From d90be355ddfb9e970252f4277665724e5ec73c87 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 24 Mar 2026 17:29:25 -0700
Subject: [PATCH] Work around Prowler --registry bug with init container
Prowler's --registry flag doesn't work (registry args not passed to ImageProvider constructor, prowler-cloud/prowler PR #10128 regression). Use an init container to enumerate images from the zot catalog API and generate an image list file instead. See: https://github.com/eblume/prowler/tree/fix/image-provider-registry-args
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../manifests/prowler/cronjob-image-scan.yaml | 45 +++++++++++++++++--
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/argocd/manifests/prowler/cronjob-image-scan.yaml b/argocd/manifests/prowler/cronjob-image-scan.yaml
index 89f4493..8ad85ad 100644
--- a/argocd/manifests/prowler/cronjob-image-scan.yaml
+++ b/argocd/manifests/prowler/cronjob-image-scan.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -14,15 +15,46 @@ spec:
 securityContext:
 seccompProfile:
 type: RuntimeDefault
+ initContainers:
+ # Workaround: Prowler's --registry flag is broken (registry args
+ # not passed to provider constructor). Generate image list from
+ # zot catalog API instead.
+ - name: enumerate-images
+ image: registry.ops.eblu.me/blumeops/kubectl:kustomized
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ set -euo pipefail
+ REGISTRY="https://registry.ops.eblu.me"
+ repos=$(curl -sf "${REGISTRY}/v2/_catalog" | python3 -c "
+ import json, sys
+ for r in json.load(sys.stdin)['repositories']:
+ if r.startswith('blumeops/'):
+ print(r)
+ ")
+ > /shared/images.txt
+ for repo in $repos; do
+ tags=$(curl -sf "${REGISTRY}/v2/${repo}/tags/list" | python3 -c "
+ import json, sys
+ for t in (json.load(sys.stdin).get('tags') or []):
+ print(t)
+ ")
+ for tag in $tags; do
+ echo "registry.ops.eblu.me/${repo}:${tag}" >> /shared/images.txt
+ done
+ done
+ echo "Discovered $(wc -l < /shared/images.txt) images"
+ cat /shared/images.txt
+ volumeMounts:
+ - name: shared
+ mountPath: /shared
 containers:
 - name: prowler
 image: registry.ops.eblu.me/blumeops/prowler:kustomized
 args:
 - image
- - --registry
- - https://registry.ops.eblu.me
- - --image-filter
- - blumeops/
+ - --image-list
+ - /shared/images.txt
 - -z
 - --output-formats
 - html
@@ -33,8 +65,13 @@ spec:
 volumeMounts:
 - name: reports
 mountPath: /reports
+ - name: shared
+ mountPath: /shared
+ readOnly: true
 restartPolicy: OnFailure
 volumes:
 - name: reports
 persistentVolumeClaim:
 claimName: prowler-reports
+ - name: shared
+ emptyDir: {}
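Review bot: The init container fetches `/v2/_catalog` and each `/tags/list` exactly once and never follows a `Link: <…>; rel="next"` response header, so if the registry paginates either response, repositories or tags past the first page silently drop out of the scan scope — `curl -sf` under `set -euo pipefail` only aborts on HTTP errors, not on a short page. Until the script walks the Link header, fail closed rather than scanning a subset: capture headers with `repos=$(curl -sf -D /shared/catalog.hdr "${REGISTRY}/v2/_catalog" | python3 -c "…")` and follow it with `! grep -qi '^link:' /shared/catalog.hdr || { echo "catalog is paginated; refusing partial scan" >&2; exit 1; }`, and do the same for the tags request inside the loop. Whether zot pages these endpoints by default is not visible here, so confirm against the registry; the guard is cheap either way. Separately, `enumerate-images` declares no container-level securityContext; if the prowler container sets `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` or `runAsNonRoot: true` outside this hunk, mirror them on the init container, which Pod Security admission evaluates by the same rules. The pod spec this hunk edits starts before the hunk.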