eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add Prowler image vulnerability scanning for blumeops containers
All checks were successful
Build Container / detect (push) Successful in 39s
Details
Build Container / build-dockerfile (prowler) (push) Successful in 10m15s
Details

Browse source 
Add Trivy to the Prowler container for image and IaC scanning.
New CronJob (Saturday 3am) scans all blumeops/* images in the
registry for CVEs, embedded secrets, and Dockerfile misconfigs.
Reports written to sifaka:/volume1/reports/prowler-images/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-03-24 16:43:08 -07:00
commit 696024306c
8 changed files with 93 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/reference/operations/security.md
View file

@ -49,5 +49,5 @@ All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read
- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
- No container image vulnerability scanning yet (Prowler has an `image` provider)
- Container image scanning covers `blumeops/*` images only — upstream images (ollama, immich, etc.) are not scanned
- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy)

11
docs/reference/services/prowler.md
View file

@ -17,13 +17,18 @@ CIS Kubernetes Benchmark scanner for compliance posture reporting.
|----------|-------|
| **Namespace** | `prowler` |
| **Image** | `registry.ops.eblu.me/blumeops/prowler` (see `argocd/manifests/prowler/kustomization.yaml` for current tag) |
| **Schedule** | Weekly (Sunday 3am) |
| **Reports** | `sifaka:/volume1/reports/prowler/` (NFS) |
| **Schedule** | K8s CIS: Sunday 3am / Image scan: Saturday 3am |
| **Reports** | `sifaka:/volume1/reports/prowler/` and `prowler-images/` (NFS) |
| **Manifests** | `argocd/manifests/prowler/` |
## What it does
Runs Prowler 5 as a CronJob against minikube-indri, executing CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler. Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.
Runs Prowler 5 as two CronJobs:
- **K8s CIS scan** (Sunday) — CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler
- **Image scan** (Saturday) — CVE, secret, and misconfiguration scanning of all `blumeops/*` container images in the registry via Trivy
Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.
## See also