Erich Blume
69737dc915
Deletes the CC how-to and explanation docs, and the orphan changelog fragments describing CC reviews. Updates security.md and read-compliance-reports.md to describe muting in terms of the mutelist files only. Adds the branch changelog fragment. Mutelist YAML files, the Prowler CronJobs, and the review-compliance-reports task all stay — they're updated in the next commit.
861 B
Address the 6 critical Prowler IaC findings against argocd/manifests/. Prowler's IaC provider hardcodes self._mutelist = None and delegates filtering to Trivy, but doesn't plumb --ignorefile through — so the documented "use Trivy filtering" path is actually broken. Added a shim around trivy in the Prowler image that injects --ignorefile $TRIVY_IGNOREFILE for trivy fs invocations when the env var points at a real file. The IaC cronjob now mounts mutelist/trivyignore.yaml (Trivy's per-path schema) and sets the env var, muting the external-secrets and kube-state-metrics Secret-access findings (KSV-0041, KSV-0114). Separately, grafana-clusterrole is tightened to remove secrets access entirely: the dashboard sidecar already only consumes ConfigMap-labeled dashboards, so its RESOURCE env var is now configmap instead of both.