Retire Prowler image + IaC scans (keep K8s CIS only) #372

Merged
eblume merged 2 commits from retire-prowler-image-iac-scans into main 2026-06-08 09:30:11 -07:00

Why

Weekly compliance review (2026-06-07) surfaced the toil problem head-on:

| Report | Unmuted findings | Muted | Acted on |
|--------|------------------|-------|----------|
| K8s CIS (In-Cluster) | 0 | 65 | clean |
| Container Images | 20,005 (+713 WoW) | 0 | never |
| IaC (manifests) | 654 (+31/−30 WoW) | 0 | never |

The image and IaC scans generate tens of thousands of un-actioned, un-muted findings every week:

  • Image scan — overwhelmingly unpatchable upstream base-image CVEs, and it re-scans every historical tag still in the registry (2× paperless, 3× mealie, 4× prowler tags in the latest report), multiplying the count.
  • IaC scan — systemic Trivy KSV pod-security warnings against our own manifests; real but homelab-acceptable, never muted, so re-surfaced indefinitely.

The K8s CIS scan is the only one with realized value (fully mutelisted, 0 unmuted WoW) and is retained. Matches the broader scaling-back of the reporting system as minikube heads toward retirement.
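The triage arithmetic behind the table above, as an added example (not code from this repository or from the review-compliance-reports tool): a small script that takes a flat list of findings, computes the unmuted/muted split per report, measures how much re-scanning historical image tags inflates the image count, and flags reports that are all noise and never triaged. The `Finding` data model, the report names and the sample rows are assumptions constructed for the example.

```python
"""Weekly finding triage: which scans carry signal and which only carry toil."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    report: str    # assumed report names: "k8s-cis", "images", "iac"
    resource: str  # image ref "repo:tag" for image scans, manifest path otherwise
    check: str     # CVE id, Trivy KSV id or CIS check id
    muted: bool    # True when a mutelist / trivyignore entry suppresses it


# Constructed sample standing in for one week's reports (not real data).
SAMPLE = [
    Finding("k8s-cis", "kube-apiserver", "CIS-1.2.1", True),
    Finding("k8s-cis", "kubelet", "CIS-4.2.6", True),
    Finding("images", "paperless:2.10", "CVE-0000-0001", False),
    Finding("images", "paperless:2.11", "CVE-0000-0001", False),
    Finding("images", "mealie:1.0", "CVE-0000-0002", False),
    Finding("images", "mealie:1.1", "CVE-0000-0002", False),
    Finding("images", "mealie:1.2", "CVE-0000-0002", False),
    Finding("images", "mealie:1.2", "CVE-0000-0003", False),
    Finding("iac", "apps/mealie/deployment.yaml", "KSV014", False),
    Finding("iac", "apps/paperless/deployment.yaml", "KSV014", False),
]


def summarize(findings):
    """Per report: (unmuted, muted) counts, the two columns that drive the decision."""
    totals = defaultdict(lambda: [0, 0])
    for f in findings:
        totals[f.report][1 if f.muted else 0] += 1
    return {report: tuple(counts) for report, counts in totals.items()}


def image_name(ref):
    """Strip the tag (and any digest) so historical tags of one image collapse together."""
    name = ref.split("@", 1)[0]
    # A ':' after the last '/' is a tag; a ':' before it is a registry port.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    return name[:colon] if colon > last_slash else name


def tag_inflation(findings, report="images"):
    """Raw finding count vs. count after collapsing duplicate tags of the same image.

    Returns (raw, unique, tags_per_image); raw / unique is the multiplier that the
    still-in-registry historical tags add to the headline number.
    """
    image_findings = [f for f in findings if f.report == report]
    raw = len(image_findings)
    unique = len({(image_name(f.resource), f.check) for f in image_findings})
    tags = defaultdict(set)
    for f in image_findings:
        tags[image_name(f.resource)].add(f.resource)
    return raw, unique, {img: len(t) for img, t in tags.items()}


def retire_candidates(findings, min_unmuted=1):
    """Reports with unmuted findings at or above the threshold and nothing muted at
    all: high volume with no evidence that anyone has ever triaged them."""
    return sorted(
        report
        for report, (unmuted, muted) in summarize(findings).items()
        if unmuted >= min_unmuted and muted == 0
    )


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(tag_inflation(SAMPLE))
    print(retire_candidates(SAMPLE))
```

On the sample, `tag_inflation` reports 6 raw image findings but only 3 distinct (image, CVE) pairs, the same doubling effect the description attributes to the 2× paperless / 3× mealie tags, and `retire_candidates` returns the two reports with findings nobody has muted, which is exactly the pair retired here.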

Changes

  • Delete cronjob-image-scan.yaml and cronjob-iac-scan.yaml + remove from kustomization
  • Drop the now-unused mutelist/trivyignore.yaml (only the IaC scan consumed it)
  • review-compliance-reports: drop the two retired scans (and the grouped-findings rendering that existed solely for them)
  • Docs: deploy-prowler (new 'Why only the K8s CIS scan' section), read-compliance-reports, security reference, prowler reference

Deploy (after review)

```fish
argocd app set prowler --revision retire-prowler-image-iac-scans
argocd app sync prowler   # prune removes the two CronJobs
# after merge: argocd app set prowler --revision main && argocd app sync prowler
```

🤖 Generated with Claude Code

Document the decision to retire the container-image CVE scan and the IaC
scan, which generated tens of thousands of un-actioned, un-muted findings
weekly with no realized value. The K8s CIS scan (fully mutelisted, runs
clean) is retained. Rationale captured in deploy-prowler.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Delete prowler-image-scan and prowler-iac-scan CronJobs, remove them from
the kustomization, and drop the now-unused trivyignore.yaml mutelist (only
the IaC scan consumed it via TRIVY_IGNOREFILE).

Trim review-compliance-reports to the single remaining K8s CIS scan and
remove the grouped-findings rendering (_print_grouped_findings /
_worst_severity) that existed solely for the high-volume image/IaC scans.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
eblume merged commit 1c41cca903 into main 2026-06-08 09:30:11 -07:00
Reference
eblume/blumeops!372