", adapter)
+        session.mount("http://", adapter)  # NO SONAR #NOSONAR
         return session
 
     def _fetch_assessments_with_variants(
@@ -1377,19 +1569,70 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         :return: Path to the written JSON file
         :rtype: str
         """
-        # Create artifacts/wiz directory if it doesn't exist
+        # Setup file paths
+        artifacts_dir, timestamp, file_path, file_path_jsonl = self._setup_output_files()
+
+        # Build compliance summary data
+        catalog_controls = self._get_catalog_controls()
+        control_sets = self._build_control_sets(catalog_controls)
+
+        # Prepare export data structure
+        export_data = self._build_export_data(timestamp, catalog_controls, control_sets)
+
+        # Convert compliance items to serializable format
+        self._add_policy_assessments_to_export(export_data)
+
+        # Write files and cleanup
+        return self._write_output_files(file_path, file_path_jsonl, export_data, artifacts_dir)
+
+    def _setup_output_files(self) -> tuple[str, str, str, str]:
+        """Setup output directory and file paths."""
         artifacts_dir = os.path.join("artifacts", "wiz")
         os.makedirs(artifacts_dir, exist_ok=True)
 
-        # Generate timestamped filename
         timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
         filename_json = f"policy_compliance_report_{timestamp}.json"
         filename_jsonl = f"policy_compliance_report_{timestamp}.jsonl"
         file_path = os.path.join(artifacts_dir, filename_json)
         file_path_jsonl = os.path.join(artifacts_dir, filename_jsonl)
 
-        # Prepare data for JSON export
-        export_data = {
+        return artifacts_dir, timestamp, file_path, file_path_jsonl
+
+    def _get_catalog_controls(self) -> set[str]:
+        """Get catalog controls from the plan/catalog."""
+        catalog_controls = set()
+        try:
+            controls = self._get_controls()
+            for ctl in controls:
+                cid = (ctl.get("controlId") or "").strip()
+                if cid:
+                    catalog_controls.add(cid)
+        except Exception:
+            catalog_controls = set()
+        return catalog_controls
+
+    def _build_control_sets(self, catalog_controls: set[str]) -> Dict[str, set]:
+        """Build control sets for summary calculations."""
+        assessed_controls = {item.control_id for item in self.all_compliance_items if item.control_id}
+        passing_control_ids = {key.upper() for key in self.passing_controls.keys()}
+        failing_control_ids = {key.upper() for key in self.failing_controls.keys()}
+
+        return {
+            "assessed": assessed_controls,
+            "passing": passing_control_ids,
+            "failing": failing_control_ids,
+            "catalog": catalog_controls,
+        }
+
+    def _build_export_data(
+        self, timestamp: str, catalog_controls: set[str], control_sets: Dict[str, set]
+    ) -> Dict[str, Any]:
+        """Build the main export data structure."""
+        assessed_controls = control_sets["assessed"]
+        passing_control_ids = control_sets["passing"]
+        failing_control_ids = control_sets["failing"]
+
+        return {
             "metadata": {
                 "timestamp": timestamp,
                 "wiz_project_id": self.wiz_project_id,
@@ -1398,62 +1641,107 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                 "total_assessments": len(self.all_compliance_items),
                 "pass_count": len(self.all_compliance_items) - len(self.failed_compliance_items),
                 "fail_count": len(self.failed_compliance_items),
-                "unique_controls": len({item.control_id for item in self.all_compliance_items if item.control_id}),
+                "unique_controls": len(assessed_controls),
+                "catalog_summary": self._build_catalog_summary(
+                    catalog_controls, assessed_controls, passing_control_ids, failing_control_ids
+                ),
             },
             "framework_mapping": self.framework_mapping,
+            "control_summary": {
+                "passing_controls": list(passing_control_ids),
+                "failing_controls": list(failing_control_ids),
+                "catalog_controls_no_wiz_data": list(catalog_controls - assessed_controls - passing_control_ids),
+                "wiz_controls_outside_catalog": list(assessed_controls - catalog_controls),
+            },
             "policy_assessments": [],
         }
 
-        # Convert compliance items to serializable format
+    def _build_catalog_summary(
+        self,
+        catalog_controls: set[str],
+        assessed_controls: set[str],
+        passing_control_ids: set[str],
+        failing_control_ids: set[str],
+    ) -> Dict[str, int]:
+        """Build catalog summary statistics."""
+        return {
+            "total_catalog_controls": len(catalog_controls),
+            "catalog_controls_with_wiz_data": len(catalog_controls.intersection(assessed_controls)),
+            "catalog_controls_passing": len(catalog_controls.intersection(passing_control_ids)),
+            "catalog_controls_failing": len(catalog_controls.intersection(failing_control_ids)),
+            "catalog_controls_no_data": len(catalog_controls - assessed_controls - passing_control_ids),
+            "wiz_controls_outside_catalog": len(assessed_controls - catalog_controls),
+        }
+
+    def _add_policy_assessments_to_export(self, export_data: Dict[str, Any]) -> None:
+        """Add policy assessments to export data."""
         for compliance_item in self.all_compliance_items:
             if isinstance(compliance_item, WizComplianceItem):
-                # Filter policy subcategories to only the selected framework to avoid noise
-                filtered_policy = dict(compliance_item.policy) if compliance_item.policy else {}
-                if filtered_policy:
-                    subcats = filtered_policy.get("securitySubCategories", [])
-                    if subcats:
-                        target_framework_id = self.framework_id
-                        filtered_subcats = [
-                            sc
-                            for sc in subcats
-                            if sc.get("category", {}).get("framework", {}).get("id") == target_framework_id
-                        ]
-                        if filtered_subcats:
-                            filtered_policy["securitySubCategories"] = filtered_subcats
-                        else:
-                            # If filter removes all, keep original to retain context
-                            pass
-                assessment_data = {
-                    "id": compliance_item.id,
-                    "result": compliance_item.result,
-                    "control_id": compliance_item.control_id,
-                    "framework_name": compliance_item.framework,
-                    "framework_id": compliance_item.framework_id,
-                    "policy": filtered_policy or compliance_item.policy,
-                    "resource": compliance_item.resource,
-                    "output": compliance_item.output,
-                }
+                assessment_data = self._build_assessment_data(compliance_item)
                 export_data["policy_assessments"].append(assessment_data)
 
-        # Write to JSON and JSONL files
+    def _build_assessment_data(self, compliance_item: WizComplianceItem) -> Dict[str, Any]:
+        """Build assessment data for a single compliance item."""
+        filtered_policy = self._filter_policy_subcategories(compliance_item)
+
+        return {
+            "id": compliance_item.id,
+            "result": compliance_item.result,
+            "control_id": compliance_item.control_id,
+            "framework_name": compliance_item.framework,
+            "framework_id": compliance_item.framework_id,
+            "policy": filtered_policy or compliance_item.policy,
+            "resource": compliance_item.resource,
+            "output": compliance_item.output,
+        }
+
+    def _filter_policy_subcategories(self, compliance_item: WizComplianceItem) -> Dict[str, Any]:
+        """Filter policy subcategories to only the selected framework."""
+        filtered_policy = dict(compliance_item.policy) if compliance_item.policy else {}
+        if not filtered_policy:
+            return filtered_policy
+
+        subcats = filtered_policy.get("securitySubCategories", [])
+        if not subcats:
+            return filtered_policy
+
+        target_framework_id = self.framework_id
+        filtered_subcats = [
+            sc for sc in subcats if sc.get("category", {}).get("framework", {}).get("id") == target_framework_id
+        ]
+
+        if filtered_subcats:
+            filtered_policy["securitySubCategories"] = filtered_subcats
+
+        return filtered_policy
+
+    def _write_output_files(
+        self, file_path: str, file_path_jsonl: str, export_data: Dict[str, Any], artifacts_dir: str
+    ) -> str:
+        """Write output files and perform cleanup."""
         try:
-            with open(file_path, "w", encoding="utf-8") as f:
-                json.dump(export_data, f, indent=2, ensure_ascii=False)
-
-            logger.info(f"Policy compliance data written to: {file_path}")
-            # JSONL: aggregated by control_id (optional)
-            if getattr(self, "write_jsonl_output", False):
-                control_agg = self._build_control_aggregation()
-                with open(file_path_jsonl, "w", encoding="utf-8") as jf:
-                    for control_id, ctrl in control_agg.items():
-                        jf.write(json.dumps(ctrl, ensure_ascii=False) + "\n")
-                logger.info(f"Policy compliance JSONL written to: {file_path_jsonl}")
+            self._write_json_file(file_path, export_data)
+            self._write_jsonl_file_if_enabled(file_path_jsonl)
             self._cleanup_artifacts(artifacts_dir, keep=CACHE_CLEANUP_KEEP_COUNT)
             return file_path
-
         except Exception as e:
             error_and_exit(f"Failed to write policy data to JSON: {str(e)}")
 
+    def _write_json_file(self, file_path: str, export_data: Dict[str, Any]) -> None:
+        """Write JSON export data to file."""
+        with open(file_path, "w", encoding="utf-8") as f:
+            json.dump(export_data, f, indent=2, ensure_ascii=False)
+        logger.info(f"Policy compliance data written to: {file_path}")
+
+    def _write_jsonl_file_if_enabled(self, file_path_jsonl: str) -> None:
+        """Write JSONL file if output is enabled."""
+        if getattr(self, "write_jsonl_output", False):
+            control_agg = self._build_control_aggregation()
+            with open(file_path_jsonl, "w", encoding="utf-8") as jf:
+                for control_id, ctrl in control_agg.items():
+                    jf.write(json.dumps(ctrl, ensure_ascii=False) + "\n")
+            logger.info(f"Policy compliance JSONL written to: {file_path_jsonl}")
+
     def _build_control_aggregation(self) -> Dict[str, Dict[str, Any]]:
         """
         Build an aggregated view per control_id for JSONL export.
@@ -1975,7 +2263,7 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         # Update basic fields (similar to parent class logic)
         existing_issue.title = title
         existing_issue.description = finding.description
-        existing_issue.severity = finding.severity
+        existing_issue.severityLevel = finding.severity
         existing_issue.status = finding.status
         existing_issue.dateLastUpdated = self.scan_date
 
@@ -2013,24 +2301,44 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
 
         CRITICAL FIX: Check if the finding has assessment parent overrides and apply them.
         """
-        # Get consolidated asset identifier
         asset_identifier = self.get_consolidated_asset_identifier(finding, existing_issue)
-
-        # Prepare issue data
-        issue_title = self.get_issue_title(finding) or title
-        description = finding.description or ""
-        remediation_description = finding.recommendation_for_mitigation or finding.remediation or ""
-        is_poam = self.is_poam(finding)
+        issue_data = self._prepare_issue_data(finding, title)
 
         if existing_issue:
             logger.debug(
                 "Updating existing issue %s with assetIdentifier %s", existing_issue.id, finding.asset_identifier
             )
 
-        # If we have an existing issue, update its fields instead of creating a new one
         issue = existing_issue or regscale_models.Issue()
+        parent_info = self._get_parent_info(finding)
 
-        # CRITICAL FIX: Check for parent overrides from the finding
+        self._set_basic_issue_properties(issue, finding, issue_status, issue_data, parent_info, asset_identifier)
+        self._set_compliance_properties(issue, finding)
+        self._set_additional_properties(issue, finding, issue_data)
+
+        if finding.cve:
+            issue = self.lookup_kev_and_update_issue(cve=finding.cve, issue=issue, cisa_kevs=self._kev_data)
+
+        issue = self._save_or_create_issue_record(issue, finding, existing_issue, issue_data["is_poam"])
+
+        if issue and issue.id:
+            self._handle_post_creation_tasks(issue, finding, existing_issue)
+        else:
+            logger.debug("Skipping milestone creation - issue has no ID")
+
+        return issue
+
+    def _prepare_issue_data(self, finding: IntegrationFinding, title: str) -> Dict[str, Any]:
+        """Prepare basic issue data from finding."""
+        return {
+            "issue_title": self.get_issue_title(finding) or title,
+            "description": finding.description or "",
+            "remediation_description": finding.recommendation_for_mitigation or finding.remediation or "",
+            "is_poam": self.is_poam(finding),
+        }
+
+    def _get_parent_info(self, finding: IntegrationFinding) -> Dict[str, Any]:
+        """Get parent information for the issue."""
         if hasattr(finding, "_override_parent_id") and hasattr(finding, "_override_parent_module"):
             parent_id = finding._override_parent_id
             parent_module = finding._override_parent_module
@@ -2039,11 +2347,22 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             parent_id = self.plan_id
             parent_module = self.parent_module
 
-        # Update all fields (copying from ScannerIntegration but with override parent)
-        issue.parentId = parent_id
-        issue.parentModule = parent_module
+        return {"parent_id": parent_id, "parent_module": parent_module}
+
+    def _set_basic_issue_properties(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        issue_status,
+        issue_data: Dict[str, Any],
+        parent_info: Dict[str, Any],
+        asset_identifier: str,
+    ) -> None:
+        """Set basic properties on the issue."""
+        issue.parentId = parent_info["parent_id"]
+        issue.parentModule = parent_info["parent_module"]
         issue.vulnerabilityId = finding.vulnerability_id
-        issue.title = issue_title
+        issue.title = issue_data["issue_title"]
         issue.dateCreated = finding.date_created
         issue.status = issue_status
         issue.dateCompleted = (
@@ -2056,51 +2375,40 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         issue.securityPlanId = self.plan_id if not self.is_component else None
         issue.identification = finding.identification
         issue.dateFirstDetected = finding.first_seen
-
-        # Ensure a due date is always set using configured policy defaults (e.g., FedRAMP)
-        if not finding.due_date:
-            try:
-                base_created = finding.date_created or issue.dateCreated
-                finding.due_date = issue_due_date(
-                    severity=finding.severity,
-                    created_date=base_created,
-                    title=self.title,
-                )
-            except Exception:
-                # Final fallback to a Low severity default if anything goes wrong
-                base_created = finding.date_created or issue.dateCreated
-                finding.due_date = issue_due_date(
-                    severity=regscale_models.IssueSeverity.Low,
-                    created_date=base_created,
-                    title=self.title,
-                )
-        issue.dueDate = finding.due_date
-        issue.description = description
-        issue.sourceReport = finding.source_report or self.title
-        issue.recommendedActions = finding.recommendation_for_mitigation
         issue.assetIdentifier = asset_identifier
-        issue.securityChecks = finding.security_check or finding.external_id
-        issue.remediationDescription = remediation_description
-        issue.integrationFindingId = self.get_finding_identifier(finding)
-        issue.poamComments = finding.poam_comments
-        issue.cve = finding.cve
 
-        # CRITICAL: Set assessmentId (this is the key fix)
+        # Ensure due date is set
+        self._set_issue_due_date(issue, finding)
+
+    def _set_compliance_properties(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+        """Set compliance-specific properties."""
         issue.assessmentId = finding.assessment_id
-        logger.debug(f"SETTING assessmentId = {finding.assessment_id} with parent = {parent_module} #{parent_id}")
+        logger.debug(f"SETTING assessmentId = {finding.assessment_id}")
 
         control_id = self.get_control_implementation_id_for_cci(finding.cci_ref) if finding.cci_ref else None
         issue.controlId = control_id
 
-        # Add the control implementation ids and the cci ref if it exists
         cci_control_ids = [control_id] if control_id is not None else []
         if finding.affected_controls:
             issue.affectedControls = finding.affected_controls
         elif finding.control_labels:
             issue.affectedControls = ", ".join(sorted({cl for cl in finding.control_labels if cl}))
 
-        issue.controlImplementationIds = list(set(finding._control_implementation_ids + cci_control_ids))  # noqa
-        issue.isPoam = is_poam
+        issue.controlImplementationIds = list(set(finding._control_implementation_ids + cci_control_ids))
+
+    def _set_additional_properties(
+        self, issue: regscale_models.Issue, finding: IntegrationFinding, issue_data: Dict[str, Any]
+    ) -> None:
+        """Set additional issue properties."""
+        issue.description = issue_data["description"]
+        issue.sourceReport = finding.source_report or self.title
+        issue.recommendedActions = finding.recommendation_for_mitigation
+        issue.securityChecks = finding.security_check or finding.external_id
+        issue.remediationDescription = issue_data["remediation_description"]
+        issue.integrationFindingId = self.get_finding_identifier(finding)
+        issue.poamComments = finding.poam_comments
+        issue.cve = finding.cve
+        issue.isPoam = issue_data["is_poam"]
         issue.basisForAdjustment = (
             finding.basis_for_adjustment if finding.basis_for_adjustment else f"{self.title} import"
         )
@@ -2116,9 +2424,10 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         issue.dateLastUpdated = get_current_datetime()
         issue.affectedControls = finding.affected_controls
 
-        if finding.cve:
-            issue = self.lookup_kev_and_update_issue(cve=finding.cve, issue=issue, cisa_kevs=self._kev_data)
-
+    def _save_or_create_issue_record(
+        self, issue: regscale_models.Issue, finding: IntegrationFinding, existing_issue, is_poam: bool
+    ) -> regscale_models.Issue:
+        """Save or create the issue record."""
         if existing_issue:
             logger.debug(f"Saving existing issue {issue.id} with assessmentId={issue.assessmentId}")
             issue.save(bulk=True)
@@ -2131,20 +2440,18 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
                 logger.debug(f"Issue created with ID: {issue.id}")
                 self.extra_data_to_properties(finding, issue.id)
             else:
-                logger.error(f" Issue creation failed - no ID returned for finding {finding.external_id}")
+                logger.error(f"Issue creation failed - no ID returned for finding {finding.external_id}")
                 return None
+        return issue
 
-        # Only create milestones if issue has an ID
-        if issue and issue.id:
-            # Check if existing issue needs initial milestone creation
-            if existing_issue and ScannerVariables.useMilestones:
-                self._ensure_issue_has_milestone(issue, finding)
-
-            self._handle_property_and_milestone_creation(issue, finding, existing_issue)
-        else:
-            logger.debug("Skipping milestone creation - issue has no ID")
+    def _handle_post_creation_tasks(
+        self, issue: regscale_models.Issue, finding: IntegrationFinding, existing_issue
+    ) -> None:
+        """Handle tasks after issue creation/update."""
+        if existing_issue and ScannerVariables.useMilestones:
+            self._ensure_issue_has_milestone(issue, finding)
 
-        return issue
+        self._handle_property_and_milestone_creation(issue, finding, existing_issue)
 
     def _populate_compliance_fields_on_finding(self, finding: IntegrationFinding) -> None:
         """
@@ -2164,7 +2471,6 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             if hasattr(finding, "rule_id") and finding.rule_id:
                 control_id = self._normalize_control_id_string(finding.rule_id)
                 if control_id:
-
                     # Get control implementation ID
                     impl_id = self._issue_field_setter._get_or_find_implementation_id(control_id)
                     if impl_id:
@@ -2628,7 +2934,6 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         """
         logger.info("Starting control assessment processing for Wiz compliance integration")
 
-        # Ensure existing records cache is loaded
         self._load_existing_records_cache()
 
         implementations = self._get_control_implementations()
@@ -2636,61 +2941,96 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             logger.warning("No control implementations found for assessment processing")
             return
 
-        # Get all potential control IDs from compliance data
+        validated_controls = self._validate_controls_with_assets()
+        if not validated_controls["controls_with_assets"]:
+            logger.warning("No controls have assets in RegScale boundary - no control assessments will be created")
+            logger.info("SUMMARY: 0 control assessments created (no assets exist in RegScale)")
+            return
+
+        assessments_created = self._create_assessments_for_validated_controls(
+            validated_controls["controls_with_assets"], implementations
+        )
+        self._log_assessment_summary(assessments_created, validated_controls)
+
+    def _validate_controls_with_assets(self) -> Dict[str, Any]:
+        """Validate controls and identify those with existing assets."""
         all_potential_controls = set(self.passing_controls.keys()) | set(self.failing_controls.keys())
         logger.debug(
             f"Found {len(all_potential_controls)} potential controls from compliance data: {sorted(all_potential_controls)}"
         )
 
-        # Validate each control has actual assets in our boundary before processing
         validated_controls_with_assets = {}
         validated_passing_controls = {}
         validated_failing_controls = {}
 
         for control_id in all_potential_controls:
-            # Get all compliance items for this control
+            validation_result = self._validate_single_control(control_id)
+
+            if validation_result["should_process"]:
+                validated_controls_with_assets[control_id] = validation_result["asset_identifiers"]
+
+                if control_id in self.failing_controls:
+                    validated_failing_controls[control_id] = self.failing_controls[control_id]
+                elif control_id in self.passing_controls:
+                    validated_passing_controls[control_id] = self.passing_controls[control_id]
+
+        return {
+            "controls_with_assets": validated_controls_with_assets,
+            "passing_controls": validated_passing_controls,
+            "failing_controls": validated_failing_controls,
+        }
+
+    def _validate_single_control(self, control_id: str) -> Dict[str, Any]:
+        """Validate a single control for asset existence."""
+        is_passing_control = control_id in self.passing_controls
+
+        if is_passing_control:
+            control_items = self._get_control_compliance_items(control_id)
+        else:
             control_items = self._get_validated_control_compliance_items(control_id)
 
-            if not control_items:
-                continue
+        if not control_items and is_passing_control:
+            logger.debug(f"Control {control_id} is passing - will process for compliance documentation")
+            return {"should_process": True, "asset_identifiers": []}
 
-            # Check if we have any assets for the compliance items
-            asset_identifiers = set()
-            assets_found = 0
-
-            for item in control_items:
-                if hasattr(item, "resource_name") and item.resource_name:
-                    resource_id = getattr(item, "resource_id", "")
-                    # Verify the asset actually exists in RegScale
-                    if self._asset_exists_in_regscale(resource_id):
-                        asset_identifiers.add(item.resource_name)
-                        assets_found += 1
-                    else:
-                        logger.debug(
-                            f"Control {control_id}: Asset {resource_id} ({item.resource_name}) not found in RegScale"
-                        )
-            logger.debug(f"Found {assets_found} valid assets for control {control_id}")
-            if not asset_identifiers:
-                continue
+        if not control_items:
+            return {"should_process": False, "asset_identifiers": []}
 
-            # This control has valid assets, include it in processing
-            validated_controls_with_assets[control_id] = list(asset_identifiers)
+        asset_identifiers = self._collect_asset_identifiers(control_items, control_id, is_passing_control)
 
-            # Preserve the pass/fail status for validated controls
-            if control_id in self.failing_controls:
-                validated_failing_controls[control_id] = self.failing_controls[control_id]
-            elif control_id in self.passing_controls:
-                validated_passing_controls[control_id] = self.passing_controls[control_id]
+        # For passing controls, allow through even without assets
+        # For failing controls, require at least one asset
+        should_process = bool(asset_identifiers) or is_passing_control
 
-        if not validated_controls_with_assets:
-            logger.warning(" No controls have assets in RegScale boundary - no control assessments will be created")
-            logger.info("SUMMARY: 0 control assessments created (no assets exist in RegScale)")
-            return
+        return {"should_process": should_process, "asset_identifiers": list(asset_identifiers)}
+
+    def _collect_asset_identifiers(self, control_items: List[Any], control_id: str, is_passing_control: bool) -> set:
+        """Collect asset identifiers for control items."""
+        asset_identifiers = set()
+        assets_found = 0
+
+        for item in control_items:
+            if hasattr(item, "resource_name") and item.resource_name:
+                resource_id = getattr(item, "resource_id", "")
+                # Verify the asset actually exists in RegScale (if not a passing control)
+                if is_passing_control or self._asset_exists_in_regscale(resource_id):
+                    asset_identifiers.add(item.resource_name)
+                    assets_found += 1
+                else:
+                    logger.debug(
+                        f"Control {control_id}: Asset {resource_id} ({item.resource_name}) not found in RegScale"
+                    )
 
+        logger.debug(f"Found {assets_found} valid assets for control {control_id}")
+        return asset_identifiers
+
+    def _create_assessments_for_validated_controls(
+        self, validated_controls_with_assets: Dict[str, List[str]], implementations: List[Any]
+    ) -> int:
+        """Create assessments for validated controls."""
         assessments_created = 0
         processed_impl_today: set[int] = set()
 
-        # Only process validated controls that have assets in our boundary
         for control_id in validated_controls_with_assets.keys():
             created = self._process_single_control_assessment(
                 control_id=control_id,
@@ -2699,8 +3039,13 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             )
             assessments_created += created
 
-        # Calculate stats only for validated controls
-        validated_control_ids = set(validated_controls_with_assets.keys())
+        return assessments_created
+
+    def _log_assessment_summary(self, assessments_created: int, validated_controls: Dict[str, Any]) -> None:
+        """Log summary of assessment creation."""
+        validated_control_ids = set(validated_controls["controls_with_assets"].keys())
+        validated_failing_controls = validated_controls["failing_controls"]
+
         passing_assessments = len([cid for cid in validated_control_ids if cid not in validated_failing_controls])
         failing_assessments = len([cid for cid in validated_control_ids if cid in validated_failing_controls])
 
@@ -2710,11 +3055,11 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
             )
         else:
             logger.warning(
-                f"No control assessments were actually created (0 assessments) despite finding {len(validated_controls_with_assets)} controls with assets"
+                f"No control assessments were actually created (0 assessments) despite finding {len(validated_controls['controls_with_assets'])} controls with assets"
             )
 
         logger.info(
-            f"CONTROL ASSESSMENT SUMMARY: {assessments_created} assessments created for {len(validated_controls_with_assets)} validated controls"
+            f"CONTROL ASSESSMENT SUMMARY: {assessments_created} assessments created for {len(validated_controls['controls_with_assets'])} validated controls"
         )
 
     def _sync_assessment_cache_from_base_class(self) -> None:
@@ -2989,6 +3334,29 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         # Fallback (should not normally happen since resource_id is required)
         return resource_name or "Unknown Resource"
 
+    def _get_provider_unique_id_for_asset_identifier(self, compliance_item: "WizComplianceItem") -> str:
+        """
+        Get the provider unique ID for meaningful asset identification in eMASS exports.
+
+        This provides cloud provider-specific identifiers like ARNs, Azure resource IDs, etc.
+        instead of internal Wiz IDs for better readability in POAMs and eMASS exports.
+
+        :param WizComplianceItem compliance_item: Compliance item with resource information
+        :return: Provider unique ID or fallback to resource name/ID
+        :rtype: str
+        """
+        provider_unique_id = getattr(compliance_item, "provider_unique_id", "")
+        resource_name = getattr(compliance_item, "resource_name", "")
+        resource_id = getattr(compliance_item, "resource_id", "")
+
+        # Priority: providerUniqueId -> resource_name -> resource_id
+        if provider_unique_id:
+            return provider_unique_id
+        elif resource_name:
+            return resource_name
+        else:
+            return resource_id
+
     def _create_consolidated_asset_identifier(self, asset_mappings: Dict[str, Dict[str, str]]) -> str:
         """
         Create a consolidated asset identifier with only asset names (one per line).
@@ -3029,6 +3397,56 @@ class WizPolicyComplianceIntegration(ComplianceIntegration):
         )
         return consolidated_identifier
 
+    def _categorize_controls_by_aggregation(self) -> None:
+        """
+        Override the base method to handle multiple control IDs per compliance item.
+        Wiz policies can map to multiple NIST controls (e.g., AC-2(4), AC-6(9)) in securitySubCategories.
+        This method ensures all controls from a policy assessment are properly categorized.
+        """
+        from collections import defaultdict, Counter
+
+        # Group all compliance items by control ID - handle multiple controls per item
+        control_items = defaultdict(list)
+
+        for item in self.all_compliance_items:
+            # Get all control IDs that this compliance item maps to
+            all_control_ids = self._get_all_control_ids_for_compliance_item(item)
+
+            # Add this item to each control it maps to
+            for control_id in all_control_ids:
+                control_key = control_id.lower()
+                control_items[control_key].append(item)
+
+        # Analyze each control's results
+        for control_key, items in control_items.items():
+            results = [item.compliance_result for item in items]
+            result_counts = Counter(results)
+
+            fail_count = sum(result_counts.get(status, 0) for status in self.FAIL_STATUSES)
+            pass_count = sum(result_counts.get(status, 0) for status in self.PASS_STATUSES)
+
+            # Determine control status - strict compliance: ALL assessments must pass
+            if fail_count == 0 and pass_count > 0:
+                # All results are passing - control passes
+                self.passing_controls[control_key] = items[0]  # Use first item as representative
+                logger.debug(f"Control {control_key} marked as PASSING: {pass_count}P/{fail_count}F")
+
+            elif fail_count > 0:
+                # Any failures present - control fails (strict compliance)
+                self.failing_controls[control_key] = next(
+                    item for item in items if item.compliance_result in self.FAIL_STATUSES
+                )
+                logger.debug(
+                    f"Control {control_key} marked as FAILING: {pass_count}P/{fail_count}F (any failure = control fails)"
+                )
+            else:
+                # No pass or fail results - skip this control
+                logger.debug(f"Control {control_key} skipped: no valid pass/fail results")
+
+        logger.info(
+            f"Control categorization complete: {len(self.passing_controls)} passing, {len(self.failing_controls)} failing"
+        )
+
 
 def resolve_framework_id(framework_input: str) -> str:
     """