## Why
Weekly compliance review (2026-06-07) surfaced the toil problem head-on:
| Report | Unmuted findings | Muted | Acted on |
|--------|------------------|-------|----------|
| **K8s CIS (In-Cluster)** | 0 | 65 | clean ✅ |
| **Container Images** | 20,005 (+713 WoW) | 0 | never |
| **IaC (manifests)** | 654 (+31/−30 WoW) | 0 | never |
The image and IaC scans generate tens of thousands of un-actioned, un-muted findings every week:
- **Image scan** — overwhelmingly unpatchable *upstream* base-image CVEs, and it re-scans every historical tag still in the registry (2× paperless, 3× mealie, 4× prowler tags in the latest report), multiplying the count.
- **IaC scan** — systemic Trivy KSV pod-security warnings against our own manifests; real but homelab-acceptable, never muted, so re-surfaced indefinitely.
The K8s CIS scan is the only one with realized value (fully mutelisted, 0 unmuted WoW) and is retained. Matches the broader scaling-back of the reporting system as minikube heads toward retirement.
## Changes
- Delete `cronjob-image-scan.yaml` and `cronjob-iac-scan.yaml` + remove from kustomization
- Drop the now-unused `mutelist/trivyignore.yaml` (only the IaC scan consumed it)
- `review-compliance-reports`: drop the two retired scans (and the grouped-findings rendering that existed solely for them)
- Docs: deploy-prowler (new 'Why only the K8s CIS scan' section), read-compliance-reports, security reference, prowler reference
## Deploy (after review)
```fish
argocd app set prowler --revision retire-prowler-image-iac-scans
argocd app sync prowler # prune removes the two CronJobs
# after merge: argocd app set prowler --revision main && argocd app sync prowler
```
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: #372
Erich Blume
1c41cca903