eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add Prowler IaC scanning of blumeops repo (Saturday 2am)

Browse source 
Clone repo in init container, scan Dockerfiles and K8s manifests
with Prowler's IaC provider (Trivy). Reports written to
sifaka:/volume1/reports/prowler-iac/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-03-24 16:49:38 -07:00
commit fe201a495c
7 changed files with 83 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/reference/operations/security.md
View file

@ -50,4 +50,4 @@ All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read
- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
- Container image scanning covers `blumeops/*` images only — upstream images (ollama, immich, etc.) are not scanned
- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy)
- IaC scanning covers the blumeops repo only — no scanning of third-party Helm charts or vendored manifests

5
docs/reference/services/prowler.md
View file

@ -17,8 +17,8 @@ CIS Kubernetes Benchmark scanner for compliance posture reporting.
|----------|-------|
| **Namespace** | `prowler` |
| **Image** | `registry.ops.eblu.me/blumeops/prowler` (see `argocd/manifests/prowler/kustomization.yaml` for current tag) |
| **Schedule** | K8s CIS: Sunday 3am / Image scan: Saturday 3am |
| **Reports** | `sifaka:/volume1/reports/prowler/` and `prowler-images/` (NFS) |
| **Schedule** | K8s CIS: Sunday 3am / Image: Saturday 3am / IaC: Saturday 2am |
| **Reports** | `sifaka:/volume1/reports/prowler/`, `prowler-images/`, `prowler-iac/` (NFS) |
| **Manifests** | `argocd/manifests/prowler/` |
## What it does
@ -27,6 +27,7 @@ Runs Prowler 5 as two CronJobs:
- **K8s CIS scan** (Sunday) — CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler
- **Image scan** (Saturday) — CVE, secret, and misconfiguration scanning of all `blumeops/*` container images in the registry via Trivy
- **IaC scan** (Saturday) — static analysis of Dockerfiles, K8s manifests, and other IaC files in the repo via Trivy
Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.