Erich Blume
fe201a495c
Clone repo in init container, scan Dockerfiles and K8s manifests with Prowler's IaC provider (Trivy). Reports written to sifaka:/volume1/reports/prowler-iac/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1.4 KiB
1.4 KiB
| title | modified | last-reviewed | tags | ||
|---|---|---|---|---|---|
| Prowler | 2026-03-24 | 2026-03-24 |
|
Prowler
CIS Kubernetes Benchmark scanner for compliance posture reporting.
Quick Reference
| Property | Value |
|---|---|
| Namespace | prowler |
| Image | registry.ops.eblu.me/blumeops/prowler (see argocd/manifests/prowler/kustomization.yaml for current tag) |
| Schedule | K8s CIS: Sunday 3am / Image: Saturday 3am / IaC: Saturday 2am |
| Reports | sifaka:/volume1/reports/prowler/, prowler-images/, prowler-iac/ (NFS) |
| Manifests | argocd/manifests/prowler/ |
What it does
Runs Prowler 5 as two CronJobs:
- K8s CIS scan (Sunday) — CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler
- Image scan (Saturday) — CVE, secret, and misconfiguration scanning of all
blumeops/*container images in the registry via Trivy - IaC scan (Saturday) — static analysis of Dockerfiles, K8s manifests, and other IaC files in the repo via Trivy
Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.
See also
- security — security & compliance posture overview
- deploy-prowler — deployment how-to, ad-hoc scan instructions, check relevance notes
- read-compliance-reports — how to access and interpret reports