infra: retire Prowler image + IaC scan CronJobs

Delete prowler-image-scan and prowler-iac-scan CronJobs, remove them from
the kustomization, and drop the now-unused trivyignore.yaml mutelist (only
the IaC scan consumed it via TRIVY_IGNOREFILE).

Trim review-compliance-reports to the single remaining K8s CIS scan and
remove the grouped-findings rendering (_print_grouped_findings /
_worst_severity) that existed solely for the high-volume image/IaC scans.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-06-08 09:27:08 -07:00
commit 0496192435
6 changed files with 34 additions and 251 deletions


@ -0,0 +1 @@
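Review bot: The changelog entry explains why the image and IaC scans were noisy, but it does not record that the change leaves no container-image CVE scan and no IaC scan at all, nor whether that coverage gap is accepted or replaced; the entry itself notes the K8s CIS scan "is fully mutelisted and runs clean", so a reader will ask why the same mutelist approach was not applied to the two retired scans before removing them. Suggest adding one sentence stating the resulting coverage and the decision, e.g. "Image-CVE and IaC scanning are now absent; re-introduce behind a mutelist if needed." Also, the whole entry is a single line; wrapping it would make future diffs of this file readable.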
Retired the Prowler container-image CVE scan and IaC scan, keeping only the K8s CIS benchmark scan. The two retired scans generated tens of thousands of un-actioned, un-muted findings every week (~20,000 image findings and growing, mostly unpatchable upstream-image CVEs; ~650 systemic Trivy KSV pod-security warnings) — the weekly `mise run review-compliance-reports` re-surfaced them all as "action needed" though none were ever triaged. The K8s CIS scan is fully mutelisted and runs clean, so it stays. Removed the two CronJobs, the now-unused `trivyignore.yaml` mutelist, and the grouped-findings rendering in the review tool that existed solely for the high-volume scans.