eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/containers/prowler/Dockerfile
Erich Blume 696024306c
All checks were successful
Build Container / detect (push) Successful in 39s
Details
Build Container / build-dockerfile (prowler) (push) Successful in 10m15s
Details
Add Prowler image vulnerability scanning for blumeops containers 
Add Trivy to the Prowler container for image and IaC scanning.
New CronJob (Saturday 3am) scans all blumeops/* images in the
registry for CVEs, embedded secrets, and Dockerfile misconfigs.
Reports written to sifaka:/volume1/reports/prowler-images/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 16:43:08 -07:00

63 lines
2.2 KiB
Docker
Raw Blame History

# Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
# Strips PowerShell (M365) and dashboard dependencies from upstream
# Includes Trivy for image vulnerability and IaC scanning
ARG CONTAINER_APP_VERSION=5.22.0
FROM python:3.12-slim-bookworm AS build
ARG CONTAINER_APP_VERSION
RUN apt-get update && apt-get install -y --no-install-recommends \
git ca-certificates \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /build
RUN git clone --depth 1 --branch ${CONTAINER_APP_VERSION} \
https://forge.ops.eblu.me/mirrors/prowler.git .
# Install prowler into a virtualenv so we can copy it cleanly
RUN python -m venv /opt/prowler \
&& /opt/prowler/bin/pip install --no-cache-dir --upgrade pip \
&& /opt/prowler/bin/pip install --no-cache-dir .
# ---
FROM python:3.12-slim-bookworm
ARG CONTAINER_APP_VERSION
LABEL org.opencontainers.image.title="prowler"
LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
LABEL org.opencontainers.image.vendor="blumeops"
LABEL org.opencontainers.image.description="Prowler scanner (Kubernetes, image, IaC providers)"
ARG TRIVY_VERSION=0.69.2
RUN ARCH=$(dpkg --print-architecture) \
&& case "$ARCH" in \
amd64) TRIVY_ARCH="Linux-64bit" ;; \
arm64) TRIVY_ARCH="Linux-ARM64" ;; \
*) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
esac \
&& apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
&& wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz \
&& tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
&& chmod +x /usr/local/bin/trivy \
&& rm /tmp/trivy.tar.gz \
&& apt-get purge -y wget && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
RUN addgroup --gid 1000 prowler \
&& adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler \
&& mkdir -p /tmp/.cache/trivy && chown prowler:prowler /tmp/.cache/trivy
COPY --from=build /opt/prowler /opt/prowler
ENV PATH="/opt/prowler/bin:${PATH}"
ENV TRIVY_CACHE_DIR="/tmp/.cache/trivy"
USER prowler
WORKDIR /home/prowler
ENTRYPOINT ["prowler"]
Reference in a new issue View git blame Copy permalink