Work around Prowler --registry bug with init container

Prowler's --registry flag doesn't work (registry args not passed to ImageProvider constructor, prowler-cloud/prowler PR #10128 regression). Use an init container to enumerate images from the zot catalog API and generate an image list file instead. See: https://github.com/eblume/prowler/tree/fix/image-provider-registry-args Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 17:29:25 -07:00 · 2026-03-24 17:29:25 -07:00 · d90be355dd
commit d90be355dd
parent 7d1ae1a57e
1 changed files with 41 additions and 4 deletions
--- a/argocd/manifests/prowler/cronjob-image-scan.yaml
+++ b/argocd/manifests/prowler/cronjob-image-scan.yaml
@ -1,3 +1,4 @@
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@ -14,15 +15,46 @@ spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
+          initContainers:
+            # Workaround: Prowler's --registry flag is broken (registry args
+            # not passed to provider constructor). Generate image list from
+            # zot catalog API instead.
+            - name: enumerate-images
+              image: registry.ops.eblu.me/blumeops/kubectl:kustomized
+              command: ["/bin/bash", "-c"]
+              args:
+                - |
+                  set -euo pipefail
+                  REGISTRY="https://registry.ops.eblu.me"
+                  repos=$(curl -sf "${REGISTRY}/v2/_catalog" | python3 -c "
+                  import json, sys
+                  for r in json.load(sys.stdin)['repositories']:
+                      if r.startswith('blumeops/'):
+                          print(r)
+                  ")
+                  > /shared/images.txt
+                  for repo in $repos; do
+                      tags=$(curl -sf "${REGISTRY}/v2/${repo}/tags/list" | python3 -c "
+                  import json, sys
+                  for t in (json.load(sys.stdin).get('tags') or []):
+                      print(t)
+                  ")
+                      for tag in $tags; do
+                          echo "registry.ops.eblu.me/${repo}:${tag}" >> /shared/images.txt
+                      done
+                  done
+                  echo "Discovered $(wc -l < /shared/images.txt) images"
+                  cat /shared/images.txt
+              volumeMounts:
+                - name: shared
+                  mountPath: /shared
          containers:
            - name: prowler
              image: registry.ops.eblu.me/blumeops/prowler:kustomized
              args:
                - image
-                - --registry
-                - https://registry.ops.eblu.me
-                - --image-filter
-                - blumeops/
+                - --image-list
+                - /shared/images.txt
                - -z
                - --output-formats
                - html
@ -33,8 +65,13 @@ spec:
              volumeMounts:
                - name: reports
                  mountPath: /reports
+                - name: shared
+                  mountPath: /shared
+                  readOnly: true
          restartPolicy: OnFailure
          volumes:
            - name: reports
              persistentVolumeClaim:
                claimName: prowler-reports
+            - name: shared
+              emptyDir: {}