diff --git a/argocd/manifests/prowler/cronjob-image-scan.yaml b/argocd/manifests/prowler/cronjob-image-scan.yaml
index 84df1e0..b779d08 100644
--- a/argocd/manifests/prowler/cronjob-image-scan.yaml
+++ b/argocd/manifests/prowler/cronjob-image-scan.yaml
@@ -15,39 +15,6 @@ spec:
 securityContext:
 seccompProfile:
 type: RuntimeDefault
- initContainers:
- # Workaround: Prowler's --registry flag is broken (registry args
- # not passed to provider constructor). Generate image list from
- # zot catalog API instead.
- # See: https://github.com/prowler-cloud/prowler/issues/10457
- # Fix merged upstream (PR #10470, 2026-03-30) but not yet in a
- # release (latest: 5.22.0). Remove this initContainer once a
- # release includes the fix and we upgrade.
- - name: enumerate-images
- image: registry.ops.eblu.me/blumeops/prowler:kustomized
- command: ["python3", "-c"]
- args:
- - |
- import json, urllib.request
-
- REGISTRY = "https://registry.ops.eblu.me"
- catalog = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/_catalog").read())
- images = []
- for repo in catalog["repositories"]:
- if not repo.startswith("blumeops/"):
- continue
- tags = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/{repo}/tags/list").read())
- for tag in tags.get("tags") or []:
- images.append(f"registry.ops.eblu.me/{repo}:{tag}")
-
- with open("/shared/images.txt", "w") as f:
- f.write("\n".join(images) + "\n")
- print(f"Discovered {len(images)} images")
- for img in images:
- print(img)
- volumeMounts:
- - name: shared
- mountPath: /shared
 containers:
 - name: prowler
 image: registry.ops.eblu.me/blumeops/prowler:kustomized
@@ -57,20 +24,16 @@ spec:
 DATEDIR=/reports/prowler-images/$(date +%Y-%m-%d)
 mkdir -p "$DATEDIR"
 prowler image \
- --image-list /shared/images.txt \
+ --registry https://registry.ops.eblu.me \
+ --image-filter "^blumeops/" \
 -z \
 --output-formats html csv json-ocsf \
 --output-directory "$DATEDIR"
 volumeMounts:
 - name: reports
 mountPath: /reports
- - name: shared
- mountPath: /shared
- readOnly: true
 restartPolicy: OnFailure
 volumes:
 - name: reports
 persistentVolumeClaim:
 claimName: prowler-reports
- - name: shared
- emptyDir: {}
diff --git a/argocd/manifests/prowler/kustomization.yaml b/argocd/manifests/prowler/kustomization.yaml
index b6b11fe..fb5f233 100644
--- a/argocd/manifests/prowler/kustomization.yaml
+++ b/argocd/manifests/prowler/kustomization.yaml
@@ -26,4 +26,4 @@ configMapGenerator:
 images:
 - name: registry.ops.eblu.me/blumeops/prowler
- newTag: v5.22.0-6960243
+ newTag: v5.23.0-d05b503
diff --git a/containers/prowler/Dockerfile b/containers/prowler/Dockerfile
index 7cafd17..bd74bdb 100644
--- a/containers/prowler/Dockerfile
+++ b/containers/prowler/Dockerfile
@@ -1,7 +1,7 @@
 # Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
 # Strips PowerShell (M365) and dashboard dependencies from upstream
 # Includes Trivy for image vulnerability and IaC scanning
-ARG CONTAINER_APP_VERSION=5.22.0
+ARG CONTAINER_APP_VERSION=5.23.0
 FROM python:3.12-slim-bookworm AS build
diff --git a/docs/changelog.d/upgrade-prowler-5.23.infra.md b/docs/changelog.d/upgrade-prowler-5.23.infra.md
new file mode 100644
index 0000000..df2d0ab
--- /dev/null
+++ b/docs/changelog.d/upgrade-prowler-5.23.infra.md
@@ -0,0 +1 @@
+Upgrade Prowler from 5.22.0 to 5.23.0; remove init container workaround for broken `--registry` flag (upstream fix in PR #10470).
diff --git a/service-versions.yaml b/service-versions.yaml
index e7e2ac9..f6f3be4 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
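Review bot: The new `--image-filter "^blumeops/"` line assumes the regex is matched against the bare repository path (`blumeops/...`, the form the removed init container tested with `repo.startswith("blumeops/")`); if Prowler 5.23.0 instead matches it against the full reference (`registry.ops.eblu.me/blumeops/...`), the anchor matches nothing and the CronJob completes with an empty scan set. The removed script's `Discovered {len(images)} images` output was the only visible signal that enumeration was non-empty, and the new invocation has no equivalent, so such a mismatch would surface only as an empty report directory. Consider confirming the filter semantics on the first scheduled run after the upgrade and recording the result above the `prowler image \` line, e.g. `# --image-filter regex — confirm it matches the repository path (not the full ref) so the scan set is non-empty`. The shell script this hunk edits begins before line 57 and its enclosing container spec lies outside the hunk.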
@@ -310,8 +310,8 @@ services:
 - name: prowler
 type: argocd
- last-reviewed: 2026-03-24
- current-version: "5.22.0"
+ last-reviewed: 2026-04-14
+ current-version: "5.23.0"
 upstream-source: https://github.com/prowler-cloud/prowler/releases
 notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri