Split report-reading guidance out of deploy-prowler into its own
how-to (read-compliance-reports). Add security & compliance
reference card (reference/operations/security) following the
pattern of the observability card.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Mount /volume1/reports (share root) not /volume1/reports/prowler.
Prowler writes to /reports/prowler/ subdirectory within the mount.
This allows other services to share the same NFS share.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The build-container-nix.yaml workflow was merged into
build-container.yaml. Remove the second dispatch that now 404s.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Clone from forge.ops.eblu.me/mirrors/prowler instead of GitHub
directly. Mirror already exists. Fix OCI source label to use
canonical forge.eblu.me URL per repo convention. Add prowler
entry to service-versions.yaml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Custom slim container (no PowerShell/Trivy), NFS-backed reports
on sifaka:/volume1/reports/prowler/, ClusterRole with read-only
RBAC for Kubernetes CIS Benchmark v1.11 checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>