blumeops/argocd/manifests/prowler/mutelist/trivyignore.yaml
Erich Blume 3e2c481034 C1: drop CC: prefixes from mutelist entries; remove CC tooling
Strips the "CC: <id>." prefix from every Description field in the
Prowler mutelist YAML files (and the statement field in trivyignore).
Each entry's free-form description now stands on its own.

Deletes compensating-controls.yaml (the CC registry) and the
review-compensating-controls mise task. Updates
review-compliance-reports to drop CC references from docstrings,
panel text, and table titles. Node verification logic is unchanged.
2026-05-22 20:09:39 -07:00

37 lines
1.7 KiB
YAML

# Trivy ignorefile for Prowler IaC scan.
#
# Prowler's `--mutelist-file` flag is a no-op for the IaC provider
# (iac_provider.py sets self._mutelist = None and delegates to Trivy).
# Trivy in turn does not auto-discover this YAML form from cwd, so the
# Prowler image ships a shim wrapper around `trivy` that injects
# --ignorefile $TRIVY_IGNOREFILE when the env var is set. The cronjob
# mounts this file and sets TRIVY_IGNOREFILE accordingly.
#
# Schema: https://trivy.dev/latest/docs/configuration/filtering/
# IDs use the hyphenated form Trivy displays (KSV-0041, not KSV0041).
misconfigurations:
  - id: KSV-0041
    paths:
      - "argocd/manifests/external-secrets/rbac.yaml"
    statement: >-
      external-secrets-operator's entire function is to read and
      synthesize Secret objects; ClusterRole over secrets is its
      purpose. Both the controller and cert-controller are
      upstream-defined.
  - id: KSV-0041
    paths:
      - "argocd/manifests/kube-state-metrics/rbac.yaml"
      - "argocd/manifests/kube-state-metrics-ringtail/rbac.yaml"
    statement: >-
      KSM exposes only Secret metadata (name, namespace, type, labels),
      never the data field. list/watch on secrets is required for
      kube_secret_info / kube_secret_labels metrics.
  - id: KSV-0114
    paths:
      - "argocd/manifests/external-secrets/rbac.yaml"
    statement: >-
      cert-controller manages the external-secrets validating webhook
      configurations to inject its own rotating CA bundle. RBAC is
      scoped to two named webhooks (secretstore-validate,
      externalsecret-validate) via resourceNames; KSV-0114 doesn't see
      the resourceNames restriction, so it reports the full ClusterRole.
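The header comment describes a shim that wraps `trivy` and injects `--ignorefile $TRIVY_IGNOREFILE` when the variable is set, but the shim itself is not on this page. The script below is one way to write such a wrapper. It is an added example, not the wrapper shipped in the project's Prowler image: it assumes the real binary has been renamed to /usr/local/bin/trivy.real (overridable through TRIVY_REAL, a hypothetical variable) and that this script is installed in its place as /usr/local/bin/trivy. TRIVY_IGNOREFILE is the variable named in the file header above.

```sh
#!/bin/sh
# Added example of a trivy shim, not the project's own wrapper.
# Assumptions: the real binary lives at $TRIVY_REAL (default
# /usr/local/bin/trivy.real) and this script is installed as `trivy`.
# Everything trivy receives comes from the caller, plus --ignorefile
# when TRIVY_IGNOREFILE is set (the variable the file header describes).

# Succeeds when the caller already passed --ignorefile in either form,
# so the shim never silently overrides an explicit choice.
has_ignorefile_arg() {
  for a in "$@"; do
    case "$a" in
      --ignorefile|--ignorefile=*) return 0 ;;
    esac
  done
  return 1
}

# Builds the final argument list and replaces this shell with trivy.
trivy_shim() {
  real="${TRIVY_REAL:-/usr/local/bin/trivy.real}"
  if [ -n "${TRIVY_IGNOREFILE:-}" ]; then
    # Fail loudly rather than quietly scanning without the mutelist: a
    # broken mount would otherwise surface only as a flood of findings
    # that were already reviewed and muted.
    if [ ! -r "$TRIVY_IGNOREFILE" ]; then
      echo "trivy shim: TRIVY_IGNOREFILE=$TRIVY_IGNOREFILE is not readable" >&2
      return 2
    fi
    if ! has_ignorefile_arg "$@"; then
      # Append instead of inserting after $1: the first argument may be a
      # global flag (e.g. --debug) rather than the subcommand, and trivy
      # accepts flags after positional arguments.
      set -- "$@" --ignorefile "$TRIVY_IGNOREFILE"
    fi
  fi
  exec "$real" "$@"
}

# Hand off to trivy only when this file is actually installed and invoked
# as `trivy`; sourcing or running it under another name just defines the
# functions, which is what the usage check below relies on.
case "$0" in
  trivy|*/trivy) trivy_shim "$@" ;;
esac
```

The cronjob described in the header would mount the YAML above and set `TRIVY_IGNOREFILE` to its mount path; with that in place, `trivy config .` becomes `trivy config . --ignorefile <path>` without any change to how Prowler invokes Trivy. Two behaviours are worth keeping when adapting this: a set-but-unreadable `TRIVY_IGNOREFILE` aborts the scan instead of degrading to an unmuted run, and an `--ignorefile` the caller already supplied wins over the environment.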