regscale-cli 6.25.1.0__py3-none-any.whl → 6.26.0.0__py3-none-any.whl

tests/regscale/integrations/commercial/wizv2/test_compliance_report_normalization.py

@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Unit tests for Wiz compliance report control ID normalization."""
+
+import pytest
+from unittest.mock import MagicMock
+
+from regscale.integrations.commercial.wizv2.compliance_report import WizComplianceReportItem
+
+
+class TestWizControlNormalization:
+    """Test control ID normalization in WizComplianceReportItem."""
+
+    def test_normalize_base_control(self):
+        """Test normalization of base control IDs with leading zeros."""
+        # Create a mock CSV row
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "Test", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+
+        # Test cases
+        assert item._normalize_base_control("AC-01") == "AC-1"
+        assert item._normalize_base_control("AC-1") == "AC-1"
+        assert item._normalize_base_control("AU-003") == "AU-3"
+        assert item._normalize_base_control("SI-004") == "SI-4"
+        assert item._normalize_base_control("sc-7") == "SC-7"  # lowercase
+        assert item._normalize_base_control("PM-10") == "PM-10"  # no leading zero
+
+    def test_format_control_id_with_enhancement_normalization(self):
+        """Test that enhancement numbers are normalized to remove leading zeros."""
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "Test", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+
+        # Enhancement with leading zeros should be normalized
+        assert item._format_control_id("AC-1", "04") == "AC-1(4)"
+        assert item._format_control_id("AC-2", "001") == "AC-2(1)"
+        assert item._format_control_id("SI-4", "020") == "SI-4(20)"
+
+        # Enhancement without leading zeros should remain unchanged
+        assert item._format_control_id("AC-1", "4") == "AC-1(4)"
+        assert item._format_control_id("AC-2", "12") == "AC-2(12)"
+
+        # No enhancement
+        assert item._format_control_id("AC-1", "") == "AC-1"
+        assert item._format_control_id("AC-1", None) == "AC-1"
+
+    def test_get_all_control_ids_single_control(self):
+        """Test extraction of single control ID."""
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "AC-3 Access Enforcement", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+
+        control_ids = item.get_all_control_ids()
+        assert control_ids == ["AC-3"]
+
+    def test_get_all_control_ids_with_enhancement(self):
+        """Test extraction of control ID with enhancement."""
+        csv_row = {
+            "Compliance Check Name (Wiz Subcategory)": "AC-2(4) Account Management | Automated Audit Actions",
+            "Result": "Pass",
+        }
+        item = WizComplianceReportItem(csv_row)
+
+        control_ids = item.get_all_control_ids()
+        assert control_ids == ["AC-2(4)"]
+
+    def test_get_all_control_ids_multiple_controls(self):
+        """Test extraction of multiple control IDs from comma-separated list."""
+        csv_row = {
+            "Compliance Check Name (Wiz Subcategory)": "AC-2(4) Account Management | Automated Audit Actions, "
+            "AC-6(9) Least Privilege | Log Use of Privileged Functions, "
+            "AU-12 Audit Record Generation",
+            "Result": "Fail",
+        }
+        item = WizComplianceReportItem(csv_row)
+
+        control_ids = item.get_all_control_ids()
+        assert control_ids == ["AC-2(4)", "AC-6(9)", "AU-12"]
+
+    def test_get_all_control_ids_with_leading_zeros(self):
+        """Test that control IDs with leading zeros are properly normalized."""
+        # Test with leading zeros in base control
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "AC-01 Access Control", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+        assert item.get_all_control_ids() == ["AC-1"]
+
+        # Test with leading zeros in enhancement
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "AC-01(04) Access Control Enhancement", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+        assert item.get_all_control_ids() == ["AC-1(4)"]
+
+        # Test multiple controls with various leading zero patterns
+        csv_row = {
+            "Compliance Check Name (Wiz Subcategory)": "AC-01(04) Access Control, AU-3(1) Audit Content, SI-04(020) Monitoring",
+            "Result": "Pass",
+        }
+        item = WizComplianceReportItem(csv_row)
+        assert item.get_all_control_ids() == ["AC-1(4)", "AU-3(1)", "SI-4(20)"]
+
+    def test_get_control_id_returns_first(self):
+        """Test that get_control_id returns only the first control ID."""
+        csv_row = {
+            "Compliance Check Name (Wiz Subcategory)": "AC-2(4) Account Management, AC-6(9) Least Privilege, AU-12 Audit",
+            "Result": "Pass",
+        }
+        item = WizComplianceReportItem(csv_row)
+
+        # get_control_id should return only the first
+        assert item.get_control_id() == "AC-2(4)"
+
+        # get_all_control_ids should return all
+        assert item.get_all_control_ids() == ["AC-2(4)", "AC-6(9)", "AU-12"]
+
+    def test_affected_controls_property(self):
+        """Test that affected_controls property returns comma-separated list."""
+        csv_row = {
+            "Compliance Check Name (Wiz Subcategory)": "AC-2(4) Account Management, AC-6(9) Least Privilege",
+            "Result": "Fail",
+        }
+        item = WizComplianceReportItem(csv_row)
+
+        # affected_controls should return all control IDs as comma-separated string
+        assert item.affected_controls == "AC-2(4),AC-6(9)"
+
+    def test_empty_compliance_check_name(self):
+        """Test handling of empty compliance check name."""
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+
+        assert item.get_control_id() == ""
+        assert item.get_all_control_ids() == []
+        assert item.affected_controls == ""
+
+    def test_control_id_property(self):
+        """Test the control_id property returns normalized first control."""
+        csv_row = {"Compliance Check Name (Wiz Subcategory)": "AC-01(04) Access Control, AU-3 Audit", "Result": "Pass"}
+        item = WizComplianceReportItem(csv_row)
+
+        # control_id property should return the first normalized control
+        assert item.control_id == "AC-1(4)"

tests/regscale/integrations/commercial/wizv2/test_issue.py

@@ -0,0 +1,343 @@
+import pytest
+from unittest.mock import patch
+from regscale.integrations.commercial.wizv2.issue import WizIssue
+from regscale.integrations.commercial.wizv2.constants import WizVulnerabilityType
+from regscale.models import IssueSeverity, IssueStatus
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_parse_finding_control_labels(mock_get_assessor):
+    """Test that WizIssue correctly parses control labels from a Wiz issue."""
+    # Mock the assessor ID
+    mock_get_assessor.return_value = "test-assessor"
+
+    # Create test instance with a test plan ID
+    wiz_issue = WizIssue(plan_id=1)
+
+    # Sample Wiz issue data with security subcategories
+    test_issue = {
+        "id": "66013c7a-de84-4b46-a3c7-934521cb9e3b",
+        "sourceRule": {
+            "__typename": "Control",
+            "id": "wc-id-15",
+            "name": "Publicly exposed PaaS database server",
+            "controlDescription": "This database is exposed to the public internet.",
+            "resolutionRecommendation": "Limit external exposure",
+            "securitySubCategories": [
+                {
+                    "title": "AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows",
+                    "externalId": "AC-4(21)",
+                    "category": {"name": "AC Access Control", "framework": {"name": "NIST SP 800-53 Revision 5"}},
+                },
+                {
+                    "title": "SC-7 Boundary Protection",
+                    "externalId": "SC-7",
+                    "category": {
+                        "name": "SC System And Communications Protection",
+                        "framework": {"name": "NIST SP 800-53 Revision 5"},
+                    },
+                },
+                {
+                    "title": "AC-3 Access Enforcement",
+                    "externalId": "AC-3",
+                    "category": {"name": "AC Access Control", "framework": {"name": "NIST SP 800-53 Revision 5"}},
+                },
+            ],
+        },
+        "severity": "HIGH",
+        "status": "OPEN",
+        "createdAt": "2024-02-21T08:22:22.696689Z",
+        "entitySnapshot": {
+            "id": "474c2882-b98a-5b2b-b2f5-40f6cbdbf04f",
+            "type": "DB_SERVER",
+            "name": "releasetest-sqlserver",
+        },
+    }
+
+    # Parse the finding
+    finding = wiz_issue.parse_finding(test_issue, WizVulnerabilityType.ISSUE)
+
+    # Expected control labels based on NIST SP 800-53 controls
+    expected_control_labels = ["ac-4.21", "sc-7", "ac-3"]
+
+    # Verify the finding attributes
+    assert finding is not None
+    assert finding.control_labels == expected_control_labels
+    assert finding.severity == IssueSeverity.High
+    assert finding.title == "Publicly exposed PaaS database server"
+    assert finding.asset_identifier == "474c2882-b98a-5b2b-b2f5-40f6cbdbf04f"
+    assert finding.external_id == "66013c7a-de84-4b46-a3c7-934521cb9e3b"
+    assert finding.plugin_name == "Wiz-Control-AC"
+    assert finding.source_rule_id == "Control-wc-id-15"
+    assert finding.vulnerability_type == WizVulnerabilityType.ISSUE.value
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_parse_finding_no_security_subcategories(mock_get_assessor):
+    """Test that WizIssue handles issues without security subcategories."""
+    # Mock the assessor ID
+    mock_get_assessor.return_value = "test-assessor"
+
+    wiz_issue = WizIssue(plan_id=1)
+
+    test_issue = {
+        "id": "test-id",
+        "sourceRule": {
+            "__typename": "Control",
+            "id": "wc-id-1",
+            "name": "Test security configuration",
+            "controlDescription": "Test description",
+            "resolutionRecommendation": "Test recommendation",
+            "securitySubCategories": [],
+        },
+        "severity": "MEDIUM",
+        "status": "OPEN",
+        "createdAt": "2024-02-21T08:22:22Z",
+        "entitySnapshot": {"id": "test-entity-id", "type": "DB_SERVER", "name": "test-server"},
+    }
+
+    finding = wiz_issue.parse_finding(test_issue, WizVulnerabilityType.VULNERABILITY)
+
+    assert finding is not None
+    assert finding.control_labels == []
+    assert finding.severity == IssueSeverity.Moderate
+    assert finding.title == "Test security configuration"
+    assert finding.plugin_name == "Wiz-Control-Test"
+    assert finding.source_rule_id == "Control-wc-id-1"
+    assert finding.vulnerability_type == WizVulnerabilityType.VULNERABILITY.value
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_parse_finding_non_nist_controls(mock_get_assessor):
+    """Test that WizIssue correctly handles non-NIST controls."""
+    # Mock the assessor ID
+    mock_get_assessor.return_value = "test-assessor"
+
+    wiz_issue = WizIssue(plan_id=1)
+
+    test_issue = {
+        "id": "test-id",
+        "sourceRule": {
+            "__typename": "Control",
+            "id": "wc-id-1",
+            "name": "Database exposed to internet",
+            "controlDescription": "Test description",
+            "resolutionRecommendation": "Test recommendation",
+            "securitySubCategories": [
+                {
+                    "title": "8.12 Data leakage prevention",
+                    "externalId": "8.12",
+                    "category": {"name": "Technological controls", "framework": {"name": "ISO/IEC 27001-2022"}},
+                }
+            ],
+        },
+        "severity": "LOW",
+        "status": "OPEN",
+        "createdAt": "2024-02-21T08:22:22Z",
+        "entitySnapshot": {"id": "test-entity-id", "type": "DB_SERVER", "name": "test-server"},
+    }
+
+    finding = wiz_issue.parse_finding(test_issue, WizVulnerabilityType.HOST_FINDING)
+
+    assert finding is not None
+    assert finding.control_labels == []
+    assert finding.severity == IssueSeverity.Low
+    assert finding.title == "Database exposed to internet"
+    assert finding.plugin_name == "Wiz-Control-Database"
+    assert finding.source_rule_id == "Control-wc-id-1"
+    assert finding.vulnerability_type == WizVulnerabilityType.HOST_FINDING.value
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_parse_finding_cloud_config_rule(mock_get_assessor):
+    """Test that WizIssue correctly parses a cloud configuration rule."""
+    # Mock the assessor ID
+    mock_get_assessor.return_value = "test-assessor"
+
+    wiz_issue = WizIssue(plan_id=1)
+
+    test_issue = {
+        "id": "test-id",
+        "sourceRule": {
+            "__typename": "CloudConfigurationRule",
+            "id": "ffcade8d-7961-4b71-93d3-0098d7e4b3e1",
+            "name": "App Configuration public network access should be disabled",
+            "cloudConfigurationRuleDescription": "Test description",
+            "remediationInstructions": "Test remediation",
+            "serviceType": "Azure",
+        },
+        "severity": "HIGH",
+        "status": "OPEN",
+        "createdAt": "2024-02-21T08:22:22Z",
+        "entitySnapshot": {"id": "test-entity-id", "type": "SERVICE_CONFIGURATION", "name": "test-config"},
+    }
+
+    finding = wiz_issue.parse_finding(test_issue, WizVulnerabilityType.CONFIGURATION)
+
+    assert finding is not None
+    assert finding.plugin_name == "Wiz-Azure-AppConfiguration"
+    assert finding.severity == IssueSeverity.High
+    assert finding.title == "App Configuration public network access should be disabled"
+    assert finding.source_rule_id == "CloudConfigurationRule-Azure-ffcade8d-7961-4b71-93d3-0098d7e4b3e1"
+    assert finding.vulnerability_type == WizVulnerabilityType.CONFIGURATION.value
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_parse_finding_cloud_event(mock_get_assessor):
+    """Test that WizIssue correctly parses a cloud event rule."""
+    # Mock the assessor ID
+    mock_get_assessor.return_value = "test-assessor"
+
+    wiz_issue = WizIssue(plan_id=1)
+
+    test_issue = {
+        "id": "test-id",
+        "sourceRule": {
+            "__typename": "CloudEventRule",
+            "id": "event-1",
+            "name": "Suspicious activity detection in cloud resources",
+            "cloudEventRuleDescription": "Test description",
+            "sourceType": "test",
+            "type": "test",
+            "serviceType": "AWS",
+        },
+        "severity": "LOW",
+        "status": "OPEN",
+        "createdAt": "2024-02-21T08:22:22Z",
+        "entitySnapshot": {"id": "test-entity-id", "type": "CLOUD_ORGANIZATION", "name": "test-org"},
+    }
+
+    finding = wiz_issue.parse_finding(test_issue, WizVulnerabilityType.DATA_FINDING)
+
+    assert finding is not None
+    assert finding.plugin_name == "Wiz-AWS-SuspiciousActivity"
+    assert finding.severity == IssueSeverity.Low
+    assert finding.title == "Suspicious activity detection in cloud resources"
+    assert finding.source_rule_id == "CloudEventRule-AWS-event-1"
+    assert finding.vulnerability_type == WizVulnerabilityType.DATA_FINDING.value
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_title_based_consolidation(mock_get_assessor):
+    """Test that issues with same title are consolidated regardless of asset."""
+    # Mock the assessor ID
+    mock_get_assessor.return_value = "test-assessor"
+
+    wiz_issue = WizIssue(plan_id=1)
+
+    # Create two issues with same title but different assets
+    issue1 = {
+        "id": "issue-576",
+        "sourceRule": {
+            "__typename": "CloudConfigurationRule",
+            "id": "rule-app-config",
+            "name": "App Configuration public network access should be disabled",
+            "serviceType": "Azure",
+            "resolutionRecommendation": "Disable public network access",
+        },
+        "severity": "HIGH",
+        "status": "OPEN",
+        "createdAt": "2024-01-15T10:00:00Z",
+        "entitySnapshot": {
+            "id": "asset-001",
+            "providerId": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.AppConfiguration/configurationStores/store1",
+            "type": "SERVICE_CONFIGURATION",
+            "name": "store1",
+        },
+    }
+
+    issue2 = {
+        "id": "issue-663",
+        "sourceRule": {
+            "__typename": "CloudConfigurationRule",
+            "id": "rule-app-config",
+            "name": "App Configuration public network access should be disabled",
+            "serviceType": "Azure",
+            "resolutionRecommendation": "Disable public network access",
+        },
+        "severity": "MEDIUM",
+        "status": "RESOLVED",
+        "createdAt": "2024-01-20T10:00:00Z",
+        "entitySnapshot": {
+            "id": "asset-002",
+            "providerId": "/subscriptions/sub1/resourceGroups/rg2/providers/Microsoft.AppConfiguration/configurationStores/store2",
+            "type": "SERVICE_CONFIGURATION",
+            "name": "store2",
+        },
+    }
+
+    # Test grouping - should group by title only
+    groups = wiz_issue._group_issues_for_consolidation([issue1, issue2])
+
+    # Should have only 1 group with the same title
+    assert len(groups) == 1, f"Expected 1 group, got {len(groups)}"
+
+    group_key = "App Configuration public network access should be disabled"
+    assert group_key in groups, f"Expected to find '{group_key}' in groups"
+    assert len(groups[group_key]) == 2, f"Expected 2 issues in group, got {len(groups[group_key])}"
+
+    # Test consolidation
+    consolidated = wiz_issue._create_consolidated_finding(groups[group_key], WizVulnerabilityType.CONFIGURATION)
+
+    # Verify consolidation properties
+    assert consolidated.title == "App Configuration public network access should be disabled"
+    assert consolidated.severity == IssueSeverity.High  # Should use highest severity
+    assert consolidated.status == IssueStatus.Open  # Should use most urgent status
+    assert consolidated.asset_identifier == "asset-001"  # Primary asset
+
+    # Should have both provider IDs
+    provider_ids = consolidated.issue_asset_identifier_value.split("\n")
+    assert len(provider_ids) == 2, f"Expected 2 provider IDs, got {len(provider_ids)}"
+    assert "/configurationStores/store1" in provider_ids[0]
+    assert "/configurationStores/store2" in provider_ids[1]
+
+
+@patch("regscale.integrations.scanner_integration.ScannerIntegration.get_assessor_id")
+def test_consolidation_priority_rules(mock_get_assessor):
+    """Test that consolidation correctly applies priority rules for severity and status."""
+    mock_get_assessor.return_value = "test-assessor"
+
+    wiz_issue = WizIssue(plan_id=1)
+
+    # Create issues with different severities and statuses
+    issues = [
+        {
+            "id": "issue-1",
+            "sourceRule": {"name": "Test Rule", "__typename": "Control"},
+            "severity": "LOW",
+            "status": "RESOLVED",
+            "createdAt": "2024-01-20T10:00:00Z",
+            "entitySnapshot": {"id": "asset-1", "providerId": "provider-1"},
+        },
+        {
+            "id": "issue-2",
+            "sourceRule": {"name": "Test Rule", "__typename": "Control"},
+            "severity": "CRITICAL",  # Highest severity
+            "status": "RESOLVED",
+            "createdAt": "2024-01-15T10:00:00Z",  # Earlier date
+            "entitySnapshot": {"id": "asset-2", "providerId": "provider-2"},
+        },
+        {
+            "id": "issue-3",
+            "sourceRule": {"name": "Test Rule", "__typename": "Control"},
+            "severity": "MEDIUM",
+            "status": "OPEN",  # Most urgent status
+            "createdAt": "2024-01-18T10:00:00Z",
+            "entitySnapshot": {"id": "asset-3", "providerId": "provider-3"},
+        },
+    ]
+
+    consolidated = wiz_issue._create_consolidated_finding(issues, WizVulnerabilityType.ISSUE)
+
+    # Should use CRITICAL severity (highest)
+    assert consolidated.severity == IssueSeverity.Critical
+
+    # Should use OPEN status (most urgent)
+    assert consolidated.status == IssueStatus.Open
+
+    # Should use earliest date
+    assert "2024-01-15" in consolidated.date_created
+
+    # Should have all 3 provider IDs
+    provider_ids = consolidated.issue_asset_identifier_value.split("\n")
+    assert len(provider_ids) == 3

tests/regscale/integrations/commercial/wizv2/test_wiz_click_client_id.py

@@ -0,0 +1,165 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Tests for Wiz Click command client_id parameter handling."""
+
+import pytest
+from click.testing import CliRunner
+from unittest.mock import patch, MagicMock
+from regscale.integrations.commercial.wizv2.click import wiz
+
+
+class TestWizClientIdHandling:
+    """Test that client_id parameters are properly recognized when passed via CLI."""
+
+    @pytest.fixture
+    def runner(self):
+        """Create a Click test runner."""
+        return CliRunner()
+
+    @pytest.fixture
+    def mock_wiz_variables(self):
+        """Mock WizVariables to avoid environment dependencies."""
+        with patch("regscale.integrations.commercial.wizv2.click.WizVariables") as mock:
+            mock.wizClientId = "env_client_id"
+            mock.wizClientSecret = "env_client_secret"
+            mock.wizInventoryFilterBy = "{}"
+            mock.wizIssueFilterBy = "{}"
+            yield mock
+
+    @pytest.fixture
+    def mock_scanner(self):
+        """Mock the WizVulnerabilityIntegration scanner."""
+        with patch("regscale.integrations.commercial.wizv2.scanner.WizVulnerabilityIntegration") as mock:
+            instance = MagicMock()
+            mock.return_value = instance
+            yield instance
+
+    def test_inventory_cli_client_id_overrides_env(self, runner, mock_wiz_variables, mock_scanner):
+        """Test that CLI-provided client_id overrides environment variable."""
+        result = runner.invoke(
+            wiz,
+            [
+                "inventory",
+                "--wiz_project_id",
+                "test-project",
+                "--regscale_ssp_id",
+                "2288",
+                "--client_id",
+                "cli_provided_client_id",
+                "--client_secret",
+                "cli_provided_secret",
+            ],
+        )
+
+        # Check that the command ran
+        assert result.exit_code == 0 or "successfully" in result.output.lower()
+
+        # Verify that sync_assets was called with CLI-provided credentials
+        mock_scanner.sync_assets.assert_called_once()
+        call_kwargs = mock_scanner.sync_assets.call_args[1]
+        assert call_kwargs["client_id"] == "cli_provided_client_id"
+        assert call_kwargs["client_secret"] == "cli_provided_secret"
+
+    def test_inventory_uses_env_when_no_cli_args(self, runner, mock_wiz_variables, mock_scanner):
+        """Test that environment variables are used when CLI args not provided."""
+        result = runner.invoke(
+            wiz,
+            [
+                "inventory",
+                "--wiz_project_id",
+                "test-project",
+                "--regscale_ssp_id",
+                "2288",
+            ],
+        )
+
+        # Check that the command ran
+        assert result.exit_code == 0 or "successfully" in result.output.lower()
+
+        # Verify that sync_assets was called with environment credentials
+        mock_scanner.sync_assets.assert_called_once()
+        call_kwargs = mock_scanner.sync_assets.call_args[1]
+        assert call_kwargs["client_id"] == "env_client_id"
+        assert call_kwargs["client_secret"] == "env_client_secret"
+
+    @pytest.fixture
+    def mock_wiz_issue(self):
+        """Mock the WizIssue scanner."""
+        with patch("regscale.integrations.commercial.wizv2.issue.WizIssue") as mock:
+            instance = MagicMock()
+            mock.return_value = instance
+            yield instance
+
+    @pytest.fixture
+    def mock_wiz_auth(self):
+        """Mock wiz_authenticate."""
+        with patch("regscale.integrations.commercial.wizv2.wiz_auth.wiz_authenticate") as mock:
+            yield mock
+
+    @pytest.fixture
+    def mock_check_license(self):
+        """Mock check_license."""
+        with patch("regscale.core.app.utils.app_utils.check_license") as mock:
+            yield mock
+
+    def test_issues_cli_client_id_overrides_env(
+        self,
+        runner,
+        mock_wiz_variables,
+        mock_wiz_issue,
+        mock_wiz_auth,
+        mock_check_license,
+    ):
+        """Test that CLI-provided client_id overrides environment variable for issues command."""
+        result = runner.invoke(
+            wiz,
+            [
+                "issues",
+                "--wiz_project_id",
+                "test-project",
+                "--regscale_ssp_id",
+                "2288",
+                "--client_id",
+                "cli_client_id",
+                "--client_secret",
+                "cli_secret",
+            ],
+        )
+
+        # Check that the command ran
+        assert result.exit_code == 0 or "successfully" in result.output.lower()
+
+        # Verify that wiz_authenticate was called with CLI credentials
+        mock_wiz_auth.assert_called_once_with("cli_client_id", "cli_secret")
+
+        # Verify that sync_findings was called with CLI credentials
+        mock_wiz_issue.sync_findings.assert_called_once()
+        call_kwargs = mock_wiz_issue.sync_findings.call_args[1]
+        assert call_kwargs["client_id"] == "cli_client_id"
+        assert call_kwargs["client_secret"] == "cli_secret"
+
+    def test_vulnerabilities_cli_client_id_overrides_env(self, runner, mock_wiz_variables, mock_scanner):
+        """Test that CLI-provided client_id overrides environment variable for vulnerabilities command."""
+        result = runner.invoke(
+            wiz,
+            [
+                "vulnerabilities",
+                "--wiz_project_id",
+                "test-project",
+                "--regscale_ssp_id",
+                "2288",
+                "--client_id",
+                "cli_vuln_client_id",
+                "--client_secret",
+                "cli_vuln_secret",
+            ],
+        )
+
+        # Check that the command ran
+        assert result.exit_code == 0 or "successfully" in result.output.lower()
+
+        # Verify that sync_findings was called with CLI-provided credentials
+        mock_scanner.sync_findings.assert_called_once()
+        call_kwargs = mock_scanner.sync_findings.call_args[1]
+        assert call_kwargs["client_id"] == "cli_vuln_client_id"
+        assert call_kwargs["client_secret"] == "cli_vuln_secret"