Read Compliance Reports
How to access and interpret compliance scan reports from prowler and other security scanners.
Accessing reports
Reports are stored on sifaka at /volume1/reports/. Each scanner writes to its own subdirectory:
| Scanner | Path | Schedule |
|---|---|---|
| prowler K8s CIS | sifaka:/volume1/reports/prowler/ | Weekly (Sunday 3am) |
| prowler Image | sifaka:/volume1/reports/prowler-images/ | Weekly (Saturday 3am) |
| prowler IaC | sifaka:/volume1/reports/prowler-iac/ | Weekly (Saturday 2am) |
Copy reports to your local machine (remember scp -O for sifaka):
scp -O sifaka:/volume1/reports/prowler/prowler-output-In-Cluster-*.html /tmp/
open /tmp/prowler-output-In-Cluster-*.htmlReport formats
HTML
Open in a browser. Self-contained, filterable by severity, status, and service. Best for human review — shows pass/fail per check with remediation guidance.
CSV
One row per finding. Columns include check ID, status, severity, resource, namespace, description, and remediation. Good for filtering in a spreadsheet or scripting.
JSON-OCSF
Open Cybersecurity Schema Framework format. Machine-parseable, suitable for SIEM ingestion or programmatic analysis.
Compliance CSV
In the compliance/ subdirectory. Findings mapped to specific framework requirement IDs (e.g., CIS 1.11 section numbers). Shows which controls pass or fail.
Interpreting results
Status values
- PASS — the resource is configured securely per the check
- FAIL — remediation is recommended
- MANUAL — Prowler cannot determine the result automatically (e.g., kubelet file permissions when not running on the node)
- MUTED — the finding was explicitly suppressed via a mutelist
Severity
Findings are categorized as critical, high, medium, or low. Focus on critical and high first.
Expected failures
Not all failures require action. Common expected failures in our minikube cluster:
- Core/pod security (high): System pods (ArgoCD, external-secrets, tailscale-operator) legitimately need elevated privileges. These can be mutelisted.
- Apiserver (medium): Audit logging, profiling, and some admission plugins are not configured in minikube defaults. Low risk for a homelab.
- Kubelet (high): Anonymous auth or read-only port settings from minikube defaults.
Acting on findings
- Triage — review new failures, distinguish real issues from expected noise
- Remediate — fix what you can (pod security contexts, RBAC tightening)
- Mutelist — suppress expected/accepted failures via Prowler’s
--mutelist-fileto reduce noise in future scans - Track — compare reports over time to spot regressions
See also
- security — security & compliance posture overview
- deploy-prowler — Prowler deployment and ad-hoc scans