blumeops/containers/prowler/Dockerfile

# Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
# Strips PowerShell (M365) and dashboard dependencies from upstream
# Includes Trivy for image vulnerability and IaC scanning
ARG CONTAINER_APP_VERSION=5.23.0

FROM python:3.12-slim-bookworm AS build

ARG CONTAINER_APP_VERSION

RUN apt-get update && apt-get install -y --no-install-recommends \
        git ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build

RUN git clone --depth 1 --branch ${CONTAINER_APP_VERSION} \
        https://forge.ops.eblu.me/mirrors/prowler.git .

# Install prowler into a virtualenv so we can copy it cleanly
RUN python -m venv /opt/prowler \
    && /opt/prowler/bin/pip install --no-cache-dir --upgrade pip \
    && /opt/prowler/bin/pip install --no-cache-dir .

# ---

FROM python:3.12-slim-bookworm

ARG CONTAINER_APP_VERSION

LABEL org.opencontainers.image.title="prowler"
LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
LABEL org.opencontainers.image.vendor="blumeops"
LABEL org.opencontainers.image.description="Prowler scanner (Kubernetes, image, IaC providers)"

ARG TRIVY_VERSION=0.69.2

RUN ARCH=$(dpkg --print-architecture) \
    && case "$ARCH" in \
        amd64) TRIVY_ARCH="Linux-64bit" ;; \
        arm64) TRIVY_ARCH="Linux-ARM64" ;; \
        *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
    esac \
    && apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
    && wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz \
    && tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
    && mv /usr/local/bin/trivy /usr/local/bin/trivy.real \
    && chmod +x /usr/local/bin/trivy.real \
    && rm /tmp/trivy.tar.gz \
    && apt-get purge -y wget && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*

# Shim: Prowler's IaC provider invokes `trivy fs` directly with no
# --ignorefile flag, so any TRIVY_IGNOREFILE the user sets is ignored.
# This wrapper injects --ignorefile when the env var points at a real
# file and the invocation is `trivy fs ...`. Other subcommands and
# global-only invocations (--version, --help) pass through unchanged.
# TODO(upstream): contribute --ignorefile plumbing to prowler-cloud/prowler
# iac_provider.py so this shim isn't necessary.
RUN printf '%s\n' \
        '#!/bin/sh' \
        'if [ "${1:-}" = "fs" ] && [ -n "${TRIVY_IGNOREFILE:-}" ] && [ -f "${TRIVY_IGNOREFILE}" ]; then' \
        '    shift' \
        '    exec /usr/local/bin/trivy.real fs --ignorefile "${TRIVY_IGNOREFILE}" "$@"' \
        'fi' \
        'exec /usr/local/bin/trivy.real "$@"' \
        > /usr/local/bin/trivy \
    && chmod +x /usr/local/bin/trivy

RUN addgroup --gid 1000 prowler \
    && adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler \
    && mkdir -p /tmp/.cache/trivy && chown prowler:prowler /tmp/.cache/trivy

COPY --from=build /opt/prowler /opt/prowler

ENV PATH="/opt/prowler/bin:${PATH}"
ENV TRIVY_CACHE_DIR="/tmp/.cache/trivy"

USER prowler
WORKDIR /home/prowler

ENTRYPOINT ["prowler"]
Add Prowler image vulnerability scanning for blumeops containers Add Trivy to the Prowler container for image and IaC scanning. New CronJob (Saturday 3am) scans all blumeops/* images in the registry for CVEs, embedded secrets, and Dockerfile misconfigs. Reports written to sifaka:/volume1/reports/prowler-images/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:43:08 -07:00			`# Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers`
			`# Strips PowerShell (M365) and dashboard dependencies from upstream`
			`# Includes Trivy for image vulnerability and IaC scanning`
Upgrade Prowler to 5.23.0, remove registry workaround (#336) ## Summary - Upgrade Prowler from 5.22.0 to 5.23.0 - Remove the `enumerate-images` init container workaround from `cronjob-image-scan.yaml` - Use native `--registry` and `--image-filter` flags now that upstream fix (PR prowler-cloud/prowler#10470) is released The init container was a workaround for prowler-cloud/prowler#10457 where `--registry` args weren't forwarded to the provider constructor. We wrote the fix, it was merged, and v5.23.0 includes it. ## Test plan - [ ] Build new container (`mise run container-release prowler 5.23.0`) - [ ] Update kustomization.yaml with new image tag - [ ] Sync prowler ArgoCD app from branch - [ ] Manually trigger image scan job and verify `--registry` works natively - [ ] Verify CIS and IaC scan cronjobs still work 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/336 2026-04-14 13:45:28 -07:00			`ARG CONTAINER_APP_VERSION=5.23.0`
Deploy Prowler CIS scanner (#310) ## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/310 2026-03-24 16:08:09 -07:00
			`FROM python:3.12-slim-bookworm AS build`

			`ARG CONTAINER_APP_VERSION`

			`RUN apt-get update && apt-get install -y --no-install-recommends \`
			`git ca-certificates \`
			`&& rm -rf /var/lib/apt/lists/*`

			`WORKDIR /build`

			`RUN git clone --depth 1 --branch ${CONTAINER_APP_VERSION} \`
			`https://forge.ops.eblu.me/mirrors/prowler.git .`

			`# Install prowler into a virtualenv so we can copy it cleanly`
			`RUN python -m venv /opt/prowler \`
			`&& /opt/prowler/bin/pip install --no-cache-dir --upgrade pip \`
			`&& /opt/prowler/bin/pip install --no-cache-dir .`

			`# ---`

			`FROM python:3.12-slim-bookworm`

			`ARG CONTAINER_APP_VERSION`

			`LABEL org.opencontainers.image.title="prowler"`
			`LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"`
			`LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"`
			`LABEL org.opencontainers.image.vendor="blumeops"`
Add Prowler image vulnerability scanning for blumeops containers Add Trivy to the Prowler container for image and IaC scanning. New CronJob (Saturday 3am) scans all blumeops/* images in the registry for CVEs, embedded secrets, and Dockerfile misconfigs. Reports written to sifaka:/volume1/reports/prowler-images/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:43:08 -07:00			`LABEL org.opencontainers.image.description="Prowler scanner (Kubernetes, image, IaC providers)"`

			`ARG TRIVY_VERSION=0.69.2`

			`RUN ARCH=$(dpkg --print-architecture) \`
			`&& case "$ARCH" in \`
			`amd64) TRIVY_ARCH="Linux-64bit" ;; \`
			`arm64) TRIVY_ARCH="Linux-ARM64" ;; \`
			`*) echo "Unsupported architecture: $ARCH" && exit 1 ;; \`
			`esac \`
			`&& apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \`
			`&& wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz \`
			`&& tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \`
Replace dead Prowler IaC mutelist with Trivy ignorefile shim Prowler's IaC provider hardcodes self._mutelist = None and delegates filtering to Trivy, but doesn't plumb --ignorefile through. The original attempt with --mutelist-file silently no-op'd. Add a wrapper around trivy in our image that injects --ignorefile $TRIVY_IGNOREFILE on `fs` subcommands; switch the IaC cronjob to mount a Trivy-format trivyignore.yaml and set the env var. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-28 09:50:31 -07:00			`&& mv /usr/local/bin/trivy /usr/local/bin/trivy.real \`
			`&& chmod +x /usr/local/bin/trivy.real \`
Add Prowler image vulnerability scanning for blumeops containers Add Trivy to the Prowler container for image and IaC scanning. New CronJob (Saturday 3am) scans all blumeops/* images in the registry for CVEs, embedded secrets, and Dockerfile misconfigs. Reports written to sifaka:/volume1/reports/prowler-images/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:43:08 -07:00			`&& rm /tmp/trivy.tar.gz \`
			`&& apt-get purge -y wget && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*`
Deploy Prowler CIS scanner (#310) ## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/310 2026-03-24 16:08:09 -07:00
Replace dead Prowler IaC mutelist with Trivy ignorefile shim Prowler's IaC provider hardcodes self._mutelist = None and delegates filtering to Trivy, but doesn't plumb --ignorefile through. The original attempt with --mutelist-file silently no-op'd. Add a wrapper around trivy in our image that injects --ignorefile $TRIVY_IGNOREFILE on `fs` subcommands; switch the IaC cronjob to mount a Trivy-format trivyignore.yaml and set the env var. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-28 09:50:31 -07:00			# Shim: Prowler's IaC provider invokes `trivy fs` directly with no
			`# --ignorefile flag, so any TRIVY_IGNOREFILE the user sets is ignored.`
			`# This wrapper injects --ignorefile when the env var points at a real`
			# file and the invocation is `trivy fs ...`. Other subcommands and
			`# global-only invocations (--version, --help) pass through unchanged.`
			`# TODO(upstream): contribute --ignorefile plumbing to prowler-cloud/prowler`
			`# iac_provider.py so this shim isn't necessary.`
			`RUN printf '%s\n' \`
			`'#!/bin/sh' \`
			`'if [ "${1:-}" = "fs" ] && [ -n "${TRIVY_IGNOREFILE:-}" ] && [ -f "${TRIVY_IGNOREFILE}" ]; then' \`
			`' shift' \`
			`' exec /usr/local/bin/trivy.real fs --ignorefile "${TRIVY_IGNOREFILE}" "$@"' \`
			`'fi' \`
			`'exec /usr/local/bin/trivy.real "$@"' \`
			`> /usr/local/bin/trivy \`
			`&& chmod +x /usr/local/bin/trivy`

Deploy Prowler CIS scanner (#310) ## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/310 2026-03-24 16:08:09 -07:00			`RUN addgroup --gid 1000 prowler \`
Add Prowler image vulnerability scanning for blumeops containers Add Trivy to the Prowler container for image and IaC scanning. New CronJob (Saturday 3am) scans all blumeops/* images in the registry for CVEs, embedded secrets, and Dockerfile misconfigs. Reports written to sifaka:/volume1/reports/prowler-images/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:43:08 -07:00			`&& adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler \`
			`&& mkdir -p /tmp/.cache/trivy && chown prowler:prowler /tmp/.cache/trivy`
Deploy Prowler CIS scanner (#310) ## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/310 2026-03-24 16:08:09 -07:00
			`COPY --from=build /opt/prowler /opt/prowler`

			`ENV PATH="/opt/prowler/bin:${PATH}"`
Add Prowler image vulnerability scanning for blumeops containers Add Trivy to the Prowler container for image and IaC scanning. New CronJob (Saturday 3am) scans all blumeops/* images in the registry for CVEs, embedded secrets, and Dockerfile misconfigs. Reports written to sifaka:/volume1/reports/prowler-images/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:43:08 -07:00			`ENV TRIVY_CACHE_DIR="/tmp/.cache/trivy"`
Deploy Prowler CIS scanner (#310) ## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/310 2026-03-24 16:08:09 -07:00
			`USER prowler`
			`WORKDIR /home/prowler`

			`ENTRYPOINT ["prowler"]`