blumeops/docs/changelog.d/prowler-iac-mutelist.infra.md
Erich Blume 2daf6291b7 Replace dead Prowler IaC mutelist with Trivy ignorefile shim
Prowler's IaC provider hardcodes self._mutelist = None and delegates
filtering to Trivy, but doesn't plumb --ignorefile through. The original
attempt with --mutelist-file silently no-op'd. Add a wrapper around
trivy in our image that injects --ignorefile $TRIVY_IGNOREFILE on `fs`
subcommands; switch the IaC cronjob to mount a Trivy-format
trivyignore.yaml and set the env var.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 09:50:31 -07:00


Address the 6 critical Prowler IaC findings against argocd/manifests/.

Prowler's IaC provider hardcodes self._mutelist = None and delegates filtering to Trivy, but doesn't plumb --ignorefile through, so the documented "use Trivy filtering" path is actually broken. Added a shim around trivy in the Prowler image that injects --ignorefile $TRIVY_IGNOREFILE for trivy fs invocations when the env var points at a real file. The IaC cronjob now mounts mutelist/trivyignore.yaml (Trivy's per-path schema) and sets the env var.

Two new compensating controls, operator-purpose-bound-rbac and kube-state-metrics-metadata-only, justify muting the external-secrets and kube-state-metrics Secret-access findings (KSV-0041, KSV-0114).

Separately, grafana-clusterrole is tightened to remove secrets access entirely: the dashboard sidecar already only consumes ConfigMap-labeled dashboards, so its RESOURCE env var is now configmap instead of both.
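The injection logic described above, as an added example that is not the blumeops project's own wrapper (the page does not show the shim's language or install path). The `REAL_TRIVY` location, the `isfile` hook used for testing, and the rule that an explicit `--ignorefile` from the caller wins are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical trivy shim installed ahead of the real binary on PATH.

Prowler's IaC provider runs `trivy fs ...` and never passes --ignorefile,
so the shim adds it from $TRIVY_IGNOREFILE when that names a regular file
and otherwise hands the call through untouched.
"""
import os
import sys

# Assumed location of the real binary, renamed at image build time.
REAL_TRIVY = os.environ.get("REAL_TRIVY", "/usr/local/bin/trivy.real")


def shim_argv(argv, ignorefile, isfile=os.path.isfile):
    """Return the argv to hand to the real trivy.

    --ignorefile is injected only when all of these hold:
      * the subcommand (first non-option token) is `fs`;
      * ignorefile is set and is an existing regular file (a dangling or
        unset env var silently falls back to trivy's own defaults);
      * the caller did not already pass --ignorefile (explicit flag wins).
    Caveat: a global flag written as `--flag value` before the subcommand
    makes `value` look like the subcommand, so the call is passed through.
    """
    args = list(argv)
    sub_idx = next((i for i, a in enumerate(args) if not a.startswith("-")), None)
    if sub_idx is None or args[sub_idx] != "fs":
        return args
    if not ignorefile or not isfile(ignorefile):
        return args
    if any(a == "--ignorefile" or a.startswith("--ignorefile=") for a in args):
        return args
    # Insert directly after `fs` so trivy parses it as a subcommand flag.
    return args[: sub_idx + 1] + ["--ignorefile", ignorefile] + args[sub_idx + 1 :]


def main():
    argv = shim_argv(sys.argv[1:], os.environ.get("TRIVY_IGNOREFILE"))
    os.execv(REAL_TRIVY, [REAL_TRIVY] + argv)


if __name__ == "__main__":
    main()
```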