From 7c1cd11e452c7eb1a284b3b0ae0ced5bf47d3042 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 14 Apr 2026 13:45:28 -0700
Subject: [PATCH] Upgrade Prowler to 5.23.0, remove registry workaround (#336)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary
- Upgrade Prowler from 5.22.0 to 5.23.0
- Remove the `enumerate-images` init container workaround from `cronjob-image-scan.yaml`
- Use native `--registry` and `--image-filter` flags now that upstream fix (PR prowler-cloud/prowler#10470) is released

The init container was a workaround for prowler-cloud/prowler#10457 where `--registry` args weren't forwarded to the provider constructor. We wrote the fix, it was merged, and v5.23.0 includes it.

## Test plan
- [ ] Build new container (`mise run container-release prowler 5.23.0`)
- [ ] Update kustomization.yaml with new image tag
- [ ] Sync prowler ArgoCD app from branch
- [ ] Manually trigger image scan job and verify `--registry` works natively
- [ ] Verify CIS and IaC scan cronjobs still work

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/336
---
 .../manifests/prowler/cronjob-image-scan.yaml | 41 +------------------
 argocd/manifests/prowler/kustomization.yaml | 2 +-
 containers/prowler/Dockerfile | 2 +-
 .../changelog.d/upgrade-prowler-5.23.infra.md | 1 +
 service-versions.yaml | 4 +-
 5 files changed, 7 insertions(+), 43 deletions(-)
 create mode 100644 docs/changelog.d/upgrade-prowler-5.23.infra.md

diff --git a/argocd/manifests/prowler/cronjob-image-scan.yaml b/argocd/manifests/prowler/cronjob-image-scan.yaml
index 84df1e0..b779d08 100644
--- a/argocd/manifests/prowler/cronjob-image-scan.yaml
+++ b/argocd/manifests/prowler/cronjob-image-scan.yaml
@@ -15,39 +15,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault
- initContainers:
- # Workaround: Prowler's --registry flag is broken (registry args
- # not passed to provider constructor). Generate image list from
- # zot catalog API instead.
- # See: https://github.com/prowler-cloud/prowler/issues/10457
- # Fix merged upstream (PR #10470, 2026-03-30) but not yet in a
- # release (latest: 5.22.0). Remove this initContainer once a
- # release includes the fix and we upgrade.
- - name: enumerate-images image: registry.ops.eblu.me/blumeops/prowler:kustomized command: ["python3", "-c"] args: - | import json, urllib.request - - REGISTRY = "https://registry.ops.eblu.me" catalog = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/_catalog").read()) images = [] for repo in catalog["repositories"]: if not repo.startswith("blumeops/"): continue tags = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/{repo}/tags/list").read()) for tag in tags.get("tags") or []: images.append(f"registry.ops.eblu.me/{repo}:{tag}") with open("/shared/images.txt", "w") as f: f.write("\n".join(images) + "\n") print(f"Discovered {len(images)} images") for img in images: print(img) volumeMounts: - name: shared mountPath: /shared containers: - name: prowler image: registry.ops.eblu.me/blumeops/prowler:kustomized
@@ -57,20 +24,16 @@ spec: DATEDIR=/reports/prowler-images/$(date +%Y-%m-%d) mkdir -p "$DATEDIR" prowler image \
- --image-list /shared/images.txt \
+ --registry https://registry.ops.eblu.me \
+ --image-filter "^blumeops/" \ -z \ --output-formats html csv json-ocsf \ --output-directory "$DATEDIR" volumeMounts: - name: reports mountPath: /reports
- - name: shared
- mountPath: /shared
- readOnly: true restartPolicy: OnFailure volumes: - name: reports persistentVolumeClaim: claimName: prowler-reports
- - name: shared
- emptyDir: {}
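Review bot: The removed init-container comment was the only place in this manifest recording that `--registry` is only usable on Prowler 5.23.0 or later, and the `prowler` container at the end of this hunk still pulls the floating `:kustomized` tag, so after this change the version dependency lives solely in kustomization.yaml. A future tag rollback would break the scan with nothing in the CronJob explaining why. Add a short comment above `- name: prowler`, e.g. `# Requires prowler >= 5.23.0: --registry/--image-filter were not forwarded to the provider before upstream PR #10470 (issue #10457).`. The CronJob `spec:` this hunk sits in starts before the hunk.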
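Review bot: With the explicit enumeration gone, the job log no longer shows how many images matched `^blumeops/`, so a run in which the catalog is unreachable or the filter matches nothing can finish with an empty `$DATEDIR`; since `-z` appears to suppress the findings exit code, the CronJob's status would give no hint either (confirm that reading of `-z` against the 5.23.0 CLI). Consider failing the step when nothing was written, e.g. after the prowler invocation: `[ -n "$(ls -A "$DATEDIR")" ] || { echo "image scan produced no reports" >&2; exit 1; }`, and have the manual test-plan run check for a discovered-image count comparable to what the old init container printed. The old workaround filtered on `repo.startswith("blumeops/")`; whether `--image-filter` applies `^blumeops/` to the repository path or to the full `registry/repo:tag` reference is not visible here and is worth verifying in that same run. The shell script and container spec continue outside this hunk.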
diff --git a/argocd/manifests/prowler/kustomization.yaml b/argocd/manifests/prowler/kustomization.yaml
index b6b11fe..fb5f233 100644
--- a/argocd/manifests/prowler/kustomization.yaml
+++ b/argocd/manifests/prowler/kustomization.yaml
@@ -26,4 +26,4 @@ configMapGenerator: images: - name: registry.ops.eblu.me/blumeops/prowler
- newTag: v5.22.0-6960243
+ newTag: v5.23.0-d05b503
diff --git a/containers/prowler/Dockerfile b/containers/prowler/Dockerfile
index 7cafd17..bd74bdb 100644
--- a/containers/prowler/Dockerfile
+++ b/containers/prowler/Dockerfile
@@ -1,7 +1,7 @@ # Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers # Strips PowerShell (M365) and dashboard dependencies from upstream # Includes Trivy for image vulnerability and IaC scanning
-ARG CONTAINER_APP_VERSION=5.22.0
+ARG CONTAINER_APP_VERSION=5.23.0 FROM python:3.12-slim-bookworm AS build
diff --git a/docs/changelog.d/upgrade-prowler-5.23.infra.md b/docs/changelog.d/upgrade-prowler-5.23.infra.md
new file mode 100644
index 0000000..df2d0ab
--- /dev/null
+++ b/docs/changelog.d/upgrade-prowler-5.23.infra.md
@@ -0,0 +1 @@
+Upgrade Prowler from 5.22.0 to 5.23.0; remove init container workaround for broken `--registry` flag (upstream fix in PR #10470).
diff --git a/service-versions.yaml b/service-versions.yaml
index e7e2ac9..f6f3be4 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -310,8 +310,8 @@ services: - name: prowler type: argocd
- last-reviewed: 2026-03-24
- current-version: "5.22.0"
+ last-reviewed: 2026-04-14
+ current-version: "5.23.0" upstream-source: https://github.com/prowler-cloud/prowler/releases notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri