Address 6 critical Prowler IaC findings (mute + grafana RBAC tighten) (#340)

## Summary

The weekly Prowler IaC scan reported 6 critical findings against `argocd/manifests/`. They split cleanly into two patterns:

- **Legitimate-by-design RBAC → mute with new compensating controls**
  - `external-secrets-controller`, `external-secrets-cert-controller` manage `secrets` (KSV-0041) and the cert-controller mutates its own webhook configurations (KSV-0114). This is what the operator is *for*. New CC: `operator-purpose-bound-rbac`.
  - `kube-state-metrics` (both `minikube-indri` and `k3s-ringtail`) holds `list/watch` on secrets to expose `kube_secret_info` and `kube_secret_labels` metrics. KSM's metric schema only reads metadata, never the `data:` field. New CC: `kube-state-metrics-metadata-only`.

- **Over-broad RBAC → fix**
  - `grafana-clusterrole` had `get/watch/list` on `secrets` because the dashboard-sidecar config used `RESOURCE=both` (ConfigMaps + Secrets). Nothing in the cluster labels Secrets with `grafana_dashboard=1`, so this was unused power. Switched both sidecar instances to `RESOURCE=configmap` and removed `secrets` from the ClusterRole.

The IaC cronjob also did not previously pass `--mutelist-file`, which is why every IaC finding reported as unmuted regardless of mutelist configuration. The new `mutelist/iac.yaml` is bundled into the existing `prowler-mutelist` ConfigMap and mounted via `items:` selector.

## Test plan

- [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/prowler/` — already passes locally
- [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/grafana/` — already passes locally
- [ ] Deploy from this branch via `argocd app set prowler --revision prowler-iac-mutelist && argocd app sync prowler` and same for `grafana`
- [ ] Manually trigger the IaC cronjob and verify `MUTED=True` on the 6 critical findings (`kubectl --context=minikube-indri -n prowler create job --from=cronjob/prowler-iac-scan prowler-iac-test`)
- [ ] Restart grafana pod and confirm dashboards still render (sidecar still finds them via ConfigMap watch)
- [ ] After verifying, `argocd app set <app> --revision main && argocd app sync <app>` post-merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #340
Erich Blume 2026-04-29 10:43:32 -07:00
commit 495e45d01d
8 changed files with 118 additions and 5 deletions
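The two manifest changes the PR summary describes, written out as an added illustration (these are not the repository's own manifests): the over-broad `grafana-clusterrole` beside the tightened one, the sidecar's `RESOURCE` switch, and the `prowler-mutelist` ConfigMap mounted into the `prowler-iac-scan` CronJob through an `items:` selector so only `iac.yaml` lands in the pod. Container names, images, the schedule, the sidecar env layout and the exact `prowler` argument order are assumptions, not taken from the PR.

```yaml
# Added example, not the project's manifests. Only grafana-clusterrole,
# prowler-mutelist, prowler-iac-scan and the RESOURCE values come from the PR;
# everything else (names, images, schedule, arg layout) is assumed.
---
# Before: RESOURCE=both made the sidecar watch Secrets too, so the ClusterRole
# carried secrets access that nothing in the cluster ever exercised.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: grafana-clusterrole
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]   # "secrets" is the unused power
    verbs: ["get", "watch", "list"]
---
# After: sidecar watches ConfigMaps only, so the rule drops "secrets".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: grafana-clusterrole
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list"]
---
# Dashboard sidecar (assumed container name and image): RESOURCE=both -> configmap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana                          # assumed
spec:
  selector:
    matchLabels: {app: grafana}
  template:
    metadata:
      labels: {app: grafana}
    spec:
      containers:
        - name: grafana-sc-dashboard      # assumed name
          image: kiwigrid/k8s-sidecar     # assumed image
          env:
            - {name: LABEL, value: grafana_dashboard}
            - {name: LABEL_VALUE, value: "1"}
            - {name: RESOURCE, value: configmap}   # was: both
---
# IaC scan CronJob: mount only the iac.yaml key of the shared ConfigMap and
# actually pass it with --mutelist-file (the flag the old job never passed).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: prowler-iac-scan
  namespace: prowler
spec:
  schedule: "0 6 * * 0"                   # assumed weekly schedule
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: prowler
              image: prowler-iac:local    # assumed image
              # assumed argument layout; only --mutelist-file is from the PR
              args: ["iac", "--mutelist-file", "/mutelist/iac.yaml"]
              volumeMounts:
                - name: mutelist
                  mountPath: /mutelist
                  readOnly: true
          volumes:
            - name: mutelist
              configMap:
                name: prowler-mutelist
                items:                      # projects just this key, not every
                  - key: iac.yaml           # mutelist bundled in the ConfigMap
                    path: iac.yaml
```

The `items:` selector is what keeps the other provider mutelists in `prowler-mutelist` out of the IaC pod's filesystem; without it every key in the ConfigMap would be projected under `/mutelist`. Applying `kubectl kustomize` to the directory, as the test plan does, confirms the manifests still render but not that the mutelist is honoured, which is why the plan also triggers the job and checks `MUTED=True` on the six findings.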


@ -44,10 +44,28 @@ RUN ARCH=$(dpkg --print-architecture) \
&& apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
&& wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz \
&& tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
&& chmod +x /usr/local/bin/trivy \
&& mv /usr/local/bin/trivy /usr/local/bin/trivy.real \
&& chmod +x /usr/local/bin/trivy.real \
&& rm /tmp/trivy.tar.gz \
&& apt-get purge -y wget && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
# Shim: Prowler's IaC provider invokes `trivy fs` directly with no
# --ignorefile flag, so any TRIVY_IGNOREFILE the user sets is ignored.
# This wrapper injects --ignorefile when the env var points at a real
# file and the invocation is `trivy fs ...`. Other subcommands and
# global-only invocations (--version, --help) pass through unchanged.
# TODO(upstream): contribute --ignorefile plumbing to prowler-cloud/prowler
# iac_provider.py so this shim isn't necessary.
RUN printf '%s\n' \
'#!/bin/sh' \
'if [ "${1:-}" = "fs" ] && [ -n "${TRIVY_IGNOREFILE:-}" ] && [ -f "${TRIVY_IGNOREFILE}" ]; then' \
' shift' \
' exec /usr/local/bin/trivy.real fs --ignorefile "${TRIVY_IGNOREFILE}" "$@"' \
'fi' \
'exec /usr/local/bin/trivy.real "$@"' \
> /usr/local/bin/trivy \
&& chmod +x /usr/local/bin/trivy
RUN addgroup --gid 1000 prowler \
&& adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler \
&& mkdir -p /tmp/.cache/trivy && chown prowler:prowler /tmp/.cache/trivy
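Review bot: the shim's trigger `[ "${1:-}" = "fs" ]` only fires when `fs` is the very first argument, so if a global flag such as `--quiet` or `--cache-dir` ever precedes the subcommand the ignorefile is silently not injected and the scan reports every finding unmuted, which is exactly the failure this wrapper exists to prevent and the comment only acknowledges for `--version`/`--help`. Either scan the argument list for the `fs` token before the first positional path, or at least write a warning to stderr when `TRIVY_IGNOREFILE` is set but the `fs` branch is not taken, so the cronjob log explains why findings came back unmuted. Two smaller points: if a caller already passes its own `--ignorefile`, the shim prepends a second one and the result depends on trivy's flag precedence, so consider skipping injection when `$*` already contains `--ignorefile`; and the `chmod +x /usr/local/bin/trivy` on the freshly extracted binary followed by the same `chmod +x` on `trivy.real` after the `mv` is redundant, one after the move suffices.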