blumeops/mise-tasks
Erich Blume be30668eef Automate Prowler MANUAL finding verification (#335)
## Summary
- Adds automated node-level verification to `review-compliance-reports`: kubelet file perms/ownership, kubelet config args, etcd CA separation, RBAC cluster-admin bindings
- Mutes the 14 MANUAL Prowler findings via new `manual-node-checks.yaml` mutelist file
- New `node-config-automated-verification` compensating control documents the approach
- Script fails loudly (red FAIL + verdict panel) if any check deviates from expected values

## Test plan
- [x] `mise run review-compliance-reports` — all 12 node checks PASS
- [x] Injected bad expected value (perms 400 vs actual 600) — FAIL rendered correctly
- [x] Fixed colon-in-binding-name bug (kubeadm:cluster-admins) with tab-separated jsonpath
- [ ] After merge: sync prowler mutelist ConfigMap and verify next scan shows 0 MANUAL findings

## Note
Prowler coverage is minikube-indri only — ringtail/k3s is a known gap tracked separately.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #335
2026-04-14 13:00:44 -07:00
| Name | Last commit | Date |
|---|---|---|
| ai-docs | | |
| ai-sources | | |
| blumeops-tasks | Fix blumeops-tasks swallowing bracket content in descriptions | 2026-04-06 10:37:40 -07:00 |
| branch-cleanup | Add preserve/* branch protection and document Pyroscope blocker | 2026-03-26 15:32:25 -07:00 |
| changelog-check | | |
| container-build-and-release | Native Dagger container builds + Navidrome v0.61.1 (#330) | 2026-04-11 17:11:56 -07:00 |
| container-list | Native Dagger container builds + Navidrome v0.61.1 (#330) | 2026-04-11 17:11:56 -07:00 |
| container-version-check | Native Dagger container builds + Navidrome v0.61.1 (#330) | 2026-04-11 17:11:56 -07:00 |
| dns-preview | | |
| dns-up | | |
| docs-check-frontmatter | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| docs-check-links | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| docs-mikado | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| docs-preview | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| docs-review | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| docs-review-stale | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| docs-review-tags | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| ensure-k3s-ringtail-kubectl-config | | |
| ensure-minikube-indri-kubectl-config | | |
| fly-deploy | | |
| fly-setup | | |
| fly-shutoff | | |
| frigate-export-model | | |
| mikado-branch-invariant-check | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| mirror-create | | |
| mirror-update-pats | | |
| op-backup | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| pr-comments | Update tooling dependencies (March 2026) (#307) | 2026-03-24 08:11:46 -07:00 |
| provision-indri | | |
| provision-ringtail | | |
| provision-sifaka | | |
| prune-ringtail-generations | Add ringtail post-deploy maintenance: kernel check, generation pruning, GC | 2026-03-27 07:55:45 -07:00 |
| review-compensating-controls | Add compensating controls framework and date-based report dirs (#320) | 2026-03-30 17:44:11 -07:00 |
| review-compliance-reports | Automate Prowler MANUAL finding verification (#335) | 2026-04-14 13:00:44 -07:00 |
| runner-logs | Rewrite runner-logs: API-based log fetching, multi-repo support | 2026-04-12 09:42:58 -07:00 |
| service-review | Miniflux 2.2.19 + container.py migration + ty typechecker (#331) | 2026-04-12 08:54:32 -07:00 |
| services-check | Fix services-check to show all firing alerts per alert name | 2026-04-10 19:10:09 -07:00 |
| spork-create | spork-create: check for conflicting branch names before sporking | 2026-03-29 09:36:53 -07:00 |
| tailnet-preview | | |
| tailnet-up | | |
| validate-workflows | | |