Add Prowler IaC scanning of blumeops repo (Saturday 2am)

Clone repo in init container, scan Dockerfiles and K8s manifests
with Prowler's IaC provider (Trivy). Reports written to
sifaka:/volume1/reports/prowler-iac/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/changelog.d/+prowler-iac-scan.feature.md

@@ -0,0 +1 @@
+Add IaC scanning via Prowler IaC provider (Saturday 2am, Dockerfiles and K8s manifests).

docs/how-to/operations/deploy-prowler.md

@@ -49,6 +49,22 @@ To run an ad-hoc image scan:
 kubectl create job --from=cronjob/prowler-image-scan prowler-image-manual -n prowler --context=minikube-indri
 ```
 
+### IaC scanning (Saturday 2am)
+
+Prowler's IaC provider scans the blumeops repository (cloned at scan time) for misconfigurations in:
+
+- **Dockerfiles** — running as root, using `latest` tags, missing `HEALTHCHECK`
+- **Kubernetes manifests** — missing resource limits, privileged containers, insecure settings
+- **Other IaC files** — Terraform, CloudFormation, etc. if present
+
+Uses Trivy under the hood. Reports are written to `sifaka:/volume1/reports/prowler-iac/`.
+
+To run an ad-hoc IaC scan:
+
+```fish
+kubectl create job --from=cronjob/prowler-iac-scan prowler-iac-manual -n prowler --context=minikube-indri
+```
+
 ## Reports
 
 Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them.

docs/how-to/operations/read-compliance-reports.md

@@ -20,6 +20,7 @@ Reports are stored on sifaka at `/volume1/reports/`. Each scanner writes to its
 |---------|------|----------|
 | [[prowler]] K8s CIS | `sifaka:/volume1/reports/prowler/` | Weekly (Sunday 3am) |
 | [[prowler]] Image | `sifaka:/volume1/reports/prowler-images/` | Weekly (Saturday 3am) |
+| [[prowler]] IaC | `sifaka:/volume1/reports/prowler-iac/` | Weekly (Saturday 2am) |
 
 Copy reports to your local machine (remember `scp -O` for sifaka):
 

docs/reference/operations/security.md

@@ -50,4 +50,4 @@ All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read
 - No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
 - k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
 - Container image scanning covers `blumeops/*` images only — upstream images (ollama, immich, etc.) are not scanned
-- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy)
+- IaC scanning covers the blumeops repo only — no scanning of third-party Helm charts or vendored manifests

docs/reference/services/prowler.md

@@ -17,8 +17,8 @@ CIS Kubernetes Benchmark scanner for compliance posture reporting.
 |----------|-------|
 | **Namespace** | `prowler` |
 | **Image** | `registry.ops.eblu.me/blumeops/prowler` (see `argocd/manifests/prowler/kustomization.yaml` for current tag) |
-| **Schedule** | K8s CIS: Sunday 3am / Image scan: Saturday 3am |
-| **Reports** | `sifaka:/volume1/reports/prowler/` and `prowler-images/` (NFS) |
+| **Schedule** | K8s CIS: Sunday 3am / Image: Saturday 3am / IaC: Saturday 2am |
+| **Reports** | `sifaka:/volume1/reports/prowler/`, `prowler-images/`, `prowler-iac/` (NFS) |
 | **Manifests** | `argocd/manifests/prowler/` |
 
 ## What it does
@@ -27,6 +27,7 @@ Runs Prowler 5 as two CronJobs:
 
 - **K8s CIS scan** (Sunday) — CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler
 - **Image scan** (Saturday) — CVE, secret, and misconfiguration scanning of all `blumeops/*` container images in the registry via Trivy
+- **IaC scan** (Saturday) — static analysis of Dockerfiles, K8s manifests, and other IaC files in the repo via Trivy
 
 Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.