blumeops/argocd/manifests/prowler/cronjob-iac-scan.yaml

---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: prowler-iac-scan
  namespace: prowler
spec:
  schedule: "0 2 * * 6"  # Saturday 2am
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: 604800  # Auto-delete after 7 days
      template:
        spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: prowler
              image: registry.ops.eblu.me/blumeops/prowler:kustomized
              command: ["/bin/sh", "-c"]
              # Prowler's --mutelist-file is a no-op for the IaC provider
              # (it delegates to Trivy). The Prowler image's trivy shim
              # injects --ignorefile $TRIVY_IGNOREFILE when set; see
              # containers/prowler/Dockerfile.
              env:
                - name: TRIVY_IGNOREFILE
                  value: /mutelist/trivyignore.yaml
              args:
                - |
                  DATEDIR=/reports/prowler-iac/$(date +%Y-%m-%d)
                  mkdir -p "$DATEDIR"
                  prowler iac \
                    --scan-repository-url https://forge.ops.eblu.me/eblume/blumeops.git \
                    -z \
                    --output-formats html csv json-ocsf \
                    --output-directory "$DATEDIR"
              volumeMounts:
                - name: reports
                  mountPath: /reports
                - name: mutelist
                  mountPath: /mutelist
                  readOnly: true
          restartPolicy: OnFailure
          volumes:
            - name: reports
              persistentVolumeClaim:
                claimName: prowler-reports
            - name: mutelist
              configMap:
                name: prowler-mutelist
                items:
                  - key: trivyignore.yaml
                    path: trivyignore.yaml