Upgrade Prowler to 5.23.0 and remove registry workaround

Upstream merged our fix for the broken --registry flag (PR #10470),
released in v5.23.0. Replace the enumerate-images init container
with native --registry and --image-filter flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

argocd/manifests/prowler/cronjob-image-scan.yaml

@@ -15,39 +15,6 @@ spec:
           securityContext:
             seccompProfile:
               type: RuntimeDefault
-          initContainers:
-            # Workaround: Prowler's --registry flag is broken (registry args
-            # not passed to provider constructor). Generate image list from
-            # zot catalog API instead.
-            # See: https://github.com/prowler-cloud/prowler/issues/10457
-            # Fix merged upstream (PR #10470, 2026-03-30) but not yet in a
-            # release (latest: 5.22.0). Remove this initContainer once a
-            # release includes the fix and we upgrade.
-            - name: enumerate-images
-              image: registry.ops.eblu.me/blumeops/prowler:kustomized
-              command: ["python3", "-c"]
-              args:
-                - |
-                  import json, urllib.request
-
-                  REGISTRY = "https://registry.ops.eblu.me"
-                  catalog = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/_catalog").read())
-                  images = []
-                  for repo in catalog["repositories"]:
-                      if not repo.startswith("blumeops/"):
-                          continue
-                      tags = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/{repo}/tags/list").read())
-                      for tag in tags.get("tags") or []:
-                          images.append(f"registry.ops.eblu.me/{repo}:{tag}")
-
-                  with open("/shared/images.txt", "w") as f:
-                      f.write("\n".join(images) + "\n")
-                  print(f"Discovered {len(images)} images")
-                  for img in images:
-                      print(img)
-              volumeMounts:
-                - name: shared
-                  mountPath: /shared
           containers:
             - name: prowler
               image: registry.ops.eblu.me/blumeops/prowler:kustomized
@@ -57,20 +24,16 @@ spec:
                   DATEDIR=/reports/prowler-images/$(date +%Y-%m-%d)
                   mkdir -p "$DATEDIR"
                   prowler image \
-                    --image-list /shared/images.txt \
+                    --registry https://registry.ops.eblu.me \
+                    --image-filter "^blumeops/" \
                     -z \
                     --output-formats html csv json-ocsf \
                     --output-directory "$DATEDIR"
               volumeMounts:
                 - name: reports
                   mountPath: /reports
-                - name: shared
-                  mountPath: /shared
-                  readOnly: true
           restartPolicy: OnFailure
           volumes:
             - name: reports
               persistentVolumeClaim:
                 claimName: prowler-reports
-            - name: shared
-              emptyDir: {}

containers/prowler/Dockerfile

@@ -1,7 +1,7 @@
 # Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
 # Strips PowerShell (M365) and dashboard dependencies from upstream
 # Includes Trivy for image vulnerability and IaC scanning
-ARG CONTAINER_APP_VERSION=5.22.0
+ARG CONTAINER_APP_VERSION=5.23.0
 
 FROM python:3.12-slim-bookworm AS build
 

docs/changelog.d/upgrade-prowler-5.23.infra.md

@@ -0,0 +1 @@
+Upgrade Prowler from 5.22.0 to 5.23.0; remove init container workaround for broken `--registry` flag (upstream fix in PR #10470).

service-versions.yaml

@@ -310,8 +310,8 @@ services:
 
   - name: prowler
     type: argocd
-    last-reviewed: 2026-03-24
-    current-version: "5.22.0"
+    last-reviewed: 2026-04-14
+    current-version: "5.23.0"
     upstream-source: https://github.com/prowler-cloud/prowler/releases
     notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri