Add Prowler IaC scanning of blumeops repo (Saturday 2am)

Clone repo in init container, scan Dockerfiles and K8s manifests
with Prowler's IaC provider (Trivy). Reports written to
sifaka:/volume1/reports/prowler-iac/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

argocd/manifests/prowler/cronjob-iac-scan.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: prowler-iac-scan
+  namespace: prowler
+spec:
+  schedule: "0 2 * * 6"  # Saturday 2am
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 604800  # Auto-delete after 7 days
+      template:
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+          initContainers:
+            - name: clone-repo
+              image: alpine/git:kustomized
+              command:
+                - git
+                - clone
+                - --depth
+                - "1"
+                - https://forge.ops.eblu.me/eblume/blumeops.git
+                - /repo
+              volumeMounts:
+                - name: repo
+                  mountPath: /repo
+          containers:
+            - name: prowler
+              image: registry.ops.eblu.me/blumeops/prowler:kustomized
+              args:
+                - iac
+                - --directory
+                - /repo
+                - -z
+                - --output-formats
+                - html
+                - csv
+                - json-ocsf
+                - --output-directory
+                - /reports/prowler-iac
+              volumeMounts:
+                - name: reports
+                  mountPath: /reports
+                - name: repo
+                  mountPath: /repo
+                  readOnly: true
+          restartPolicy: OnFailure
+          volumes:
+            - name: reports
+              persistentVolumeClaim:
+                claimName: prowler-reports
+            - name: repo
+              emptyDir: {}

argocd/manifests/prowler/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
@@ -10,7 +11,10 @@ resources:
   - pvc.yaml
   - cronjob.yaml
   - cronjob-image-scan.yaml
+  - cronjob-iac-scan.yaml
 
 images:
   - name: registry.ops.eblu.me/blumeops/prowler
     newTag: v5.22.0-d021b35
+  - name: alpine/git
+    newTag: v2.47.2

docs/changelog.d/+prowler-iac-scan.feature.md

@@ -0,0 +1 @@
+Add IaC scanning via Prowler IaC provider (Saturday 2am, Dockerfiles and K8s manifests).

docs/how-to/operations/deploy-prowler.md

@@ -49,6 +49,22 @@ To run an ad-hoc image scan:
 kubectl create job --from=cronjob/prowler-image-scan prowler-image-manual -n prowler --context=minikube-indri
 ```
 
+### IaC scanning (Saturday 2am)
+
+Prowler's IaC provider scans the blumeops repository (cloned at scan time) for misconfigurations in:
+
+- **Dockerfiles** — running as root, using `latest` tags, missing `HEALTHCHECK`
+- **Kubernetes manifests** — missing resource limits, privileged containers, insecure settings
+- **Other IaC files** — Terraform, CloudFormation, etc. if present
+
+Uses Trivy under the hood. Reports are written to `sifaka:/volume1/reports/prowler-iac/`.
+
+To run an ad-hoc IaC scan:
+
+```fish
+kubectl create job --from=cronjob/prowler-iac-scan prowler-iac-manual -n prowler --context=minikube-indri
+```
+
 ## Reports
 
 Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them.

docs/how-to/operations/read-compliance-reports.md

@@ -20,6 +20,7 @@ Reports are stored on sifaka at `/volume1/reports/`. Each scanner writes to its
 |---------|------|----------|
 | [[prowler]] K8s CIS | `sifaka:/volume1/reports/prowler/` | Weekly (Sunday 3am) |
 | [[prowler]] Image | `sifaka:/volume1/reports/prowler-images/` | Weekly (Saturday 3am) |
+| [[prowler]] IaC | `sifaka:/volume1/reports/prowler-iac/` | Weekly (Saturday 2am) |
 
 Copy reports to your local machine (remember `scp -O` for sifaka):
 

docs/reference/operations/security.md

@@ -50,4 +50,4 @@ All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read
 - No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
 - k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
 - Container image scanning covers `blumeops/*` images only — upstream images (ollama, immich, etc.) are not scanned
-- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy)
+- IaC scanning covers the blumeops repo only — no scanning of third-party Helm charts or vendored manifests

docs/reference/services/prowler.md

@@ -17,8 +17,8 @@ CIS Kubernetes Benchmark scanner for compliance posture reporting.
 |----------|-------|
 | **Namespace** | `prowler` |
 | **Image** | `registry.ops.eblu.me/blumeops/prowler` (see `argocd/manifests/prowler/kustomization.yaml` for current tag) |
-| **Schedule** | K8s CIS: Sunday 3am / Image scan: Saturday 3am |
-| **Reports** | `sifaka:/volume1/reports/prowler/` and `prowler-images/` (NFS) |
+| **Schedule** | K8s CIS: Sunday 3am / Image: Saturday 3am / IaC: Saturday 2am |
+| **Reports** | `sifaka:/volume1/reports/prowler/`, `prowler-images/`, `prowler-iac/` (NFS) |
 | **Manifests** | `argocd/manifests/prowler/` |
 
 ## What it does
@@ -27,6 +27,7 @@ Runs Prowler 5 as two CronJobs:
 
 - **K8s CIS scan** (Sunday) — CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler
 - **Image scan** (Saturday) — CVE, secret, and misconfiguration scanning of all `blumeops/*` container images in the registry via Trivy
+- **IaC scan** (Saturday) — static analysis of Dockerfiles, K8s manifests, and other IaC files in the repo via Trivy
 
 Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.