New mise task fetches Prowler reports from sifaka, parses with proper muted/unmuted distinction, shows week-over-week delta, and includes a scaffold for Kingfisher once JSON/CSV output is available upstream. Moved all legacy top-level reports on sifaka into date subdirectories to match the current CronJob output structure. Updated read-compliance-reports doc with task reference and links. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| title | modified | last-reviewed | tags |
|---|---|---|---|
| Read Compliance Reports | 2026-04-06 | 2026-04-06 | |
# Read Compliance Reports

How to access and interpret compliance scan reports from prowler and other security scanners.

## Quick summary

```sh
mise run review-compliance-reports
```
This fetches the latest Prowler report from sifaka, parses it (respecting muted status), compares against the previous week, and shows only actionable unmuted failures. Use --show-muted to also see muted findings, or --full for complete detail.
## Accessing reports
Reports are stored on sifaka at /volume1/reports/. Each scanner writes to its own subdirectory:
| Scanner | Path | Schedule |
|---|---|---|
| prowler K8s CIS | sifaka:/volume1/reports/prowler/ | Weekly (Sunday 3am) |
| prowler Image | sifaka:/volume1/reports/prowler-images/ | Weekly (Saturday 3am) |
| prowler IaC | sifaka:/volume1/reports/prowler-iac/ | Weekly (Saturday 2am) |
Copy reports to your local machine (remember `scp -O` for sifaka):

```sh
scp -O sifaka:/volume1/reports/prowler/prowler-output-In-Cluster-*.html /tmp/
open /tmp/prowler-output-In-Cluster-*.html
```
## Report formats

### HTML

Open in a browser. Self-contained, filterable by severity, status, and service. Best for human review — shows pass/fail per check with remediation guidance.

### CSV

One row per finding. Columns include check ID, status, severity, resource, namespace, description, and remediation. Good for filtering in a spreadsheet or scripting.

### JSON-OCSF

Open Cybersecurity Schema Framework format. Machine-parseable, suitable for SIEM ingestion or programmatic analysis.

### Compliance CSV

In the `compliance/` subdirectory. Findings mapped to specific framework requirement IDs (e.g., CIS 1.11 section numbers). Shows which controls pass or fail.
## Interpreting results

### Status values
- PASS — the resource is configured securely per the check
- FAIL — remediation is recommended
- MANUAL — Prowler cannot determine the result automatically (e.g., kubelet file permissions when not running on the node)
- MUTED — the finding was explicitly suppressed via a mutelist
### Severity
Findings are categorized as critical, high, medium, or low. Focus on critical and high first.
### Expected failures
Not all failures require action. Common expected failures in our minikube cluster:
- Core/pod security (high): System pods (ArgoCD, external-secrets, tailscale-operator) legitimately need elevated privileges. These can be mutelisted.
- Apiserver (medium): Audit logging, profiling, and some admission plugins are not configured in minikube defaults. Low risk for a homelab.
- Kubelet (high): Anonymous auth or read-only port settings from minikube defaults.
## Acting on findings
- Triage — review new failures, distinguish real issues from expected noise
- Remediate — fix what you can (pod security contexts, RBAC tightening)
- Mutelist — suppress expected/accepted failures via Prowler's `--mutelist-file` to reduce noise in future scans
- Track — compare reports over time to spot regressions
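The parse-and-compare logic the task performs, as an added example that is not the repo's mise task or Prowler's own code: it reads two Prowler CSV exports, keeps muted findings out of the actionable list unless asked for them, orders failures worst severity first, and reports the week-over-week delta (new, resolved, unchanged). The column names, the `;` delimiter, the check IDs and the two sample reports are constructed assumptions for this example; check the header of a real report on sifaka before pointing it at one.

```python
import csv
import io
from collections import Counter

# Constructed sample exports in the shape of a Prowler CSV (assumed header and
# ';' delimiter). Check IDs and resources are illustrative, not from a real scan.
LAST_WEEK = """CHECK_ID;STATUS;MUTED;SEVERITY;RESOURCE_NAME;NAMESPACE
apiserver_audit_log_enabled;FAIL;False;medium;kube-apiserver-minikube;kube-system
core_privileged_containers;FAIL;True;high;argocd-repo-server;argocd
kubelet_anonymous_auth;FAIL;False;high;minikube;kube-system
rbac_cluster_admin_usage;PASS;False;high;cluster-admin;
"""

THIS_WEEK = """CHECK_ID;STATUS;MUTED;SEVERITY;RESOURCE_NAME;NAMESPACE
apiserver_audit_log_enabled;FAIL;False;medium;kube-apiserver-minikube;kube-system
core_privileged_containers;FAIL;True;high;argocd-repo-server;argocd
kubelet_anonymous_auth;PASS;False;high;minikube;kube-system
rbac_cluster_admin_usage;FAIL;False;high;cluster-admin;
"""

# Lower number sorts first; unknown severities sink to the bottom.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_findings(text):
    """Return {(check_id, namespace, resource): row} for one CSV export.

    MUTED is normalised to a bool so callers never compare the raw string.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    findings = {}
    for row in reader:
        row["MUTED"] = row["MUTED"].strip().lower() == "true"
        key = (row["CHECK_ID"], row["NAMESPACE"], row["RESOURCE_NAME"])
        findings[key] = row
    return findings


def unmuted_fail_keys(findings):
    """Keys of FAIL findings that are not suppressed by a mutelist."""
    return {k for k, r in findings.items()
            if r["STATUS"] == "FAIL" and not r["MUTED"]}


def actionable(findings, show_muted=False):
    """FAIL rows to act on, worst severity first; muted rows only if show_muted."""
    rows = [r for r in findings.values()
            if r["STATUS"] == "FAIL" and (show_muted or not r["MUTED"])]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER.get(r["SEVERITY"], 9),
                                       r["CHECK_ID"]))


def weekly_delta(previous, current):
    """Week-over-week change in unmuted failures between two parsed reports."""
    prev_fail = unmuted_fail_keys(previous)
    cur_fail = unmuted_fail_keys(current)
    return {
        "new": sorted(cur_fail - prev_fail),        # regressions to triage
        "resolved": sorted(prev_fail - cur_fail),   # fixed since last week
        "unchanged": sorted(cur_fail & prev_fail),  # still open
    }


def severity_counts(findings):
    """Count of actionable (unmuted FAIL) findings per severity."""
    return Counter(r["SEVERITY"] for r in actionable(findings))


def render(previous, current, show_muted=False):
    """Plain-text summary in the spirit of the task's default output."""
    delta = weekly_delta(previous, current)
    muted = sum(1 for r in current.values() if r["STATUS"] == "FAIL" and r["MUTED"])
    lines = [f"unmuted failures: {len(actionable(current))} (muted: {muted})",
             f"by severity: {dict(severity_counts(current))}",
             f"new: {len(delta['new'])}  resolved: {len(delta['resolved'])}  "
             f"unchanged: {len(delta['unchanged'])}"]
    for r in actionable(current, show_muted):
        flag = " [muted]" if r["MUTED"] else ""
        lines.append(f"  {r['SEVERITY']:<8} {r['CHECK_ID']} "
                     f"{r['NAMESPACE'] or '-'}/{r['RESOURCE_NAME']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_findings(LAST_WEEK), parse_findings(THIS_WEEK)))
```

Keying findings on check ID, namespace and resource (rather than check ID alone) is what makes the delta meaningful: a check that fails on a newly deployed pod shows up as new even when the same check already failed elsewhere last week.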
## Related
- security — security & compliance posture overview
- deploy-prowler — Prowler deployment and ad-hoc scans
- kingfisher — secret detection scanner